I’m trying to set up my WireGuard server on my Unifi UDM so that it drops all connections that are not to a shared NAS.
Since clients cannot be trusted, I’ve already set it up to only allow talking to the NAS on the local network, but I want to ensure that all other traffic, internet included, is not tunneled.
I’m not allowed to make an IP group for 0.0.0.0/0, so I’m not sure what to specify for “the internet” when blocking IPs server side.
I’m not familiar with Unifi, but it should be possible to add the NAS to the WireGuard network and then simply disable forwarding from WireGuard to outside networks. Or to enable forwarding only to the NAS IP.
But the bottom line is, packets must be forwarded somehow to get “out of” the WireGuard network. So no forwarding immediately implies no access outside.
I think I figured this one out. Sometimes this happens when I get stuck and make a post. I relax the knot in my head, and just as my tiny brain relaxes it, something clicks.
In the Unifi interface I didn’t know you could leave destination or source “empty”; you can’t, but the default is any!
So I can just set 2 new firewall rules with the VPN as source, leaving destination as any.
Type = internet in (then out for the other)
Action = Drop
Address Group = Wireguard VPN
I am unfamiliar with Unifi UDM.
I like their APs but UDM was a burning pile of s*** when I last looked at it 2y ago.
Anyway, you basically have two options and probably should use both.
A: Create rules on UDM so that WG clients can only connect to the NAS IP and not the whole subnet.
B: On the clients themselves, you can set allowed IPs to the NAS IP only. That way only traffic to that NAS will go through WG. Browsing Reddit or YouTube does not go through WG in that case.
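Option B as a concrete client configuration, added here as an example and not taken from any post in the thread; the tunnel address 10.8.0.2, the NAS address 192.168.1.50, the endpoint vpn.example.com and the key placeholders are all assumed values.

```ini
# Client-side WireGuard config (example added to this thread, not from any post).
# Placeholders: 10.8.0.2 = this client's tunnel address, 192.168.1.50 = the NAS,
# vpn.example.com = the UDM's public endpoint, <...> = keys you generate yourself.
[Interface]
PrivateKey = <client private key>
Address = 10.8.0.2/32
# No DNS line: the client keeps its normal resolver, so name lookups are not
# pulled into the tunnel either.

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.com:51820
# Split tunnel: only the single NAS host route is sent through WireGuard.
# A full tunnel would instead be  AllowedIPs = 0.0.0.0/0, ::/0  which is
# exactly the "all traffic, internet included" case the original poster wants to avoid.
AllowedIPs = 192.168.1.50/32
PersistentKeepalive = 25
```

AllowedIPs is chosen by the client, so this only keeps a well-behaved client's Reddit and YouTube traffic out of the tunnel; a client you do not trust can widen it, which is why the server-side drop rules from option A are the part that actually enforces the restriction.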