theis.gaedigk/wg-easy-ca-lose
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Deployed 5228734 to edge with MkDocs 1.6.1 and mike 2.1.3

Browse Source
This commit is contained in:
github-actions[bot]
2026-03-05 11:50:58 +00:00
parent 60230e032a
commit d408051316
33 changed files with 357 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files
edge/guides/clients/index.html
+69 -2
View File
@@ -25,7 +25,7 @@
<link rel="icon" href="../../assets/logo/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.3">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.4">
@@ -1733,6 +1733,17 @@
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#firewall-allowed-ips" class="md-nav__link">
<span class="md-ellipsis">
Firewall Allowed IPs
</span>
</a>
</li>
<li class="md-nav__item">
@@ -1889,6 +1900,17 @@
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#firewall-allowed-ips" class="md-nav__link">
<span class="md-ellipsis">
Firewall Allowed IPs
</span>
</a>
</li>
<li class="md-nav__item">
@@ -1995,7 +2017,52 @@
<h2 id="allowed-ips"><a class="toclink" href="#allowed-ips">Allowed IPs</a></h2>
<p>Which IPs will be routed through the VPN.</p>
<p>This will not prevent the user from modifying it locally and accessing IP ranges that they should not be able to access.</p>
<p>Use firewall rules to prevent access to IP ranges that the user should not be able to access.</p>
<p>Use the Firewall Allowed IPs feature to prevent access to IP ranges that the user should not be able to access.</p>
<h2 id="firewall-allowed-ips"><a class="toclink" href="#firewall-allowed-ips">Firewall Allowed IPs</a></h2>
<div class="admonition note">
<p class="admonition-title">Attention</p>
<p>This field only appears when <strong>Per-Client Firewall</strong> is enabled in the Admin Panel → Interface settings.</p>
</div>
<p>Server-side firewall rules that restrict which destinations the client can access, regardless of their local configuration.</p>
<p>Unlike "Allowed IPs" which only controls routing on the client side, these rules are enforced by the server using iptables/ip6tables and cannot be bypassed by the client.</p>
<p><strong>Supported Formats:</strong></p>
<ul>
<li><code>10.10.0.3</code>, <code>2001:db8::1</code> - Allow access to a single IP address</li>
<li><code>10.10.0.0/24</code>, <code>2001:db8::/32</code> - Allow access to an entire subnet</li>
<li><code>192.168.1.5:443</code> - Allow access to specific port (TCP+UDP)</li>
<li><code>192.168.1.5:443/tcp</code> - Allow access to specific port (TCP only)</li>
<li><code>192.168.1.5:443/udp</code> - Allow access to specific port (UDP only)</li>
<li><code>10.10.0.0/24:443</code> - Allow access to an entire subnet on a specific port (TCP+UDP)</li>
<li><code>10.10.0.0/24:443/tcp</code> - Allow access to an entire subnet on a specific port (TCP only)</li>
<li><code>10.10.0.0/24:443/udp</code> - Allow access to an entire subnet on a specific port (UDP only)</li>
<li><code>[2001:db8::1]:443</code> - IPv6 address with port (brackets required)</li>
<li><code>[2001:db8::/32]:443/tcp</code> - IPv6 CIDR with port and protocol</li>
</ul>
<div class="admonition warning">
<p class="admonition-title">Invalid Formats</p>
<p>Protocol specifiers (<code>/tcp</code> or <code>/udp</code>) require a port number. The following formats are <strong>not supported</strong> and will result in an error:</p>
<ul>
<li><code>10.10.0.3/tcp</code> (use <code>10.10.0.3:443/tcp</code> instead)</li>
<li><code>10.10.0.0/24/udp</code> (use <code>10.10.0.0/24:53/udp</code> instead)</li>
</ul>
</div>
<p><strong>Behavior:</strong></p>
<ul>
<li><strong>Empty</strong>: Falls back to the client's "Allowed IPs" setting</li>
<li><strong>Specified</strong>: Only listed destinations are accessible (allow-only, everything else is blocked)</li>
<li><strong>Disable for specific client</strong>: To disable firewall filtering for a single client while keeping it enabled for others, add <code>0.0.0.0/0, ::/0</code> to allow all traffic</li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>To allow clients to reach the VPN server itself (e.g. for DNS), include the server's VPN address in the firewall allowed IPs.</p>
</div>
<p><strong>Use Case Examples</strong>:</p>
<ul>
<li>Allow only specific servers: <code>10.10.0.5</code></li>
<li>Allow only internal network: <code>10.10.0.0/24, 192.168.1.0/24</code></li>
<li>Allow only web browsing: <code>0.0.0.0/0:80, 0.0.0.0/0:443, [::/0]:80, [::/0]:443</code></li>
<li>Block internet, allow LAN: Leave "Allowed IPs" as <code>0.0.0.0/0, ::/0</code> but set Firewall IPs to <code>10.0.0.0/8, 192.168.0.0/16</code></li>
</ul>
<h2 id="server-allowed-ips"><a class="toclink" href="#server-allowed-ips">Server Allowed IPs</a></h2>
<p>Which IPs will be routed to the client.</p>
<h2 id="dns"><a class="toclink" href="#dns">DNS</a></h2>