From d91ab10374690f51ff792be81a62996e6a2ddd2b Mon Sep 17 00:00:00 2001 From: Ian Foster Date: Fri, 23 Jan 2026 20:20:22 -0800 Subject: [PATCH] added Comprehensive documentation in README and docs/ for firewall filtering --- README.md | 1 + docs/content/faq.md | 12 ++++++++++++ docs/content/guides/admin.md | 24 +++++++++++++++++++++++- docs/content/guides/clients.md | 30 +++++++++++++++++++++++++++++- 4 files changed, 65 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 741cc12e..7f2df64a 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,7 @@ You have found the easiest way to install & manage WireGuard on any Linux host! - IPv6 support - CIDR support - 2FA support +- Per-client firewall filtering > [!NOTE] > To better manage documentation for this project, it has its own site here: [https://wg-easy.github.io/wg-easy/latest](https://wg-easy.github.io/wg-easy/latest) diff --git a/docs/content/faq.md b/docs/content/faq.md index b2430530..1645c4bb 100644 --- a/docs/content/faq.md +++ b/docs/content/faq.md @@ -6,6 +6,18 @@ hide: Here are some frequently asked questions or errors about `wg-easy`. If you have a question that is not answered here, please feel free to open a discussion on GitHub. +## How do I restrict client access to specific networks or servers? + +Use the **Per-Client Firewall** feature to enforce server-side restrictions on what each client can access. + +1. Enable "Per-Client Firewall" in **Admin Panel → Interface** +2. Edit a client and configure "Firewall Allowed IPs" +3. Specify which destinations the client should be allowed to access + +Unlike "Allowed IPs" which only controls client-side routing, firewall rules are enforced by the server and cannot be bypassed. + +See the [Admin Panel Guide](guides/admin/#per-client-firewall) and [Client Guide](guides/clients/#firewall-allowed-ips) for detailed configuration. + ## Error: WireGuard exited with the error: Cannot find device "wg0" This error indicates that the WireGuard interface `wg0` does not exist. This can happen if the WireGuard kernel module is not loaded or if the interface was not created properly. diff --git a/docs/content/guides/admin.md b/docs/content/guides/admin.md index 7899d670..231f7b1a 100644 --- a/docs/content/guides/admin.md +++ b/docs/content/guides/admin.md @@ -2,4 +2,26 @@ title: Admin Panel --- -TODO +## Interface Settings + +### Per-Client Firewall + +Enable server-side firewall filtering to enforce network access restrictions per client. + +When enabled, each client can have custom "Firewall Allowed IPs" configured that restrict which destinations they can access through the VPN. These restrictions are enforced by the server using iptables/ip6tables and cannot be bypassed by the client. + +**Enable this feature if you want to:** + +- Restrict certain clients to only access specific servers or networks +- Prevent clients from accessing the internet while allowing LAN access +- Enforce port-based restrictions (e.g., only allow HTTP/HTTPS) +- Separate routing configuration from security enforcement + +**How it works:** + +1. Enable "Per-Client Firewall" in Admin Panel → Interface +2. Edit any client to see the new "Firewall Allowed IPs" field +3. Specify allowed destinations (IPs, subnets, ports) for that client +4. Server enforces these rules automatically + +See [Edit Client → Firewall Allowed IPs](../clients/#firewall-allowed-ips) for detailed configuration syntax and examples. diff --git a/docs/content/guides/clients.md b/docs/content/guides/clients.md index 973be689..ec532b1b 100644 --- a/docs/content/guides/clients.md +++ b/docs/content/guides/clients.md @@ -19,7 +19,35 @@ Which IPs will be routed through the VPN. This will not prevent the user from modifying it locally and accessing IP ranges that they should not be able to access. -Use firewall rules to prevent access to IP ranges that the user should not be able to access. +Use the Firewall Allowed IPs feature to prevent access to IP ranges that the user should not be able to access. + +## Firewall Allowed IPs + +!!! note + This field only appears when **Per-Client Firewall** is enabled in the Admin Panel → Interface settings. + +Server-side firewall rules that restrict which destinations the client can access, regardless of their local configuration. + +Unlike "Allowed IPs" which only controls routing on the client side, these rules are enforced by the server using iptables/ip6tables and cannot be bypassed by the client. + +**Supported Formats:** + +- `10.10.0.3` - Allow access to a single IP address +- `10.10.0.0/24` - Allow access to an entire subnet +- `192.168.1.5:443` - Allow access to specific port (TCP+UDP) +- `192.168.1.5:443/tcp` - Allow access to specific port (TCP only) +- `192.168.1.5:443/udp` - Allow access to specific port (UDP only) +- `[2001:db8::1]:443` - IPv6 address with port (brackets required) + +**Behavior:** + +- **Empty**: Falls back to the client's "Allowed IPs" setting +- **Specified**: Only listed destinations are accessible (allow-only, everything else is blocked) +- **Use Case Examples**: + - Allow only specific servers: `10.10.0.5` + - Allow only internal network: `10.10.0.0/24, 192.168.1.0/24` + - Allow only web browsing: `0.0.0.0/0:80, 0.0.0.0/0:443, ::/0:80, ::/0:443` + - Block internet, allow LAN: Leave "Allowed IPs" as `0.0.0.0/0, ::/0` but set Firewall IPs to `10.0.0.0/8, 192.168.0.0/16` ## Server Allowed IPs