Thanks Lonnie.

Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface? I really need a Pass LAN->Local to do this!

Regards
Michael Knill

On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    
    
    > On Sep 8, 2019, at 8:46 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    > 
    > Hi Group
    >  
    > I am seeing lots of hacking attempts on my systems as they have found my non-standard SSH port. Although there is no issue as I have SSH Key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
    > As such, along with implementing Geoblocking Netset files (next release), I also want to use a Jump box for management. This server would connect to each system via Wireguard VPN allowing management also when in a failover condition through NAT e.g. 4G backup, firewall managed by others.
    >  
    > With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this Wireguard VPN tunnel to the local interface e.g. wg0 address. I think it is completely open currently.
    >  
    > Is it easy to do?
    >  
    > Regards
    > Michael Knill
    
    If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
    
    As such, only allow remote user access to the management VPN via a WireGuard tunnel.
    
    But, if you want to filter SSH from wg0 to the local device by source IP address, try
    
    Firewall Rules:
    Action: [ Deny LAN->Local ]
    
    keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
    
    Lonnie
    
    
    
    _______________________________________________
    Astlinux-users mailing list
    Astlinux-users@lists.sourceforge.net
    https://lists.sourceforge.net/lists/listinfo/astlinux-users
    
    Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
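As an added example for the thread above (not AstLinux's own firewall rule syntax and not code from either poster), the following POSIX shell script emits plain iptables rules that express the policy being discussed: the jump box's WireGuard peer address may open new connections to the SSH port on the local device, every other wg0->Local connection is dropped, and traffic arriving on the on-site LAN interface never enters the new chain, so LAN access to the admin interface is left as it is. The interface name wg0, the peer address 10.8.0.2, the port 2222 and the chain name WG_MGMT are assumed placeholders.

```shell
#!/bin/sh
# Added example, not AstLinux's own rule syntax: iptables rules for
# "pass SSH from the management peer on wg0, deny everything else wg0 -> Local".
# wg0, 10.8.0.2, port 2222 and the chain name WG_MGMT are assumed placeholders.

# Print the rules rather than applying them, so the policy can be reviewed
# (and tested) without root; apply with:  mgmt_rules wg0 10.8.0.2 2222 | sh
mgmt_rules() {
    wg_if="$1"   # WireGuard interface that carries the management tunnel
    peer="$2"    # tunnel address of the jump box (the only allowed SSH source)
    port="$3"    # the non-standard SSH port the device listens on

    # Refuse malformed input instead of emitting a rule that iptables rejects
    # (or, worse, one that silently matches nothing).
    case "$port" in
        ''|*[!0-9]*) echo "mgmt_rules: port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "mgmt_rules: port must be 1..65535" >&2; return 1; }
    case "$peer" in
        ''|*[!0-9./]*) echo "mgmt_rules: peer must be an IPv4 address or prefix" >&2; return 1 ;;
    esac

    # A dedicated chain keeps the tunnel policy separate from the rest of INPUT.
    printf 'iptables -N WG_MGMT\n'
    # Replies to connections the device itself opened over the tunnel.
    printf 'iptables -A WG_MGMT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # The one permitted service: new SSH connections from the jump box only.
    printf 'iptables -A WG_MGMT -s %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$peer" "$port"
    # Anything else arriving from the tunnel to the local device is dropped.
    printf 'iptables -A WG_MGMT -j DROP\n'
    # Only packets entering on the tunnel interface are sent to the chain, so
    # on-site LAN hosts reaching the admin interface are never evaluated by it.
    printf 'iptables -I INPUT -i %s -j WG_MGMT\n' "$wg_if"
}

# Stand-alone use: print the rule set for review when called with three arguments.
if [ $# -eq 3 ]; then
    mgmt_rules "$@"
fi
```

Because the chain is only reached through the `-i wg0` jump, the on-site LAN keeps whatever access the existing firewall grants it, which is the distinction the follow-up question asks about; the source-address match is what narrows the tunnel to the single management peer rather than to the whole wg0 subnet.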
    

