I am using Wireguard (interface wg0) for a VPN on a server, where all connected clients have IPv6 addresses assigned by the server (controlled by AllowedIPs).
Let's say we have three clients:
- Client A, with 7767:1::a
- Client B, with 7767:2::b
- Client C, with 7767:2::c
I want to configure the server (i.e. using something like iptables) to allow forwarding between client B and C (since they are on the same subnet, /32), and deny forwarding between client A and B/C (since they are on a different subnet, /32). And I don't want to have to worry about specifying the subnet explicitly, every time a new subnet is used.
Something like this would work (untested):
# 16-bit prefix shared by all VPN clients; each /32 below it is one client subnet
prefix="7767"
# Drop malformed packets, then let replies of already-accepted flows through
ip6tables -A FORWARD -i wg0 -m state --state INVALID -j DROP
ip6tables -A FORWARD -i wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# One ACCEPT rule per possible /32 under the prefix (0x0000 .. 0xffff)
for ((i=0;i<65536;++i))
do
    subnet="$(printf '%s:%x' "$prefix" "$i")"
    ip6tables -A FORWARD -i wg0 -s "$subnet::/32" -d "$subnet::/32" -j ACCEPT
done
# Anything else arriving on wg0 is not forwarded
ip6tables -A FORWARD -i wg0 -j DROP
Is there some generic rule that can be used for this scenario? Or maybe another tool than iptables is better suited for this?
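As an added example (not part of the question or of WireGuard itself): the policy "forward only between addresses that share the same /32" expressed as a check, plus a generator that derives the per-/32 ACCEPT rules from the subnets actually present in the peers' AllowedIPs, so only prefixes in use get a rule rather than all 65536 candidates. The wg0.conf content is constructed for the example and uses placeholder keys.

```python
"""Same-/32 forwarding policy derived from a WireGuard config (example code)."""
import ipaddress

# Constructed sample wg0.conf; keys are placeholders, addresses follow the question.
WG_CONF = """\
[Interface]
Address = 7767::1/16
ListenPort = 51820
PrivateKey = <placeholder-server-key>

[Peer]
PublicKey = <placeholder-key-A>
AllowedIPs = 7767:1::a/128

[Peer]
PublicKey = <placeholder-key-B>
AllowedIPs = 7767:2::b/128

[Peer]
PublicKey = <placeholder-key-C>
AllowedIPs = 7767:2::c/128, 10.0.0.3/32
"""

PREFIX_LEN = 32  # the subnet boundary used in the question

def peer_addresses(conf):
    """Return the IPv6 AllowedIPs networks of every [Peer] section (IPv4 ignored)."""
    addrs, section = [], None
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
        elif section == "[Peer]" and line.startswith("AllowedIPs"):
            for cidr in line.split("=", 1)[1].split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                if net.version == 6:
                    addrs.append(net)
    return addrs

def tenant_subnets(addrs):
    """Collapse peer addresses into the distinct /32 prefixes in use."""
    return sorted({ipaddress.ip_network(f"{a.network_address}/{PREFIX_LEN}", strict=False)
                   for a in addrs})

def same_tenant(src, dst):
    """The generic policy: forward only when src and dst fall in the same /32."""
    s = ipaddress.ip_network(f"{src}/{PREFIX_LEN}", strict=False)
    d = ipaddress.ip_network(f"{dst}/{PREFIX_LEN}", strict=False)
    return s == d

def ip6tables_rules(conf):
    """Emit the question's ruleset with one ACCEPT per /32 actually in use."""
    rules = ["ip6tables -A FORWARD -i wg0 -m state --state INVALID -j DROP",
             "ip6tables -A FORWARD -i wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT"]
    for net in tenant_subnets(peer_addresses(conf)):
        rules.append(f"ip6tables -A FORWARD -i wg0 -s {net} -d {net} -j ACCEPT")
    rules.append("ip6tables -A FORWARD -i wg0 -j DROP")  # default deny
    return rules
```

Re-running the generator whenever a peer is added keeps the ruleset limited to prefixes that exist, and same_tenant() can be used to audit a proposed rule change before applying it.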