0

I need to separate my Wireguard clients into groups/subnets, but I need one "master-group" (subnet) that can reach all clients.

10.11.2.0/24 BestPizzaShop-Town1
10.11.3.0/24 PepperoniPizzaShop-Town2
...
10.11.133.0/24 xxxxShop-Town133

10.11.1.0/16 MASTER group for my own PCs << to rule them all ;-)

The problem:

  • Can not ping/reach any other groups from 10.11.1.x except it's own subnet.

Question:

  • How do I configure that on a Debian 11 VPS using Wireguard-UI?
    (And webmin for iptables firewall configuration.)
  • Is 10.11.252.0/16 better for the "master-group" than 10.11.1.0/16?
  • Or should I list all subnet on server side one by one and create some routes manually?

Plus Requirements:

  • None of the peers should be able to reach internet through the Wireguard server!
  • Peers should be able to reach only each other in the same subnet, no others. (Even if the peer is editing it's own .conf file.)
  • Peers should be able to reach SQL on the server on a localhost port.
  • If possible: the sub-clients should not be able to connect to my master-PCs, only I should be able to start connecting to them.
SzakiLaci
  • 101
  • 3
  • Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers please read word by word, not all has been already included in your question – djdomi May 31 '23 at 05:44
  • @djdomi It is better this way? – SzakiLaci May 31 '23 at 10:55
  • 1
    This is a *very* basic networking questions. Your problem ain't wireguards; it's that you don't understand the role of the network mask. To solve your problem you need routing and a firewall; you can't solve it through netmasks. – vidarlo May 31 '23 at 11:29

0 Answers0