Server-side split tunnelling

Hi there!

There is an Ubuntu VPS used as a Firezone server that is intended to bypass state censorship content blocking for a relatively large group of devices (say, 50).

So here is the question: is there a way to configure split tunnelling on the server itself rather than on the clients?

E.g., to force the server to push the correct routes to the clients on connect and/or to re-route traffic back to the clients' default gateway except for a certain list of IPs.

The reason is that our VPS tariff is limited to a certain amount of traffic, so the goal we would like to achieve is to avoid exceeding the limit and to route traffic through the VPN for the blocked resources only, but with no need for the clients to disconnect the VPN every time they need to access resources that are available without the VPN. I am aware of the fact that it's achievable via the AllowedIPs section on the client, but this way the client is able to edit the config, and so it may lead to traffic overuse. Also, if the list of AllowedIPs changes for some reason, all the client configs have to be recreated and installed on the client side, and that's quite a resource-intensive task.

(reposted to /selfhosted)

I am aware of the fact that it's achievable via the AllowedIPs section on the client, but this way the client is able to edit the config, and so it may lead to traffic overuse.

If a client sends you traffic that you don't want to allow, then you should block (or reject) it in the firewall of the server.
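As an added example of the server-side enforcement this reply suggests (this is not Firezone's own code or configuration), the script below renders and loads an nftables ruleset on the VPS that forwards new flows from the WireGuard interface only when their destination is in an allow-list and rejects everything else from that interface. Assumptions: the interface name (`wg-firezone` is the Firezone 0.x default; check with `wg show`), the allow-list path `/etc/wg-split/allowed-v4.txt`, IPv4 only, and a host where nftables is the active firewall; the sample prefixes are constructed documentation ranges, not real blocked sites.

```shell
#!/bin/sh
# Added example (not Firezone's own code): enforce the allow-list on the VPS.
# Clients may keep AllowedIPs = 0.0.0.0/0; a new flow from the tunnel to any
# destination outside the allow-list is rejected on the server instead of
# being forwarded to the internet, so it cannot eat the traffic quota.
#
# Assumptions (adjust to your host):
#   WG_IF        - the WireGuard interface name on the VPS; "wg-firezone" is
#                  the Firezone 0.x default, check with 'wg show'
#   ALLOWED_FILE - one IPv4 prefix per line; '#' comments and blank lines ignored
WG_IF="${WG_IF:-wg-firezone}"
ALLOWED_FILE="${ALLOWED_FILE:-/etc/wg-split/allowed-v4.txt}"

# render_ruleset IFACE FILE -> prints an nftables ruleset to stdout.
# Only new flows from IFACE whose destination is in the allow-list are
# forwarded; anything else from IFACE is rejected with ICMP admin-prohibited,
# so the client fails fast instead of waiting for a timeout. Return traffic
# for allowed flows is admitted by conntrack state. Traffic that does not
# come from IFACE is untouched (policy accept), so other forwarding on the
# host keeps working.
render_ruleset() {
  iface=$1
  file=$2
  elems=$(grep -Ev '^[[:space:]]*(#|$)' "$file" | paste -s -d ',' - | sed 's/,/, /g')
  if [ -z "$elems" ]; then
    echo "render_ruleset: no prefixes in $file, refusing to render an empty set" >&2
    return 1
  fi
  cat <<EOF
# declare-then-delete: the declaration is a no-op if the table already
# exists, the delete then clears it, and the block below recreates it, all
# in one atomic 'nft -f' transaction, so reloads are idempotent.
table inet wg_split
delete table inet wg_split
table inet wg_split {
  set allowed_v4 {
    type ipv4_addr
    flags interval
    elements = { $elems }
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    ct state established,related accept
    iifname "$iface" ip daddr @allowed_v4 counter accept
    iifname "$iface" counter reject with icmpx type admin-prohibited
  }
}
EOF
}

case "${1:-show}" in
  apply)
    # Load the real allow-list into the kernel (run as root).
    render_ruleset "$WG_IF" "$ALLOWED_FILE" | nft -f -
    ;;
  show)
    # Constructed sample list (documentation prefixes, not real blocked sites)
    # so the script prints a complete ruleset without the real file present.
    tmp=$(mktemp)
    printf '203.0.113.0/24\n# example comment\n198.51.100.7/32\n' > "$tmp"
    render_ruleset "$WG_IF" "$tmp"
    rm -f "$tmp"
    ;;
esac
```

Run it with no argument to review the rendered ruleset, and with `apply` (as root) to load it; `nft list table inet wg_split` then shows the accept and reject counters, which is a quick way to see how much client traffic is being turned away. A separate table with its own forward-hook chain coexists with whatever rules Firezone manages itself, because nftables evaluates every base chain on the hook and a reject in any of them is final. Two caveats for the original question: the rejected packets still arrive at the VPS, so inbound bytes are still counted, and the saving is the response traffic that would have been fetched and sent back; and a client whose config routes everything through the tunnel will simply find the rejected destinations unreachable rather than falling back to its own gateway, because only the client's routing table can decide that. Client-to-client traffic inside the tunnel also crosses the forward hook, so add the tunnel subnet to the allow-list if peers need to reach each other, and add an `allowed_v6` set on `ip6 daddr` if clients use IPv6 through the tunnel (as written, all IPv6 from the interface is rejected).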

I don't know of any way to achieve what you're asking without having some sort of route management on the client's side with WireGuard. It's possible to push routes from the server with OpenVPN, though, because the client handles installing them for you.

You will need to configure the clients to have rules for the blocked IP subnets to route through the WireGuard interface. I'm not aware of any solutions which can do it for you, especially dynamically, because I assume the rules may change in the future.

You could potentially keep updating your clients' WireGuard configs (add more routing rules in AllowedIPs) and ask your clients to manually update, but that might be too much work for them.

Agreed. But I would also like to set it up in a way that the clients wouldn't disconnect from the VPN every time they need to access the resources available without the VPN.

And you can't change AllowedIPs on the client? Then I don't have a solution.

Well, I can, but besides the fact that the client is able to edit the config (which is actually not that problematic), there is another issue with that: if the list of AllowedIPs changes for some reason, all the client configs have to be recreated. Thanks for your advice anyway.

WireGuard doesn't want to step into the area of managing configuration deployment, but these problems are solvable with other tools. Since the WireGuard client setup is just a file, you could restrict its write permissions and use a configuration management tool like Ansible to maintain all clients' consistency centrally. Or set up a sync task on each client that pulls its config from a central location.
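As an added example of the sync task this reply suggests (not WireGuard's or Firezone's own tooling), the script below runs as root on each client, pulls only the prefix list from a central URL, rewrites the AllowedIPs line of the root-owned local config, and applies the difference with `wg syncconf`, which updates a live interface without dropping the tunnel; it then reconciles the kernel routes that wg-quick would otherwise only install at `wg-quick up` time, which is what lets the thread's requirement (no disconnect on a list change) hold. Assumptions, all hypothetical: the list URL `https://vpn.example.invalid/allowed-v4.txt` (the same one-prefix-per-line file an allow-list on the server would use), a wg-quick managed interface `wg0` with a single [Peer] and a single AllowedIPs line, a config with mode 0600 so users cannot edit it, and IPv4 prefixes only; the sample config and list in the demo are constructed.

```shell
#!/bin/sh
# Added example, not WireGuard's or Firezone's own tooling: a root-run sync task
# for each client that keeps its AllowedIPs in step with a central allow-list
# without ever taking the tunnel down. Only the prefix list travels over the
# network; the client's private key stays in its local config.
#
# Assumptions: LIST_URL serves one IPv4 prefix per line over HTTPS from your
# own host (the hostname is hypothetical); the interface is managed by
# wg-quick as $WG_IF with a single [Peer] (the Firezone server) and a single
# AllowedIPs line; the config is root-owned, mode 0600, so users cannot edit it.
export LC_ALL=C
WG_IF="${WG_IF:-wg0}"
CONF="${CONF:-/etc/wireguard/${WG_IF}.conf}"
LIST_URL="${LIST_URL:-https://vpn.example.invalid/allowed-v4.txt}"

# prefixes FILE -> the prefixes of FILE's AllowedIPs line(s), one per line, sorted.
prefixes() {
  sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' | tr -d ' \t' | grep -v '^$' | sort -u
}

# with_allowed_ips CONF LISTFILE -> prints CONF with its AllowedIPs line replaced
# by the prefixes in LISTFILE ('#' comments and blank lines ignored).
with_allowed_ips() {
  list=$(grep -Ev '^[[:space:]]*(#|$)' "$2" | paste -s -d ',' - | sed 's/,/, /g')
  [ -n "$list" ] || { echo "with_allowed_ips: empty list, refusing" >&2; return 1; }
  sed "s|^[[:space:]]*AllowedIPs[[:space:]]*=.*|AllowedIPs = $list|" "$1"
}

# route_plan OLD_CONF NEW_CONF IFACE -> the 'ip route' commands that turn the
# routes wg-quick installed for OLD_CONF into those NEW_CONF needs. Nothing is
# executed here, so the plan can be reviewed (or asserted on) first.
route_plan() {
  old=$(mktemp); new=$(mktemp)
  prefixes "$1" > "$old"
  prefixes "$2" > "$new"
  comm -23 "$old" "$new" | sed "s|^|ip -4 route del |;s|\$| dev $3|"
  comm -13 "$old" "$new" | sed "s|^|ip -4 route add |;s|\$| dev $3|"
  rm -f "$old" "$new"
}

# sync_once: fetch the list, rewrite the config, and apply the difference live.
sync_once() {
  list=$(mktemp); newconf=$(mktemp)
  curl -fsS --proto '=https' --tlsv1.2 -o "$list" "$LIST_URL" || { rm -f "$list" "$newconf"; return 1; }
  with_allowed_ips "$CONF" "$list" > "$newconf" || { rm -f "$list" "$newconf"; return 1; }
  if ! cmp -s "$newconf" "$CONF"; then
    plan=$(route_plan "$CONF" "$newconf" "$WG_IF")
    install -m 0600 -o root -g root "$newconf" "$CONF"
    if printf '%s\n' "$plan" | grep -q '/0 dev'; then
      # A default route entered or left the list: wg-quick sets that up with
      # fwmark + policy routing, so syncconf is not enough; restart the tunnel.
      wg-quick down "$WG_IF" && wg-quick up "$WG_IF"
    else
      # Peer/AllowedIPs update without dropping the session, then fix routes.
      wg-quick strip "$WG_IF" | wg syncconf "$WG_IF" /dev/stdin
      printf '%s\n' "$plan" | sh -e
    fi
  fi
  rm -f "$list" "$newconf"
}

case "${1:-demo}" in
  sync) sync_once ;;
  demo)
    # Constructed sample config and list (documentation prefixes only).
    c=$(mktemp); l=$(mktemp)
    printf '[Interface]\nPrivateKey = REDACTED\nAddress = 10.9.0.2/32\n\n[Peer]\nPublicKey = REDACTED\nEndpoint = vpn.example.invalid:51820\nAllowedIPs = 203.0.113.0/24, 198.51.100.0/24\n' > "$c"
    printf '203.0.113.0/24\n# newly blocked prefix\n192.0.2.0/24\n' > "$l"
    with_allowed_ips "$c" "$l" > "$c.new"
    route_plan "$c" "$c.new" "$WG_IF"
    rm -f "$c" "$c.new" "$l" ;;
esac
```

Run with no argument to see the route plan for the constructed sample (one `del`, one `add`), and schedule `sync` from a root cron entry or systemd timer on each client. Pulling only the prefix list rather than a whole wg-quick file means the central host never has to serve private keys, and a list that goes empty is refused rather than applied, so a broken upload cannot silently route everything through the tunnel. The default-route check is the one case where a live update is not possible: wg-quick implements `0.0.0.0/0` with fwmark and policy routing rather than a plain route, so entering or leaving that mode needs a down/up cycle.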