I have a VM running WireGuard on one node of a six-node cluster. All my VMs have the firewall turned on and we block and allow all the normal stuff and it works well, but...
On the VM that is running WireGuard, the packets on the wg0 interface are not available on the server firewall. If you want to drop or accept these packets you have to do it on the VM's iptables. This is fine, but I really like having the rules outside the VM as I feel it is more secure. I would guess this is not possible, but I figured I would ask.
The rule that I have the trouble with is inbound SSH. I can block the forwarded SSH packets but not the inbound to IPs local to the WireGuard VM.
Thanks for listening. Not a huge deal, I can block on the VM, but just wondering if there is a cool way to somehow add the WireGuard interface to the Proxmox firewall.
-Mark
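The situation described in the post, as an added example that is not part of the original post or of Proxmox: the host firewall only ever sees the encrypted WireGuard UDP stream on the VM's tap interface, while the decrypted packets exist on wg0 inside the guest, so the filter for them has to live in the guest. The script below generates an nftables ruleset for the WireGuard VM that drops new inbound SSH connections addressed to the VM itself when they arrive on wg0, with a separate forward-chain rule for SSH passing through the VM. The interface name wg0, SSH on tcp/22, the table name and the log prefix are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the forum post): nftables ruleset for the WireGuard
# guest. Decrypted tunnel traffic appears only on wg0 inside this VM, so the
# host-level (Proxmox) firewall cannot see it; filtering happens here.
# Assumptions: interface wg0, SSH on tcp/22, table name "wgfilter".

WG_IF="${WG_IF:-wg0}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset as text. Keeping it in a function lets it be reviewed
# (or tested) before it is applied.
wg_ruleset() {
    cat <<EOF
table inet wgfilter {
    chain input {
        type filter hook input priority 0; policy accept;
        # Packets that arrived decrypted on ${WG_IF} and are addressed to this
        # VM: drop new SSH connections and log them so the block is visible.
        iifname "${WG_IF}" tcp dport ${SSH_PORT} ct state new log prefix "wg-ssh-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # SSH forwarded through the VM to other hosts is decided here,
        # independently of the input chain above.
        iifname "${WG_IF}" tcp dport ${SSH_PORT} ct state new drop
    }
}
EOF
}

# Return 0 when the generated ruleset contains the input-chain rule that
# blocks SSH to addresses local to this VM.
ruleset_blocks_local_ssh() {
    wg_ruleset | grep -q 'chain input' &&
    wg_ruleset | grep -q "iifname \"${WG_IF}\" tcp dport ${SSH_PORT} ct state new log"
}

# Apply only when explicitly asked (needs root and nftables inside the guest);
# otherwise just print the ruleset for review.
if [ "${1:-}" = "--apply" ]; then
    wg_ruleset | nft -f -
else
    wg_ruleset
fi
```

Run without arguments to review the generated rules, and with `--apply` inside the guest to load them; `nft list table inet wgfilter` afterwards shows the counters and the log rule, and the dropped attempts show up in the kernel log with the `wg-ssh-drop:` prefix.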