
Comments (7)

Chrzi commented on August 22, 2024

The admin would be able to create multiple configuration templates.

The user would then be able to choose between the different configs (provided by the admin) just like selecting their platform.

from subspace.

jack1902 commented on August 22, 2024

Who would make the decision on who gets split vs full routed configurations? The end user or settings based on user information on the server side?


msebbar commented on August 22, 2024

I just discovered this project and tested it; it works like a charm. It would be nice to have this feature.

  • Different configurations based on templates defined by admin
  • Be able to give access to different subnets depending on users (Is it possible on Wireguard?)


jack1902 commented on August 22, 2024

So in terms of different configurations:

  • Wireguard is designed to provide a secure tunnel from point A to point B
  • Subspace provides Config files which can be used by a peer to connect to the server and become the server (IP Masquerade)

An end user can edit THEIR config client side to push whatever traffic they want to the Server. The server "AllowedIP" piece is to dictate that if I see PublicKey x, it must also have PrivateIP y. Subspace currently does very little in terms of controlling the flow of what goes where other than masquerading the entire Wireguard Interface as the server itself, thus all traffic exiting Subspace appears to be the Server and not a Peer.

If you wanted different routes etc, then you would have to control iptables on the server side based on information about a client's `PublicKey` or `Email`

stepan111 commented on August 22, 2024

@jack1902, currently on the client side I have a default route over the wireguard interface. I suppose that generally it is the admin's responsibility to manage such routes. It would save a lot of time for admins if there were an ability to advertise only specific routes for a group of users over the UI (some kind of simple RBAC on the network layer).

Chrzi commented on August 22, 2024

> The server "AllowedIP" piece is to dictate that if I see PublicKey x, it must also have PrivateIP y. Subspace currently does very little in terms of controlling the flow of what goes where other than masquerading the entire Wireguard Interface as the server itself, thus all traffic exiting Subspace appears to be the Server and not a Peer.
>
> If you wanted different routes etc, then you would have to control iptables on the server side based on information about a client's `PublicKey` or `Email`

Wouldn't it be possible to create different PrivateIP subnets per group/config template? Because wireguard ensures that the client is using an IP from that subnet, it would be easy to generate an iptables rule set that only allows the routes the admin wants for this config.

However I don't think that is necessary, because I would see it like stepan111 as an option to easily advertise specific routes. Sometimes I just don't want to route everything through wireguard, just the IPs of my company.


jack1902 commented on August 22, 2024

Currently, due to the way this project is laid out, it literally generates some configs and adds a rule to iptables to allow the whole subnet access. In order to achieve what you are asking it would need a major overhaul (something I currently don't have the time to achieve, unless others are willing to create a PR as a POC of what you are asking for).

Wireguard doesn't "ensure" that a client is using an IP from a specific subnet; you can actually assign the same PrivateIP to two clients and wireguard will work (it will cause all sorts of network packet loss, but that's beside the point). Subspace is ensuring that each client gets a unique IP Address to ensure that never happens. If you wanted to create different routes based on IP Address using a single Wireguard interface you would need to configure iptables (something that isn't currently done outside of a few simple commands in the docker container's entrypoint).

Ideally all these commands would be executed by something like go-iptables but that requires changes to subspace which I currently don't have the time to dedicate (it requires frontend additions as well to support the features you are asking for, and this project doesn't use any JavaScript which makes this really frustrating to add).

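The per-template subnet idea discussed in this thread, as an added example (not code from the thread or from Subspace): each admin-defined template gets its own peer address pool, and the server generates FORWARD rules that allow only that pool's routes, so the restriction holds even if a user edits the client-side config. The `Template` type, the `wg0` interface name and all addresses are assumptions made for illustration; IPv4 only.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Template is a hypothetical admin-defined group: a peer address pool plus allowed routes.
type Template struct {
	Name, Pool string
	Routes     []string
}

// ForwardRules returns FORWARD-chain rule specs (arguments for iptables -A FORWARD)
// that accept each pool's routes on iface and drop everything else from the tunnel.
func ForwardRules(iface string, ts []Template) ([][]string, error) {
	var rules [][]string
	var pools []netip.Prefix
	for _, t := range ts {
		pool, err := netip.ParsePrefix(t.Pool) // reject malformed CIDRs early
		if err != nil {
			return nil, err
		}
		for _, o := range pools { // overlapping pools would merge two groups' access
			if pool.Overlaps(o) {
				return nil, fmt.Errorf("pool %s of %q overlaps %s", pool, t.Name, o)
			}
		}
		pools = append(pools, pool)
		for _, r := range t.Routes {
			dst, err := netip.ParsePrefix(r)
			if err != nil {
				return nil, err
			}
			rules = append(rules, []string{"-i", iface, "-s", pool.String(), "-d", dst.String(), "-j", "ACCEPT"})
		}
	}
	// Anything arriving from the tunnel that no template allows is dropped.
	return append(rules, []string{"-i", iface, "-j", "DROP"}), nil
}

func main() {
	// Constructed sample template; not a Subspace default.
	ts := []Template{{"staff", "10.0.10.0/25", []string{"192.168.10.0/24"}}}
	rules, _ := ForwardRules("wg0", ts)
	for _, r := range rules {
		fmt.Println("iptables -A FORWARD", strings.Join(r, " "))
	}
}
```

iptables evaluates rules in order, so these only restrict anything if they are reached before a rule that accepts the whole WireGuard subnet. The same route list can also be written into the client's `AllowedIPs` for split tunnelling, but that copy is only advisory.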
