
Comment by cobertos

16 hours ago

Any idea on how to segment a VPN between friends? I have a few critical servers on my VPN I only want one or two devices to access, but no other devices. Mostly so that in case a rogue device enters or a friend gets hacked, there's no access to my sensitive services.

In my case I simply create two WireGuard tunnels (one called "vpn", the other called "guest") and use firewall rules to block all traffic from the "guest" tunnel to all services except the one that should be "public" (in my case a Minecraft server).

I think you could technically do it with a single tunnel by using firewall rules that refer to the IP address of the single peer, but it's less convenient.

NOTE: I also added a dedicated dnsmasq instance only for the "guest" tunnel so that they have DNS working and can use hostnames instead of IP addresses.

This setup is trivial with both OpenWrt and OPNsense, but it should be doable also with a manual setup.
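The manual version of the two-tunnel layout described above, as an added example that is not the commenter's own configuration: a POSIX shell script for a Linux router that emits the guest WireGuard config, an nftables ruleset keyed on the guest interface, and a dnsmasq config bound only to that interface. The interface names, subnets, ports and hostname are assumed placeholders (wg-guest, 10.9.0.0/24, 192.168.1.10, 25565, mc.home.lan); the key values are placeholders to be replaced.

```shell
#!/bin/sh
# Added example (not the commenter's config): a "guest" WireGuard tunnel on a
# Linux router, confined by nftables to a single service, with its own dnsmasq.
# Every name, address and port below is an assumption; override via environment.

GUEST_IF=${GUEST_IF:-wg-guest}            # guest tunnel interface (assumed)
GUEST_GW=${GUEST_GW:-10.9.0.1}            # router's address inside the guest tunnel
GUEST_PORT=${GUEST_PORT:-51821}           # UDP listen port for the guest tunnel
PUBLIC_HOST=${PUBLIC_HOST:-192.168.1.10}  # the one LAN server guests may reach
PUBLIC_PORT=${PUBLIC_PORT:-25565}         # Minecraft's default TCP port
PUBLIC_NAME=${PUBLIC_NAME:-mc.home.lan}   # hostname handed out to guests (assumed)

# WireGuard config for the guest tunnel. Each guest peer gets a /32, so rules
# can later be keyed per device (ip saddr 10.9.0.2) instead of per tunnel.
guest_wg_conf() {
    cat <<EOF
[Interface]
Address = ${GUEST_GW}/24
ListenPort = ${GUEST_PORT}
PrivateKey = <ROUTER_GUEST_PRIVATE_KEY>

[Peer]
# friend's device (placeholder key)
PublicKey = <FRIEND_PUBLIC_KEY>
AllowedIPs = 10.9.0.2/32
EOF
}

# nftables ruleset: traffic entering on the guest interface may reach only the
# public service (forward) and the guest-only resolver on the router (input);
# everything else is counted, logged and dropped. The "vpn" tunnel is untouched
# because every rule matches on the guest interface name.
guest_nft_ruleset() {
    cat <<EOF
table inet guest_vpn {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "${GUEST_IF}" ct state established,related accept
        iifname "${GUEST_IF}" ip daddr ${PUBLIC_HOST} tcp dport ${PUBLIC_PORT} accept
        iifname "${GUEST_IF}" counter log prefix "guest-vpn drop: " drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "${GUEST_IF}" ip daddr ${GUEST_GW} udp dport 53 accept
        iifname "${GUEST_IF}" ip daddr ${GUEST_GW} tcp dport 53 accept
        iifname "${GUEST_IF}" counter log prefix "guest-vpn drop: " drop
    }
}
EOF
}

# Second dnsmasq instance bound only to the guest tunnel. It answers the public
# hostname from its own config and, with no-resolv, never consults the router's
# /etc/resolv.conf, so the LAN's internal resolver (and its names) stay hidden.
guest_dnsmasq_conf() {
    cat <<EOF
# guest-only resolver; start with: dnsmasq --conf-file=/etc/dnsmasq-guest.conf
interface=${GUEST_IF}
bind-interfaces
pid-file=/run/dnsmasq-guest.pid
no-hosts
no-resolv
address=/${PUBLIC_NAME}/${PUBLIC_HOST}
server=9.9.9.9
EOF
}

# Usage on the router (as root):
#   sh guest.sh wg  > /etc/wireguard/${GUEST_IF}.conf && wg-quick up ${GUEST_IF}
#   sh guest.sh nft | nft -f -
#   sh guest.sh dns > /etc/dnsmasq-guest.conf && dnsmasq --conf-file=/etc/dnsmasq-guest.conf
case "${1:-}" in
    wg)  guest_wg_conf ;;
    nft) guest_nft_ruleset ;;
    dns) guest_dnsmasq_conf ;;
esac
```

One caveat worth knowing before trusting the ruleset: nftables evaluates every table independently, so the `accept` in `guest_vpn` does not override a `drop` policy in an existing forward chain; if your main table already drops forwarded traffic by default, the same Minecraft accept has to be added there too. The `counter log` on the drop rules is what turns a friend's compromised device into something you can see in the kernel log, rather than silently blocked traffic.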

You can do this on Tailscale with their ACLs. It is super flexible for nailing down exactly which users/devices can talk to what on your network.