nat – WireGuard: cannot delete iptables rule for default route


Since I don’t want friends and colleagues in my VPN to use my VPN server as a proxy VPN for “anonymous” surfing, I want to disable the default route for the VPN. In a nutshell:

  • LAN (10.20.0.0/24) must be accessible
  • WAN (0.0.0.0/0) must be inaccessible

I was unable to find a WireGuard setting to do this except configuring the AllowedIPs directive in the client config. But what kind of security does that provide?? Anyone can easily edit his/her config, replace 10.20.0.0/24 with 0.0.0.0/0, and use my VPN as a proxy…

My next approach was to delete the iptables rule that permits the forwarding from the VPN subnet to the WAN. But somehow I cannot delete the affected rule. If I create a similar rule (same subnet, same policy) I can delete it, but I am prevented from deleting the WireGuard rule somehow.

The rule in question has been marked with --> in the following output:

root@(...):~# iptables -L FORWARD

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ...
    ACCEPT     all  --  anywhere             10.6.0.0/24          ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere             /* wireguard-forward-rule */

Commands that I have tried to get rid of this rule:

root@(...):~# iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).

If I add the same rule again (without the comment):

root@(...):~# iptables -L FORWARD

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ...
    ACCEPT     all  --  anywhere             10.6.0.0/24          ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere             /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere

root@(...):~# iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT
root@(...):~#

No problem… 😐

Note: If you need further logs/output, please let me know. Thanks in advance!


FINAL ANSWER:
WireGuard also specifies interfaces and a comment. These have to be an exact match when deleting rules. You can see the full list of arguments using iptables with the -v option.

The command that finally removed the rule was:

iptables -D FORWARD -i wg0 -o wlan0 -s 10.6.0.0/24 -m comment --comment "wireguard-forward-rule" -j ACCEPT
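An added example (not part of the question or the answer above, and not WireGuard's own code) that shows why the naive `-D` missed the rule and how to derive the exact delete command mechanically. `iptables -S CHAIN` prints every stored rule in command form, so the script parses such a listing, reports which stored rule a given `-D` command would actually hit, and emits an exact `-D` for every rule carrying a given comment. The listing is a constructed sample modelled on the output shown above (the `-o wlan0` interface, the `-m conntrack` return rule and the bare hand-added rule are assumptions about what the poster's host had); the LAN prefix 10.20.0.0/24 comes from the question.

```python
"""Derive exact `iptables -D` commands from `iptables -S` output.

iptables deletes a rule only when chain, target and every match in the
delete command (source, destination, -i/-o interfaces, comment, conntrack
state, ...) are identical to the stored rule. A `-D` that omits the
interfaces and the comment therefore names a different rule and fails with
"Bad rule", while a bare rule added by hand is matched and removed.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `iptables -S FORWARD` (not captured from the poster's
# host). Rules 1 and 2 are the kind a WireGuard PostUp hook installs, with
# interfaces and a comment; rule 3 is the bare rule added by hand.
SAMPLE_FORWARD_RULES = """\
-P FORWARD DROP
-A FORWARD -s 10.6.0.0/24 -i wg0 -o wlan0 -m comment --comment "wireguard-forward-rule" -j ACCEPT
-A FORWARD -d 10.6.0.0/24 -i wlan0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "wireguard-forward-rule" -j ACCEPT
-A FORWARD -s 10.6.0.0/24 -j ACCEPT
"""

# Options that take one value. `-m` only selects a match module; its
# --option carries the actual match, so `-m <name>` is skipped when parsing.
VALUE_OPTIONS = {"-s", "-d", "-i", "-o", "-p", "-j", "--comment", "--ctstate"}


@dataclass
class Rule:
    chain: str
    fields: Dict[str, str]  # option -> value, e.g. {"-s": "10.6.0.0/24", "-i": "wg0"}

    def to_command(self, action: str) -> str:
        """Render as `iptables <action> CHAIN ...` with every match restored."""
        argv = ["iptables", action, self.chain]
        for opt in ("-s", "-d", "-i", "-o", "-p"):
            if opt in self.fields:
                argv += [opt, self.fields[opt]]
        if "--ctstate" in self.fields:
            argv += ["-m", "conntrack", "--ctstate", self.fields["--ctstate"]]
        if "--comment" in self.fields:
            argv += ["-m", "comment", "--comment", self.fields["--comment"]]
        argv += ["-j", self.fields["-j"]]
        return shlex.join(argv)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one `-A CHAIN ...` or `-D CHAIN ...` line; `-P`/`-N` lines give None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] not in ("-A", "-D"):
        return None
    chain, fields, i = tokens[1], {}, 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-m":            # module selector: skip it and the module name
            i += 2
            continue
        if tok in VALUE_OPTIONS:
            fields[tok] = tokens[i + 1]
            i += 2
            continue
        raise ValueError(f"unsupported option {tok!r} in: {line}")
    return Rule(chain, fields)


def parse_listing(listing: str) -> List[Rule]:
    rules = [parse_rule(line) for line in listing.splitlines() if line.strip()]
    return [r for r in rules if r is not None]


def rules_matching(listing: str, delete_cmd: str) -> List[Rule]:
    """Stored rules that an `iptables -D ...` command would hit (exact match only)."""
    spec = parse_rule(delete_cmd.replace("iptables ", "", 1))
    return [r for r in parse_listing(listing) if r == spec]


def exact_delete_commands(listing: str, comment: str) -> List[str]:
    """Exact -D command for every stored rule carrying `comment`."""
    return [r.to_command("-D") for r in parse_listing(listing)
            if r.fields.get("--comment") == comment]


def lan_only_replacement(rule: Rule, lan_cidr: str) -> str:
    """Replacement for the deleted forward rule: same source, interfaces and
    comment, but the destination pinned to the LAN, so traffic towards the WAN
    falls through to the chain's DROP policy. Keeps the original -o; adjust it
    if the LAN sits on another interface (assumption, not stated on the page).
    """
    return Rule(rule.chain, {**rule.fields, "-d": lan_cidr}).to_command("-A")


if __name__ == "__main__":
    naive = "iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT"
    hits = rules_matching(SAMPLE_FORWARD_RULES, naive)
    print("naive delete would remove:", [r.to_command("-A") for r in hits])
    for cmd in exact_delete_commands(SAMPLE_FORWARD_RULES, "wireguard-forward-rule"):
        print(cmd)
    wg_rule = parse_listing(SAMPLE_FORWARD_RULES)[0]
    print(lan_only_replacement(wg_rule, "10.20.0.0/24"))
```

Running it against the sample shows the naive `-D` matching only the bare hand-added rule, which is exactly the behaviour in the question, and prints the exact `-D` line for each commented rule. Because the emitted commands are rebuilt from the stored rule rather than retyped, they cannot miss an interface or comment; in practice the same effect is had by copying the line from `iptables -S FORWARD` and changing `-A` to `-D`.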