Netmaker sets up peer to peer networks, disregarding gateways for the moment. Once the peers have received their configuration the server is not involved in peer to peer communications, so there is no way for the server to block comms. If, as you said, someone modified their allowed IPs to add a node it would work temporarily. Netmaker sends updates to the peers periodically, so the change made to get around the ACL would have to be reapplied every time the server sends a periodic peer update.
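A drift check for the situation this reply describes, as an added example that is not part of the discussion and not Netmaker's code: it compares the allowed IPs a node actually has loaded (the output format of `wg show <interface> allowed-ips`) with what the server intended for it. The peer keys, the addresses and the shape of the `EXPECTED` mapping are constructed assumptions.

```python
import ipaddress

def parse_allowed_ips(dump: str) -> dict:
    """Parse `wg show <iface> allowed-ips` output: '<pubkey>\\t<cidr> <cidr> ...'."""
    peers = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        key, _, cidrs = line.partition("\t")
        # A peer with no allowed IPs is printed as "(none)".
        peers[key.strip()] = {
            ipaddress.ip_network(c, strict=False)
            for c in cidrs.split() if c != "(none)"
        }
    return peers

def find_drift(expected: dict, live: dict) -> list:
    """Return (pubkey, network, reason) for each live prefix the server did not grant."""
    findings = []
    for key, nets in live.items():
        granted = expected.get(key, set())
        reason = "extra allowed-ip" if key in expected else "unknown peer"
        for net in sorted(nets, key=str):
            # Covered only if it sits inside a granted prefix of the same IP version.
            covered = any(net.version == g.version and net.subnet_of(g) for g in granted)
            if not covered:
                findings.append((key, str(net), reason))
    return findings

# Constructed sample: what the server intended for this node (assumed format).
EXPECTED = {
    "PEER_A_KEY_PLACEHOLDER": {ipaddress.ip_network("10.20.0.2/32")},
    "PEER_B_KEY_PLACEHOLDER": {ipaddress.ip_network("10.20.0.3/32")},
}

# Constructed sample of `wg show <iface> allowed-ips` after a local edit:
# peer A gained 10.20.0.9/32 and peer C was added by hand.
LIVE_DUMP = (
    "PEER_A_KEY_PLACEHOLDER\t10.20.0.2/32 10.20.0.9/32\n"
    "PEER_B_KEY_PLACEHOLDER\t10.20.0.3/32\n"
    "PEER_C_KEY_PLACEHOLDER\t10.20.0.7/32\n"
)

if __name__ == "__main__":
    for pubkey, net, why in find_drift(EXPECTED, parse_allowed_ips(LIVE_DUMP)):
        print(f"DRIFT {why}: peer={pubkey} allowed-ip={net}")
```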
Hello,
I am interested in netmaker because of the ACLs (Access Control Lists).
At the moment I am not sure if the communication permissions are configured client-side or server-side, so it would be great if someone could give some clarification.
I have this question because in the normal WireGuard confs there is an "Allowed IPs" entry which can be changed client-side. (My setup is not using netmaker yet.)
So does netmaker only change this "allowed ips" setting for every client, and the netmaker client pulls these settings?
This would be bad because then someone could manually change the setting client-side and still reach devices which were denied in the netmaker UI.
I hope my explanation was understandable. :)
Just wanted to be sure that netmaker restricts connections server-side, independent of configurations on the client side.