* Route all traffic to one IP _only_ via wireguard
From: reiner otto @ 2018-04-28 10:07 UTC (permalink / raw)
To: wireguard
My basic setup of wg works, I can ssh from/to server or client.
But the real goal is to tunnel only traffic with a specific destination IP
via wireguard from client to server.
I.e. a local router, which allows direct access to the web,
_BUT_ all traffic going to the corporate server using wireguard only.
Corporate server (public 1.2.3.4) == wireguard server (172.16.0.1).
I tried various settings on my client, like
ip route add 1.2.3.4 dev wg0
ip route add 1.2.3.4 via 172.16.0.1
etc.
but nothing worked.
Any help really appreciated.
---
wg0.conf on server (1.2.3.4):
[Interface]
ListenPort = 1234
PrivateKey = secret
[Peer]
PublicKey = secret
AllowedIPs = 172.16.0.0/16
-
wg0.conf on client (172.16.18.31):
[Interface]
PrivateKey = secret
ListenPort = 1234
[Peer]
PublicKey = secret
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:1234
* Re: Route all traffic to one IP _only_ via wireguard
From: Eric Light @ 2018-04-28 13:49 UTC (permalink / raw)
To: reiner otto, wireguard
Hi Reiner!
I think the problem here is your client's AllowedIPs section. If you only want to access one address, you only enter that target IP - not the whole internet space (0.0.0.0/0). That's why everything is being routed out via your wg0.
So you should change that client AllowedIPs to 172.16.0.1/32, and that'll fix it. Alternatively, set it to /24 if you also want access to other devices within the corporate LAN... That's how I do it.
I think that's all you need. Sorry if I've missed something! :)
E
--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
* Re: Route all traffic to one IP _only_ via wireguard
From: Eddie @ 2018-04-28 19:07 UTC (permalink / raw)
To: Eric Light, reiner otto, wireguard
I didn't think that AllowedIPs would filter traffic like that. But
could be wrong. :-)
Here's my take on your problem:
Add "Table = off" and "FwMark = 1234 (or other value)" to the wg config,
which will stop the routing tables being updated and add the routing
mark to all encrypted packets.
Then you will need a new ip rule table, that runs ahead of "main" that
selects all traffic with the fwmark from wg and routes that directly to
your external interface. Something like:
from all fwmark 1234 lookup net
net:
default via <gateway ip> dev <external interface>
Then add a new rule to main, that routes ip 1.2.3.4 out via the wg
interface.
Cheers.
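Eddie's fwmark/policy-routing approach scripted end to end, as an added example (not code from the thread or from the WireGuard project) for a client driven by plain wg and ip rather than wg-quick. Assumptions: the addresses and mark from the thread, numeric table 100 standing in for the named table "net" (a name would need an /etc/iproute2/rt_tables entry), and a wg0.conf without a Table= key, since that is a wg-quick key and the mark is set here with wg set instead.

```shell
#!/bin/sh
# Added example, not code from the thread: Eddie's policy-routing approach
# scripted for a client that uses plain wg/ip (no wg-quick). Assumed values
# follow the thread: server 1.2.3.4, tunnel address 172.16.18.31/16,
# fwmark 1234; routing table 100 stands in for Eddie's named table "net".
# Without WG_APPLY=1 the commands are printed instead of executed.
SERVER_IP="1.2.3.4"
TUNNEL_ADDR="172.16.18.31/16"
FWMARK="1234"
TABLE="100"
WG_CONF="/etc/wireguard/wg0.conf"

run() {
    if [ "${WG_APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Route only $SERVER_IP into wg0 while the encrypted UDP packets, which go
# to that same IP, are forced out of the physical uplink ($2 via gateway $1).
policy_route_commands() {
    gw="$1"; ext="$2"
    run ip link add wg0 type wireguard
    run wg setconf wg0 "$WG_CONF"
    run wg set wg0 fwmark "$FWMARK"          # mark every encrypted packet
    run ip address add "$TUNNEL_ADDR" dev wg0
    run ip link set wg0 up
    # Table 100 is consulted before main: marked packets use the uplink.
    run ip route add default via "$gw" dev "$ext" table "$TABLE"
    run ip rule add fwmark "$FWMARK" lookup "$TABLE" pref 100
    # Main table: plaintext traffic for the server enters the tunnel. Without
    # the rule above this route would also swallow the encrypted packets.
    run ip route add "$SERVER_IP/32" dev wg0
}

# Check `ip rule show` output (passed as text so it can be tested offline):
# the fwmark rule must carry a lower preference than the "lookup main" rule,
# otherwise the encrypted packets still loop back into wg0.
fwmark_rule_precedes_main() {
    mark_pref=$(printf '%s\n' "$1" | awk -v t="$TABLE" '/fwmark/ && $0 ~ ("lookup " t "$") { sub(":", "", $1); print $1; exit }')
    main_pref=$(printf '%s\n' "$1" | awk '/lookup main/ { sub(":", "", $1); print $1; exit }')
    [ -n "$mark_pref" ] && [ -n "$main_pref" ] && [ "$mark_pref" -lt "$main_pref" ]
}

# Uplink gateway and interface below are placeholders for the sample run.
policy_route_commands 192.0.2.1 eth0
```

After applying, `ip rule show` piped into fwmark_rule_precedes_main confirms the rule order before any traffic is sent to 1.2.3.4.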
* Re: Route all traffic to one IP _only_ via wireguard
From: Eric Light @ 2018-04-29 15:19 UTC (permalink / raw)
To: Eddie, reiner otto, wireguard
Hi Eddie and Reiner,
I might be misunderstanding the request, but...
> the real goal is to tunnel only traffic with a specific destination IP via wireguard from client to server.
Isn't this just asking the same as:
> I only want to use wg0 for x.x.x.x/32, and I want to use eth0 for everything else
If I'm reading that right, I believe it's a simple matter of changing the scope of his AllowedIPs, so his traffic is routed via the correct interfaces. No iptables or packet marks required.
Reiner - have I misunderstood your question? I've assumed you're using wg-quick?
E
--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
* Re: Route all traffic to one IP _only_ via wireguard
From: reiner otto @ 2018-04-29 21:04 UTC (permalink / raw)
To: Eddie, reiner otto, wireguard, Eric Light
Hi Eric, yes,
> I only want to use wg0 for x.x.x.x/32, and I want to use eth0 for everything else
this is correct.
No wg-quick used, as the client OS is OpenWrt.
I suspect the problem is that the IP of my endpoint is also the IP whose traffic I want to route via wg0.
Or, in other words, Endpoint=1.2.3.4, and I want all traffic to 1.2.3.4 from my router to be routed via wg0.
I have found a working version, still under investigation/test:
wg0-client, wireguard_up.sh:
#!/bin/sh
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip address add 172.16.18.31/16 dev wg0
ip link set mtu 1420 dev wg0
ip link set wg0 up
sleep 10 # sometimes helps with async ops
iptables -t nat -I POSTROUTING -o wg0 -j MASQUERADE
sleep 10 # sometimes helps with async ops
ping -c 3 172.16.0.1 # to force some traffic to server, persistent connection to be established (??)
# NAT rules are evaluated only for a flow's first packet, so the tunnel's own
# UDP flow to 1.2.3.4 (already in conntrack after the ping above) is left alone.
iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to-destination 172.16.0.1 # wg0 on server has 172.16.0.1
ping -c 3 1.2.3.4
wg0-client, wg0.conf:
[Interface]
PrivateKey = ....
ListenPort = 5555
[Peer]
PublicKey = ....
AllowedIPs = 172.16.0.0/16
Endpoint = 1.2.3.4:5555
PersistentKeepalive = 25