WireGuard Archive on lore.kernel.org
 help / color / Atom feed
* more specific routes for IPs added to "AllowedIPs =" ?
@ 2020-09-30 22:42 PGNet Dev
       [not found] ` <CAHwJnhEt0=uBBNmtK2GtTrq-QRvvBMOxPwHu+yUJg=Pwm7g0wA@mail.gmail.com>
  2020-10-01 16:51 ` Roman Mamedov
  0 siblings, 2 replies; 3+ messages in thread
From: PGNet Dev @ 2020-09-30 22:42 UTC (permalink / raw)
  To: wireguard

I've two linux machines connected with wg.

 Machine #1 is a remote VM, & connects to the public 'net.

 Machine #2 is local, on my LAN.

To date, they've only routed internal traffic. Nice -n- easy.

I'm adding forwarding of specific EXTERNAL traffic from the 'net, received at Machine #1, to port-specific services, on the LAN.

E.g. a 'listener' on a local lan machine, @ ip 10.0.0.1 port 11111

On the local end of the VPN, for any external IP that needs to traverse the VPN link, adding the specific IP to

	AllowedIPs = ... X.X.X.X

works.  Traffic flows.

BUT, that adds a local route

	X.X.X.X dev wg0 scope link

so ALL local traffic from local lan to that IP, e.g. an ssh session, gets routed BACK via that new route over the VPN.

I'd like to limit that -- so that ONLY traffic from the 'net to that local listener on ip 10.0.0.1 port 11111 is routed back via the VPN; all _other_ traffic to the originating IP (e.g., that ssh connection), gets routed over my normal default route.

What's the cleanest way -- in wireguard config -- to

	(a) allow any/all IPs over the VPN
	(b) limit the route to the specific ip target/port

So far, I seem to _need_ that originating IP in the "allowedips ="; which creates the 'overreaching' route ...

I'm guessing some judicious use of PostUp/Down routes set?




^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: more specific routes for IPs added to "AllowedIPs =" ?
       [not found] ` <CAHwJnhEt0=uBBNmtK2GtTrq-QRvvBMOxPwHu+yUJg=Pwm7g0wA@mail.gmail.com>
@ 2020-10-01 14:38   ` PGNet Dev
  0 siblings, 0 replies; 3+ messages in thread
From: PGNet Dev @ 2020-10-01 14:38 UTC (permalink / raw)
  To: B K E; +Cc: wireguard

On 10/1/20 6:07 AM, B K E wrote:
>  it's probably the easiest to let wg-quick do its work, then by hand modify the routes so they are correct, and then put the necessary route commands in a PostUp script.

yep.

Once I figured out that on _linux_, turning OFF auto-route generation is done with

	Table = off

not

	route-allowed-ips = false

turning it OFF, then simply generating _required_ routes, and adding fw restrictions, in PostUp/PostDown works well enough.

It's a _bit_ messy, but seems the most straighforward.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: more specific routes for IPs added to "AllowedIPs =" ?
  2020-09-30 22:42 more specific routes for IPs added to "AllowedIPs =" ? PGNet Dev
       [not found] ` <CAHwJnhEt0=uBBNmtK2GtTrq-QRvvBMOxPwHu+yUJg=Pwm7g0wA@mail.gmail.com>
@ 2020-10-01 16:51 ` Roman Mamedov
  1 sibling, 0 replies; 3+ messages in thread
From: Roman Mamedov @ 2020-10-01 16:51 UTC (permalink / raw)
  To: PGNet Dev; +Cc: wireguard

On Wed, 30 Sep 2020 15:42:19 -0700
PGNet Dev <pgnet.dev@gmail.com> wrote:

> I've two linux machines connected with wg.
> 
>  Machine #1 is a remote VM, & connects to the public 'net.
> 
>  Machine #2 is local, on my LAN.
> 
> To date, they've only routed internal traffic. Nice -n- easy.
> 
> I'm adding forwarding of specific EXTERNAL traffic from the 'net, received at Machine #1, to port-specific services, on the LAN.
> 
> E.g. a 'listener' on a local lan machine, @ ip 10.0.0.1 port 11111
> 
> On the local end of the VPN, for any external IP that needs to traverse the VPN link, adding the specific IP to
> 
> 	AllowedIPs = ... X.X.X.X
> 
> works.  Traffic flows.
> 
> BUT, that adds a local route
>
> 	X.X.X.X dev wg0 scope link
> 

"That" is called wg-quick. For any sort of non-basic usage, I suggest going
with "wg" directly. "wg" does not add any routes or IPs, it only sets up the
encrypted tunnel. The rest is completely up to you. Make your own wrapper
around it, that only does exactly what you need and nothing more.


> so ALL local traffic from local lan to that IP, e.g. an ssh session, gets routed BACK via that new route over the VPN.
> 
> I'd like to limit that -- so that ONLY traffic from the 'net to that local listener on ip 10.0.0.1 port 11111 is routed back via the VPN; all _other_ traffic to the originating IP (e.g., that ssh connection), gets routed over my normal default route.
> 
> What's the cleanest way -- in wireguard config -- to
> 
> 	(a) allow any/all IPs over the VPN
> 	(b) limit the route to the specific ip target/port
> 
> So far, I seem to _need_ that originating IP in the "allowedips ="; which creates the 'overreaching' route ...
> 
> I'm guessing some judicious use of PostUp/Down routes set?
> 
> 


-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-30 22:42 more specific routes for IPs added to "AllowedIPs =" ? PGNet Dev
     [not found] ` <CAHwJnhEt0=uBBNmtK2GtTrq-QRvvBMOxPwHu+yUJg=Pwm7g0wA@mail.gmail.com>
2020-10-01 14:38   ` PGNet Dev
2020-10-01 16:51 ` Roman Mamedov

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git