To: wireguard@lists.zx2c4.com
From: PGNet Dev
Subject: more specific routes for IPs added to "AllowedIPs =" ?
Message-ID: <8e81c9fc-b43c-235f-5c6a-335c736d9f5e@gmail.com>
Date: Wed, 30 Sep 2020 15:42:19 -0700
List-Id: Development discussion of WireGuard

I've two linux machines connected with wg.

Machine #1 is a remote VM, & connects to the public 'net.
Machine #2 is local, on my LAN.

To date, they've only routed internal traffic. Nice -n- easy.

I'm adding forwarding of specific EXTERNAL traffic from the 'net, received at Machine #1, to port-specific services on the LAN. E.g. a 'listener' on a local LAN machine, @ ip 10.0.0.1 port 11111.

On the local end of the VPN, for any external IP that needs to traverse the VPN link, adding the specific IP to

    AllowedIPs = ... X.X.X.X

works. Traffic flows.

BUT, that adds a local route

    X.X.X.X dev wg0 scope link

so ALL local traffic from the local LAN to that IP, e.g. an ssh session, gets routed BACK via that new route over the VPN.

I'd like to limit that -- so that ONLY traffic from the 'net to that local listener on ip 10.0.0.1 port 11111 is routed back via the VPN; all _other_ traffic to the originating IP (e.g., that ssh connection) gets routed over my normal default route.

What's the cleanest way -- in wireguard config -- to

(a) allow any/all IPs over the VPN
(b) limit the route to the specific ip target/port

So far, I seem to _need_ that originating IP in the "allowedips ="; which creates the 'overreaching' route ...

I'm guessing some judicious use of PostUp/Down routes set?
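One way to get both (a) and (b) on the LAN-side machine (Machine #2) with wg-quick, as an added example that is not part of the original post and not configuration from the WireGuard project itself: leave the cryptokey routing wide open with AllowedIPs = 0.0.0.0/0 so any external source address is accepted from the VM peer, set Table = off so wg-quick installs no route at all for that prefix, and use a connection mark so that only replies from the 10.0.0.1:11111 listener are policy-routed back through wg0. The interface name wg0, the tunnel subnet 10.10.0.0/24, routing table 100, mark 0x64, UDP port 51820 and the key/endpoint placeholders are assumptions; the listener address and port come from the question.

```ini
# Added example: wg-quick config for Machine #2 (LAN side). Assumed values:
# tunnel subnet 10.10.0.0/24 (this end 10.10.0.2), LAN listener 10.0.0.1:11111,
# policy routing table 100, fwmark 0x64. Keys and endpoint are placeholders.
[Interface]
Address = 10.10.0.2/24
PrivateKey = <machine-2-private-key>
# wg-quick normally adds a route for every AllowedIPs prefix. "off" suppresses
# that, so the 0.0.0.0/0 below does not replace the default route. The /24 on
# Address still gives the connected route for internal tunnel traffic.
Table = off
# Everything in table 100 goes back through the tunnel, but only packets carrying
# the mark are ever looked up there.
PostUp = ip route add default dev %i table 100
PostUp = ip rule add fwmark 0x64 lookup 100
# Connections that arrive over wg0 for the listener get a connection mark...
PostUp = iptables -t mangle -A PREROUTING -i %i -p tcp -d 10.0.0.1 --dport 11111 -j CONNMARK --set-mark 0x64
# ...and the listener's replies inherit it as a packet mark before the routing
# decision, so the fwmark rule sends them via wg0. Any other flow to the same
# external IP (an ssh session from the LAN, say) stays on the main table.
PostUp = iptables -t mangle -A PREROUTING -s 10.0.0.1 -p tcp --sport 11111 -j CONNMARK --restore-mark
# Packets from arbitrary Internet sources enter on wg0 while the main table
# would reach those sources via the default route; strict reverse-path
# filtering (rp_filter=1) drops them, loose (2) accepts them.
PostUp = sysctl -w net.ipv4.conf.%i.rp_filter=2
PostUp = sysctl -w net.ipv4.ip_forward=1
# Tear down in PreDown: wg-quick deletes the interface before PostDown runs,
# and the table-100 route would already be gone by then.
PreDown = iptables -t mangle -D PREROUTING -s 10.0.0.1 -p tcp --sport 11111 -j CONNMARK --restore-mark
PreDown = iptables -t mangle -D PREROUTING -i %i -p tcp -d 10.0.0.1 --dport 11111 -j CONNMARK --set-mark 0x64
PreDown = ip rule del fwmark 0x64 lookup 100
PreDown = ip route del default dev %i table 100

[Peer]
PublicKey = <machine-1-public-key>
Endpoint = <machine-1-public-ip>:51820
# Accept any source address decrypted from the VM peer. With Table = off this
# no longer creates the "X.X.X.X dev wg0" route that the question describes.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Two checks after `wg-quick up wg0`: `ip rule show` should list the fwmark rule ahead of the main table, and `ip route show table 100` should contain only the tunnel default. The mark trick assumes the listener at 10.0.0.1 sends its replies through Machine #2 (because Machine #2 is its default gateway or has a specific route there); if it does not, the replies never reach wg0 regardless of the marking, and adding a source NAT on Machine #2 does not remove the need for the mark, since the reverse translation happens before routing and the packet is again addressed to the external IP.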