WireGuard Archive on lore.kernel.org
 help / Atom feed
* Access to existing services on host, Wireguard for new outbound connections
@ 2018-12-17  4:25 Paul Chambers
  0 siblings, 0 replies; 1+ messages in thread
From: Paul Chambers @ 2018-12-17  4:25 UTC (permalink / raw)
  To: wireguard

Sorry if this has been asked and answered - List archives and Googling
have turned up all kinds of semi-related information, but frankly,
taken en masse it's more confusing than helpful.

I have a VPS running services that I continue to need to access (ssh,
zabbix agent, etc.) while any new outbound connections originating on
that host should go out over the wireguard VPN interface.

In other words, established/related traffic to inbound connections to
the public IP of the host should go back out the interface it arrived
on (not the default route), while new outbound connections originating
on the host should follow the default route (i.e. exit via the
wireguard interface)

My experiments are complicated by not being able to SSH into the VPS
when wg-quick switches the default route, kind of a circular
problem... I'm resorting to writing scripts that bring up the VPN, try
something, then log information into files, then bring down the VPN
connection again. Pretty tedious.

One idea I haven't tried yet is if I use an iptables match for
'related,established' traffic in the outbound table to set a fwmark,
and use an 'ip route' rule to use that fwmark to switch to a table
that's a copy of the routes/default route before wg-quick changed the
routing.

I've seen examples that use an 'ip rule' to set a fwmark on outbound
traffic originating from the public wan interface, and 'ip route'
rules to switch to another table for that traffic, which contains a
copy of the ip routes before the default route was switched. But that
technique doesn't seem to be working for me, and given the debugging
challenges, I'm having a hard time figuring out why.

Doesn't seem like a strange thing to want to do; any advice would be
much appreciated.

- Paul
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

^ permalink raw reply	[flat|nested] 1+ messages in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-12-17  4:25 Access to existing services on host, Wireguard for new outbound connections Paul Chambers

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
		wireguard@lists.zx2c4.com zx2c4-wireguard@archiver.kernel.org
	public-inbox-index wireguard


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard


AGPL code for this site: git clone https://public-inbox.org/ public-inbox