
I want to make outbound requests through WireGuard while providing web services on the same server. That means if a request reaches ens3, the response should return the same way, but if I make a request from the server itself, it should go through WireGuard.
Below is my wg0.conf file. I didn't do anything else: on a clean Vultr VPS I installed WireGuard and ran `wg-quick up wg0` to start it, but then I lose the SSH connection and have to restart the server.

Network before starting WireGuard.

[Interface]
PrivateKey = =====================================
# No prefix length given: wg-quick applies this as a /32 (see the local-VM "ip -br address" output).
Address = 172.16.0.2
DNS = 1.1.1.1
# wg-quick installs no routes for AllowedIPs; all routing is done by the PostUp lines below.
Table = off


# Policy-routing design: fwmark 51820 means "bypass the tunnel".
# Every packet entering on ens3 is marked and the mark is saved on its conntrack entry,
# so replies to connections that arrived on ens3 can be recognised when they leave.
PostUp = iptables -t mangle -A PREROUTING -i ens3 -j MARK --set-mark 51820
PostUp = iptables -t mangle -A PREROUTING -i ens3 -j CONNMARK --save-mark
# Locally generated packets get the saved mark back; only connections that came in on ens3
# end up with 51820, everything else stays at 0.
# NOTE(review): the SSH session that runs "wg-quick up" predates these rules, so its
# conntrack entry has no saved mark until the client sends another packet; until then the
# restore yields 0 and the server's replies are routed into wg0 by the rule below. This is a
# likely cause of the lost session — verify from the provider console with "ip route get"
# (with and without "mark 51820") and "conntrack -L".
PostUp = iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
# WireGuard's own encapsulated UDP to the Endpoint carries the bypass mark, so it leaves via
# the main table (ens3) instead of looping back into wg0.
PostUp = wg set wg0 fwmark 51820
PostUp = ip -4 route add 0.0.0.0/0 dev wg0 table 51820
# Anything without the bypass mark (new outbound connections from this host) is routed by
# table 51820, i.e. into wg0.
PostUp = ip -4 rule add not fwmark 51820 table 51820
# Gets a lower priority number than the rule above (32764 vs 32765 in the local-VM "ip rule"
# output), so it is consulted first: main-table routes more specific than the default (the
# on-link 139.180.154.0/23 and the 169.254.169.254 metadata route) still win; only the
# default route is overridden.
PostUp = ip -4 rule add table main suppress_prefixlength 0
# Makes reverse-path filtering look up the source with the packet's mark, so marked packets
# arriving on ens3 pass rp_filter. NOTE(review): applied last, after the rules are already
# live; with strict rp_filter, packets arriving in that window may be dropped.
PostUp = sysctl -q net.ipv4.conf.all.src_valid_mark=1



# Teardown mirrors the PostUp rules. The table-51820 route is not deleted explicitly; it goes
# away with the wg0 interface. The src_valid_mark sysctl is not reverted.
PostDown = iptables -t mangle -D PREROUTING -i ens3 -j MARK --set-mark 51820
PostDown = iptables -t mangle -D PREROUTING -i ens3 -j CONNMARK --save-mark
PostDown = iptables -t mangle -D OUTPUT -j CONNMARK --restore-mark
PostDown = ip -4 rule del not fwmark 51820 table 51820
PostDown = ip -4 rule del table main suppress_prefixlength 0


[Peer]
PublicKey = ====================================
Endpoint = 111.111.111.111:1111
# Cryptokey routing only: this peer may carry any IPv4 destination. With Table = off it
# installs no route; the default route in table 51820 above does that job.
AllowedIPs = 0.0.0.0/0

Network before starting WireGuard; I am unable to provide the `ip route show table 51820` output because of the SSH connection loss:

root@vultr:~# ip -br link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 
ens3             UP             56:00:02:a2:21:7b <BROADCAST,MULTICAST,UP,LOWER_UP>
root@vultr:~# ip -br address
lo               UNKNOWN        127.0.0.1/8 ::1/128 
ens3             UP             139.180.155.252/23 fe80::5400:2ff:fea2:217b/64
root@vultr:~# ip rule
0:  from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default
root@vultr:~# ip route
default via 139.180.154.1 dev ens3 proto dhcp src 139.180.155.252 metric 100 
139.180.154.0/23 dev ens3 proto kernel scope link src 139.180.155.252 
169.254.169.254 via 139.180.154.1 dev ens3 proto dhcp src 139.180.155.252 metric 100 

Local VM test after starting WireGuard:

root@Ubuntu:/etc/wireguard# ip -br link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 
enp0s5           UP             00:1c:42:33:19:d9 <BROADCAST,MULTICAST,UP,LOWER_UP> 
wg0              UNKNOWN        <POINTOPOINT,NOARP,UP,LOWER_UP> 
root@Ubuntu:/etc/wireguard# ip -br address
lo               UNKNOWN        127.0.0.1/8 
enp0s5           UP             192.168.123.6/24        
wg0              UNKNOWN        172.16.0.2/32 
root@Ubuntu:/etc/wireguard# ip rule
0:  from all lookup local 
32764:  from all lookup main suppress_prefixlength 0 
32765:  not from all fwmark 0xca6c lookup 51820 
32766:  from all lookup main 
32767:  from all lookup default 
root@Ubuntu:/etc/wireguard# ip route
default via 192.168.123.1 dev enp0s5 proto dhcp metric 20100 
169.254.0.0/16 dev enp0s5 scope link metric 1000 
192.168.123.0/24 dev enp0s5 proto kernel scope link src 192.168.123.6 metric 100 
root@Ubuntu:/etc/wireguard#  ip route show table 51820
default dev wg0 scope link 