
Say I have node1 and node2, connected over the internet. An application server on node1 has an IP ACL for the IP of node2.

For security reasons I open a WireGuard tunnel between the nodes. I'd like to keep the configs of the application the same (hence the "transparent" in the question title); however, I run into the following problem:

Node2 uses its VPN source address when communicating with the application server on node1, which does not have that IP in its ACL.

Is this a common problem in VPN setups, or just an implementation choice of WireGuard? Does anyone know of an elegant solution? Extra config on the network level would be fine. Changing the ACL on the application level is not an option in this case.

What I tried so far is using the public address of node1 as the VPN address by introducing a policy source NAT, but that fails horribly in the case of WireGuard, which adds a static route for the remote tunnel endpoint to the routing table, resulting in the following:

  • Node2 successfully uses its existing IP to communicate with node1
  • Node1's application server sees the packet coming in and replies
  • Node1's IP stack routes the packet over the WAN, instead of over the WireGuard tunnel.

1 Answer

If you want to use your 'normal' host IP for outgoing traffic which goes over the tunnel, it sufficed in my case to do the following:

[Interface]
Address = 10.102.0.1/24
PostUp = iptables -t nat -A POSTROUTING -s 10.102.0.1/32 -o wg-p2p -j SNAT --to-source 1.2.3.4
PostDown = iptables -t nat -D POSTROUTING -s 10.102.0.1/32 -o wg-p2p -j SNAT --to-source 1.2.3.4
...

[Peer]
AllowedIPs = 10.102.0.0/24, 1.2.3.4/32
...

So basically you set up a straightforward WireGuard tunnel, and only with iptables magic you change your source address, if it is the tunnel source IP, to your 'normal' IP address at the latest moment (POSTROUTING).
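As an added example (not code from the question or the answer above): the helper below emits the two SNAT lines the answer puts in [Interface] from a tunnel address, interface name and public IP, and checks the precondition the trick silently depends on, namely that the receiving side's [Peer] AllowedIPs admits the SNAT'd source address, since WireGuard drops decrypted packets whose source is outside the peer's AllowedIPs. The addresses 10.102.0.1, wg-p2p and 1.2.3.4 are the answer's placeholders, not real hosts.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Placeholder addresses only.

# IPv4 dotted quad -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 if ADDR lies inside the prefix
in_cidr() {
  local addr=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# allowed_ips_admit ADDR "cidr, cidr, ..." -> exit 0 if a peer whose
# AllowedIPs is that list will accept inbound packets with source ADDR.
# This mirrors WireGuard's inbound cryptokey-routing check for one peer.
allowed_ips_admit() {
  local addr=$1 list cidr
  list=$(printf '%s' "$2" | tr -d ' ')
  local IFS=,
  for cidr in $list; do
    case $cidr in */*) ;; *) cidr="$cidr/32" ;; esac   # bare IP means /32
    in_cidr "$addr" "$cidr" && return 0
  done
  return 1
}

# snat_rules TUNNEL_IP WG_IFACE PUBLIC_IP -> PostUp/PostDown lines that
# rewrite the tunnel source to the public IP as the packet leaves via wg.
snat_rules() {
  local rule="iptables -t nat %s POSTROUTING -s $1/32 -o $2 -j SNAT --to-source $3"
  printf "PostUp = $rule\nPostDown = $rule\n" -A -D
}

# Stand-alone run: print the rules, then check the far side's AllowedIPs.
snat_rules 10.102.0.1 wg-p2p 1.2.3.4
if allowed_ips_admit 1.2.3.4 "10.102.0.0/24, 1.2.3.4/32"; then
  echo "peer AllowedIPs admits SNAT'd source 1.2.3.4: OK"
else
  echo "peer AllowedIPs would drop packets from 1.2.3.4: add 1.2.3.4/32"
fi
```

The AllowedIPs check runs against the configuration text only; it does not touch iptables or the live interface.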
