I have a Wireguard VPN setup that basically looks like this:
P1 ---- S ---- P ---- LAN
Px -----|
- S (ip 192.168.60.1) is a WG server running on Ubuntu 20.04 with ufw enabled, with a public IP (WireGuard is on the wg0 interface).
- P (ip 192.168.60.2) is a WG peer running behind CGNAT, without a public IP, connected to its own LAN.
- P1..Px are other WG peers (ip 192.168.60.1x).
Ufw has the following configuration:
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
51820/udp ALLOW Anywhere
Anywhere on eth0 ALLOW FWD Anywhere on wg0
Anywhere on wg0 ALLOW FWD Anywhere on eth0
Anywhere on wg0 ALLOW FWD Anywhere on wg0
I want to achieve that all traffic originating from P1..Px peers is routed through P.
I tried the following, but without success:
On P1, I set AllowedIPs for S to 0.0.0.0/0. On S I set AllowedIPs for P to 0.0.0.0/0. - This configuration renders S inaccessible through eth0 (and still doesn't route anything to P).
On P1, I set AllowedIPs for S to 0.0.0.0/0. On S I tried configuring policy based routing based on source IP:
sudo ip rule add from 192.168.60.0/24 lookup 200
sudo ip route add default via 192.168.60.2 dev wg0 table 200
This prevents P1 from connecting to anything other than 192.168.60.0/24.
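As an added illustration (not part of the original post), the following Python models two things the question turns on: WireGuard's cryptokey routing on S, where the longest matching AllowedIPs prefix across all peers decides which peer a packet is sent to, and wg-quick's `Table` setting, which decides whether a `0.0.0.0/0` AllowedIPs entry also becomes S's own default route. The config, peer keys and labels are constructed placeholders modelled on the topology above.

```python
import ipaddress
# Constructed wg-quick config for S, modelled on the question's topology; keys are
# placeholders. "Table = off" stops wg-quick from turning the 0.0.0.0/0 AllowedIPs
# entry into S's own default route, leaving routing to the "ip rule ... lookup 200" setup.
S_CONFIG = """
[Interface]
Address = 192.168.60.1/24
ListenPort = 51820
Table = off
[Peer]
# P, the exit peer behind CGNAT: 0.0.0.0/0 makes it the catch-all destination
PublicKey = <P-public-key-placeholder>
AllowedIPs = 192.168.60.2/32, 0.0.0.0/0
[Peer]
PublicKey = <P1-public-key-placeholder>
AllowedIPs = 192.168.60.11/32
"""

def parse_config(config):
    """Return (Table setting, {PublicKey: [ip_network, ...]}) from a wg-quick config."""
    table, peers, key, nets = "auto", {}, None, []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line == "[Peer]":
            if key:
                peers[key] = nets
            key, nets = None, []
        elif "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == "Table":
                table = v
            elif k == "PublicKey":
                key = v
            elif k == "AllowedIPs":
                nets += [ipaddress.ip_network(n.strip()) for n in v.split(",")]
    if key:
        peers[key] = nets
    return table, peers

def cryptokey_route(peers, dst):
    """Peer WireGuard hands a packet for dst to: the longest matching AllowedIPs
    prefix across all peers wins; no match at all means the packet is dropped."""
    dst_ip = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, k) for k, nets in peers.items() for n in nets if dst_ip in n]
    return max(hits)[1] if hits else None

def wg_quick_installs_default_route(table, peers):
    """Table=auto (the default) adds each AllowedIPs prefix as a route, with special
    default-route handling for a /0; Table=off adds no routes at all."""
    return table == "auto" and any(n.prefixlen == 0 for ns in peers.values() for n in ns)
```

With this config, a forwarded packet for 192.168.60.11 still reaches P1 because its /32 beats P's /0, while anything outside the peers' own addresses is encrypted towards P.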