I have a Wireguard VPN setup that basically looks like this:

P1 ---- S ---- P ---- LAN
Px -----|
  • S (ip 192.168.60.1) is a WG server running on Ubuntu 20.04 with ufw enabled, with a public IP (using wg0 interface).
  • P (ip 192.168.60.2) is a WG peer running behind CGNAT, without a public IP, connected to its own LAN.
  • P1..Px are other WG peers (ip 192.168.60.1x).

Ufw has the following configuration:

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
51820/udp                  ALLOW       Anywhere

Anywhere on eth0           ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on eth0
Anywhere on wg0            ALLOW FWD   Anywhere on wg0

I want all traffic originating from the peers P1..Px to be routed through P.

I tried the following, but without success:

  • On P1, I set AllowedIPs for S to 0.0.0.0/0. On S I set AllowedIPs for P to 0.0.0.0/0. - This configuration renders S inaccessible through eth0 (and still doesn't route anything to P).

  • On P1, I set AllowedIPs for S to 0.0.0.0/0. On S I tried configuring policy based routing based on source IP:

     sudo ip rule add from 192.168.60.0/24 lookup 200
     sudo ip route add default via 192.168.60.2 dev wg0 table 200
    

    This prevents P1 connecting to anything other than 192.168.60.0/24.

2 Answers

You should probably start with using Table=off in the wg-quick conf on both S and P. The value of AllowedIPs= will not cause changes to the routes / policy routing rules on them then.

EDIT: Actually it should be fine to leave Table= untouched on P unless you need AllowedIPs= of S on it to be 0.0.0.0/0 instead of 192.168.60.0/24 for some reason, e.g. you need traffic originating from P itself to be routed to S. You don't need to mess with the routes and routing rules on P yourself, since even the prefix in Address=192.168.60.2/24 should get the necessary route configured. The next paragraph probably does not apply to what you need -- although it might give you some extra insight into how things work.

And you should probably use an additional IP subnet for S and P, e.g. 192.168.59.0/30. This will save you the hassle of needing an extra ip rule. Remember to add the subnet route for 192.168.60.0/24 on P though, as with Table=off, only prefix routes will be added by the kernel for the prefix(es) in the Address= field(s). Make good use of PostUp= (and PreDown=) btw.

I don't suppose you want to route traffic that originates from S itself to P, so you probably want the following ip rule instead:

# ip rule add iif wg0 from 192.168.60.0/24 lookup 200

If you really need to route e.g. traffic other than the ssh and WireGuard server replies to P, you can additionally have:

# ip rule add iif lo lookup 200
# ip rule add iif lo ipproto tcp sport 22 lookup main
# ip rule add iif lo ipproto udp sport 51820 lookup main

Note: you can't just match with from 192.168.60.1 in the first rule and omit the other two, because for non-reply traffic the source address is often (if not always) chosen based on the decided route -- it's not set yet at this point.

Note that the order of the commands normally determines the priority, so make sure you add the "superset" rule before the "subset" rules, otherwise the latter will be overridden by the former.

Also it's best to keep table 200 empty until all the desired rules are in position, otherwise remote access to the host could be cut off.

Finally, a nexthop makes no sense in a route to an L3 tunnel:

# ip route add default dev wg0 table 200

P.S. Make sure you didn't just allow IP forwarding in the firewall, but also enabled it with sysctl.

Tom Yan

  • Thanks for the tips - I managed to get it working with the following configuration (everything done on S):
    - add Table = off to wg0.conf
    - set AllowedIPs = 0.0.0.0/0 for P (not sure if this was actually needed)
    - add the following to PostUp: ip rule add iif wg0 from 192.168.60.0/24 lookup 200; ip route add default via 192.168.60.2 dev wg0 table 200;
    - add the following to PostDown: ip rule delete iif wg0 from 192.168.60.0/24 lookup 200; ip route delete default via 192.168.60.2 dev wg0 table 200;
    – Andrija Kovačević Aug 18 '21 at 17:18
  • I made some edits to the answer. See if they made things clearer to you. – Tom Yan Aug 19 '21 at 04:25
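As an added illustration of the ordering advice in the answer above (not code from the answer or from the WireGuard project), this POSIX sh script renders the wg-quick [Interface] section for S with Table = off, emitting the rules before the table-200 route on PostUp and tearing them down in reverse on PostDown. The variable names, defaults and the ROUTE_LOCAL switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original answer: generate the wg-quick
# [Interface] section for S with Table = off and the policy-routing
# commands from the answer, ordered so the host never cuts itself off.
# All variable names and defaults below are assumptions for this example.
WG_IF="${WG_IF:-wg0}"
S_ADDR="${S_ADDR:-192.168.60.1/24}"
WG_SUBNET="${WG_SUBNET:-192.168.60.0/24}"
TABLE="${TABLE:-200}"
# ROUTE_LOCAL=1 also sends S's own traffic (except ssh/wg replies) via P.
ROUTE_LOCAL="${ROUTE_LOCAL:-0}"

# Rules first, route last: a rule that points at an empty table matches
# nothing, so remote access to S stays intact until the final command.
# Without an explicit pref, each new rule is placed ahead of the existing
# ones, hence the superset rule goes in before the subset rules that
# must override it.
postup_cmds() {
    echo "ip rule add iif $WG_IF from $WG_SUBNET lookup $TABLE"
    if [ "$ROUTE_LOCAL" = 1 ]; then
        echo "ip rule add iif lo lookup $TABLE"
        echo "ip rule add iif lo ipproto tcp sport 22 lookup main"
        echo "ip rule add iif lo ipproto udp sport 51820 lookup main"
    fi
    # no 'via': a route into an L3 tunnel needs no next-hop address
    echo "ip route add default dev $WG_IF table $TABLE"
}

# Tear down in reverse order: empty the table first, then drop the rules.
postdown_cmds() {
    postup_cmds | sed '1!G;h;$!d' | sed 's/ add / del /'
}

# wg-quick accepts several PostUp=/PostDown= lines and runs them in order.
interface_section() {
    printf '[Interface]\nAddress = %s\nListenPort = 51820\nTable = off\n' "$S_ADDR"
    postup_cmds | sed 's/^/PostUp = /'
    postdown_cmds | sed 's/^/PostDown = /'
}

interface_section
```

The PrivateKey line and the [Peer] sections are left to the existing wg0.conf; the generated lines replace only the routing-related part of [Interface].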
I'm unable to comment due to too-low reputation, but I came across this post when trying to accomplish a similar goal.

It's not entirely clear if the OP would prefer to keep local traffic local (i.e. accessing a network printer) or if the setup actually wishes to send ALL traffic to Wireguard.

If trying to achieve the former, see "How do I route all public traffic through Wireguard but not local traffic?"

cmjordan