
I have several Wireguard servers hosted on Ubuntu VPS servers. There are peers set up on each VPN server. I have the servers set up in "mesh" configuration and they're all able to ping each other directly. The servers have IPv4 forwarding enabled. I can connect to each server as a peer and have my internet connection routed through that server.

I would like to forward some peers through multiple Wireguard servers (multi-hop) while also leaving some peers to connect to the internet via the first Wireguard hop. Eventually I intend to control this dynamically with a node app executing the relevant iptables rules as required (or whatever the solution may be).

For example:

Peer 1 > Server 1 > Server 2 > Internet

Peer 2 > Server 1 > Internet

Peer 3 > Server 3 > Internet

Peer 4 > Server 2 > Server 1 > Internet

Would this be possible with iptables rules? I have spent a couple of days reading similar posts and trying things. The closest I have come is setting the following on Server1:

```
iptables -t nat -A PREROUTING -s 10.42.1.4(Peer1) -j DNAT --to-destination 10.42.1.2(Server2)
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
```

Using `tcpdump -n -v -i wg0` I can see packets being passed from Server1 to Server2, but it looks like the MASQUERADE rule is altering the destination IP? I tried adding `iptables -t nat -A POSTROUTING -d 10.42.1.2 -j SNAT --to-source 10.42.1.4` too.

Diagram of the setup

  • I found a solution to my problem: [Chaining WireGuard Servers: Can ping both from client, but can't access internet. IP routing issue?](https://serverfault.com/questions/1080901/chaining-wireguard-servers-can-ping-both-from-client-but-cant-access-internet) — see if it helps! – its_me Oct 20 '21 at 16:07
  • Thanks that was a big help. I replied to your question. Hopefully someone out there knows a way to expand upon your configuration to enable per peer routing. – computerguy1 Oct 21 '21 at 06:53
  • Have a look there too, it's in addition to routing and more restricting (no overlap allowed): https://www.wireguard.com/#cryptokey-routing . The DNAT rule is altering the destination (always 10.42.1.2 from peer1) why would you expect it differently? – A.B Oct 21 '21 at 06:58
  • Actually I guess why: iptables is often mistakenly taken as the tool doing routing, but it's not. If for some reason the packet isn't routed to the WireGuard interface, altering its destination is probably not the correct way to get the packet routed there. Use the adequate tool(s): `ip route` (and sometimes `ip rule`). – A.B Oct 21 '21 at 08:37
  • I took a look at this problem. To me a solution would: 1/ avoid useless (and here harmful) use of iptables 2/ require policy routing 3/ require on some systems multiple WireGuard interfaces to overcome limitations inherent to WireGuard: no overlapping of addresses for peer selection (contrary to routes where one can override a route with a narrower route). – A.B Oct 21 '21 at 09:56
  • Considering my experience with WG and limited technical know-how, I'd create different WG interfaces (wg0, wg1, etc.) for different chains. Never tried it myself though. It's simpler that way. – its_me Oct 21 '21 at 10:39
  • I added another answer to my question that *might* be easier to modify for your needs. Just a heads-up! See if it helps. – its_me Oct 21 '21 at 15:46
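As an added example (not from the question, the linked answer, or WireGuard itself), here is the policy-routing approach the comments point to, applied on Server1 for the "Peer 1 > Server 1 > Server 2 > Internet" case while other peers keep using Server1's own uplink. The interface names `wg0`/`eth0`, routing table 100, the `apply` argument and the `SERVER2_PUBKEY` placeholder are assumptions; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the post): per-peer multi-hop on Server1 with policy
# routing instead of DNAT. Assumed names: wg0 = WireGuard mesh interface,
# eth0 = uplink, Peer1 = 10.42.1.4, Server2 = 10.42.1.2, routing table 100,
# SERVER2_PUBKEY = placeholder for Server2's public key.
set -eu

WG_IF=${WG_IF:-wg0}
UPLINK_IF=${UPLINK_IF:-eth0}
DRY_RUN=${DRY_RUN:-0}

# run: execute the command, or print it when DRY_RUN=1 so the plan can be reviewed.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# route_peer_via_hop PEER_IP TABLE: everything sourced from PEER_IP leaves via
# wg0 instead of this server's default route. The packet is not rewritten; which
# mesh server receives it is decided by WireGuard's AllowedIPs, not by a next hop.
route_peer_via_hop() {
  run ip route replace default dev "$WG_IF" table "$2"
  run ip rule add from "$1" lookup "$2" priority "$2"
}

# route_peer_direct PEER_IP TABLE: remove the rule again so the peer falls back
# to the main table (the "Peer 2 > Server 1 > Internet" case).
route_peer_direct() {
  run ip rule del from "$1" lookup "$2"
}

# NAT only on the uplink. A MASQUERADE on wg0 rewrites the peer's source address
# before the next hop sees it, which is what the tcpdump trace in the question showed.
nat_uplink_only() {
  run iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -j MASQUERADE
}

# Cryptokey routing: for a packet routed to wg0 to be sent to Server2, Server2's
# AllowedIPs on this server must cover the destination (0.0.0.0/0 here, next to
# its own /32; other mesh peers' narrower /32 entries still win for their traffic).
# Server2 in turn needs 10.42.1.4/32 in its AllowedIPs for Server1 so the return
# path works, plus its own MASQUERADE on its uplink.
hop_allowed_ips() {
  run wg set "$WG_IF" peer "$1" allowed-ips "$2/32,0.0.0.0/0"
}

if [ "${1:-}" = apply ]; then
  nat_uplink_only
  hop_allowed_ips "SERVER2_PUBKEY" 10.42.1.2
  route_peer_via_hop 10.42.1.4 100   # Peer1 > Server1 > Server2 > Internet
fi
```

Run it as `DRY_RUN=1 sh multihop.sh apply` first to review the exact commands; check the result with `ip rule show` and `ip route show table 100` rather than with NAT counters.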
