
I have a WireGuard VPN connection to access certain private services hosted on private EC2 instances. But I want to be able to use my default internet connection for the remaining traffic and only route those certain domain names via the WireGuard interface. From my knowledge this can only be done with iptables rules. Can someone please help me by providing an example iptables rule defining that outgoing traffic for a certain domain must be forwarded to a certain WireGuard VPN interface and all other traffic must be routed through the default network interface?

Edit #1 Please mention any other tool that's better suited for my purpose.

Edit #2 Since the mentioned services are running on private instances and are only accessible through the domain names hitting the AWS application load balancer, I cannot make use of IPs here.

  • Please don't re-post the question again. Please update the original question if you need to add more details. – Tero Kilkanen Jul 25 '22 at 15:31
  • @TeroKilkanen Hey, I've previously received comments in similar situations from reputed users that they are 2 different questions and so should be asked separately, since my other question is about any possible configurations or options within WireGuard and this question is about anything to do with iptables domain routing. – adityabhuvanraj Jul 25 '22 at 19:47
  • All using names would do is resolve the name to an IP address at the time the command is run. Even if you find a way to do this with iptables, the same is true, iptables only resolves the name once when the command is run. – user9517 Jul 26 '22 at 07:55
  • @user9517 I understand what you're trying to say, but since I'm making use of an AWS ALB, I don't have a public IP. So it would be helpful if you could suggest some alternative tools to use for domain name routing. – adityabhuvanraj Jul 26 '22 at 11:28


You need to set up your routing on your client in the way you want.

In your case, you need to set up the default route via your normal internet connection, and then route the IP addresses you want via the VPN.

For example, assuming the following addresses:

  • Your home gateway is at 192.168.1.1
  • Your VPN tunnel's endpoint is at 10.0.8.1
  • Your EC2 instances are in the 172.25.0.0/24 subnet

ip route add default via 192.168.1.1 # default route via your gateway
ip route add 172.25.0.0/24 via 10.0.8.1 # route EC2 subnet via VPN endpoint

WireGuard most likely has some methods of automatically updating the routes on the client once it connects. You need to look in its documentation for how to set up the routes.

Notice that you cannot use domain names here, because everything works internally with IP addresses. If IP addresses are updated, then you need to update the configuration.

Tero Kilkanen
  • @TeroKilkanen I want a solution with domain names. My EC2 instances are private, and services running on them are accessible via public domains hitting the ALB and being routed to its corresponding target groups, so I can't make use of IPs to route. Any solution where I can restrict certain domains through a certain network interface (WireGuard) and the remaining traffic through the default network interface? – adityabhuvanraj Jul 26 '22 at 04:55
  • No. You need to set up routing, and it works on IP addresses / address ranges only. Before setting up the routes, you can of course resolve the domain names to IP addresses and then set up routes for those IP addresses. – Tero Kilkanen Jul 26 '22 at 13:39
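The approach the answer describes (resolve the names first, then install per-host routes via the tunnel endpoint, and refresh them because the resolved addresses can change) as a small script. This is an added example, not the answer's own code or anything from the WireGuard project: the 10.0.8.1 endpoint reuses the answer's assumption, and the function names, the `DRY_RUN` and `WG_ROUTES_MAIN` switches, and the `/32` routes are my own choices.

```shell
#!/bin/sh
# Hypothetical helper: resolve each domain on the client, then route only the
# resulting addresses via the VPN endpoint. Everything else keeps the default route.
set -eu

WG_GATEWAY="${WG_GATEWAY:-10.0.8.1}"   # tunnel endpoint assumed in the answer

# Current IPv4 addresses for a hostname, one per line, deduplicated.
# Resolution happens here and only here; routes never carry the name itself.
resolve_v4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Build one `ip route replace` per address: /32 so only that host moves to the
# VPN, `replace` so a refresh overwrites a stale entry instead of failing.
route_cmds() {
  gw="$1"; shift
  for ip in "$@"; do
    printf 'ip route replace %s/32 via %s\n' "$ip" "$gw"
  done
}

# For each domain: resolve, then print (DRY_RUN=1) or apply the routes.
# Run this periodically (e.g. from cron), since the addresses a load balancer's
# name resolves to are not fixed and routes for old addresses stop matching.
update_routes() {
  for name in "$@"; do
    ips=$(resolve_v4 "$name")
    if [ -z "$ips" ]; then
      echo "could not resolve $name, leaving its routes unchanged" >&2
      continue
    fi
    route_cmds "$WG_GATEWAY" $ips | while read -r cmd; do
      if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
  done
}

# Only act when invoked on purpose, e.g.:
#   WG_ROUTES_MAIN=1 DRY_RUN=1 ./wg-routes.sh app.example.com api.example.com
if [ "${WG_ROUTES_MAIN:-0}" = 1 ]; then
  update_routes "$@"
fi
```

Routes added this way disappear when the WireGuard interface goes down, so run it after each connect (and from cron while connected) rather than once.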