
I am trying to set up a Wireguard tunnel so that A uses the IP of B for outbound and inbound traffic (like a proxy, not a std VPN config). Both boxes are Ubuntu 16.04.

A is eth0, behind a router with NAT and in the DMZ, with IP A

B has two public IPs: a main one (ens3 aka B1) and a secondary one (ens3:0 aka B2). The secondary one should be dedicated to the WG tunnel.

WG on A:

[Interface]
Address = 10.200.1.2/24
SaveConfig = true
ListenPort = 50614
FwMark = 0xca6c
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
AllowedIPs = 0.0.0.0/0
Endpoint = <B2>:51820
PersistentKeepalive = 10

WG on B:

[Interface]
Address = 10.200.1.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww

[Peer]
PublicKey = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
AllowedIPs = 10.200.1.0/24
Endpoint = A:50614

Route on A:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Route on B:

Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
0.0.0.0          B1.B1.B1.1       0.0.0.0          UG    0      0        0 ens3
B2.B2.B2.0       0.0.0.0          255.255.255.0    U     0      0        0 ens3
B1.B1.B1.0       0.0.0.0          255.255.254.0    U     0      0        0 ens3
169.254.169.254  B1.B1.B1.1       255.255.255.255  UGH   0      0        0 ens3

Which route do I need to add so that every outbound packet from A goes out via B2 and every packet inbound to B2 gets sent to A?


1 Answer


I got a lot of help from the Wireguard community, and here's what works.

A (client)

[Interface]
Address = B2/32
PrivateKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = B2:51820
PersistentKeepalive = 10

B (server)

[Interface]
ListenPort = 51820
PrivateKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = B2/32

Don't forget about the usual steps (on B)

  • open 51820/udp in the firewall
  • set net.ipv4.ip_forward = 1

If the wg0 interface on B is showing a constantly growing error count, you might want to disable DMZ for A or restrict inbound on ports which are in use at B2 that also might have traffic via A to the WG interface. This might be the case if you are running peer-based services.

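As an added example (not part of the question or the answer above), the check below re-derives each side's public key from its PrivateKey with X25519 as specified in RFC 7748 and confirms that the other side's [Peer] PublicKey matches; a key mix-up between the two files is the first thing to rule out when a tunnel like this never completes a handshake. The RFC 7748 section 6.1 keys and the 192.0.2.10 endpoint are constructed stand-ins for the redacted keys and B2.

```python
import base64
P, A24 = 2**255 - 19, 121665   # curve25519 prime and (486662 - 2) / 4

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 in pure Python; a WireGuard public key is x25519(private, 9)."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp scalar
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):                                        # Montgomery ladder
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3, z2, z3 = (x3, x2, z3, z2) if swap else (x2, x3, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3, z2, z3 = (x3, x2, z3, z2) if swap else (x2, x3, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_pubkey(private_b64: str) -> str:   # same output as `wg pubkey`
    pub = x25519(base64.b64decode(private_b64), (9).to_bytes(32, "little"))
    return base64.b64encode(pub).decode()

def parse_wg(text: str) -> dict:   # minimal wg-quick INI parser: {'Interface': {..}, 'Peer': {..}}
    cfg, sect = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            sect = cfg.setdefault(line.strip("[]"), {})
        elif "=" in line and sect is not None:
            key, val = line.split("=", 1)
            sect[key.strip()] = val.strip()
    return cfg

def check_pair(cfg_a: str, cfg_b: str) -> list:   # [] means both sides' keys agree
    a, b, problems = parse_wg(cfg_a), parse_wg(cfg_b), []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if other["Peer"].get("PublicKey") != wg_pubkey(me["Interface"]["PrivateKey"]):
            problems.append(f"{name}: the other side's [Peer] PublicKey is not derived from {name}'s PrivateKey")
    return problems

# Constructed sample: RFC 7748 section 6.1 keys stand in for the page's redacted x/y/w/z keys.
A_PRIV = base64.b64encode(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
B_PRIV = base64.b64encode(bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
CFG_A = f"[Interface]\nAddress = 10.200.1.2/24\nPrivateKey = {A_PRIV}\n\n[Peer]\nPublicKey = {wg_pubkey(B_PRIV)}\nAllowedIPs = 0.0.0.0/0\nEndpoint = 192.0.2.10:51820\n"
CFG_B = f"[Interface]\nListenPort = 51820\nPrivateKey = {B_PRIV}\n\n[Peer]\nPublicKey = {wg_pubkey(A_PRIV)}\nAllowedIPs = 10.200.1.0/24\n"
```

On a real pair, feed `check_pair` the text of both wg0.conf files; an empty list means each [Peer] PublicKey is exactly what `wg pubkey` prints for the other side's PrivateKey.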