Development discussion of WireGuard
From: Eric Light <eric@ericlight.com>
To: Eddie <stunnel@attglobal.net>,
	reiner otto <augustus_meyer@yahoo.de>,
	wireguard@lists.zx2c4.com
Subject: Re: Route all traffic to one IP _only_ via wireguard
Date: Mon, 30 Apr 2018 03:19:54 +1200	[thread overview]
Message-ID: <1525015194.2266395.1354633912.19433C3F@webmail.messagingengine.com> (raw)
In-Reply-To: <f59b002a-21df-6218-db70-bfb8398092c1@attglobal.net>

Hi Eddie and Reiner,

I might be misunderstanding the request, but...

> the real goal is to tunnel only traffic with a specific destination IP via wireguard from client to server.

Isn't this just asking the same as:

> I only want to use wg0 for x.x.x.x/32, and I want to use eth0 for everything else

If I'm reading that right, I believe it's a simple matter of changing the scope of his AllowedIPs, so his traffic is routed via the correct interfaces. No iptables or packet marks required.

Reiner - have I misunderstood your question? I've assumed you're using wg-quick?

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Sun, 29 Apr 2018, at 07:07, Eddie wrote:
> I didn't think that AllowedIPs would filter traffic like that. But
> could be wrong. :-)
>
> Here's my take on your problem:
>
> Add "Table = off" and "FwMark = 1234 (or other value)" to the wg config,
> which will stop the routing tables being updated and add the routing
> mark to all encrypted packets.
>
> Then you will need a new ip rule table, that runs ahead of "main" that
> selects all traffic with the fwmark from wg and routes that directly to
> your external interface. Something like:
>
> from all fwmark 1234 lookup net
>
> net:
> default via <gateway ip> dev <external interface>
>
> Then add a new rule to main, that routes ip 1.2.3.4 out via the wg
> interface.
>
> Cheers.
>
>
> On 4/28/2018 6:49 AM, Eric Light wrote:
> > Hi Reiner!
> >
> > I think the problem here is your client's AllowedIPs section. If you only want to access one address, you only enter that target IP - not the whole internet space (0.0.0.0/0). That's why everything is being routed out via your wg0.
> >
> > So you should change that client AllowedIPs to 172.16.0.1/32, and that'll fix it. Alternatively, set it to /24 if you also want access to other devices within the corporate LAN... That's how I do it.
> >
> > I think that's all you need. Sorry if I've missed something! :)
> >
> > E
> >
> > --------------------------------------------
> > Q: Why is this email five sentences or less?
> > A: http://five.sentenc.es
> >
> > On Sat, 28 Apr 2018, at 22:07, reiner otto wrote:
> >> My basic setup of wg works, I can ssh from/to server or client.
> >> But the real goal is to tunnel only traffic with a specific destination IP
> >> via wireguard from client to server.
> >> I.e. a local router, which allows direct access to the web,
> >> _BUT_ all traffic going to the corporate server using wireguard only.
> >> Corporate server (public 1.2.3.4) == wireguard server (172.16.0.1).
> >>
> >> I tried various settings on my client, like
> >> ip route 1.2.3.4 dev wg0
> >> ip route 1.2.3.4 via 172.16.0.1
> >> etc.
> >> but nothing worked.
> >>
> >> Any help really appreciated.
> >>
> >> ---
> >> wg0.conf on server (1.2.3.4):
> >> [Interface]
> >> ListenPort = 1234
> >> PrivateKey = secret
> >> [Peer]
> >> PublicKey = secret
> >> AllowedIPs = 172.16.0.0/16
> >> -
> >> wg0.conf on client (172.16.18.31):
> >> [Interface]
> >> PrivateKey = secret
> >> ListenPort = 1234
> >> [Peer]
> >> PublicKey = secret
> >> AllowedIPs = 0.0.0.0/0
> >> Endpoint = 1.2.3.4:1234
> >>
> >>
> >> _______________________________________________
> >> WireGuard mailing list
> >> WireGuard@lists.zx2c4.com
> >> https://lists.zx2c4.com/mailman/listinfo/wireguard

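A small model of the AllowedIPs decision discussed in this thread, added here as an example that is not part of any of the posts: it parses the client wg0.conf quoted above and shows which destinations the peer claims (and so which wg-quick routes into wg0) under 0.0.0.0/0 versus the narrowed 172.16.0.1/32. It assumes wg-quick's plain per-prefix routes and ignores its fwmark handling for the endpoint itself; the configs are constructed from the thread with "secret" in place of real keys.

```python
# Added example, not from the thread: AllowedIPs is WireGuard's cryptokey
# routing table, and wg-quick installs a kernel route for each prefix, so
# a /0 pulls every destination into wg0 while a /32 tunnels one host only.
import ipaddress

CLIENT_CONF_FULL = """\
[Interface]
PrivateKey = secret
ListenPort = 1234
[Peer]
PublicKey = secret
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:1234
"""
# The change Eric proposes: scope AllowedIPs to the one host (or a /24 for the LAN).
CLIENT_CONF_SPLIT = CLIENT_CONF_FULL.replace("0.0.0.0/0", "172.16.0.1/32")


def parse_peers(conf):
    """Return one dict per [Peer] section of a wg-quick style config."""
    peers, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return peers


def allowed_networks(conf):
    """(network, peer index) for every AllowedIPs prefix in the config."""
    return [(ipaddress.ip_network(c.strip(), strict=False), i)
            for i, p in enumerate(parse_peers(conf))
            for c in p.get("AllowedIPs", "").split(",") if c.strip()]


def via_tunnel(conf, dst):
    """Longest-prefix match over AllowedIPs: index of the peer that owns
    dst, or None if the packet never enters wg0 (stays on eth0's default)."""
    addr, best = ipaddress.ip_address(dst), None
    for net, idx in allowed_networks(conf):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, idx)
    return None if best is None else best[1]
```

With the /0 config even an unrelated public address (203.0.113.10 below is a documentation-range value) matches the peer, which is exactly why all of Reiner's traffic left via wg0.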