From: Bzzzz <lazyvirus@gmx.com>
To: wireguard@lists.zx2c4.com
Subject: Re: Can't seem to split tunnel using tables the way I can in OpenVPN
Date: Thu, 25 May 2017 19:13:37 +0200 [thread overview]
Message-ID: <20170525191337.696cd9d5@msi.defcon1> (raw)
In-Reply-To: <CAL+S5MVFd9Z=70X67E69-XcEq7hO76UT6vmzLGj+0YS8vhfedA@mail.gmail.com>
On Wed, 24 May 2017 19:04:38 -0400
Text Editor <texteditor.si@gmail.com> wrote:
> Trying to replicate my OpenVPN routing setup, tunnel is split to go
> to /24 subnet inside OpenVPN without the default traffic going through
> it.
Hi Text Editor,
=E2=80=A6
> I can ping the
> endpoints inside the Wireguard VPN,
So your WG VPN is acting good, giving you access your server from
another place than your LAN, ie: through a phone tethering or from
a friend's connection.
Your setup seems overly complicated, as touching network I/F confs isn't
a requirement, neither w/ OVPN or WG.
ie: for the server, I took a copy of /etc/init.d/rmnologin (because it
was the last one to be enabled into /etc/rc2.d and I want my VPN to be
the last one to be activated), then I modified it, testing and using the
presence of 'wg-quick' that is far more usable than modifying the
network I/F confs or manually use 'wg' instead; on clients, scripts are
manual, but also use 'wg-quick'.
A quick run of chkconfig and the links are created in the right places,
starting your VPN server at boot and allowing to start/stop it manually.
I won't say it is the best way to do that, but it has the advantage not
to scatter configurations in all the server corners.
> but trying to reach the internet
> via the internet seems to not work
>=20
>=20
>=20
> Configuration files on the Server side:
>=20
> https://pastebin.com/raw/TJvKazSL
IIRC, using 0.0.0.0 means _all_ traffic is routed through the VPN;
IMHO, your server setup should otherwise use something like:
[Peer]
=E2=80=A6
192.168.2.0/24
(/24 IF you intend to use WG to unite 2 LAN; for a roadwarrior, it
might be better to restrict more stricly to it's IP,
eg: 192.168.2.253/32)
> Configuration files on the Server side:
>=20
> https://pastebin.com/raw/2t760WvY
>=20
>=20
> This same concept works on OpenVPN without issue, not sure what is
> happening
AFAIK, given you formerly authorize packets forward (either indefinitely
into /etc/syctl.conf or temporarily by:
echo 1 >/proc/sys/net/ipv4/ip_forward), the only iptables rules you need
(into the server conf file) are:
PostUp =3D iptables -t nat -I POSTROUTING -s <VPN IP segment>/24
-o eth0 -j MASQUERADE
PostDown =3D iptables -t nat -D POSTROUTING -s <VPN IP segment>/24 -o
eth0 -j MASQUERADE
remember that any kind of testing on packets, ie: established, related,
etc) can be a huge loss of time (it has to be computed for _each_
packet), hence, a loss of throughput in your VPN.
And BTW, it is much more dangerous to reveal your keys on the Ternet
than your endpoint IP address=E2=80=A6
Jean-Yves
next prev parent reply other threads:[~2017-05-25 17:01 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-24 23:04 Text Editor
2017-05-25 17:13 ` Bzzzz [this message]
2017-05-25 17:58 ` Kalin KOZHUHAROV
2017-05-25 18:11 ` Bzzzz
2017-05-25 19:14 ` Kalin KOZHUHAROV
2017-05-25 19:28 ` Bzzzz
2017-05-25 19:32 ` David Woodhouse
2017-05-25 19:45 ` Bzzzz
2017-05-25 19:50 ` David Woodhouse
2017-05-25 20:03 ` Bzzzz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170525191337.696cd9d5@msi.defcon1 \
--to=lazyvirus@gmx.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).