* Exempting two things from WireGuard tunneling
From: Nicholas Joll @ 2018-03-02 0:33 UTC
To: wireguard

Dear List

I'd like to exempt two things from WG:

(1) some samba shares, accessed via autofs, which give me enough trouble without having VPN dropouts (courtesy of my VPN provider and/or my ISP) as well,

(2) Netflix (which I run via a Chrome app).

The samba shares all have fixed IPs and most of them are on a single Windows machine, on my home network, and another share is to router-attached USB storage (and only works on Samba protocol version 1, for some reason; the other shares work on version 3).

I imagine many people will want to do each of these things. There was something on the list a long time back, I think, about 2, but it was too technical for me to understand. (My VPN and Wireguard knowledge is minimal, though I have Bash scripts that put WG up and take it down, and tell it which server(s) to use.)

With thanks,
N

* Update: exempting two things from WireGuard tunneling
From: Nicholas Joll @ 2018-03-05 18:59 UTC
To: wireguard

Dear List

I've tried all sorts of things to answer my own question (the question I asked the list a little while ago; my initial e-mail is appended below) but to no avail. However, I've found something, on the Wireguard list itself, which looks as though it may help - but I do not understand it well enough. Might anyone help? The material I found is located here: https://marc.info/?l=wireguard&m=148813372820847&w=2

Yours
Nicholas

-------- Forwarded Message --------
Subject: Exempting two things from WireGuard tunneling
Date: Fri, 2 Mar 2018 00:33:25 +0000
From:
To: wireguard@lists.zx2c4.com

Dear List

I'd like to exempt two things from WG:

(1) some samba shares, accessed via autofs, which give me enough trouble without having VPN dropouts (courtesy of my VPN provider and/or my ISP) as well,

(2) Netflix (which I run via a Chrome app).

The samba shares all have fixed IPs and most of them are on a single Windows machine, on my home network, and another share is to router-attached USB storage (and only works on Samba protocol version 1, for some reason; the other shares work on version 3).

I imagine many people will want to do each of these things. There was something on the list a long time back, I think, about 2, but it was too technical for me to understand. (My VPN and Wireguard knowledge is minimal, though I have Bash scripts that put WG up and take it down, and tell it which server(s) to use.)

With thanks,
N

* Re: Update: exempting two things from WireGuard tunneling
From: Kalin KOZHUHAROV @ 2018-03-05 19:42 UTC
To: Nicholas Joll; +Cc: WireGuard mailing list

On Mon, Mar 5, 2018 at 7:59 PM, Nicholas Joll <najoll@posteo.net> wrote:
> I've tried all sorts of things to answer my own question (the question I asked the list a little while ago; my initial e-mail is appended below) but to no avail. However, I've found something, on the Wireguard list itself, which looks as though it may help - but I do not understand it well enough. Might anyone help? The material I found is located here: https://marc.info/?l=wireguard&m=148813372820847&w=2
>
Maybe it was too vague of a question/statement...

> I'd like to exempt two things from WG:
>
What does exempt mean?
You can "NOT route" packets via a wg interface (fix your routing, subnets, etc.), or BLOCK packets with a firewall (e.g. nftables, iptables).
1st is better if possible (requires redesign), 2nd may be easier.
Combining both is the best.

> (1) some samba shares, accessed
> via autofs, which give me enough trouble without having VPN dropouts
> (courtesy of my VPN provider and/or my ISP) as well,
>
"samba shares" is like "red car"... there are quite a few protocols involved with them, most of them run atop UDP and TCP or both.

> (2) Netflix (which I run via a Chrome app).

... cannot help you much here, but I guess it is some tcp, udp and rtp mix to some large cloud of IPs.

> The samba shares all have fixed IPs and most of
> them are on a single Windows machine, on my home network, and another
> share is to router-attached USB storage (and only works on Samba
> protocol version 1, for some reason; the other shares work on version 3).
>
draw a map (on paper) or ascii art or something, put some IP addresses, fake if you are worried.

> I imagine many people will want to do each of these things. There was
> something on the list a long time back, I think, about 2, but it was too
> technical for me to understand. (My VPN and Wireguard knowledge is
> minimal, though I have Bash scripts that put WG up and take it down, and
> tell it which server(s) to use.)
>
Those are some (advanced) routing rules, you probably can live with standard, if you can choose the IP addresses/networks you connect to (home).

Really, try to draw a diagram. If you cannot - then it is probably too complex and wireguard is not gonna help you.

Cheers,
Kalin.

* Re: Update: exempting two things from WireGuard tunneling
From: Jason A. Donenfeld @ 2018-03-05 19:43 UTC
To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

Use the ipset= feature of dnsmasq, and then use policy routing on that ipset.

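An added example (not written by any poster in this thread) of the dnsmasq ipset= plus policy-routing approach suggested above, as a script that prints the commands unless APPLY=1 is set. The set name wg_bypass, mark 0x77, table 77, gateway 192.168.1.1, interface eth0 and domain example.com are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: ipset "wg_bypass",
# fwmark 0x77, routing table 77; gateway/interface/domain are constructed.
SET=wg_bypass
MARK=0x77
TABLE=77

# dnsmasq config lines: each address resolved for a listed domain (or its
# subdomains) is added to $SET. The set must exist before dnsmasq starts,
# and the host must resolve through this dnsmasq instance.
dnsmasq_conf() {
    for d in "$@"; do
        printf 'ipset=/%s/%s\n' "$d" "$SET"
    done
}

# Commands that send locally generated packets for set members out of the
# physical interface instead of the WireGuard default route.
bypass_cmds() {
    gw=$1
    dev=$2
    cat <<EOF
ipset create $SET hash:ip -exist
iptables -t mangle -A OUTPUT -m set --match-set $SET dst -j MARK --set-mark $MARK
ip rule add fwmark $MARK table $TABLE priority 100
ip route replace default via $gw dev $dev table $TABLE
iptables -t nat -A POSTROUTING -o $dev -m mark --mark $MARK -j MASQUERADE
EOF
}
# Why each step: the mark is set after the source address was picked for the
# tunnel, so MASQUERADE rewrites it to $dev's address; priority 100 is
# evaluated before the rules wg-quick adds. With strict rp_filter on $dev,
# replies may be dropped; loose mode (rp_filter=2) avoids that.

# Dry run by default; APPLY=1 executes each command (needs root).
run() {
    bypass_cmds "$@" | while read -r line; do
        if [ "${APPLY:-0}" = 1 ]; then $line; else echo "+ $line"; fi
    done
}

dnsmasq_conf example.com
run 192.168.1.1 eth0
```

Traffic to the listed domains, and the DNS lookups that populate the set, leave outside the tunnel, so keep the domain list as narrow as the exemption requires.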
* Re: Update: exempting two things from WireGuard tunneling
From: Saeid Akbari @ 2018-03-06 9:56 UTC
To: wireguard

On Monday, March 5, 2018 11:12:25 PM +0330 Kalin KOZHUHAROV wrote:
> On Mon, Mar 5, 2018 at 7:59 PM, Nicholas Joll <najoll@posteo.net> wrote:
>
> > (2) Netflix (which I run via a Chrome app).
>
> ... cannot help you much here, but I guess it is some tcp, udp and rtp
> mix to some large cloud of IPs.
>
> Cheers,
> Kalin.

On Monday, March 5, 2018 11:13:41 PM +0330 Jason A. Donenfeld wrote:
> Use the ipset= feature of dnsmasq, and then use policy routing on that
> ipset.

Or this link might help:
http://www.evolware.org/?p=369

I personally prefer cgroups when I occasionally need to use some website or software with different routing needs. So I just simply start a new instance of my browser in that cgroup to have its traffic bypassed the wireguard. (or bypassing wg? not sure about the grammar :)

PS: I think iptables version 1.6.0(?) and onwards has cgroup match built in; so no need to use the binary provided by the website.
