Development discussion of WireGuard
* Prevent all traffic from going through the WG tunnel
@ 2023-01-04  6:44 Jeremy Hansen
  2023-01-04 16:41 ` Szymon Nowak
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Jeremy Hansen @ 2023-01-04  6:44 UTC (permalink / raw)
  To: wireguard



I have a remote network that I've tied in to my WG server.  I'm noticing 
that all traffic from this remote network that goes outbound to the 
internet is getting routed through my wireguard server.

Client config:
[Interface]
PrivateKey = XXXX
Address = 10.10.10.10/32
ListenPort = 51821

[Peer]
PublicKey = XXXX
Endpoint = 11.11.11.11:51821  # IP of the WG server
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25


Server config:
[Interface]
PrivateKey = XXXX
Address = 10.10.10.1/32
ListenPort = 51821

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE

# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = XXXX
AllowedIPs = 10.10.10.10/32, 192.168.128.0/17  # client's internal network


My goal is that regular outbound traffic just goes out the client node's 
outside routable interface and traffic between the internal networks 
goes through wireguard.

For example, email sent through the MTA I have configured on the 
"client" is showing up as originating from the outbound IP of the 
"server".

Thanks!


* Re: Prevent all traffic from going through the WG tunnel
  2023-01-04  6:44 Prevent all traffic from going through the WG tunnel Jeremy Hansen
@ 2023-01-04 16:41 ` Szymon Nowak
       [not found] ` <C52E1F98-95C4-41C4-BF67-10618CDF0AEB@nagel-mail.com>
  2023-01-04 23:41 ` Omkhar Arasaratnam
  2 siblings, 0 replies; 4+ messages in thread
From: Szymon Nowak @ 2023-01-04 16:41 UTC (permalink / raw)
  To: Jeremy Hansen; +Cc: wireguard

Correct settings

AllowedIPs = 10.10.10.10/32, 192.168.128.0/17, ::/1, 8000::/1


* Re: Prevent all traffic from going through the WG tunnel
       [not found] ` <C52E1F98-95C4-41C4-BF67-10618CDF0AEB@nagel-mail.com>
@ 2023-01-04 17:01   ` Jeremy Hansen
  0 siblings, 0 replies; 4+ messages in thread
From: Jeremy Hansen @ 2023-01-04 17:01 UTC (permalink / raw)
  To: Contact@nagel-mail.com, Wireguard


Thank you for all who answered.  This is working as expected now and I 
have a better understanding of how the AllowedIPs config works as well.

-jeremy

On 2023-01-04 06:47, Contact@nagel-mail.com wrote:
> Hello,
> As I understand your question, you are trying to accomplish that only
> your WireGuard network (extracted from your config, some 10.0.0.0/8
> network; the 192.168.128.0/17 would be a home network?) will be routed
> from your client to your WireGuard server. The rest should just leave
> your client's network card and be routed from your local network. For
> that you simply have to set: AllowedIPs = 10.10.10.1/32, or the whole
> 10.x/x network you are using.
> Hope I understood your question correctly.
> 
> Kind regards / best regards
> 
> J. Nagel
> IT Specialist, Systems Integration
> 
> Contact@Nagel-Mail.com
> 

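An added example, not code from this thread or from the WireGuard project: a small simulator of the cryptokey routing that AllowedIPs defines. For each peer, AllowedIPs is both the set of destination addresses that get encrypted to that peer (longest prefix wins when peers overlap) and the set of source addresses accepted from that peer after decryption; wg-quick additionally installs a kernel route for every prefix, which is why the original client config with 0.0.0.0/0, ::/0 sends all traffic to the server. The script runs the original set, a tunnel-only set, and the set proposed in the first reply against a few sample destinations so you can see exactly what each one covers (for instance that ::/1 and 8000::/1 together span all of IPv6, and whether the server's tunnel address 10.10.10.1 is included). The 10.10.10.0/24 tunnel network is an assumption; the posted configs only give /32 addresses.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The client's only peer in the thread is the WG server.
SERVER = "server"

# AllowedIPs sets from the thread. The /24 for the split tunnel is an
# assumption: the posted configs only give /32 tunnel addresses.
FULL_TUNNEL = "0.0.0.0/0, ::/0"                                  # original client config
SPLIT_TUNNEL = "10.10.10.0/24"                                    # tunnel network only (assumed mask)
REPLY_SET = "10.10.10.10/32, 192.168.128.0/17, ::/1, 8000::/1"    # as proposed in the first reply


def parse_allowed_ips(value: str) -> List[Network]:
    """Split a wg-quick AllowedIPs value into network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


class CryptokeyRouter:
    """Longest-prefix-match table mapping AllowedIPs prefixes to peer names."""

    def __init__(self) -> None:
        self.table: List[Tuple[Network, str]] = []

    def add_peer(self, name: str, allowed_ips: str) -> None:
        for net in parse_allowed_ips(allowed_ips):
            # A prefix belongs to exactly one peer; a later assignment takes it over.
            self.table = [(n, p) for n, p in self.table if n != net]
            self.table.append((net, name))

    def peer_for(self, addr: str) -> Optional[str]:
        """Outbound: which peer (if any) a packet to `addr` is encrypted to."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Tuple[Network, str]] = None
        for net, peer in self.table:
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accepts(self, peer: str, src: str) -> bool:
        """Inbound: a decrypted packet from `peer` is kept only if its source
        address maps back to that same peer; otherwise WireGuard drops it."""
        return self.peer_for(src) == peer


def client_router(allowed_ips: str) -> CryptokeyRouter:
    """Build the client's table: one peer (the server) with the given AllowedIPs."""
    r = CryptokeyRouter()
    r.add_peer(SERVER, allowed_ips)
    return r


def route_decisions(allowed_ips: str, destinations: List[str]) -> Dict[str, str]:
    """Map each destination to 'wg0' (encrypted to the server) or 'local'
    (left to ordinary host routing, i.e. the outside interface)."""
    r = client_router(allowed_ips)
    return {d: ("wg0" if r.peer_for(d) == SERVER else "local") for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: a public v4 host, the server's tunnel
    # address, and a public v6 host.
    dests = ["8.8.8.8", "10.10.10.1", "2001:db8::1"]
    for label, allowed in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("reply", REPLY_SET)]:
        print(f"{label:5s} {route_decisions(allowed, dests)}")
    # Inbound check: with the split set, a packet arriving from the server that
    # claims to be from 8.8.8.8 is dropped, because 8.8.8.8 is not in AllowedIPs.
    print("split accepts src 8.8.8.8 from server:",
          client_router(SPLIT_TUNNEL).accepts(SERVER, "8.8.8.8"))
```

Run it as-is and compare the three lines: the full set sends every destination to wg0, the tunnel-only set sends just 10.10.10.1, and the reply's set leaves both 8.8.8.8 and 10.10.10.1 local while still tunnelling the IPv6 destination. The same table is what `wg show <iface> allowed-ips` prints on a live host, so the simulator is a way to reason about a config before bringing it up.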

* Re: Prevent all traffic from going through the WG tunnel
  2023-01-04  6:44 Prevent all traffic from going through the WG tunnel Jeremy Hansen
  2023-01-04 16:41 ` Szymon Nowak
       [not found] ` <C52E1F98-95C4-41C4-BF67-10618CDF0AEB@nagel-mail.com>
@ 2023-01-04 23:41 ` Omkhar Arasaratnam
  2 siblings, 0 replies; 4+ messages in thread
From: Omkhar Arasaratnam @ 2023-01-04 23:41 UTC (permalink / raw)
  To: Jeremy Hansen; +Cc: wireguard

Are your NAT rules necessary? They seem to be forcing *everything* through

--oa


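An added example, not from this thread or from the WireGuard project, that audits the server's PostUp rules for the breadth questioned above. As posted, the FORWARD rule with only -i accepts tunnel traffic to any destination, the FORWARD rule with only -o accepts traffic into the tunnel from any source, and the MASQUERADE rule has no -s, so whatever the server forwards out eno1 leaves with the server's address; that is the path by which the client's MTA traffic showed up with the server's outbound IP. Fixing AllowedIPs on the client stops that traffic from arriving, but scoping the server rules means the server stops acting as an internet exit even if a peer later pushes 0.0.0.0/0 again. The script parses the rules as posted (with %i replaced by wg0, as wg-quick does) and emits scoped replacements; the 10.10.10.0/24 tunnel network used for -s is an assumption, and eno1 is taken from the posted MASQUERADE rule.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# PostUp line as posted on the server, joined onto one line. %i is the
# placeholder wg-quick replaces with the interface name.
POSTUP = ("iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; "
          "iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE")

# Assumptions: the tunnel network the server should NAT for (the thread only
# shows the /32 addresses 10.10.10.1 and 10.10.10.10) and the outside interface.
TUNNEL_NET = "10.10.10.0/24"
OUTSIDE = "eno1"


@dataclass
class Rule:
    table: str
    chain: Optional[str]
    target: Optional[str]
    matches: Dict[str, str] = field(default_factory=dict)   # e.g. {"-o": "eno1"}
    negated: Set[str] = field(default_factory=set)          # matches preceded by "!"


def parse_rule(cmd: str, iface: str = "wg0") -> Rule:
    """Parse one iptables command into table, chain, target and simple matches.
    Only the options used in the posted rules (plus -s/-d/-p and "!") are handled."""
    toks = shlex.split(cmd.replace("%i", iface))
    if not toks or toks[0] != "iptables":
        raise ValueError(f"not an iptables command: {cmd!r}")
    rule = Rule(table="filter", chain=None, target=None)
    i, neg = 1, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            neg, i = True, i + 1
            continue
        if tok == "-t":
            rule.table = toks[i + 1]
        elif tok in ("-A", "-I", "-D"):
            rule.chain = toks[i + 1]
        elif tok == "-j":
            rule.target = toks[i + 1]
        elif tok in ("-i", "-o", "-s", "-d", "-p"):
            rule.matches[tok] = toks[i + 1]
            if neg:
                rule.negated.add(tok)
        else:
            raise ValueError(f"unsupported option {tok!r} in {cmd!r}")
        neg, i = False, i + 2
    return rule


def audit_postup(postup: str, tunnel_net: str = TUNNEL_NET, iface: str = "wg0",
                 outside: str = OUTSIDE) -> List[Tuple[str, str]]:
    """Return (finding, suggested replacement rule) pairs for over-broad rules."""
    findings: List[Tuple[str, str]] = []
    for cmd in (c.strip() for c in postup.split(";") if c.strip()):
        r = parse_rule(cmd, iface)
        m = r.matches
        is_forward_accept = r.table == "filter" and r.chain == "FORWARD" and r.target == "ACCEPT"
        # Tunnel -> anywhere: packets from the tunnel may be forwarded out any
        # interface, including the internet-facing one.
        if is_forward_accept and m.get("-i") == iface and "-o" not in m and "-d" not in m:
            findings.append(("forward-any-dest",
                             f"iptables -A FORWARD -i {iface} ! -o {outside} -j ACCEPT"))
        # Anywhere -> tunnel: anything the server routes toward the tunnel is
        # forwarded, whatever interface it came in on.
        if is_forward_accept and m.get("-o") == iface and "-i" not in m and "-s" not in m:
            findings.append(("forward-from-any",
                             f"iptables -A FORWARD ! -i {outside} -o {iface} -j ACCEPT"))
        # MASQUERADE without -s rewrites the source of everything leaving that
        # interface, not just traffic that originated inside the tunnel.
        if r.table == "nat" and r.target == "MASQUERADE" and "-s" not in m:
            out = m.get("-o", outside)
            findings.append(("masquerade-unscoped",
                             f"iptables -t nat -A POSTROUTING -s {tunnel_net} -o {out} -j MASQUERADE"))
    return findings


if __name__ == "__main__":
    for kind, fix in audit_postup(POSTUP):
        print(f"{kind:20s} suggest: {fix}")
```

The suggested rules are deliberately conservative: they keep the server forwarding between the tunnel and its own networks while refusing to forward tunnel traffic out the outside interface, and they NAT only sources inside the tunnel network. Re-running the audit over its own suggestions returns no findings, which is a cheap regression check to keep next to the config.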
