From: Christophe-Marie Duquesne
Sender: chm.duquesne@gmail.com
To: vtol <vtol@gmx.net>, wireguard@lists.zx2c4.com
Date: Mon, 7 May 2018 15:23:45 +0200
Subject: Re: WG endpoint node exit to inet and DNS resolver
In-Reply-To: <586e6364-d143-2b9b-8ea0-940072a9db9a@gmx.net>
References: <586e6364-d143-2b9b-8ea0-940072a9db9a@gmx.net>
List-Id: Development discussion of WireGuard

Re-adding the ML that I removed from my response by mistake

On Mon, May 7, 2018 at 3:12 PM, ѽ҉ᶬḳ℠ <vtol@gmx.net> wrote:
> Thank you for the instant response.
>
>> Wireguard does not mess with the DNS (afaik) so whatever is already
>> configured on the client is used.
>
> Had hoped there would be a way for the clients to utilize the endpoint
> node's DNS resolver.

There are many ways to do that. You could set up post-up scripts that modify
resolv.conf when the wg interface is up. You could run a caching DNS server
on your LAN that talks to your gateway DNS resolver.

>> If you want to route ipv4 traffic of "clients" through your "server"
>> (using quotes here because wireguard is peer to peer, so it does not
>> really make sense to say that), you probably need to enable ipv4
>> forwarding in the kernel, and have postrouting rules that look like
>> "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE".
>
> forwarding is enabled in the kernel. Currently I am trying to set it up
> with the name space solution (https://www.wireguard.com/netns/) which
> perhaps does not require iptables rules; at least there is no mention of
> it.

I have not played with netns, so I cannot comment on that.

> Being of a peer-to-peer concept, WG is then not really suited as a VPN
> gateway?

It certainly is suited for tunneling all traffic through the tunnel. There
are a few blog posts around describing how to do this.
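The two pieces of advice in the reply above (enable IPv4 forwarding plus a POSTROUTING MASQUERADE rule on the exit node, and have the client's resolv.conf point at the exit node's resolver while the tunnel is up) fit naturally into wg-quick's PostUp/PostDown hooks and its DNS= directive. The script below is an added example written for this page; it is not code from the thread or from the WireGuard project. It renders the gateway and client configs and lints the hooks so that every iptables rule added in PostUp has a matching PostDown deletion, which is the check that keeps a stale MASQUERADE rule from surviving a `wg-quick down`. Interface name, addresses, endpoint and the `<..._PLACEHOLDER>` keys are constructed; `%i` is wg-quick's own placeholder for the interface name, and the example assumes the gateway's resolver listens on its WireGuard address (10.0.0.1 here).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: render wg-quick configs for
# an exit node and a client, and check the PostUp/PostDown hooks for symmetry.

# Gateway (exit node) side. $1 = uplink interface, $2 = WireGuard address/CIDR.
# Constructed values; keys are placeholders to be replaced with real ones.
render_gateway_conf() {
    uplink="$1"; addr="$2"
    cat <<EOF
[Interface]
Address = $addr
ListenPort = 51820
PrivateKey = <GATEWAY_PRIVATE_KEY_PLACEHOLDER>
# Forwarding is left on after down, since other services may depend on it.
PostUp = sysctl -w net.ipv4.ip_forward=1
# NAT tunnel traffic out of the uplink, and allow it through FORWARD.
PostUp = iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -o $uplink -j ACCEPT
PostUp = iptables -A FORWARD -i $uplink -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Every -A above gets a -D here, so nothing lingers once the tunnel is down.
PostDown = iptables -D FORWARD -i $uplink -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o $uplink -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o $uplink -j MASQUERADE
EOF
}

# Client side. $1 = client address/CIDR, $2 = resolver (the gateway's
# tunnel address), $3 = gateway endpoint host:port. Constructed values.
render_client_conf() {
    addr="$1"; dns="$2"; endpoint="$3"
    cat <<EOF
[Interface]
Address = $addr
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
# wg-quick installs this resolver into resolv.conf while the interface is up
# and restores the previous one on down: the "post-up script that modifies
# resolv.conf" from the thread, without writing one by hand.
DNS = $dns

[Peer]
PublicKey = <GATEWAY_PUBLIC_KEY_PLACEHOLDER>
Endpoint = $endpoint
# All IPv4 traffic goes through the tunnel, so DNS queries to the gateway's
# resolver never leave it in the clear.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Lint: each "PostUp = iptables ... -A ..." must have a "PostDown = iptables
# ... -D ..." twin with identical arguments. Reads a config on stdin and
# returns non-zero when a counterpart is missing.
lint_hooks() {
    conf=$(cat)
    missing=0
    ups=$(printf '%s\n' "$conf" | sed -n 's/^PostUp *= *\(.*iptables.*\)$/\1/p')
    # Feed the loop from a here-document rather than a pipe so that $missing
    # is updated in this shell, not in a subshell.
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        down=$(printf '%s' "$rule" | sed 's/ -A / -D /')
        if ! printf '%s\n' "$conf" | grep -Fq -- "PostDown = $down"; then
            echo "no PostDown counterpart for: $rule" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$ups
EOF
    [ "$missing" -eq 0 ]
}

# Usage: sh this_script.sh demo  (prints both configs and lints the gateway).
if [ "${1:-}" = "demo" ]; then
    render_gateway_conf eth0 10.0.0.1/24
    echo
    render_client_conf 10.0.0.2/24 10.0.0.1 gw.example.invalid:51820
    render_gateway_conf eth0 10.0.0.1/24 | lint_hooks && echo "hooks ok"
fi
```

The lint is deliberately strict about textual equality: a `-D` rule that differs from its `-A` twin by a single argument deletes nothing, and the MASQUERADE rule then stays in the nat table after the tunnel is gone. Keeping the rules scoped to the uplink (`-o eth0`) and to the tunnel interface (`%i`) limits what the gateway will forward to the traffic this thread is about.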