Development discussion of WireGuard
From: Jeremy Hansen <jeremy@skidrow.la>
To: "Contact@nagel-mail.com" <contact@nagel-mail.com>,
	Wireguard <wireguard@lists.zx2c4.com>
Subject: Re: Prevent all traffic from going through the WG tunnel
Date: Wed, 04 Jan 2023 09:01:18 -0800	[thread overview]
Message-ID: <d57da2b0589d47af917132a1342a9480@skidrow.la> (raw)
In-Reply-To: <C52E1F98-95C4-41C4-BF67-10618CDF0AEB@nagel-mail.com>




Thank you for all who answered.  This is working as expected now and I 
have a better understanding of how the AllowedIPs config works as well.

-jeremy

On 2023-01-04 06:47, Contact@nagel-mail.com wrote:
> Hello,
> As I understand your question, you are trying to accomplish, that only
> your WireGuard network ( extracted from your config some 10.0.0.0/8
> network. The 192.168.128.0/17 would be a home network?)
> Will be routed from your client to your WireGuard server. The rest
> should just leave your client network card and routed from your local
> network. For that you simply have to set: AllowedIPs = 10.10.10.1/32
> Or the whole 10.x/x Network you are using.
> Hope I understood your question correctly.
> 
> Kind regards / best regards
> 
> J. Nagel
> IT Specialist for System Integration
> 
> Contact@Nagel-Mail.com
> 
>> On 04.01.2023 at 14:47, Jeremy Hansen <jeremy@skidrow.la> wrote:
>> 
>> I have a remote network that I've tied in to my WG server.  I'm 
>> noticing that all traffic from this remote network that goes outbound 
>> to the internet is getting routed through my wireguard server.
>> 
>> Client config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.10/32
>> ListenPort = 51821
>> 
>> [Peer]
>> PublicKey = XXXX
>> Endpoint = 11.11.11.11:51821 <- IP of the WG server.
>> AllowedIPs = 0.0.0.0/0, ::/0
>> PersistentKeepAlive=25
>> 
>> 
>> Server config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.1/32
>> ListenPort = 51821
>> 
>> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o 
>> %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o 
>> %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
>> 
>> # IP forwarding
>> PreUp = sysctl -w net.ipv4.ip_forward=1
>> 
>> [Peer]
>> PublicKey = XXXX
>> AllowedIPs = 10.10.10.10/32, 192.168.128.0/17 <- Client's internal 
>> network.
>> 
>> 
>> My goal is that regular outbound traffic just goes out the client 
>> node's outside routable interface and traffic between the internal 
>> networks goes through wireguard.
>> 
>> For example, I'm seeing email being sent through the MTA I have 
>> configured on the "client" is showing up as originating from the 
>> outbound IP of the "server".
>> 
>> Thanks!
>> <0x1BF1B863.asc>
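
As an added example (not code from this thread or from the WireGuard project), the script below replays the decision the thread turns on: WireGuard's cryptokey routing, where the most specific AllowedIPs entry across all peers decides which peer receives a packet, and a destination that matches no entry never enters the tunnel. It hand-parses the [Peer] sections of a wg-quick style config (configparser rejects the repeated [Peer] headers a real config may have), then compares the poster's original client config against the reply's first suggestion, AllowedIPs = 10.10.10.1/32. Both configs, the sample destinations, and the XXXX key placeholders are constructed for the example; the parser and `route_for`, `allowed_networks`, `compare` helpers are this example's own, not wg(8) functions.

```python
"""Simulate WireGuard's cryptokey-routing decision for a wg-quick client config.

Added example; it is not code from the thread or from the WireGuard project.
It parses the [Peer] sections of a config, flattens their AllowedIPs into a
table, and answers "which peer would receive a packet for this destination?"
using WireGuard's rule: the longest-prefix AllowedIPs match across all peers
wins, and a destination that matches nothing never enters the tunnel.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the client config from the original post (keys redacted).
ORIGINAL_CLIENT_CONF = """\
[Interface]
PrivateKey = XXXX
Address = 10.10.10.10/32
ListenPort = 51821

[Peer]
PublicKey = XXXX
Endpoint = 11.11.11.11:51821
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# Constructed sample: the same config with AllowedIPs narrowed to the server's
# tunnel address, the first fix suggested in the reply.
FIXED_CLIENT_CONF = ORIGINAL_CLIENT_CONF.replace(
    "AllowedIPs = 0.0.0.0/0, ::/0", "AllowedIPs = 10.10.10.1/32"
)


def parse_peers(conf: str) -> List[Dict[str, str]]:
    """Return every [Peer] section as a key -> value dict (keys lower-cased).

    A config may contain several [Peer] sections with identical headers, which
    configparser rejects, so the INI-like format is parsed by hand.
    """
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].strip().lower() == "peer":
                current = {}
                peers.append(current)
            else:
                current = None  # [Interface] does not influence routing
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return peers


def allowed_networks(conf: str) -> List[Tuple[Network, str]]:
    """Flatten every peer's AllowedIPs into (network, peer public key) pairs."""
    table: List[Tuple[Network, str]] = []
    for peer in parse_peers(conf):
        for cidr in peer.get("allowedips", "").split(","):
            cidr = cidr.strip()
            if cidr:
                # strict=False tolerates host bits, e.g. 10.10.10.10/24
                net = ipaddress.ip_network(cidr, strict=False)
                table.append((net, peer.get("publickey", "<no PublicKey>")))
    return table


def route_for(conf: str, destination: str) -> Optional[str]:
    """Public key of the peer that would carry traffic to `destination`,
    or None when no AllowedIPs entry matches and the packet therefore stays
    on the host's ordinary routing table (i.e. leaves via the physical NIC).
    """
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[Network, str]] = None
    for net, pubkey in allowed_networks(conf):
        if net.version == dst.version and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, pubkey)  # longest prefix wins
    return best[1] if best else None


def compare(destinations: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """For each destination: (peer under the original config, peer under the fix)."""
    return {
        d: (route_for(ORIGINAL_CLIENT_CONF, d), route_for(FIXED_CLIENT_CONF, d))
        for d in destinations
    }


if __name__ == "__main__":
    samples = ["10.10.10.1", "8.8.8.8", "192.168.200.5", "2001:db8::1"]
    for dest, (before, after) in compare(samples).items():
        print(f"{dest:>14}  original -> {before or 'local NIC'}  "
              f"fixed -> {after or 'local NIC'}")
```

Under the original config every destination, v4 and v6, resolves to the single peer, which is exactly why the client's outbound mail left through the server's address. With the narrowed list only 10.10.10.1 does; 8.8.8.8 and the home network fall through to the host's own routes. Two practical points the simulation does not show: wg-quick also installs kernel routes for each AllowedIPs entry (for 0.0.0.0/0 it uses the fwmark plus policy-rule trick rather than a plain default route), so narrowing the list removes the tunnel default route as well; and AllowedIPs is symmetric, so whatever is left out of the list is also dropped on receipt from that peer.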


Thread overview: 4+ messages
2023-01-04  6:44 Jeremy Hansen
2023-01-04 16:41 ` Szymon Nowak
     [not found] ` <C52E1F98-95C4-41C4-BF67-10618CDF0AEB@nagel-mail.com>
2023-01-04 17:01   ` Jeremy Hansen [this message]
2023-01-04 23:41 ` Omkhar Arasaratnam