From: Jeremy Hansen <jeremy@skidrow.la>
To: "Contact@nagel-mail.com" <contact@nagel-mail.com>,
Wireguard <wireguard@lists.zx2c4.com>
Subject: Re: Prevent all traffic from going through the WG tunnel
Date: Wed, 04 Jan 2023 09:01:18 -0800 [thread overview]
Message-ID: <d57da2b0589d47af917132a1342a9480@skidrow.la> (raw)
In-Reply-To: <C52E1F98-95C4-41C4-BF67-10618CDF0AEB@nagel-mail.com>
Thank you for all who answered. This is working as expected now and I
have a better understanding of how the AllowedIPs config works as well.
-jeremy
On 2023-01-04 06:47, Contact@nagel-mail.com wrote:
> Hello,
> As I understand your question, you are trying to accomplish that only
> your WireGuard network (extracted from your config, some 10.0.0.0/8
> network; the 192.168.128.0/17 would be a home network?)
> will be routed from your client to your WireGuard server. The rest
> should just leave your client's network card and be routed from your local
> network. For that you simply have to set: AllowedIPs = 10.10.10.1/32,
> or the whole 10.x/x network you are using.
> Hope I understood your question correctly.
>
> Kind regards / best regards
>
> J. Nagel
> IT Specialist for System Integration
>
> Contact@Nagel-Mail.com
>
>> On 04.01.2023 at 14:47, Jeremy Hansen <jeremy@skidrow.la> wrote:
>>
>> I have a remote network that I've tied in to my WG server. I'm
>> noticing that all traffic from this remote network that goes outbound
>> to the internet is getting routed through my wireguard server.
>>
>> Client config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.10/32
>> ListenPort = 51821
>>
>> [Peer]
>> PublicKey = XXXX
>> Endpoint = 11.11.11.11:51821 <- IP of the WG server.
>> AllowedIPs = 0.0.0.0/0, ::/0
>> PersistentKeepAlive=25
>>
>>
>> Server config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.1/32
>> ListenPort = 51821
>>
>> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
>>
>> # IP forwarding
>> PreUp = sysctl -w net.ipv4.ip_forward=1
>>
>> [Peer]
>> PublicKey = XXXX
>> AllowedIPs = 10.10.10.10/32, 192.168.128.0/17 <- Client's internal network.
>>
>>
>> My goal is that regular outbound traffic just goes out the client
>> node's outside routable interface and traffic between the internal
>> networks goes through wireguard.
>>
>> For example, I'm seeing that email sent through the MTA I have
>> configured on the "client" is showing up as originating from the
>> outbound IP of the "server".
>>
>> Thanks!
>> <0x1BF1B863.asc>
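The thread's answer comes down to one rule: a peer's AllowedIPs is not an access list but the set of destinations WireGuard will send to that peer (its cryptokey routing table), and wg-quick installs matching routes for those prefixes. The script below is an added illustration written for this archive page, not code from the thread or from the WireGuard project. It parses the [Peer] AllowedIPs entries of two constructed client configs, the full-tunnel one from the original post and a split-tunnel variant reflecting the suggested fix, and applies the same longest-prefix match WireGuard uses to show which destinations would enter the tunnel. The 10.10.10.0/24 prefix, the SERVER_PUBKEY_XXXX label and the 203.0.113.5 / 2001:db8::1 probe addresses are assumptions (documentation ranges), not values from the thread.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed client config modelled on the one in the thread (keys redacted
# as in the original post). Only the [Peer] AllowedIPs entries drive the
# routing decision simulated below.
FULL_TUNNEL_CONFIG = """\
[Interface]
PrivateKey = XXXX
Address = 10.10.10.10/32
ListenPort = 51821

[Peer]
PublicKey = SERVER_PUBKEY_XXXX
Endpoint = 11.11.11.11:51821
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# The fix suggested in the reply: claim only the WireGuard network for the
# peer. 10.10.10.0/24 is an assumption standing in for "the whole 10.x network".
SPLIT_TUNNEL_CONFIG = FULL_TUNNEL_CONFIG.replace(
    "AllowedIPs = 0.0.0.0/0, ::/0", "AllowedIPs = 10.10.10.0/24"
)


def parse_peers(config: str) -> List[dict]:
    """Collect PublicKey and AllowedIPs for every [Peer] section.

    This is the subset of a wg-quick config that feeds WireGuard's cryptokey
    routing table; all other keys are ignored.
    """
    peers: List[dict] = []
    section = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append({"label": f"peer{len(peers) + 1}", "nets": []})
            continue
        if section != "peer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key == "publickey":
            peers[-1]["label"] = value.strip()
        elif key == "allowedips":
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    peers[-1]["nets"].append(ipaddress.ip_network(cidr, strict=False))
    return peers


def select_peer(peers: List[dict], destination: str) -> Optional[str]:
    """Longest-prefix match over all peers' AllowedIPs, as WireGuard does for
    outgoing packets. None means no peer claims the address: the packet never
    enters the tunnel and leaves through the host's ordinary routes."""
    dst = ipaddress.ip_address(destination)
    best_label, best_len = None, -1
    for peer in peers:
        for net in peer["nets"]:
            if dst.version == net.version and dst in net and net.prefixlen > best_len:
                best_label, best_len = peer["label"], net.prefixlen
    return best_label


def route_decisions(config: str, destinations: List[str]) -> Dict[str, Optional[str]]:
    """Map each destination to the peer label it would be sent to, or None."""
    peers = parse_peers(config)
    return {d: select_peer(peers, d) for d in destinations}


if __name__ == "__main__":
    # 203.0.113.5 stands in for an external mail server; 10.10.10.1 is the
    # server's tunnel address from the thread.
    probes = ["10.10.10.1", "203.0.113.5", "2001:db8::1"]
    for name, cfg in (("full tunnel", FULL_TUNNEL_CONFIG),
                      ("split tunnel", SPLIT_TUNNEL_CONFIG)):
        print(name)
        for dst, peer in route_decisions(cfg, probes).items():
            verdict = f"via {peer}" if peer else "direct (not tunnelled)"
            print(f"  {dst:>14} -> {verdict}")
```

With the original 0.0.0.0/0, ::/0 entry every probe, including the external mail server, matches the server peer, which is exactly why the MTA's outbound connections appeared to originate from the server's public IP. With the narrowed prefix only 10.10.10.x destinations are sent to the peer and everything else stays on the client's normal default route. The script models the cryptokey routing decision only; on a real host wg-quick additionally installs kernel routes for each AllowedIPs prefix, so the two views agree as long as nothing else adds overlapping routes.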
Thread overview: 4+ messages
2023-01-04 6:44 Jeremy Hansen
2023-01-04 16:41 ` Szymon Nowak
[not found] ` <C52E1F98-95C4-41C4-BF67-10618CDF0AEB@nagel-mail.com>
2023-01-04 17:01 ` Jeremy Hansen [this message]
2023-01-04 23:41 ` Omkhar Arasaratnam