Development discussion of WireGuard
* Exempting two things from WireGuard tunneling
@ 2018-03-02  0:33 Nicholas Joll
  2018-03-05 18:59 ` Update: exempting " Nicholas Joll
  0 siblings, 1 reply; 5+ messages in thread
From: Nicholas Joll @ 2018-03-02  0:33 UTC (permalink / raw)
  To: wireguard

Dear List

I'd like to exempt two things from WG: (1) some samba shares, accessed
via autofs, which give me enough trouble without having VPN dropouts
(courtesy of my VPN provider and/or my ISP) as well, (2) Netflix (which
I run via a Chrome app). The samba shares all have fixed IPs and most of
them are on a single Windows machine, on my home network, and another
share is to router-attached USB storage (and only works on Samba
protocol version 1, for some reason; the other shares work on version 3).

I imagine many people will want to do each of these things. There was
something on the list a long time back, I think, about 2, but it was too
technical for me to understand. (My VPN and Wireguard knowledge is
minimal, though I have Bash scripts that put WG up and take it down, and
tell it which server(s) to use.)

With thanks,

N


* Update: exempting two things from WireGuard tunneling
  2018-03-02  0:33 Exempting two things from WireGuard tunneling Nicholas Joll
@ 2018-03-05 18:59 ` Nicholas Joll
  2018-03-05 19:42   ` Kalin KOZHUHAROV
  0 siblings, 1 reply; 5+ messages in thread
From: Nicholas Joll @ 2018-03-05 18:59 UTC (permalink / raw)
  To: wireguard


Dear List

    I've tried all sorts of things to answer my own question (the
question I asked the list a little while ago; my initial e-mail is
appended below) but to no avail. However, I've found something, on the
Wireguard list itself, which looks as though it may help - but I do not
understand it well enough. Might anyone help? The material I found is
located here: https://marc.info/?l=wireguard&m=148813372820847&w=2

Yours

Nicholas



-------- Forwarded Message --------
Subject: 	Exempting two things from WireGuard tunneling
Date: 	Fri, 2 Mar 2018 00:33:25 +0000
From: 	
To: 	wireguard@lists.zx2c4.com


Dear List

I'd like to exempt two things from WG: (1) some samba shares, accessed
via autofs, which give me enough trouble without having VPN dropouts
(courtesy of my VPN provider and/or my ISP) as well, (2) Netflix (which
I run via a Chrome app). The samba shares all have fixed IPs and most of
them are on a single Windows machine, on my home network, and another
share is to router-attached USB storage (and only works on Samba
protocol version 1, for some reason; the other shares work on version 3).

I imagine many people will want to do each of these things. There was
something on the list a long time back, I think, about 2, but it was too
technical for me to understand. (My VPN and Wireguard knowledge is
minimal, though I have Bash scripts that put WG up and take it down, and
tell it which server(s) to use.)

With thanks,

N



* Re: Update: exempting two things from WireGuard tunneling
  2018-03-05 18:59 ` Update: exempting " Nicholas Joll
@ 2018-03-05 19:42   ` Kalin KOZHUHAROV
  2018-03-05 19:43     ` Jason A. Donenfeld
  2018-03-06  9:56     ` Saeid Akbari
  0 siblings, 2 replies; 5+ messages in thread
From: Kalin KOZHUHAROV @ 2018-03-05 19:42 UTC (permalink / raw)
  To: Nicholas Joll; +Cc: WireGuard mailing list

On Mon, Mar 5, 2018 at 7:59 PM, Nicholas Joll <najoll@posteo.net> wrote:
>     I've tried all sorts of things to answer my own question (the
> question I asked the list a little while ago; my initial e-mail is
> appended below) but to no avail. However, I've found something, on the
> Wireguard list itself, which looks as though it may help - but I do not
> understand it well enough. Might anyone help? The material I found is
> located here: https://marc.info/?l=wireguard&m=148813372820847&w=2
>
Maybe it was too vague of a question/statement...

> I'd like to exempt two things from WG:
>
What does exempt mean?
You can "NOT route" packets via a wg interface (fix your routing,
subnets, etc.), or BLOCK packets with a firewall (e.g. nftables,
iptables). 1st is better if possible (requires redesign), 2nd may be
easier. Combining both is the best.


> (1) some samba shares, accessed
> via autofs, which give me enough trouble without having VPN dropouts
> (courtesy of my VPN provider and/or my ISP) as well,
>
"samba shares" is like "red car"...
there are quite a few protocols involved with them, most of them run
atop UDP and TCP or both.

> (2) Netflix (which I run via a Chrome app).
... cannot help you much here, but I guess it is some tcp, udp and rtp
mix to some large cloud of IPs.

> The samba shares all have fixed IPs and most of
> them are on a single Windows machine, on my home network, and another
> share is to router-attached USB storage (and only works on Samba
> protocol version 1, for some reason; the other shares work on version 3).
>
draw a map (on paper) or ascii art or something, put some IP
addresses, fake if you are worried.

> I imagine many people will want to do each of these things. There was
> something on the list a long time back, I think, about 2, but it was too
> technical for me to understand. (My VPN and Wireguard knowledge is
> minimal, though I have Bash scripts that put WG up and take it down, and
> tell it which server(s) to use.)
>
Those are some (advanced) routing rules, you probably can live with
standard, if you can choose the IP addresses/networks you connect to
(home).

Really, try to draw a diagram. If you cannot - then it is probably too
complex and wireguard is not gonna help you.

Cheers,
Kalin.


* Re: Update: exempting two things from WireGuard tunneling
  2018-03-05 19:42   ` Kalin KOZHUHAROV
@ 2018-03-05 19:43     ` Jason A. Donenfeld
  2018-03-06  9:56     ` Saeid Akbari
  1 sibling, 0 replies; 5+ messages in thread
From: Jason A. Donenfeld @ 2018-03-05 19:43 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

Use the ipset= feature of dnsmasq, and then use policy routing on that ipset.


* Re: Update: exempting two things from WireGuard tunneling
  2018-03-05 19:42   ` Kalin KOZHUHAROV
  2018-03-05 19:43     ` Jason A. Donenfeld
@ 2018-03-06  9:56     ` Saeid Akbari
  1 sibling, 0 replies; 5+ messages in thread
From: Saeid Akbari @ 2018-03-06  9:56 UTC (permalink / raw)
  To: wireguard

On Monday, March 5, 2018 11:12:25 PM +0330 Kalin KOZHUHAROV wrote:
> On Mon, Mar 5, 2018 at 7:59 PM, Nicholas Joll <najoll@posteo.net> wrote:
> 
> > (2) Netflix (which I run via a Chrome app).
> 
> ... cannot help you much here, but I guess it is some tcp, udp and rtp
> mix to some large cloud of IPs.
> 
> Cheers,
> Kalin.

On Monday, March 5, 2018 11:13:41 PM +0330 Jason A. Donenfeld wrote:
> Use the ipset= feature of dnsmasq, and then use policy routing on that
> ipset.

Or this link might help: http://www.evolware.org/?p=369

I personally prefer cgroups when I occasionally need to use some website or 
software with different routing needs. So I just simply start a new instance 
of my browser in that cgroup to have its traffic bypassed the wireguard. (or 
bypassing wg? not sure about the grammar :)

PS: I think iptables version 1.6.0(?) and onwards has cgroup match built in; 
so no need to use the binary provided by the website.

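The two suggestions in this thread (dnsmasq's `ipset=` with policy routing, and the iptables cgroup match) differ only in how outgoing packets are classified; the script below is an added example, not code from any poster, that feeds both classifiers into one fwmark and one routing table. The interface `eth0`, gateway `192.168.1.1`, set name, mark, table number, classid, the cgroup v1 `net_cls` path and the domain list are all assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread. All values below are assumptions.
LAN_DEV=${LAN_DEV:-eth0}          # physical interface
LAN_GW=${LAN_GW:-192.168.1.1}     # home router
MARK=0x1                          # fwmark meaning "do not use the tunnel"
TABLE=100                         # dedicated routing table number
SET=bypass_wg                     # ipset that dnsmasq fills
CLASSID=0x00110011                # net_cls classid of the bypass cgroup
CG=/sys/fs/cgroup/net_cls/novpn   # cgroup v1 net_cls path

# Line for dnsmasq.conf: addresses resolved for these names go into $SET.
# The domain list is illustrative, not complete for any service.
dnsmasq_line() { printf 'ipset=/netflix.com/nflxvideo.net/%s\n' "$SET"; }

# Classifier A: destination address is in the DNS-populated ipset.
ipset_rules() {
  echo "ipset create $SET hash:ip -exist"
  echo "iptables -t mangle -A OUTPUT -m set --match-set $SET dst -j MARK --set-mark $MARK"
}

# Classifier B: the sending process belongs to the bypass cgroup.
cgroup_rules() {
  echo "mkdir -p $CG"
  echo "echo $CLASSID > $CG/net_cls.classid"
  echo "iptables -t mangle -A OUTPUT -m cgroup --cgroup $CLASSID -j MARK --set-mark $MARK"
}

# Shared policy routing: marked packets follow the LAN default route.
routing_rules() {
  echo "ip route replace default via $LAN_GW dev $LAN_DEV table $TABLE"
  echo "ip rule add fwmark $MARK table $TABLE priority 100"
  # The source address was picked before the mark was set, so rewrite it
  # to the LAN address on the way out.
  echo "iptables -t nat -A POSTROUTING -o $LAN_DEV -m mark --mark $MARK -j MASQUERADE"
}

plan() { ipset_rules; cgroup_rules; routing_rules; }

# Dry run by default: print the plan. APPLY=1 (as root) executes it.
run() {
  plan | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; else echo "+ $cmd"; fi
  done
}
run
```

For classifier A the machine must resolve names through a dnsmasq built with ipset support and carrying the `dnsmasq_line` output in its configuration; for classifier B the exempted program's PID is written to `$CG/cgroup.procs` before it opens connections. If replies arriving on the LAN interface are dropped, check the `rp_filter` sysctl for that interface.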
