[WireGuard] Using wireguard link as a proxy?

Baptiste Jonglez baptiste at bitsofnetworks.org
Fri Jul 22 10:18:21 CEST 2016


Hi,

On Thu, Jul 21, 2016 at 03:57:42PM -0500, Bruno Wolff III wrote:
> I am trying to test using a wireguard link as a proxy and I am having
> trouble. On the source machine I am trying to route packets through wg0
> using a routing entry that has the remote end point tunnel address on a via
> command. The idea is to have the packets sent through the tunnel and then to
> do source nat on the remote side of the tunnel. The packets go to the
> interface, but do not come out the other end. Ping reports:
> From 192.168.7.2 icmp_seq=69 Destination Host Unreachable
> ping: sendmsg: Required key not available
> 
> So I think the destination address in the packet is being used to find the
> tunnel key to use rather than the immediate next destination for the packet.

Yes, the notion of "immediate next destination" does not make sense for
WireGuard.  It encapsulates plain IP, not Ethernet.

> Has anyone else played with something like this and gotten it to work?
> 
> Some info on what I was trying:
> ip route
> default via 129.89.248.129 dev em1  proto static  metric 100
> 98.103.208.26 via 192.168.7.1 dev wg0

The "via 192.168.7.1" doesn't really make sense, because a wireguard
interface is a layer-3 device, not an Ethernet device.  You can include it
but the kernel will just ignore that part, so the route above is equivalent to:

  98.103.208.26 dev wg0

> 129.89.248.128/27 dev em1  proto kernel  scope link src 129.89.248.147 metric 100
> 192.168.7.1 dev wg0  proto kernel  scope link src 192.168.7.2
> 
> wg source machine
>  endpoint: 98.103.208.27:992
>  allowed ips: 192.168.7.1/32

You need "allowed ips 0.0.0.0/0" here.  Your situation is just a regular
client/server tunneling setup, there's nothing special about "proxying",
whatever that means.

Basically, you want your client to be able to reach the whole Internet via
the wireguard interface, so any destination IP address should be routed
through the server (and conversely, any source IP address should be
allowed from the server).

> wg proxy machine
>  endpoint: 129.89.248.147:992
>  allowed ips: 192.168.7.2/32
> 
> tcpdump output from wg0
> 15:54:34.129798 IP 192.168.7.2 > 98.103.208.26: ICMP echo request, id 25371, seq 1, length 64
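The behaviour discussed in this thread can be reproduced without a kernel: WireGuard decides which peer a packet belongs to by a longest-prefix match of the packet's *destination* address against every peer's allowed-ips (outbound), and drops a decrypted packet whose *source* address is not in the sending peer's allowed-ips (inbound). The following is an added, stand-alone model of that cryptokey routing table, written for this page and not code from WireGuard or from either poster. The addresses are the ones quoted in the thread; the peer names, the CryptokeyRouter class and the helper functions are illustrative.

```python
"""Model of WireGuard cryptokey routing (allowed-ips lookup), added as an example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Addresses quoted in the thread: the server's WireGuard endpoint and the ping target.
SERVER_ENDPOINT = "98.103.208.27:992"
PING_TARGET = "98.103.208.26"


@dataclass
class Peer:
    name: str           # illustrative label, not a WireGuard field
    endpoint: str
    allowed_ips: List[ipaddress._BaseNetwork]


class CryptokeyRouter:
    """Simplified stand-in for a WireGuard interface's allowed-ips table."""

    def __init__(self, peers: List[Peer]):
        self.peers = peers

    def outbound_peer(self, dst: str) -> Optional[Peer]:
        # Longest-prefix match on the destination address.  A "via" nexthop on the
        # kernel route plays no part here; only the packet's destination matters.
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best  # None corresponds to the kernel's ENOKEY ("Required key not available")

    def accept_inbound(self, peer: Peer, src: str) -> bool:
        # A decrypted packet is accepted only if its source lies in that peer's allowed-ips;
        # anything else is silently dropped (anti-spoofing).
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in peer.allowed_ips)


def client_router(allowed: List[str]) -> CryptokeyRouter:
    """The source machine's wg0 with a single peer (the server) and the given allowed-ips."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    return CryptokeyRouter([Peer("server", SERVER_ENDPOINT, nets)])


def client_lookup(allowed: List[str], dst: str) -> Optional[str]:
    """Which peer the client's packet to dst would be encrypted for, or None."""
    peer = client_router(allowed).outbound_peer(dst)
    return peer.name if peer else None


def client_accepts_reply(allowed: List[str], src: str) -> bool:
    """Whether the client accepts a packet from the server whose inner source is src."""
    router = client_router(allowed)
    return router.accept_inbound(router.peers[0], src)


def server_accepts(src: str) -> bool:
    """Server side: the client peer is allowed only 192.168.7.2/32, as in the thread."""
    client = Peer("client", "129.89.248.147:992", [ipaddress.ip_network("192.168.7.2/32")])
    return CryptokeyRouter([client]).accept_inbound(client, src)


def longest_prefix_winner(dst: str) -> str:
    """Generalisation: with overlapping allowed-ips, the most specific peer wins."""
    wide = Peer("exit", SERVER_ENDPOINT, [ipaddress.ip_network("0.0.0.0/0")])
    narrow = Peer("lan", "192.0.2.1:51820", [ipaddress.ip_network("192.168.7.0/24")])
    return CryptokeyRouter([wide, narrow]).outbound_peer(dst).name


if __name__ == "__main__":
    original = ["192.168.7.1/32"]   # the poster's configuration
    fixed = ["0.0.0.0/0"]           # the configuration suggested in the reply
    print("original, dst", PING_TARGET, "->", client_lookup(original, PING_TARGET))
    print("fixed,    dst", PING_TARGET, "->", client_lookup(fixed, PING_TARGET))
    # After SNAT on the server, the echo reply comes back with source 98.103.208.26;
    # the client must also be willing to accept that source from the server peer.
    print("original accepts reply:", client_accepts_reply(original, PING_TARGET))
    print("fixed    accepts reply:", client_accepts_reply(fixed, PING_TARGET))
    print("server accepts spoofed source 10.1.2.3:", server_accepts("10.1.2.3"))
```

Two practical caveats follow from the model. First, once the client has 0.0.0.0/0 as allowed-ips, a default route through wg0 would also cover the server's own endpoint (98.103.208.27); the encrypted UDP packets must still leave via em1, so a host route for the endpoint via the regular gateway, or a fwmark plus policy-routing rule, is needed. Second, the server-side allowed-ips of 192.168.7.2/32 is what makes the source-NAT safe: the server only ever forwards (and NATs) packets whose inner source the client was permitted to use.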