[WireGuard] Using wireguard link as a proxy?

Bruno Wolff III bruno at wolff.to
Sat Jul 23 18:36:37 CEST 2016

On Fri, Jul 22, 2016 at 13:05:27 -0500,
  Bruno Wolff III <bruno at wolff.to> wrote:
>So for a real example that appears to be working, my systemd service 

I had another issue and that is the proxy server was used for some 
other services and I didn't want to connect to those from outside the 
tunnel. So I wanted some traffic to the proxy server to go direct and 
some to go through the tunnel. This involves marking packets. But the 
guessed source addresses don't use the marks, so you need to rewrite 
(SNAT) the source address for some of the outgoing packets. If you 
want static rules to do this you need to have the incorrect guesses 
be to use normal routing and then rewrite the source address for 
packets going over the tunnel, as the tunnel address is fixed, but 
the normal gateway address will change when moving between networks or 
possibly when DHCP leases expire.

The explanations for marking and policy routing aren't explicit about 
how you need to handle the source address issue and why it happens, though 
there are lots of mentions that there are problems related to the source 

Another gotcha is that ip rule can't negate a test for fwmark and testing 
for fwmark equal to zero is a flag not to test it at all. So you need to 
do more complicated packet marking.

I'm attaching the real systemd service file (with the routing policy 
commands and other wireguard setup) and the iptables information.
-------------- next part --------------
[Unit]
Description=WireGuard Server

[Service]
# Type=oneshot is required for a unit with several ExecStart= lines, and
# RemainAfterExit=yes keeps the unit active so the ExecStopPost= commands
# only run on an explicit stop. The section headers and these two settings
# are missing from the archived attachment and are supplied here.
Type=oneshot
RemainAfterExit=yes
# The leading "-" ignores failure (there is no wg0 to delete on a clean start).
ExecStart=-/usr/sbin/ip link del dev wg0
# Reset the routing policy database to the stock rules before adding ours.
ExecStart=/usr/sbin/ip rule flush
ExecStart=/usr/sbin/ip rule add from all lookup default priority 32767
ExecStart=/usr/sbin/ip rule add from all lookup main priority 32766
ExecStart=/usr/sbin/ip route flush table 200
ExecStart=/usr/sbin/ip link add dev wg0 type wireguard
# The local and peer tunnel addresses are elided in the archived attachment.
ExecStart=/usr/sbin/ip address add dev wg0 peer
ExecStart=/usr/bin/wg setconf wg0 /etc/wireguard/config
ExecStart=/usr/sbin/ip link set up dev wg0
# Table 200 carries only a default route over the tunnel.
ExecStart=/usr/sbin/ip route add default dev wg0 table 200
# Rule 101: consult main but suppress its default route (prefix length 0),
# so LAN and other specific routes still win for every packet.
ExecStart=/usr/sbin/ip rule add suppress_prefixlength 0 lookup main priority 101
# Rule 102: packets marked 2 by the mangle OUTPUT rules use the tunnel table.
ExecStart=/usr/sbin/ip rule add fwmark 2 lookup 200 priority 102
ExecStart=/usr/sbin/ip route flush cache
ExecStopPost=/usr/sbin/ip link del dev wg0
ExecStopPost=/usr/sbin/ip rule flush
ExecStopPost=/usr/sbin/ip rule add from all lookup default priority 32767
ExecStopPost=/usr/sbin/ip rule add from all lookup main priority 32766
ExecStopPost=/usr/sbin/ip route flush table 200
ExecStopPost=/usr/sbin/ip route flush cache

-------------- next part --------------
# nat table, POSTROUTING chain (the source and --to-source addresses are
# elided in the archive): packets routed out wg0 that still carry the
# source address guessed for the normal gateway path get the tunnel address.
-A POSTROUTING ! -s -o wg0 -j SNAT --to-source
# mangle table, OUTPUT chain: mark everything 2 (tunnel path), then re-mark
# the WireGuard UDP traffic to the endpoint as 1 so it uses normal routing.
# The -d destination addresses are elided in the archive.
-A OUTPUT -j MARK --set-xmark 0x2/0xffffffff
-A OUTPUT -d -p udp -m udp --dport 992 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d -p udp -m udp --dport 992 -j MARK --set-xmark 0x1/0xffffffff
# filter table: accept loopback, the tunnel, ICMP and established traffic,
# SSH from one source (elided) and the WireGuard listen port; reject the rest.
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 992 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
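To make the interplay between the mangle marks, the ip rule entries and the SNAT rule concrete, here is a small Python model of the kernel's rule walk and of when the source address gets chosen. It is an added example, not code from Bruno's post or from the WireGuard project. The interface names eth0/wg0 and all addresses are constructed (RFC 5737 documentation ranges); port 992 and the mark values come from the attached rules; the model's claim that the first route lookup fixes the source address and a post-mark re-route keeps it is the behaviour the post describes, simplified.

```python
"""Toy model of the Linux routing policy database (RPDB) walk and source
address selection behind the rules in the attached unit and iptables files.
Added example, not code from the post; topology and addresses are constructed."""
from ipaddress import ip_address, ip_network

# Constructed sample topology (RFC 5737 documentation ranges).
ETH0_ADDR = "192.0.2.10"    # address chosen for routes that leave via eth0
WG0_ADDR = "198.51.100.2"   # tunnel address: fixed, unlike the DHCP gateway
ENDPOINT = "203.0.113.5"    # WireGuard endpoint; UDP port 992 as in the rules

# Routing tables as (prefix, device, preferred source) entries.
TABLES = {
    "main": [(ip_network("192.0.2.0/24"), "eth0", ETH0_ADDR),   # LAN
             (ip_network("0.0.0.0/0"), "eth0", ETH0_ADDR)],     # default via gateway
    200: [(ip_network("0.0.0.0/0"), "wg0", WG0_ADDR)],          # default dev wg0
}

# 'ip rule' entries in priority order, mirroring the unit file.
RULES = [
    dict(prio=101, fwmark=None, table="main", suppress_prefixlength=0),
    dict(prio=102, fwmark=2, table=200, suppress_prefixlength=None),
    dict(prio=32766, fwmark=None, table="main", suppress_prefixlength=None),
]


def fwmark_matches(rule_fwmark, mark):
    """'fwmark 0' behaves like no fwmark option: the kernel only applies the
    test when the rule's mark is non-zero, so a rule can never select only
    unmarked packets. That is the gotcha behind mark-all-2-then-remark-1."""
    return rule_fwmark in (None, 0) or rule_fwmark == mark


def table_lookup(table, dst):
    """Longest-prefix match inside one table; returns (prefix, dev, src) or None."""
    best = None
    for prefix, dev, src in TABLES[table]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev, src)
    return best


def rpdb_lookup(dst, mark):
    """Walk the rules in priority order; suppress_prefixlength N discards a
    match whose prefix length is <= N, so 0 discards only the default route."""
    dst = ip_address(dst)
    for rule in RULES:
        if not fwmark_matches(rule["fwmark"], mark):
            continue
        hit = table_lookup(rule["table"], dst)
        if hit is None:
            continue
        prefix, dev, src = hit
        sp = rule["suppress_prefixlength"]
        if sp is not None and prefix.prefixlen <= sp:
            continue
        return dev, src
    raise LookupError("no route to %s" % dst)


def mangle_output_mark(dst, proto, dport):
    """The mangle OUTPUT rules: everything is marked 2, then the WireGuard
    UDP traffic to the endpoint is re-marked 1 so it takes the normal path."""
    if dst == ENDPOINT and proto == "udp" and dport == 992:
        return 1
    return 2


def send_local_packet(dst, proto="tcp", dport=80):
    """Locally generated packet: the first route lookup (mark still 0) picks the
    source address, mangle OUTPUT sets the mark, the kernel re-routes with the
    mark but keeps the already chosen source, and the POSTROUTING SNAT rule
    (! -s <tunnel addr> -o wg0) rewrites the stale source on wg0.
    Returns (outgoing device, source address on the wire, fwmark)."""
    _, src = rpdb_lookup(dst, mark=0)        # source address is fixed here
    mark = mangle_output_mark(dst, proto, dport)
    dev, _ = rpdb_lookup(dst, mark)          # re-route; src is not recomputed
    if dev == "wg0" and src != WG0_ADDR:
        src = WG0_ADDR                       # what the SNAT rule does
    return dev, src, mark


if __name__ == "__main__":
    for pkt in [("192.0.2.20", "tcp", 22), ("203.0.113.9", "tcp", 443),
                (ENDPOINT, "udp", 992), (ENDPOINT, "tcp", 3128)]:
        print(pkt, "->", send_local_packet(*pkt))
```

Running it shows the four cases the post cares about: a LAN host stays on eth0 because rule 101 still sees the /24 route, general Internet traffic goes over wg0 with the source rewritten to the tunnel address, the WireGuard UDP flow to the endpoint keeps mark 1 and the normal gateway path, and any other service on the same endpoint host is marked 2 and goes through the tunnel. Without the SNAT step the second case would leave with the eth0 address on the wire.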
