Route all traffic to one IP _only_ via wireguard
reiner otto
augustus_meyer at yahoo.de
Sun Apr 29 23:04:52 CEST 2018
Hi Eric, yes,
> I only want to use wg0 for x.x.x.x/32, and I want to use eth0 for everything else<
this is correct.
No wg-quick used, as the client OS is OpenWrt.
I suspect the problem is that the IP of my endpoint is also the IP whose traffic I want to route via wg0.
Or, in other words, Endpoint=1.2.3.4, and I want all traffic to 1.2.3.4 from my router to be routed via wg0.
I have found a working version, still under investigation/test:
wg0-client, wireguard_up.sh:
#!/bin/sh
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip address add 172.16.18.31/16 dev wg0
ip link set mtu 1420 dev wg0
ip link set wg0 up
sleep 10 #sometimes helps with async ops
iptables -t nat -I POSTROUTING -o wg0 -j MASQUERADE
sleep 10 #sometimes helps with async ops
ping -c 3 172.16.0.1 #To force some traffic to server, persistent connection to be established (??)
iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to-destination 172.16.0.1 #wg0 on server has 172.16.0.1
ping -c 3 1.2.3.4
wg0-client, wg0.conf:
[Interface]
PrivateKey = ....
ListenPort = 5555
[Peer]
PublicKey = ....
AllowedIPs = 172.16.0.0/16
Endpoint = 1.2.3.4:5555
PersistentKeepalive = 25
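The DNAT trick above works because WireGuard's cryptokey routing only lets a plaintext packet into the tunnel when its destination matches the peer's AllowedIPs, while the route for 1.2.3.4 must not also capture the encrypted UDP that the module sends to the Endpoint 1.2.3.4. Rewriting the destination to 172.16.0.1 keeps the inner packet inside 172.16.0.0/16 and leaves the outer packet on the normal default route. The following POSIX sh check is an added example, not Reiner's script and not WireGuard project code: it flags a single-peer client config whose Endpoint address lies inside its own AllowedIPs, which is exactly the state the original 0.0.0.0/0 config was in. The wg0.conf it writes to a temp file is constructed to mirror the thread's original client config; IPv4 only.

```shell
#!/bin/sh
# Added example: detect an Endpoint that falls inside the same peer's
# AllowedIPs (IPv4 only). Such a config makes the encrypted UDP to the
# endpoint a candidate for the tunnel route, i.e. a routing loop.

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP is inside CIDR, 1 otherwise
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# endpoint_in_allowed_ips HOST:PORT "CIDR, CIDR, ..." -> prints LOOP or OK
endpoint_in_allowed_ips() {
    ep=${1%:*}                                  # drop the :port
    list=$(printf '%s' "$2" | tr ',' ' ')       # AllowedIPs is comma separated
    for cidr in $list; do
        if in_cidr "$ep" "$cidr"; then
            echo LOOP
            return 0
        fi
    done
    echo OK
}

# check_conf FILE -> runs the check on the first Endpoint/AllowedIPs in a wg conf
check_conf() {
    ep=$(sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    allowed=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    endpoint_in_allowed_ips "$ep" "$allowed"
}

# The three client configs discussed in the thread:
echo "original  (0.0.0.0/0):            $(endpoint_in_allowed_ips 1.2.3.4:1234 0.0.0.0/0)"
echo "working   (172.16.0.0/16):        $(endpoint_in_allowed_ips 1.2.3.4:5555 172.16.0.0/16)"
echo "naive fix (172.16.0.1/32, 1.2.3.4/32): $(endpoint_in_allowed_ips 1.2.3.4:5555 '172.16.0.1/32, 1.2.3.4/32')"

# Constructed sample wg0.conf (assumption: single [Peer] section, keys redacted).
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
[Interface]
PrivateKey = <redacted>
ListenPort = 1234
[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:1234
EOF
echo "sample wg0.conf: $(check_conf "$tmp")"
rm -f "$tmp"
```

A LOOP result does not mean the tunnel is unusable, only that the outer UDP must be steered around the tunnel route by some other means, as the DNAT above or a fwmark rule does. One caveat with the DNAT variant: a nat OUTPUT rule matching -d 1.2.3.4 is also evaluated for the module's own encrypted UDP to 1.2.3.4:5555, so it appears to rely on the conntrack entry created by the earlier ping (and kept alive by PersistentKeepalive) predating the rule; a RETURN rule for UDP to the endpoint port inserted ahead of the DNAT would make that independent of timing (my reading of the script, not something the thread states).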
--------------------------------------------
Eric Light <eric at ericlight.com> wrote on Sun, 29.4.2018:
Subject: Re: Route all traffic to one IP _only_ via wireguard
To: "Eddie" <stunnel at attglobal.net>, "reiner otto" <augustus_meyer at yahoo.de>, wireguard at lists.zx2c4.com
Date: Sunday, 29 April 2018, 17:19
Hi Eddie and Reiner,
I might be misunderstanding the request, but...
> the real goal is to tunnel only traffic with a specific destination IP via wireguard from client to server.
Isn't this just asking the same as:
> I only want to use wg0 for x.x.x.x/32, and I want to use eth0 for everything else
If I'm reading that right, I believe it's a simple matter of changing the scope of his AllowedIPs, so his traffic is routed via the correct interfaces. No iptables or packet marks required.
Reiner - have I misunderstood your question? I've assumed you're using wg-quick?
E
--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
On Sun, 29 Apr 2018, at 07:07, Eddie wrote:
> I didn't think that AllowedIPs would filter traffic like that. But could be wrong. :-)
>
> Here's my take on your problem:
>
> Add "Table = off" and "FwMark = 1234 (or other value)" to the wg config, which will stop the routing tables being updated and add the routing mark to all encrypted packets.
>
> Then you will need a new ip rule table, that runs ahead of "main" that selects all traffic with the fwmark from wg and routes that directly to your external interface. Something like:
>
> from all fwmark 1234 lookup net
>
> net:
> default via <gateway ip> dev <external interface>
>
> Then add a new rule to main, that routes ip 1.2.3.4 out via the wg interface.
>
> Cheers.
>
> On 4/28/2018 6:49 AM, Eric Light wrote:
> > Hi Reiner!
> >
> > I think the problem here is your client's AllowedIPs section. If you only want to access one address, you only enter that target IP - not the whole internet space (0.0.0.0/0). That's why everything is being routed out via your wg0.
> >
> > So you should change that client AllowedIPs to 172.16.0.1/32, and that'll fix it. Alternatively, set it to /24 if you also want access to other devices within the corporate LAN... That's how I do it.
> >
> > I think that's all you need. Sorry if I've missed something! :)
> >
> > E
> >
> > --------------------------------------------
> > Q: Why is this email five sentences or less?
> > A: http://five.sentenc.es
> >
> > On Sat, 28 Apr 2018, at 22:07, reiner otto wrote:
> >> My basic setup of wg works, I can ssh from/to server or client.
> >> But the real goal is to tunnel only traffic with a specific destination IP
> >> via wireguard from client to server.
> >> I.e. a local router, which allows direct access to the web,
> >> _BUT_ all traffic going to the corporate server using wireguard only.
> >> Corporate server (public 1.2.3.4) == wireguard server (172.16.0.1).
> >>
> >> I tried various settings on my client, like
> >> ip route 1.2.3.4 dev wg0
> >> ip route 1.2.3.4 via 172.16.0.1
> >> etc.
> >> but nothing worked.
> >>
> >> Any help really appreciated.
> >>
> >> ---
> >> wg0.conf on server (1.2.3.4):
> >> [Interface]
> >> ListenPort = 1234
> >> PrivateKey = secret
> >> [Peer]
> >> PublicKey = secret
> >> AllowedIPs = 172.16.0.0/16
> >> -
> >> wg0.conf on client (172.16.18.31):
> >> [Interface]
> >> PrivateKey = secret
> >> ListenPort = 1234
> >> [Peer]
> >> PublicKey = secret
> >> AllowedIPs = 0.0.0.0/0
> >> Endpoint = 1.2.3.4:1234
> >>
> >> _______________________________________________
> >> WireGuard mailing list
> >> WireGuard at lists.zx2c4.com
> >> https://lists.zx2c4.com/mailman/listinfo/wireguard
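Eddie's "Table = off" / "FwMark" recipe is phrased for wg-quick, which Reiner is not using on OpenWrt. The script below is an added example, not Eddie's text and not WireGuard project code, that expresses the same recipe as plain wg and ip commands for a client without wg-quick: the module marks its encrypted packets, a rule ahead of main sends marked packets out the uplink, and the plain route for 1.2.3.4 points into wg0. The uplink interface, gateway address, mark value and table number are assumptions to adjust for the router; the client's AllowedIPs must additionally cover 1.2.3.4/32, since without wg-quick AllowedIPs creates no routes and only governs which destinations the peer may carry. The script prints the commands by default and only executes them when started with "apply".

```shell
#!/bin/sh
# Added example: fwmark-based policy routing for a WireGuard client that
# does not use wg-quick. All values below are assumptions for illustration.
WG_IF=wg0
UPLINK_IF=eth0
UPLINK_GW=192.0.2.1        # assumed uplink gateway (documentation range)
TARGET_IP=1.2.3.4          # public address that must be reached via wg0
FWMARK=1234                # assumed mark; must not collide with firewall marks
TABLE=100                  # assumed routing table number

# plan_routes prints one command per line and executes nothing.
# Order matters: marked (encrypted) packets must already have a way out
# before the plaintext route for TARGET_IP is pointed at the tunnel.
plan_routes() {
    cat <<EOF
wg set $WG_IF fwmark $FWMARK
ip route replace default via $UPLINK_GW dev $UPLINK_IF table $TABLE
ip rule del fwmark $FWMARK lookup $TABLE priority 100 2>/dev/null || true
ip rule add fwmark $FWMARK lookup $TABLE priority 100
ip route replace $TARGET_IP/32 dev $WG_IF
EOF
}

# verify_routes asks the kernel which path each packet class takes.
verify_routes() {
    echo "# plaintext to $TARGET_IP (expect: dev $WG_IF):"
    ip route get "$TARGET_IP"
    echo "# packets carrying fwmark $FWMARK (expect: via $UPLINK_GW dev $UPLINK_IF):"
    ip route get "$TARGET_IP" mark "$FWMARK"
    echo "# mark the module puts on its outer packets:"
    wg show "$WG_IF" fwmark
}

case "${1:-plan}" in
    apply)
        plan_routes | sh -e
        verify_routes
        ;;
    *)
        plan_routes
        ;;
esac
```

Run it once as "apply" after wg0 is up; the rule delete before the add keeps repeated runs from stacking duplicate ip rules. On OpenWrt the firewall may already use packet marks, so pick FWMARK outside any range it uses, and if rp_filter is strict on the uplink the marked replies still arrive on the uplink, which is consistent with table 100.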