[FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?

David Kerr david at kerr.net
Fri Oct 9 16:08:58 CEST 2020

Do you have a linux-based gateway you can manage yourself?  And that
gateway has dnsmasq and iptables/netfilter available?  If yes then you
can selectively route traffic over a wireguard interface and leave the
rest to go to default.

Warning... this is expert stuff...

In dnsmasq.static, set the list of all the domains you want to send over wireguard...


Export some environment variables...

And execute the following to create the wireguard interface, set up the
network routing and iptables rules, etc...
Note that your system may use just "iptables" for IPv4 rather than
"ip4tables" and that your firewall netfilter chains might be named
differently from mine.  But if you are familiar enough with
iptables/netfilter then you should be able to figure it out...

# =============================================================================
# Route traffic to select domains over $VPN2IF
# Start by creating a wireguard VPN interface
if ! ip link show dev $VPN2IF >/dev/null 2>&1; then
  ip link add dev $VPN2IF type wireguard
  ip address add dev $VPN2IF $VPN2IP/32
  wg setconf $VPN2IF /etc/wireguard/$VPN2IF.conf
  ip link set up dev $VPN2IF
fi
# route DNS IP address over the VPN in default routing table
ip route add $VPN2DNS dev $VPN2IF
# create a new routing table (400) with default route to VPN interface
# and send all packets marked with 0x8 bit to that table
ip route add default dev $VPN2IF table 400
ip rule add from $INTIP/24 fwmark 0x8/0x8 table 400 priority 2000
# create an ipset hash in which dnsmasq will save all IP addresses for the domains
# and add the 0x8 firewall mark to all traffic going to those destinations
ipset -exist create VPN_LIST_IPV4 hash:ip family inet
ip4tables -t mangle -A PREROUTING -i $INTIF -m set --match-set VPN_LIST_IPV4 dst -j MARK --set-xmark 0x8/0x8
# make sure traffic from my internal interface is permitted to forward to/from the VPN interface
# and NAT traffic over the VPN
# ("-o $VPN2IF -j MASQUERADE" is assumed here; the original line was truncated)
ip4tables -t nat -A NAT_POSTROUTING_CHAIN -s $INTIP/24 ! -d $INTIP/24 -o $VPN2IF -j MASQUERADE
# the VPN does not support IPv6 so drop all attempts to connect by IPv6
ipset -exist create VPN_LIST_IPV6 hash:ip family inet6
ip6tables -I FORWARD_CHAIN -i $INTIF -m set --match-set VPN_LIST_IPV6 dst -j DROP

On Fri, Oct 9, 2020 at 10:05 AM Roman Mamedov <rm at romanrm.net> wrote:
> On Fri, 9 Oct 2020 17:16:18 +0330
> Rudi C <rudiwillalwaysloveyou at gmail.com> wrote:
> > > On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov <rm at romanrm.net> wrote:
> > > Seems like you misunderstand what I mean. If you use the in-VPN (internal) IP
> > > of your VPS, all communication with the SOCKS proxy installed on the VPS will
> > > happen via the WireGuard tunnel. No DPI can look into that.
> >
> > You're right! Some questions:
> > 1. What should I do client-side so that wireguard only covers my VPS's
> > IP (and does not otherwise route traffic)? Will `AllowedIPs =
> > SERVER_IP/32` do it?
> SERVER_IP should be the in-VPN IP here, otherwise yes, and remove 0.0.0.0/0
> and ::/0 from AllowedIPs.
> > 2. How do I get the in-VPN IP of the server? Is it `Address` in `[Interface]`?
> Yes. You can confirm via "ip addr list dev wgX" on the server.
> > 3. I use ufw for the firewall on the server. Will ufw block my local
> > machine? If not, with what IP should I set ufw rules? (My local
> > machine doesn't have a static IP.) Of course, I could alternatively
> > expose the socks proxy to the world with a password; How secure will
> > that be?
> Sorry, not familiar with ufw; generally you need to allow only connections
> from the WG interface, or from the internal IP range (or just the "Address ="
> of the client), and block all others.
> --
> With respect,
> Roman
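The AllowedIPs point in the quoted exchange above (keep only the VPS's in-VPN address in the client's AllowedIPs, no 0.0.0.0/0 or ::/0) can be checked mechanically. The following is an added example, not code from the thread: it parses a wg client config by hand (configparser cannot handle repeated [Peer] sections) and reports catch-all routes and which entries cover the server's in-VPN IP. The sample configs and the 10.0.0.x addresses are constructed.

```python
import ipaddress

DEFAULT_ROUTES = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def parse_wg_config(text):
    """Return [(section_name, {key: [values]})] in file order.
    Hand-rolled because wg configs may contain several [Peer] sections."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg allows '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1].setdefault(key, []).append(value)
    return sections


def allowed_networks(peer_keys):
    """Flatten every AllowedIPs line of one peer into ip_network objects."""
    nets = []
    for value in peer_keys.get("AllowedIPs", []):
        nets += [ipaddress.ip_network(x.strip(), strict=False)
                 for x in value.split(",") if x.strip()]
    return nets


def check_split_tunnel(config_text, server_vpn_ip):
    """Return (ok, catch_all_routes, routes_covering_server).
    ok is True only when no peer carries 0.0.0.0/0 or ::/0 and at least
    one AllowedIPs entry covers the server's in-VPN address."""
    target = ipaddress.ip_address(server_vpn_ip)
    catch_all, covering = [], []
    for name, keys in parse_wg_config(config_text):
        if name != "Peer":
            continue
        for net in allowed_networks(keys):
            if net in DEFAULT_ROUTES:
                catch_all.append(str(net))
            elif target in net:  # False across IPv4/IPv6 versions
                covering.append(str(net))
    return (not catch_all and bool(covering), catch_all, covering)


# Constructed sample configs: full tunnel vs. the split tunnel Roman suggests.
FULL_TUNNEL = "[Interface]\nAddress = 10.0.0.2/24\n[Peer]\nAllowedIPs = 0.0.0.0/0, ::/0\n"
SPLIT_TUNNEL = "[Interface]\nAddress = 10.0.0.2/24\n[Peer]\nAllowedIPs = 10.0.0.1/32\n"
```

With SPLIT_TUNNEL only 10.0.0.1 (the VPS's in-VPN address, where the SOCKS proxy listens) is routed into wg0; everything else keeps the default route.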
