Prevent all traffic from going through the WG tunnel

Omkhar Arasaratnam omkhar at gmail.com
Wed Jan 4 23:41:04 UTC 2023


Are your NAT rules necessary? They seem to be forcing *everything* through

--oa


On Wed, Jan 4, 2023 at 8:50 AM Jeremy Hansen <jeremy at skidrow.la> wrote:
>
> I have a remote network that I've tied in to my WG server.  I'm noticing
> that all traffic from this remote network that goes outbound to the
> internet is getting routed through my wireguard server.
>
> Client config:
> [Interface]
> PrivateKey = XXXX
> Address = 10.10.10.10/32
> ListenPort = 51821
>
> [Peer]
> PublicKey = XXXX
> Endpoint = 11.11.11.11:51821 <- IP of the WG server.
> AllowedIPs = 0.0.0.0/0, ::/0
> PersistentKeepAlive=25
>
>
> Server config:
> [Interface]
> PrivateKey = XXXX
> Address = 10.10.10.1/32
> ListenPort = 51821
>
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i
> -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o
> %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
>
> # IP forwarding
> PreUp = sysctl -w net.ipv4.ip_forward=1
>
> [Peer]
> PublicKey = XXXX
> AllowedIPs = 10.10.10.10/32, 192.168.128.0/17 <- Client's internal
> network.
>
>
> My goal is that regular outbound traffic just goes out the client node's
> outside routable interface and traffic between the internal networks
> goes through wireguard.
>
> For example, I'm seeing email being sent through the MTA I have
> configured on the "client" is showing up as originating from the
> outbound IP of the "server".
>
> Thanks!
