Prevent all traffic from going through the WG tunnel

Jeremy Hansen jeremy at skidrow.la
Wed Jan 4 17:01:18 UTC 2023


Thank you for all who answered.  This is working as expected now and I 
have a better understanding of how the AllowedIPs config works as well.

-jeremy

On 2023-01-04 06:47, Contact at nagel-mail.com wrote:
> Hello,
> As I understand your question, you are trying to accomplish that only
> your WireGuard network (extracted from your config, some 10.0.0.0/8
> network. The 192.168.128.0/17 would be a home network?)
> will be routed from your client to your WireGuard server. The rest
> should just leave your client network card and be routed from your local
> network. For that you simply have to set: AllowedIPs = 10.10.10.1/32
> or the whole 10.x/x network you are using.
> Hope I understood your question correctly.
> 
> Kind regards / best regards
> 
> J. Nagel
> IT Specialist, Systems Integration
> 
> Contact at Nagel-Mail.com
> 
>> On 04.01.2023 at 14:47, Jeremy Hansen <jeremy at skidrow.la> wrote:
>> 
>> I have a remote network that I've tied in to my WG server.  I'm 
>> noticing that all traffic from this remote network that goes outbound 
>> to the internet is getting routed through my wireguard server.
>> 
>> Client config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.10/32
>> ListenPort = 51821
>> 
>> [Peer]
>> PublicKey = XXXX
>> # IP of the WG server.
>> Endpoint = 11.11.11.11:51821
>> AllowedIPs = 0.0.0.0/0, ::/0
>> PersistentKeepalive = 25
>> 
>> 
>> Server config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.1/32
>> ListenPort = 51821
>> 
>> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
>> 
>> # IP forwarding
>> PreUp = sysctl -w net.ipv4.ip_forward=1
>> 
>> [Peer]
>> PublicKey = XXXX
>> # Client's internal network.
>> AllowedIPs = 10.10.10.10/32, 192.168.128.0/17
>> 
>> 
>> My goal is that regular outbound traffic just goes out the client 
>> node's outside routable interface and traffic between the internal 
>> networks goes through wireguard.
>> 
>> For example, I'm seeing that email sent through the MTA I have 
>> configured on the "client" is showing up as originating from the 
>> outbound IP of the "server".
>> 
>> Thanks!
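As an added illustration of the answer above (example code written for this page, not from the thread or the WireGuard project): a small Python model of WireGuard's cryptokey routing that parses a wg-quick style config and reports, for a given destination, which peer would receive the packet. It assumes the client only needs to reach server-side hosts in 10.10.10.0/24; with that AllowedIPs, outbound mail from the client's MTA never enters the tunnel, whereas 0.0.0.0/0, ::/0 claims every destination.

```python
import ipaddress

# Constructed sample: the client [Peer] from the thread (keys redacted) with the
# full-tunnel AllowedIPs that sends every packet to the server.
FULL_TUNNEL_CONF = """\
[Interface]
Address = 10.10.10.10/32
[Peer]
PublicKey = XXXX
Endpoint = 11.11.11.11:51821
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""
# Same peer, split tunnel (assumed: the server-side hosts all sit in 10.10.10.0/24).
SPLIT_TUNNEL_CONF = FULL_TUNNEL_CONF.replace(
    "AllowedIPs = 0.0.0.0/0, ::/0", "AllowedIPs = 10.10.10.0/24")

def parse_peers(conf):
    """Return one {'PublicKey', 'AllowedIPs': [ip_network...]} dict per [Peer]."""
    peers, section, peer = [], None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # wg-quick drops '#' comments
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peer = {"PublicKey": None, "AllowedIPs": []}
                peers.append(peer)
        elif line and section == "peer":
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "publickey":
                peer["PublicKey"] = value
            elif key == "allowedips":   # may repeat; prefixes accumulate
                peer["AllowedIPs"] += [ipaddress.ip_network(n.strip(), strict=False)
                                       for n in value.split(",") if n.strip()]
    return peers

def tunnel_peer_for(peers, dst):
    """Longest-prefix match over all AllowedIPs (the rule wg-quick's installed routes
    and WireGuard's cryptokey routing both follow); None means dst is not tunnelled."""
    addr, best, best_len = ipaddress.ip_address(dst), None, -1
    for peer in peers:
        for net in peer["AllowedIPs"]:
            if addr in net and net.prefixlen > best_len:   # mismatched IP versions never match
                best, best_len = peer, net.prefixlen
    return best

def captures_default_route(peers):
    """True when any peer claims 0.0.0.0/0 or ::/0, i.e. all traffic is tunnelled."""
    return any(net.prefixlen == 0 for p in peers for net in p["AllowedIPs"])
```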