Prevent all traffic from going through the WG tunnel
Jeremy Hansen
jeremy at skidrow.la
Wed Jan 4 17:01:18 UTC 2023
Thank you for all who answered. This is working as expected now and I
have a better understanding of how the AllowedIPs config works as well.
-jeremy
On 2023-01-04 06:47, Contact at nagel-mail.com wrote:
> Hello,
> As I understand your question, you are trying to accomplish that only
> your WireGuard network (extracted from your config, some 10.0.0.0/8
> network; the 192.168.128.0/17 would be a home network?)
> will be routed from your client to your WireGuard server. The rest
> should just leave your client's network card and be routed from your local
> network. For that you simply have to set: AllowedIPs = 10.10.10.1/32
> or the whole 10.x/x network you are using.
> Hope I understood your question correctly.
>
> Best regards
>
> J. Nagel
> IT specialist, system integration
>
> Contact at Nagel-Mail.com
>
>> On 04.01.2023 at 14:47, Jeremy Hansen <jeremy at skidrow.la> wrote:
>>
>> I have a remote network that I've tied in to my WG server. I'm
>> noticing that all traffic from this remote network that goes outbound
>> to the internet is getting routed through my WireGuard server.
>>
>> Client config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.10/32
>> ListenPort = 51821
>>
>> [Peer]
>> PublicKey = XXXX
>> Endpoint = 11.11.11.11:51821   # IP of the WG server
>> AllowedIPs = 0.0.0.0/0, ::/0
>> PersistentKeepalive = 25
>>
>>
>> Server config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.1/32
>> ListenPort = 51821
>>
>> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o
>> %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o
>> %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
>>
>> # IP forwarding
>> PreUp = sysctl -w net.ipv4.ip_forward=1
>>
>> [Peer]
>> PublicKey = XXXX
>> AllowedIPs = 10.10.10.10/32, 192.168.128.0/17   # Client's internal network
>>
>>
>> My goal is that regular outbound traffic just goes out the client
>> node's outside routable interface and traffic between the internal
>> networks goes through wireguard.
>>
>> For example, email being sent through the MTA I have configured on
>> the "client" is showing up as originating from the outbound IP of the
>> "server".
>>
>> Thanks!
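As an added example (not code from the thread), a small Python model of WireGuard's cryptokey routing: the full-tunnel client config from the question is parsed next to the split-tunnel AllowedIPs from the reply, a longest-prefix lookup shows which destinations enter the tunnel, and a check flags any peer that carries a /0 (which wg-quick installs as a default route via the tunnel). Keys and the test destinations are placeholders.

```python
import ipaddress
# Constructed: the full-tunnel client config from the question; keys are placeholders.
FULL_TUNNEL = """\
[Interface]
PrivateKey = XXXX
Address = 10.10.10.10/32
[Peer]
PublicKey = SERVERKEY
Endpoint = 11.11.11.11:51821
AllowedIPs = 0.0.0.0/0, ::/0
"""
# The split-tunnel AllowedIPs the reply suggests (only the server's tunnel address).
SPLIT_TUNNEL = FULL_TUNNEL.replace("0.0.0.0/0, ::/0", "10.10.10.1/32")

def parse_peers(conf):
    """Return [(public_key, [ip_network, ...])] for each [Peer] section."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        if line.startswith("["):  # section header; only [Peer] matters here
            cur = {"key": None, "nets": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
            continue
        if cur is None:
            continue
        k, _, v = line.partition("=")
        k, v = k.strip().lower(), v.strip()  # wg matches keys case-insensitively
        if k == "publickey":
            cur["key"] = v
        elif k == "allowedips":
            cur["nets"] += [ipaddress.ip_network(n.strip(), strict=False)
                            for n in v.split(",") if n.strip()]
    return [(p["key"], p["nets"]) for p in peers]

def peer_for(dst, peers):
    """Longest-prefix match over AllowedIPs (cryptokey routing); None = not tunnelled."""
    addr, best = ipaddress.ip_address(dst), None
    for key, nets in peers:
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (key, net.prefixlen)
    return best[0] if best else None

def full_tunnel_peers(peers):
    """Peers carrying a /0: wg-quick installs that as a default route via the tunnel."""
    return [key for key, nets in peers if any(n.prefixlen == 0 for n in nets)]
```

With the original config every public destination resolves to the server peer, which is why the MTA's mail left with the server's address; with the /32 only the server's tunnel address does.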