itry 0 Posted ... Hello, I've got a little confused in my routing configuration. Let me explain. I have my router which acts as a VPN server => it runs WireGuard and everything works OK - I receive connections, can browse the web. Now, I'd like to route all VPN traffic to the internet through my AirVPN subscription, and also using wireguard. I'll try to illustrate bellow.PC <=> WG server <=> WG client <=> AirVpn servers <=> Internet My setup ( I'll skip my wireguard server setup as that works OK ) 1. create an interface "vpnout", type wireguard, with IP (10.163.57.56/32) => This is provided by my AirVPN configuration 2. wg setconf airvpn.conf : [Interface] PrivateKey = privatekeyhere [Peer] PublicKey = publickeyhere PresharedKey = presharedkeyhere Endpoint = br.vpn.airdns.org:1637 AllowedIPs = 0.0.0.0/0, ::/0 PersistentKeepalive = 15 3. ip link set dev vpnout up At this point, everything is working, tested using curl and ping, I'm able to use the client like this and also by default nothing is routed using this "vpnout" interface. Now comes the tricky part, lets say my WireGuard server has an interface named "vpnin", let's try to route everything that comes in through "vpnin" to "vpnout" My VPN server has a range of ips 10.10.10.0/24My attempt: 1. create a new rule echo 200 vpn >> /etc/iproute2/rt_tables 2. try to route the server subnet through the new rule" ip rule add from 10.10.10.0/24 table vpn 3. Add a default route to the vpn table: ip route add default via 10.163.57.56 dev vpnout table vpn == So, I can see traffic going out on the "vpnout" interface ( using tcpdump ) ... what I can't see is reply from remote host/sites I'm trying to contact. So, question is, how can I route everything that comes in on interface 1 to go out on interface 2. Is ip route suitable for this? Maybe I need some firewall rules and NAT? Forwarding is enabled. If anybody can help, I'd be very grateful. Quote Share this post Link to post
Staff 9972 Posted ... Hello! Check the following thread and see whether it helps:https://www.reddit.com/r/WireGuard/comments/ejxkm3/wireguard_as_both_client_and_server/ Kind regards Quote Share this post Link to post
cheapsheep 6 Posted ... Make sure you masquerade correctly. PostUp/PostDown should do the trick as mentioned in link Staff posted. It's not specific to WireGuard. 1 itry reacted to this Quote Share this post Link to post
itry 0 Posted ... If someone would like to do this: route incomming traffic through selected interface create a route echo 200 <table_name> >> /etc/iproute2/rt_tables ip rule add from <wireguard_client_ip> table <table_name> ip route add default via <vpn_client_ip> dev <link> table <table_name> firewall rules (iptables) iptables -A POSTROUTING -o <selected_interface> -j MASQUERADE iptables -A FORWARD -i <wireguard_server_interface> -j ACCEPT iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ** Enable forwarding: ** echo 1 > /proc/sys/net/ipv4/ip_forward test with tshark, tcpdump or vpn client .. Quote Share this post Link to post