ANSWERED Route incoming packets from WireGuard server to AirVPN Wireguard Client

[itry 0]

Hello,

I've got a little confused in my routing configuration. Let me explain.

I have my router which acts as a VPN server => it runs WireGuard and everything works OK - I receive connections, can browse the web.
Now, I'd like to route all VPN traffic to the internet through my AirVPN subscription, and also using wireguard. I'll try to illustrate bellow.

PC <=>  WG server  <=>  WG client <=> AirVpn servers <=> Internet


My setup ( I'll skip my wireguard server setup as that works OK )

1. create an interface "vpnout", type wireguard,  with IP (10.163.57.56/32)     => This is provided by my AirVPN configuration
2. wg setconf airvpn.conf :

[Interface]
PrivateKey = privatekeyhere

[Peer]
PublicKey = publickeyhere
PresharedKey = presharedkeyhere
Endpoint = br.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15

3. ip link set dev vpnout up

At this point, everything is working, tested using curl and ping, I'm able to use the client like this and also by default nothing is routed using this "vpnout" interface.

Now comes the tricky part, lets say my WireGuard server has an interface named "vpnin", let's try to route everything that comes in through "vpnin" to "vpnout"

My VPN server has a range of ips 10.10.10.0/24


My attempt:
1. create a new rule
  echo 200 vpn >> /etc/iproute2/rt_tables
2. try to route the server subnet through the new rule"
  ip rule add from 10.10.10.0/24 table vpn 

3. Add a default route to the vpn table:
ip route add default via 10.163.57.56 dev vpnout table vpn
==

So, I can see traffic going out on the "vpnout" interface ( using tcpdump ) ... what I can't see is reply from remote host/sites I'm trying to contact.



So, question is, how can I route everything that comes in on interface 1 to go out on interface 2. Is ip route suitable for this?  Maybe I need some firewall rules and NAT?
Forwarding is enabled.

If anybody can help, I'd be very grateful.
 

[Staff 9764]

Hello!

Check the following thread and see whether it helps:
https://www.reddit.com/r/WireGuard/comments/ejxkm3/wireguard_as_both_client_and_server/

Kind regards
 

[cheapsheep 6]

Make sure you masquerade correctly. PostUp/PostDown should do the trick as mentioned in link Staff posted. It's not specific to WireGuard.

[itry 0]

If someone would like to do this:

route incomming traffic through selected interface

create a route

echo 200 <table_name> >> /etc/iproute2/rt_tables
ip rule add from <wireguard_client_ip> table <table_name>
ip route add default via <vpn_client_ip> dev <link> table <table_name>

firewall rules (iptables)

iptables -A POSTROUTING -o <selected_interface> -j MASQUERADE
iptables -A FORWARD -i <wireguard_server_interface> -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

** Enable forwarding: ** echo 1 > /proc/sys/net/ipv4/ip_forward

• test with tshark, tcpdump or vpn client ..