Wireguard policy rules

Glad that Wireguard showed you its best side!


Curious, what scripting did you need for your setup? From the setup you describe, there shouldn't be any need for custom scripting?

Yes, very happy indeed now :)

Well, I read a bit further in your guide, and if I just did this

peer wg21 passthru add wg11 all

.. it didn't do anything. The devices connecting through the private server were still going out with their traffic on the WAN interface (checked with traceroute). But if I added two scripts (wg-up and wg-down in the addons folder), with up having this in it

#!/bin/bash
# Masquerade traffic from the WireGuard server subnet as it leaves via the wg11 client tunnel
iptables -t nat -I POSTROUTING -s 10.50.1.1/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"

.. and of course the opposite, removing that rule, in the down script, I now got traffic from the road warriors going out, with all the traffic they produce, via the wg11 (client-side) tunnel. I.e., it's protected.

Which means that not only can I now play around with my LAN devices, I can also have my phone, for example, connected and running its traffic via my own private server and out through my VPN provider connection on my home router.

But I read all of this, an excerpt from your text:

"
Note
The same function as the passthru function could be accomplished by adding a policy route, i.e.:

E:Option ==> peer wg11 rule add vpn 10.50.1.2/32 comment ServerClientToWg11
But a snag is that the server IPs are not included in the wg11 MASQUERADE rule (the firewall rule that translates the source addresses to match the outgoing interface), and this is needed, for the VPN supplier only accepts this source address; otherwise the packets will be dropped. The passthru feature automatically adds added wg21 clients to the MASQUERADE rule, but if you for example use the rules for DESTINATION routing (like you wish to only connect TO certain web addresses through VPN) you might find that your server clients have broken connections to these pages. This is because the DESTINATION rule is typically set src=Any, which also includes the WG server clients. So the choices are either to remake the rule to only be used on your LAN, so set src=192.168.1.1/24, but this will make your server clients access these addresses via WAN. If you want your server clients to also access these pages via VPN, the server needs to be included in the MASQUERADE rule:
"


I'm not sure this all makes sense, I'm Swedish ;-)

//Niclas
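The quoted note above says that passthru adds the server clients to the wg11 MASQUERADE rule, and Niclas's wg-up script adds that rule by hand. The hook below is an added example (mine, not wgm's code and not from this thread): it adds and removes the rule idempotently, and it includes a check that parses `iptables -t nat -S POSTROUTING` so you can tell whether the server subnet is already covered before writing any script at all. The server subnet 10.50.1.0/24, the interface name wg11, and the `up|down|check` argument convention are assumptions; the nat table listing embedded for offline use is constructed, not captured from a router.

```shell
#!/bin/sh
# Added example (not from the thread or from wgm): an idempotent MASQUERADE hook for
# routing WireGuard server clients out through the wg11 client tunnel, plus a check
# that reads "iptables -t nat -S POSTROUTING" and reports whether the server subnet
# is already covered (which is what passthru is supposed to arrange).
# Assumptions, not from the page: server subnet 10.50.1.0/24, client interface wg11,
# and that this file is invoked as "wg-hook up|down|check" (hook name and argument
# convention are made up here).

WG_SERVER_NET="${WG_SERVER_NET:-10.50.1.0/24}"
WG_CLIENT_IF="${WG_CLIENT_IF:-wg11}"
RULE_COMMENT="WireGuard 'client'"

# One definition of the rule so -C (check), -I (insert) and -D (delete) stay identical.
nat_rule() {
    iptables -t nat "$1" POSTROUTING -s "$WG_SERVER_NET" -o "$WG_CLIENT_IF" \
        -m comment --comment "$RULE_COMMENT" -j MASQUERADE
}

# Insert only when absent, so re-running the up hook does not stack duplicate rules.
wg_up() {
    nat_rule -C 2>/dev/null || nat_rule -I
}

# Delete every copy, in case an earlier non-idempotent script stacked several.
wg_down() {
    while nat_rule -C 2>/dev/null; do nat_rule -D; done
}

# Normalise "10.50.1.1/24" to "10.50.1.0/24", the form iptables -S prints back.
ipv4_network() {
    addr=${1%/*}; plen=${1#*/}
    if [ "$plen" = "$1" ]; then plen=32; fi
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Reads "iptables -t nat -S POSTROUTING" on stdin; succeeds if a MASQUERADE rule
# covers source subnet $1 leaving via interface $2. (Dots in the address act as
# wildcards in the pattern, which is harmless for this purpose.)
masq_rule_present() {
    net=$(ipv4_network "$1")
    grep -q -- "^-A POSTROUTING -s $net -o $2 .*-j MASQUERADE"
}

# Constructed sample of nat POSTROUTING output (not captured from a real router):
# the LAN is masqueraded out wg11, the server subnet 10.50.1.0/24 is not.
sample_nat_rules() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o wg11 -m comment --comment "WireGuard 'client'" -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

case "${1:-}" in
    up)    wg_up ;;
    down)  wg_down ;;
    check) if iptables -t nat -S POSTROUTING | masq_rule_present "$WG_SERVER_NET" "$WG_CLIENT_IF"; then
               echo "server subnet is masqueraded out $WG_CLIENT_IF"
           else
               echo "server subnet is NOT masqueraded out $WG_CLIENT_IF"
           fi ;;
esac
```

Run `wg-hook check` with the client peer up and after `peer wg21 passthru add wg11 all`; if it reports the subnet is already masqueraded, the manual up/down scripts are redundant, which is what Niclas found in the end. Note that iptables normalises `10.50.1.1/24` to `10.50.1.0/24` in its own listing, which is why the check normalises before matching.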
 
if I just did this

peer wg21 passthru add wg11 all

.. it didn't do anything. The devices connecting through the private server were still going out with their traffic on the WAN interface (checked with traceroute).
I was not aware that the passthru feature did not work. Did you restart wg11 after adding the passthru rule? Are you on the latest stable wgm? Did the command go through without error messages? I don't know if there are any dependencies on peer start order for the passthru feature to work. wgm starts the server peer first and client peers later, if that has any impact.

Anyhow, now that you went through the hassle of adding the MASQUERADE rule, you could just use ordinary policy routes to accomplish the same thing. I actually find this more natural anyway.

I'm not sure this all makes sense, I'm Swedish
So am I, and its quite clear.
 
I was not aware that the passthru feature did not work. Did you restart wg11 after adding the passthru rule? Are you on the latest stable wgm? Did the command go through without error messages? I don't know if there are any dependencies on peer start order for the passthru feature to work. wgm starts the server peer first and client peers later, if that has any impact.

Sorry for the late reply. I started pondering this morning... could I have messed this up? Did I in fact check under the correct circumstances (stuff connected as it should be) and under the right assumptions? Well, probably not, since I have a very faint idea of what I'm really doing.

So with that in mind I re-checked, this time more thoroughly and in the right sequence. I was in such a hurry getting all of this to work that I didn't the last time.

I re-read what you had written and that I myself had cut and pasted:

The passthru feature automatically adds added wg21 clients to the MASQUERADE rule, but if you for example use the rules for DESTINATION routing (like you wish to only connect TO certain web addresses through VPN) you might find that your server clients have broken connections to these pages.

Ah. Yes, I messed up. There is absolutely no need for me to add those scripts; I just tested and confirmed that the passthru rule does all the work without needing those scripts. The little "BUT" had completely fallen away in my hasty reading.

Sorry about that, the scripts are now removed and all is working just fine. I'm obviously not concerned with specific sites/addresses, only a full routing of the complete traffic through the tunnel.

The only silver lining is that you are Swedish too, so you understand me when I write skit också (Swedish for "damn it").

Anyway, thanks. Again :)

//Niclas

 
Just a side note on CG-NAT: I encountered this issue myself and only picked it up when I noticed that my DDNS IP was different from my WAN IP, even though it refreshed and registered successfully and I could ping it. I had changed ISPs and didn't realise that they enabled it by default. Turned it off and it worked as expected. Maybe CG-NAT is becoming more widely used these days, because I had never had that issue in the past with VPN remote connections.
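The symptom described in the post above (DDNS registers fine, but the WAN address the router sees is not the public address) has a quick tell: CG-NAT hands the router an address in the shared range 100.64.0.0/10 (RFC 6598), and some ISPs hand out plain RFC 1918 space instead. The check below is an added example, not from the thread or from wgm; it takes the WAN address and the address DDNS currently publishes as arguments (how you obtain them, for example `nvram get wan0_ipaddr` on Asuswrt and a DNS lookup of the DDNS name, is an assumption) and prints a one-word diagnosis.

```shell
#!/bin/sh
# Added example, not from the thread: classify a router's WAN address against what
# DDNS publishes, to spot CG-NAT before blaming the WireGuard server for peers that
# never complete a handshake.
# Assumption (not from the page): the WAN IP and the DDNS-resolved IP are obtained
# elsewhere and passed in as the two arguments to wan_diagnosis.

# Split a dotted quad into the shell variables o1..o4.
octets() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    o1=$1; o2=$2; o3=$3; o4=$4
}

# 100.64.0.0/10 is the shared address space reserved for carrier-grade NAT
# (RFC 6598): first octet 100, second octet 64..127.
is_cgnat_ip() {
    octets "$1"
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# RFC 1918 ranges: a WAN address in one of these means the ISP is NATing as well.
is_private_ip() {
    octets "$1"
    [ "$o1" -eq 10 ] ||
    { [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; } ||
    { [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; }
}

# Prints one of: cgnat, private-wan, ddns-mismatch, ok.
#   cgnat / private-wan : inbound WireGuard traffic cannot reach the router directly;
#                         ask the ISP to disable CG-NAT or get a public address.
#   ddns-mismatch       : WAN is public but DDNS still points elsewhere; fix DDNS.
wan_diagnosis() {
    wan=$1; ddns=$2
    if is_cgnat_ip "$wan"; then echo cgnat
    elif is_private_ip "$wan"; then echo private-wan
    elif [ "$wan" != "$ddns" ]; then echo ddns-mismatch
    else echo ok
    fi
}

# Example invocation on Asuswrt (assumed, adjust for your firmware):
#   wan_diagnosis "$(nvram get wan0_ipaddr)" "$(nslookup myhost.example.net | awk '/^Address/ && !/#/ {print $2}' | tail -1)"
```

A `cgnat` result explains exactly the situation in the post: DDNS can be updated and the name pings (it resolves to the ISP's public address), yet no inbound handshake reaches the WireGuard server because the router itself only holds a 100.64.0.0/10 address.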
 