On 1/9/19 2:57 PM, Tom Eastep wrote:
> On 1/9/19 1:25 PM, C. Cook wrote:
>> I guess I don't understand the concept of SNATting, or whether I in fact
>> need it. Seems like it's the reverse of DNAT, for going -out-.
>>
>> I have a KVM VM which is a WireGuard server. It's working fine with the
>> tunnel VPN going out. But I also want all the other machines in the LAN
>> to send their unknown web references out the tunnel as well.
>>
>> Seems like I need to set the LAN machines so their gateway is the WG
>> server. And it seems like I need to set up dnsmasq and chrony so the WG
>> server can use the special DNS server of my VPN provider and share that
>> with the LAN.
>>
>> Now I -thought- that allowing in rules, source traffic from zone
>> net{LANIP}, to zone outWG would do it, but LAN traffic doesn't go out.
>> I think I'm missing something in the snat file, and maybe rules.
>>
>> Any suggestions?
>>
> Not without the output of 'shorewall dump'
>
> -Tom

Oh that silly thing again... :j

I got it. I was missing a snat MASQUERADE entry on the WG server. WireGuard service for my LAN is now fully functional.

The VM running WG server has channels for in from my phone, etc, and out through AzireVPN. Soon I'll set up another out channel to serve websites and email. The Spain PoP looks like it's going to be slow.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
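
One way to confirm the missing entry described in the reply above, as an added example that is not part of the original thread: it parses `iptables-save` output and reports whether a MASQUERADE or SNAT rule covers the whole LAN on the tunnel interface. The interface names `wg0` and `eth0`, the 192.168.1.0/24 LAN and the sample ruleset are assumptions constructed for illustration.

```python
import ipaddress
import shlex

def parse_nat(save_text):
    """Return {chain: [rule, ...]} for the *nat table of iptables-save text."""
    chains, in_nat = {}, False
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
        elif in_nat and line.startswith("-A "):
            tok = shlex.split(line)
            if "!" in tok:  # rules with negated matches are skipped (conservative)
                continue
            rule = {}
            for flag, key in (("-s", "src"), ("-o", "out"), ("-j", "target")):
                if flag in tok:
                    rule[key] = tok[tok.index(flag) + 1]
            chains.setdefault(tok[1], []).append(rule)
    return chains

def nat_covers(chains, lan, out_if, chain="POSTROUTING", seen=None):
    """True if a MASQUERADE/SNAT rule reachable from POSTROUTING matches the whole
    LAN leaving via out_if. Earlier ACCEPT/RETURN exemptions are not modelled."""
    seen = set() if seen is None else seen
    if chain in seen:
        return False
    seen.add(chain)
    lan_net = ipaddress.ip_network(lan)
    for rule in chains.get(chain, []):
        if rule.get("out", out_if) != out_if:
            continue  # rule is bound to a different egress interface
        src = rule.get("src")
        if src and not lan_net.subnet_of(ipaddress.ip_network(src, strict=False)):
            continue  # rule's source match does not include the whole LAN
        target = rule.get("target")
        if target in ("MASQUERADE", "SNAT"):
            return True
        if target in chains and nat_covers(chains, lan, out_if, target, seen):
            return True  # follow jumps into user-defined chains
    return False

# Constructed sample: NAT exists for eth0 only, then with a tunnel rule added.
BEFORE = """*nat
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.1.0/24 -j MASQUERADE
COMMIT
"""
AFTER = BEFORE.replace("COMMIT", "-A POSTROUTING -s 192.168.1.0/24 -o wg0 -j MASQUERADE\nCOMMIT")
```

Calling `nat_covers(parse_nat(text), "192.168.1.0/24", "wg0")` on real `iptables-save` output from the gateway shows whether forwarded LAN traffic would leave the tunnel with its private source address unchanged.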