On Fri, Jul 22, 2016 at 13:05:27 -0500,
 Bruno Wolff III <[email protected]> wrote:

So for a real example that appears to be working, my systemd service

I had another issue: the proxy server was used for some other services and I didn't want to connect to those from outside the tunnel. So I wanted some traffic to the proxy server to go direct and some to go through the tunnel. This involves marking packets. But the guessed source addresses don't use the marks, so you need to rewrite (SNAT) the source address for some of the outgoing packets. If you want static rules to do this, you need to have the incorrect guesses use normal routing and then rewrite the source address for packets going over the tunnel, as the tunnel address is fixed but the normal gateway address will change when moving between networks or possibly when DHCP leases expire. The explanations for marking and policy routing aren't explicit about how you need to handle the source address issue and why it happens, though there are lots of mentions that there are problems related to the source address. Another gotcha is that ip rule can't negate a test for fwmark, and testing for fwmark equal to zero is a flag not to test it at all. So you need to do more complicated packet marking. I'm attaching the real systemd service file (with the routing policy commands and other WireGuard setup) and the iptables information.
[Unit]
Description=WireGuard Server

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=-/usr/sbin/ip link del dev wg0
ExecStart=/usr/sbin/ip rule flush
ExecStart=/usr/sbin/ip rule add from all lookup default priority 32767
ExecStart=/usr/sbin/ip rule add from all lookup main priority 32766
ExecStart=/usr/sbin/ip route flush table 200
ExecStart=/usr/sbin/ip link add dev wg0 type wireguard
ExecStart=/usr/sbin/ip address add dev wg0 192.168.7.3 peer 192.168.7.1/32
ExecStart=/usr/bin/wg setconf wg0 /etc/wireguard/config
ExecStart=/usr/sbin/ip link set up dev wg0
ExecStart=/usr/sbin/ip route add default dev wg0 table 200
ExecStart=/usr/sbin/ip rule add suppress_prefixlength 0 lookup main priority 101
ExecStart=/usr/sbin/ip rule add fwmark 2 lookup 200 priority 102
ExecStart=/usr/sbin/ip route flush cache
ExecStopPost=/usr/sbin/ip link del dev wg0
ExecStopPost=/usr/sbin/ip rule flush
ExecStopPost=/usr/sbin/ip rule add from all lookup default priority 32767
ExecStopPost=/usr/sbin/ip rule add from all lookup main priority 32766
ExecStopPost=/usr/sbin/ip route flush table 200
ExecStopPost=/usr/sbin/ip route flush cache

[Install]
WantedBy=multi-user.target

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -s 192.168.7.3/32 -o wg0 -j SNAT --to-source 192.168.7.3
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -j MARK --set-xmark 0x2/0xffffffff
-A OUTPUT -d 98.103.208.27 -p udp -m udp --dport 992 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.1.2 -p udp -m udp --dport 992 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 98.103.208.24/29 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 992 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
_______________________________________________
WireGuard mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/wireguard
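The sequence the post describes (source address guessed before marking, re-route on the mark, SNAT on wg0) as an added Python model of the posted rules, not code from the post or from WireGuard; the LAN address 192.168.1.50, the eth0 device and the main-table contents are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Values taken from the posted service file and iptables rules
WG_ADDR = "192.168.7.3"
ENDPOINTS = {"98.103.208.27", "192.168.1.2"}   # peer endpoints, udp/992
# Constructed: the address and LAN the normal (non-tunnel) route would pick
LAN_ADDR = "192.168.1.50"
MAIN_TABLE = [("192.168.1.0/24", "eth0", LAN_ADDR), ("0.0.0.0/0", "eth0", LAN_ADDR)]
TABLE_200 = [("0.0.0.0/0", "wg0", WG_ADDR)]   # ip route add default dev wg0 table 200

def mangle_mark(dst, proto, dport):
    """mangle OUTPUT: everything gets mark 2, endpoint traffic is then overwritten to 1."""
    if dst in ENDPOINTS and proto == "udp" and dport == 992:
        return 1
    return 2

def lookup(table, dst, skip_default=False):
    """Longest-prefix lookup on a (network, dev, src) list; table order is by prefix."""
    for net, dev, src in table:
        n = ip_network(net)
        if skip_default and n.prefixlen == 0:
            continue                      # suppress_prefixlength 0
        if ip_address(dst) in n:
            return dev, src
    return None

def policy_route(dst, mark):
    """ip rule order: 101 main (non-default only), 102 fwmark 2 -> table 200, 32766 main."""
    hit = lookup(MAIN_TABLE, dst, skip_default=True)
    if hit is None and mark == 2:
        hit = lookup(TABLE_200, dst)
    if hit is None:
        hit = lookup(MAIN_TABLE, dst)
    return hit

def send(dst, proto="tcp", dport=443, snat=True):
    """Return (device, source address) a locally generated packet leaves with."""
    # 1. the source address is chosen by a lookup made before any mark exists
    _, src = policy_route(dst, mark=0)
    # 2. mangle OUTPUT marks the packet; 3. the kernel re-routes on the mark but keeps src
    mark = mangle_mark(dst, proto, dport)
    dev, _ = policy_route(dst, mark)
    # 4. nat POSTROUTING ! -s 192.168.7.3/32 -o wg0 -j SNAT --to-source 192.168.7.3
    if snat and dev == "wg0" and src != WG_ADDR:
        src = WG_ADDR
    return dev, src

if __name__ == "__main__":
    for args in [("8.8.8.8",), ("8.8.8.8", "tcp", 443, False),
                 ("98.103.208.27", "udp", 992), ("192.168.1.2", "udp", 992)]:
        print(args[0], send(*args))
```

Calling send("8.8.8.8", snat=False) shows the failure the post describes: the packet leaves on wg0 still carrying the LAN source address.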