Re: Prevent all traffic from going through the WG tunnel

Wed, 11 Jan 2023 16:40:38 -0800
Thank you for all who answered. This is working as expected now and I have a better understanding of how the AllowedIPs config works as well. 

-jeremy

On 2023-01-04 06:47, cont...@nagel-mail.com wrote:

Hello,
As I understand your question, you are trying to accomplish, that only
your WireGuard network ( extracted from your config some 10.0.0.0/8
network. The 192.168.128.0/17 would be a home network?)
Will be routed from your client to your WireGuard server. The rest
should just leave your client network card and routed from your local
network. For that you simply have to set: AllowedIPs = 10.10.10.1/32
Or the whole 10.x/x Network you are using.
Hope I understood your question correctly.

Mit freundlichen Grüßen / best regards

J. Nagel
Fachinformatiker Systemintegration

cont...@nagel-mail.com


Am 04.01.2023 um 14:47 schrieb Jeremy Hansen <jer...@skidrow.la>:


I have a remote network that I've tied in to my WG server.  I'm 
noticing that all traffic from this remote network that goes outbound 
to the internet is getting routed through my wireguard server.


Client config:
[Interface]
PrivateKey = XXXX
Address = 10.10.10.10/32
ListenPort = 51821

[Peer]
PublicKey = XXXX
Endpoint = 11.11.11.11:51821 <- IP of the WG server.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepAlive=25


Server config:
[Interface]
PrivateKey = XXXX
Address = 10.10.10.1/32
ListenPort = 51821


PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o 
%i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o 
%i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE


# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = XXXX

AllowedIPs = 10.10.10.10/32, 192.168.128.0/17 <- Client's internal 
network.




My goal is that regular outbound traffic just goes out the client 
node's outside routable interface and traffic between the internal 
networks goes through wireguard.



For example, I'm seeing email being sent through the MTA I have 
configured on the "client" is showing up as originating from the 
outbound IP of the "server".


Thanks!
<0x1BF1B863.asc>



Attachment:
0x1BF1B863.asc

Description: application/pgp-keys



Attachment:
signature.asc

Description: OpenPGP digital signature






















					Reply via email to