Comment

Comment on Help with iptables, using nixos setting up a wiregaurd server for friends

tinkling4938@lemmynsfw.com ⁨5⁩ ⁨days⁩ ago

Is your friends client config setup for split tunneling?

If the client config installs a default route to the VPN you will get all their traffic.

The server config can refuse to forward traffic to the internet, but then your friends will be effectively on your LAN but otherwise appear to have no internet access.

Its a good idea to restrict which IPs on your LAN they can access, but the client config also needs route only those IPs over the VPN.

privateproxyguide.com/how-to-set-up-split-tunneli…

source

Sort:hotnew top

Steamymoomilk@sh.itjust.works ⁨5⁩ ⁨days⁩ ago
so my friends wiregaurd config is

“[Interface] Address = 10.0.0.3/24 ListenPort = 51820 PrivateKey = magic numbers

[Peer] PublicKey = magic numbers PresharedKey = magic numbers AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = magic numbers”

So if i understand the article correctly, i need to change it to

"[Interface] Address = 10.0.0.3/24 ListenPort = 51820 PrivateKey = magic numbers

[Peer] PublicKey = magic numbers PresharedKey = magic numbers AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = magic numbers"

Split tunneling: Exclude certain traffic from the VPN

PostUp = ip rule add from 192.168.50.0/24 table main PostDown = ip rule delete from 192.168.50.0/24 table main

my friends LAN is 192.168.50.0/0 so im assuming were just trying to tell wireguard that anything within my friends subnet doesnt get routed? which means he will still be able to reach HigherGround@192.168.8.170? and all of his other traffic will be local to him and go through his router?

im confused what “table” and “main” are im assuming its apart of iptables rules? im pretty new to IP tables so forgive me for my lack of understanding. i know its basically a linux purest firewall LMAO,

Then on my server i would edit

This allows the wireguard server to route your traffic to the internet and hence be like a VPN

postUp = '' ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE ''; # Undo the above preDown = '' ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE '';

And make it like this?

This allows the wireguard server to route your traffic to the internet and hence be like a VPN

postUp = '' ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE ${pkgs.busybox/bin/ip rule add from 192.168.50.0/24 table main ''; # Undo the above preDown = '' ip rule add from 192.168.1.0/24 table main ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE ${pkgs.busybox/bin/ip rule delete from 192.168.50.0/24 table main '';

Right? or is step 4 on the client still? its not very clear in the article thanks for helping out!
source

Split tunneling: Exclude certain traffic from the VPN

This allows the wireguard server to route your traffic to the internet and hence be like a VPN

This allows the wireguard server to route your traffic to the internet and hence be like a VPN