Comment on Help with iptables, using NixOS setting up a WireGuard server for friends

Steamymoomilk@sh.itjust.works 5 days ago

So my friend's WireGuard config is

  [Interface]
  Address = 10.0.0.3/24
  ListenPort = 51820
  PrivateKey = magic numbers

  [Peer]
  PublicKey = magic numbers
  PresharedKey = magic numbers
  AllowedIPs = 0.0.0.0/0, ::/0
  Endpoint = magic numbers

So if I understand the article correctly, I need to change it to

  [Interface]
  Address = 10.0.0.3/24
  ListenPort = 51820
  PrivateKey = magic numbers

  [Peer]
  PublicKey = magic numbers
  PresharedKey = magic numbers
  AllowedIPs = 0.0.0.0/0, ::/0
  Endpoint = magic numbers

Split tunneling: Exclude certain traffic from the VPN

  PostUp = ip rule add from 192.168.50.0/24 table main
  PostDown = ip rule delete from 192.168.50.0/24 table main

My friend's LAN is 192.168.50.0/0, so I'm assuming we're just trying to tell WireGuard that anything within my friend's subnet doesn't get routed? Which means he will still be able to reach HigherGround@192.168.8.170? And all of his other traffic will be local to him and go through his router?

I'm confused about what "table" and "main" are; I'm assuming it's part of iptables rules? I'm pretty new to iptables, so forgive me for my lack of understanding. I know it's basically a Linux purist firewall LMAO.

Then on my server I would edit

  # This allows the wireguard server to route your traffic to the internet and hence be like a VPN

  postUp = ''
    ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT
    ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
  '';

  # Undo the above
  preDown = ''
    ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT
    ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
  '';

And make it like this?

  # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
  postUp = ''
    ${pkgs.iptables}/bin/iptables -A FORWARD -i cavein0 -j ACCEPT
    ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
    ${pkgs.busybox}/bin/ip rule add from 192.168.50.0/24 table main
  '';

  # Undo the above
  preDown = ''
    ${pkgs.iptables}/bin/iptables -D FORWARD -i cavein0 -j ACCEPT
    ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
    ${pkgs.busybox}/bin/ip rule delete from 192.168.50.0/24 table main
  '';

Right? Or is step 4 still on the client? It's not very clear in the article. Thanks for helping out!
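An added example, not part of the comment above or of the article it quotes. The `table main` in that PostUp line is policy routing (`ip rule` / `ip route` from iproute2), not iptables: `main` is the kernel's ordinary routing table, the one that holds the LAN and default routes, and the rule tells the kernel to route packets whose source address is in 192.168.50.0/24 using that table instead of the tunnel table wg-quick creates for a `0.0.0.0/0` peer. The other way to get a split tunnel is to never hand those prefixes to WireGuard at all: wg-quick installs one route per AllowedIPs entry, so an AllowedIPs list with the LAN carved out leaves the LAN on the main table. The script below computes that list for any set of excluded prefixes (it generalizes beyond the single /24 in the post), checks which destinations would go through the tunnel, and renders the resulting [Peer] section. The LAN prefix is the one from the post; the public key and endpoint are placeholders.

```python
import ipaddress

# Constructed values for this example (not from the original post): the LAN to
# keep off the tunnel, plus placeholder peer details.
FRIEND_LAN = "192.168.50.0/24"
PLACEHOLDER_PUBKEY = "<server public key>"
PLACEHOLDER_ENDPOINT = "<server host>:51820"


def _net_key(n):
    """Sort key: IPv4 before IPv6, then shortest prefix first, then address."""
    return (n.version, n.prefixlen, int(n.network_address))


def allowed_ips_excluding(excludes, full=("0.0.0.0/0", "::/0")):
    """Return AllowedIPs (as strings) equal to `full` minus every prefix in `excludes`.

    Each excluded prefix is carved out of whatever network still contains it,
    so the result covers exactly the address space that should be tunnelled.
    """
    result = []
    for base in full:
        nets = [ipaddress.ip_network(base)]
        for ex in excludes:
            exn = ipaddress.ip_network(ex)
            remaining = []
            for n in nets:
                if n.version != exn.version:
                    remaining.append(n)                      # other family, untouched
                elif n.subnet_of(exn):
                    continue                                 # entirely excluded, drop it
                elif exn.subnet_of(n):
                    remaining.extend(n.address_exclude(exn))  # carve the hole out
                else:
                    remaining.append(n)                      # disjoint, keep as is
            nets = remaining
        result.extend(nets)
    return [str(n) for n in sorted(result, key=_net_key)]


def routed_via_tunnel(dst, allowed_ips):
    """True if wg-quick would route packets for `dst` into the tunnel, i.e. some
    AllowedIPs entry covers it (address families that differ never match)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(a) for a in allowed_ips)


def render_peer(pubkey, endpoint, allowed_ips, keepalive=25):
    """Render a [Peer] section whose AllowedIPs already has the LAN carved out."""
    lines = [
        "[Peer]",
        f"PublicKey = {pubkey}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        f"Endpoint = {endpoint}",
        f"PersistentKeepalive = {keepalive}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    allowed = allowed_ips_excluding([FRIEND_LAN])
    print(render_peer(PLACEHOLDER_PUBKEY, PLACEHOLDER_ENDPOINT, allowed))
    for dst in ("192.168.50.1", "1.1.1.1", "2606:4700::1111"):
        where = "tunnel" if routed_via_tunnel(dst, allowed) else "local"
        print(f"{dst:>18} -> {where}")
```

Carving one /24 out of `0.0.0.0/0` yields 24 IPv4 prefixes (one per bit of the /24), so the AllowedIPs line gets long; that is the trade-off against the one-line `ip rule` approach, which keeps `0.0.0.0/0` and instead matches on the packet's source address. The AllowedIPs approach matches on destination, so it also applies to traffic the client sends from its tunnel address toward the LAN.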
