I have a remote VPS that acts as a WireGuard server (keys omitted):

    [Interface]
    Address = 10.0.0.2/24

    [Peer] # self host server
    #Endpoint =
    AllowedIPs = 10.0.0.1/32
(The VPS is configured to be a router)
And I have another server, my self-host server, which connects to the VPS through WireGuard because it acts as a port-forwarder, with some nft glue on the VPS side to “port forward” my 443 port:

    [Interface]
    Address = 10.0.0.1/24

    [Peer]
    AllowedIPs = 10.70.0.2/24
(omitted the nft glue)
My self-hosted server's default route goes through my home ISP and that must remain the case.
Now, on the self-host server I have one specific user that I need to route through the WireGuard tunnel for its outgoing traffic, because I need to make sure its traffic seems to originate from the VPS.
The way I usually handle this is with a couple of nft commands to create a user-specific routing table and assign a different default route to it (uid=1070):

    ip rule add uidrange 1070-1070 lookup 1070
    ip route add default via 10.70.0.2 dev eno1 table 1070
(this is the case, and works, to use eno1 as default gateway for user 1070)
If I try the same using the wg0 interface, it doesn't work.

    ip rule add uidrange 1070-1070 lookup 1070
    ip route add default via 10.70.0.2 dev wg0 table 1070

This doesn't work; WireGuard refuses to allow packets through.
I tried to change my self-host server's AllowedIPs like this:

    [Interface]
    Address = 10.0.0.1/24

    [Peer]
    AllowedIPs = 10.70.0.2/24, 0.0.0.0/0

and it works! User 1070 can route through WireGuard. BUT… now this works just too much… because all my self-host server traffic goes through wg0, which is not what I want.
So I tried to stop WireGuard from messing with the routing tables:

    [Interface]
    Address = 10.0.0.1/24
    Table = off

    [Peer]
    AllowedIPs = 10.70.0.2/24, 0.0.0.0/0

and manually added the routes for user 1070 like above…
The default route now doesn't get replaced, but now, without any error, the packets for user 1070 just don't get routed.
I am at a loss… Any suggestions?
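Added example (not from the post or either reply): a small model of the two decisions a packet from uid 1070 goes through on the self-host server, first the uid-based policy routing (rule → table → longest-prefix match, falling back to the main table), then WireGuard's cryptokey routing, which silently drops any outgoing packet whose destination matches no peer's AllowedIPs. The rules, routes and AllowedIPs are constructed from the thread's configuration, so it shows why the wg0 default route fails with `AllowedIPs = 10.70.0.2/24` and passes once `0.0.0.0/0` is added.

```python
import ipaddress

# Constructed model of the self-host server (example only, not real kernel state).
# ip rule add uidrange 1070-1070 lookup 1070  ->  (uid, table)
RULES = [(1070, 1070)]
ROUTES = {
    "main": [("0.0.0.0/0", "eno1")],          # default route via the home ISP
    1070: [("0.0.0.0/0", "wg0"),              # ip route add default ... dev wg0 table 1070
           ("10.0.0.2/32", "wg0")],           # ip r add 10.0.0.2/32 dev wg0 table 1070
}
# AllowedIPs of the single peer on wg0. With Table = off, wg-quick no longer
# installs routes for these prefixes, but cryptokey routing still applies.
ALLOWED_IPS = ["10.70.0.2/24"]


def lookup(table, dst):
    """Longest-prefix match of dst in one routing table; None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in ROUTES[table]:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress(uid, dst, allowed_ips=ALLOWED_IPS):
    """Return (interface, delivered): the interface the routing decision picks for a
    packet from uid to dst, and whether WireGuard would actually send it out."""
    table = next((t for u, t in RULES if u == uid), "main")
    dev = lookup(table, dst) or lookup("main", dst)   # kernel falls through to main
    if dev != "wg0":
        return dev, True
    addr = ipaddress.ip_address(dst)
    allowed = any(addr in ipaddress.ip_network(a, strict=False) for a in allowed_ips)
    return dev, allowed  # not in any peer's AllowedIPs -> dropped without an error


if __name__ == "__main__":
    for uid, dst, allowed in [(1000, "8.8.8.8", ALLOWED_IPS),
                              (1070, "8.8.8.8", ALLOWED_IPS),
                              (1070, "8.8.8.8", ALLOWED_IPS + ["0.0.0.0/0"]),
                              (1070, "10.70.0.5", ALLOWED_IPS)]:
        print(uid, dst, allowed, "->", egress(uid, dst, allowed))
```

A `tcpdump -i wg0` that shows nothing while the uid's table points at wg0 is consistent with the second case: the packet reached wg0 and was dropped by cryptokey routing rather than misrouted.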
InnerScientist@lemmy.world 3 weeks ago
Did you add the VPS IP to the routing table of your user?

    ip r add 10.0.0.2/32 dev wg0 table 1070

Shimitar@downonthestreet.eu 3 weeks ago
All the IPs behind wg0 can be pinged by user 1070 without issue, but nothing else.
InnerScientist@lemmy.world 3 weeks ago
Do a ping of 8.8.8.8 from your user, then open a new console and run `tcpdump -i <interface>`, first with your uplink, then wg0. The packets should be seen on wg0 if they're routed correctly, and the problem then is on the VPS side. Otherwise it's a problem in your local config.