TorGuard

wireguard needs 1 exception


Question

DummyNic

I have TorGuard VPN, and on my Linux server I'm using WireGuard to connect to it.

All traffic appears to be routing in/out via wg0, which is great.

But I'd now like to create one hole, port 3000. So all traffic continues on wg0, but anything on 3000 will use ens192.

I need an ip rule but cannot figure this out.

Currently wg-quick is executing the following at boot. What do I have to add to make the one exception?

UP
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add redacted/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n


Recommended Posts

DummyNic

Got it. In case anyone else runs into this, I was able to get this done using info from this Howto

19807409

Adding 0.0.0.0/0 means that all clients and all traffic is routed over WireGuard; instead, you could specify only specific IPs/clients to be routed. If this is not sufficient, you might look up this example of how to set up firewall rules.

If you have no clue about which routes there are and want in general to exclude local routes, then you could use what WireGuard's Android app used (probably still uses):

AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32

DummyNic

The issue is that all the applications that normally run and this "new" one are on the same server, so setting the AllowedIPs wouldn't really work, since it's all localhost traffic except this one specific port. At least I don't see a way to restrict to an IP segment(s).

Wouldn't the firewall rules in the link provided just be for WireGuard as a server?

Using the link you gave I tried the following:

iptables -I INPUT 1 -i eth0 -p tcp --dport 3000 -j ACCEPT

But I don't think that's helping re-route the traffic to port 3000; it just makes it so traffic CAN follow that port on that interface, but I could be completely missing this.

19807409
6 minutes ago, DummyNic said:

Wouldn't the firewall rules in the link provided just be for wireguard as a server?

yes

13 minutes ago, DummyNic said:

Using the link you gave I tried the following:

iptables -I INPUT 1 -i eth0 -p tcp --dport 3000 -j ACCEPT

Run man iptables for the full manual. Here are some redirect examples as well as here.

Not sure if this is what you want, this will redirect packets from localhost to another machine:

iptables -t nat -A OUTPUT -o lo -d 127.0.0.1 -p tcp --dport 3000 -j DNAT  --to-destination 10.1.2.3:1234
# this requires kernel setting, otherwise it will not work
sysctl -w net.ipv4.conf.all.route_localnet=1

DummyNic

I've gone over the man page for iptables, but I'm still not understanding something.

I don't have a WireGuard server at all. I'm running the WireGuard client and connecting to TorGuard.

I want all traffic EXCEPT port 3000 to go in/out the VPN connection (wg0).

But all traffic on port 3000 to go in/out the normal host adapter ens192.

DummyNic

When wg-quick is connecting it's running

[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820

If I understand correctly, this is marking all traffic on 51820 and telling it that anything not on this port should go on wg0, as 51820 is the port to establish the connection.

Would it be possible to just add a second port to this?

 

19807409
7 hours ago, DummyNic said:

Would it be possible to just add a second port to this?

actually no, but second interface: yes

DummyNic

If I try to change the address to something else, I wouldn't know what to put in there. It's not IPs that I want to allow/not allow, it's just the port traffic itself.

I want all traffic able to go in/out wg0. But I want port 3000 to be able to go out the normal interface without the VPN.

Tried using the link, and it's likely the direction I need, but I'm still not getting it to work.

I entered the following:

iptables -A PREROUTING -i ens192 -t mangle -p tcp --dport 3000 -j MARK --set-mark 1
echo 201 oneport.out >> /etc/iproute2/rt_tables - this didn't actually work, so I used nano to edit rt_tables and added the 201 entry at the top.
ip rule add fwmark 1 table oneport.out

When I then looked at ip rule ls I had

0:      from all lookup local
32763:  from all fwmark 0x1 lookup oneport.out
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default

/sbin/ip route add default via 192.168.1.84 dev ppp0 table oneport.out - then it said that it couldn't find the table or interface ppp0...

 

19807409

It was about netfilter, which is a stateless firewall, which I guess would be exactly what you are trying to approach; you might read more there with more examples if it helps.

I would assume you also need a corresponding POSTROUTING rule for your rule, and you might also require a FORWARD rule.

If it cannot find the interface ppp0, then I would think it does not exist. Do you have a ppp0 interface, and if so, what role does it have in this setup?

DummyNic

I only have 2 interfaces on this VM.

ens192 - this is the physical interface

wg0 - the WireGuard VPN - this goes through ens192.

I have a website (Ombi) living on port 3000. In my firewall (a different VM completely) there is a reverse proxy so I can get HTTPS connections in. It works perfectly when WireGuard is turned off (wg-quick down wg0), but when I bring it back up the traffic is not going in/out ens192. I know it is actually going out that interface, but only after going into wg0 first... I just want this one port to be moved outside of wg0's reach.

19807409

Could you please try it also with set-up IPs instead of using 0.0.0.0/0, as it plays a role here. As an example, you could also run Privoxy locally or use your existing proxy, to which you could redirect all traffic on that port, and it would use the non-WireGuard interface; however, the stateless solution is of course much better.

DummyNic

I'm not against using set-up IPs. But I don't know what to put... the application on port 3000 is on the same VM as the applications I want going through wg0, so how am I going to tell WireGuard to bind to an IP?

ens192 has a static IP of 192.168.1.84

wg0 is using the internal IP 10.13.128.85

If I set

AllowedIPs = 10.13.128.85/32

how do I then direct traffic out different interfaces? Or would I then change my Ombi config to use the ens IP maybe? If so I might be seeing how this works.

19807409
12 minutes ago, DummyNic said:

the application on port 3000 is on the same VM as the applications I want going through wg0 so how am I going to tell wireguard to bind to an IP

You could, as an example, add an additional IP address to your non-wg interface, which you then bind in your server or whatever you use, and not add this specific IP that you bind to the allowed IPs in the WireGuard config. By that its traffic would not go over WireGuard (assuming you bound only the service which uses the port you want). Very simple actually, and it would not involve any additional rules or firewall configuration.

19807409

If you set allowed IPs to 0.0.0.0/0, then all traffic is routed and routes are overwritten; you can then take care of extended firewall setups with PostUp and PostDown commands.

You can set multiple IPs in that line, not just one.

19807409

Allowed IPs should actually be those IPs in your internal network; I kinda think it is wrong if you set it to the interface address (it looks like that to me). Instead, add ListenAddress your 192.168.1.84, which then should go over the wg interface; if you set only this IP, then only that IP will be routed. By that, set your local net IPs (by subnet or each single one) which you want to be routed; normally you would route all DHCP server ranges, as the static ones are normally few, which you can add manually.

DummyNic

I tried setting

AllowedIPs = 10.13.128.85/32

in the [Peer] section, but it's not routing any traffic via WireGuard.

I then tried

AllowedIPs = 192.168.1.84/32

Same issue, no traffic goes out WG to TorGuard...

Adding a second IP to the primary adapter is easy enough; did that without issue.

DummyNic

I successfully added a second IP to my primary interface - 172.16.100.84

I have "bound" Ombi to this IP.

My proxy is working with the new IP.

I just need to figure out how to use AllowedIPs here and I should be all good.

Under AllowedIPs I've tried my regular internal - 192.168.1.84 - and my WireGuard internal - 10.13.128.85. But it seems to still not send any traffic out the WireGuard wg0 interface.

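Both things tried in this thread, routing by port (the fwmark, rt_tables and ip rule attempt earlier on, where the howto's ppp0 and gateway placeholders have to become ens192 and 192.168.1.1) and routing by the secondary address Ombi is now bound to, can be done as a small script that wg-quick calls from PostUp/PreDown. The script below is an added example, not code from the thread, from TorGuard or from wg-quick. It assumes the values stated in the thread: physical interface ens192, LAN gateway 192.168.1.1, service port 3000, secondary address 172.16.100.84; table number 201, mark 0x1, rule priority 100 and the script name wg-bypass.sh are arbitrary choices made here. One correction to the reading of wg-quick's output above: fwmark 51820 is a packet mark, not a port. wg-quick marks its own encrypted UDP packets so that only those use the main table, and everything unmarked falls through to table 51820 and into wg0. The exception therefore has to be a rule that fires before wg-quick's rules (the priority 100 rule below), and AllowedIPs can stay at 0.0.0.0/0 as it was at the start.

```shell
#!/bin/sh
# Added example, not from the thread, TorGuard or wg-quick: route one local service
# around wg0 by policy routing, selected either by its TCP port or by the secondary
# address it is bound to. Assumed values (taken from the thread): physical interface
# ens192, LAN gateway 192.168.1.1, service port 3000, secondary address 172.16.100.84.
# Table 201, mark 0x1 and priority 100 are arbitrary choices made here; they must not
# collide with wg-quick's own mark/table 51820 (0xca6c) or its rules at 32764/32765.
BYP_IF=${BYP_IF:-ens192}
BYP_GW=${BYP_GW:-192.168.1.1}
BYP_PORT=${BYP_PORT:-3000}
BYP_SRC=${BYP_SRC:-172.16.100.84}
BYP_MARK=${BYP_MARK:-0x1}
BYP_TABLE=${BYP_TABLE:-201}
BYP_PRIO=${BYP_PRIO:-100}
DRY_RUN=${DRY_RUN:-1}      # 1: print the commands; 0: execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Table 201 holds one default route through the real gateway on ens192. A packet
# whose rule sends it here never reaches wg-quick's rule for table 51820, so it
# leaves on ens192 instead of wg0. A numeric table needs no rt_tables entry.
bypass_table() {
    run ip route replace default via "$BYP_GW" dev "$BYP_IF" table "$BYP_TABLE"
}

# Variant A, by port. Replies the service sends (source port 3000) are marked in
# mangle OUTPUT, which runs before the kernel's re-route check, so the fwmark rule
# picks table 201 for them. Inbound packets for the port are marked in PREROUTING
# because the reverse-path filter honours the mark (wg-quick sets
# src_valid_mark=1) and would otherwise reject them: without the mark the reverse
# route to an Internet client points at wg0, not at ens192 where they arrived.
port_up() {
    bypass_table
    run iptables -t mangle -A OUTPUT -p tcp --sport "$BYP_PORT" -j MARK --set-mark "$BYP_MARK"
    run iptables -t mangle -A PREROUTING -p tcp --dport "$BYP_PORT" -j MARK --set-mark "$BYP_MARK"
    run ip rule add fwmark "$BYP_MARK" lookup "$BYP_TABLE" priority "$BYP_PRIO"
}
port_down() {
    run ip rule del fwmark "$BYP_MARK" lookup "$BYP_TABLE" priority "$BYP_PRIO"
    run iptables -t mangle -D PREROUTING -p tcp --dport "$BYP_PORT" -j MARK --set-mark "$BYP_MARK"
    run iptables -t mangle -D OUTPUT -p tcp --sport "$BYP_PORT" -j MARK --set-mark "$BYP_MARK"
    run ip route flush table "$BYP_TABLE"
}

# Variant B, by source address. With the service bound to 172.16.100.84 one
# source-based rule is enough: AllowedIPs selects destinations, never the local
# source, which is why the AllowedIPs experiments above could not express this.
# No inbound mark is needed, because the reverse-path check for a packet to
# 172.16.100.84 is a lookup "from 172.16.100.84" and matches the same rule.
src_up() {
    bypass_table
    run ip rule add from "$BYP_SRC" lookup "$BYP_TABLE" priority "$BYP_PRIO"
}
src_down() {
    run ip rule del from "$BYP_SRC" lookup "$BYP_TABLE" priority "$BYP_PRIO"
    run ip route flush table "$BYP_TABLE"
}

# Ask the kernel which path it would choose for a public destination: plain
# (expected: dev wg0), with the mark and from the secondary address (expected:
# via 192.168.1.1 dev ens192 once the rules are in place).
verify() {
    run ip route get 1.1.1.1
    run ip route get 1.1.1.1 mark "$BYP_MARK"
    run ip route get 1.1.1.1 from "$BYP_SRC"
}

case "${1:-}" in
    port-up)   port_up ;;
    port-down) port_down ;;
    src-up)    src_up ;;
    src-down)  src_down ;;
    verify)    verify ;;
    "")        : ;;   # no mode: only define the functions (sourced or tested)
    *)         echo "usage: $0 port-up|port-down|src-up|src-down|verify" >&2; exit 2 ;;
esac
```

Run it first with the default DRY_RUN=1 to see the exact commands, then add PostUp = DRY_RUN=0 /usr/local/sbin/wg-bypass.sh src-up and PreDown = DRY_RUN=0 /usr/local/sbin/wg-bypass.sh src-down (or the port-up/port-down pair) to the [Interface] section of wg0.conf so wg-quick applies and removes the exception with the tunnel. With DRY_RUN=0 the verify mode shows ip route get resolving 1.1.1.1 via wg0 for ordinary traffic and via 192.168.1.1 on ens192 for the marked packets or the 172.16.100.84 source, which is the check to do before trusting the reverse proxy path. Variant B is the simpler of the two once the service is bound to its own address; variant A is what to use when the service cannot be rebound and only the port is known.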
DummyNic

I think I'm getting closer.

Now I have my wg0.conf file to show

AllowedIPs = 10.13.128.0/24

The WireGuard interface connects, my other non-WireGuard stuff still works - great.

However, when I do simple checks - speedtest to see what my external IP is, for example - I'm getting my actual external IP, not the TorGuard one. This tells me my actual internal traffic (192.168.1.0/24) is NOT being sent out the wg0 interface. When I add 192.168.1.0/24 to the conf I get

ip -4 route add 192.168.1.0/24 dev wg0
RTNETLINK answers: File exists

So I'm still missing something, since it seems to think I'm using multiple gateways, which I actually am, kinda...

19807409
15 minutes ago, DummyNic said:

The wireguard interface connects, my other non-wireguard stuff still works - great.

;)

15 minutes ago, DummyNic said:

However when I do simple checks - speedtest to see what my external IP is for example I'm getting my actual external IP, not the torguard. This tells me my actual internal traffic (192.168.1.0/24) is NOT being send out the wg0 interface. When I add 192.168.1.0/24 to the conf I get

By setting allowed IPs you actually say that those should be routed, meaning that if you have the setting:

AllowedIPs = 10.13.128.0/24

then the range 10.13.128.1 - 10.13.128.254 would be routed over WireGuard, but nothing else. Simply adding the desired range 192.168.1.0/24 as well should route those IPs on request. You have to ensure, of course, that both interfaces can communicate with both mentioned ranges, which I assume they do beforehand.

You try to add a route later; instead, add 192.168.1.x to your listen address, which would be the IP of your test PC on which you test; later you can then play with ranges and other settings.

You probably should also check how your DNS works etc. if you say tests are different, but in general, I think you almost got it set up :)

DummyNic

I believe I have the DNS all sorted already. I used https://github.com/macvk/dnsleaktest to check for leaking.
It says I might have a leak, but it's only resolving the DNS servers I've told WireGuard to use, so that part seems OK.

Here is exactly what I have in my wg0.conf allowed setup:
AllowedIPs = 10.13.128.0/24, 192.168.1.0/24, ::/0

When I try to connect I'm getting

[#] ip -4 route add 192.168.1.0/24 dev wg0
RTNETLINK answers: File exists

Haven't found a reason for this yet, but based on what I've read and what you stated above, this SHOULD work.

DummyNic

This issue seems to be because 192.168.1.1 is the default gateway on ens192; it's creating a conflict to have it be the gateway for wg0 too...

So I used /32, but it's still not sending anything out wg0

AllowedIPs = 10.13.128.85/32, 192.168.1.84/32, ::/0

This does connect to WG, but it isn't sending traffic out the wg0 interface yet.

DummyNic

I did confirm that sysctl -w net.ipv4.ip_forward=1 is set. So traffic should be able to forward, I think, but it just doesn't go...

If I change it back to 0.0.0.0/0, wg0 works great but blocks the other addresses as well.

19807409

Did you make sure that your DHCP server is sending gateway and DNS, and make sure 192.168.1.1 is sent to the clients which should have it? If you have another gateway too (which you did not say you have, as wg0 still goes over your gateway), then you could also use multi-WAN. Here is the list if you need more than just those two: http://www.networksorcery.com/enp/protocol/bootp/options.htm

If you did not set it properly, or you got confused at all by what I asked, then simply set your IP manually, use 192.168.1.1 as the gateway and set 1.1.1.1,1.0.0.1 as your DNS servers (you can add additional ones too if you have some local).

The IP address of the device on which you run WireGuard can actually be set as the gateway for other IPs in your local network, if you need that at all.

As well, could you explain what exactly 10.13.128.85/32 is? Is that the address of the wg interface on 192.168.1.84? If yes, then you should not have it in allowed IPs; it is WireGuard's address.

Maybe you could try 192.168.1.84/24 too
