TorGuard
DummyNic

wireguard needs 1 exception


Question

DummyNic

I have TorGuard VPN, and on my Linux server I'm using WireGuard to connect to this.

All traffic appears to be routing in/out via wg0, which is great.

But I'd now like to create 1 hole, port 3000. So all traffic continues on wg0, but anything on 3000 will use ens192.

I need an ip rule but cannot figure this out.

Currently wg-quick is executing the following at boot. What do I have to add to make the 1 exception?


UP
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add redacted/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

Recommended Posts

DummyNic

I did try 192.168.1.84/24. It takes it but nothing goes out the wg0 interface.

10.13.128.85/32 is the wg interface on 192.168.1.84 so I will take that out.

I don't need any other devices on the network to go through wireguard, just this one server minus the single port.

My server is all set static, with the main interface ens192 using 192.168.1.1 as the gateway. I'm already using 1.1.1.1 as the DNS too.

In reading more I'm still not seeing how the allow line is going to help here. This is usually used to filter out incoming connections; in my case that's the entire internet.

For example, I set 68.0.0.0/0 in the allow field and now I was behind wg0 again; however, my new IP was too, as ALL traffic coming in from that IP was being routed, not all traffic minus 3000....

19807409
On 10/10/2020 at 4:05 AM, DummyNic said:

10.13.128.85/32 is the wg interface on 192.168.1.84 so I will take that out.

exactly

On 10/10/2020 at 4:05 AM, DummyNic said:

In reading more I'm still not seeing how the allow line is going to help here. This is usually used to filter out incomming connections, in my case that's the entire internet. 

You create a new interface locally, let's say with the IP address 192.168.1.85, and bind your service for port 3000 to 192.168.1.85. The full traffic of that service (port 3000) would then not go over your WireGuard interface, as 192.168.1.85 is not in your allowed IPs and so will not be routed over WireGuard.

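The following is an added example, not code from either poster or from TorGuard. It answers the question literally: a port-based exception that leaves the wg-quick default route in place for everything else. It builds only on what the posted wg-quick output shows (fwmark 51820 on wg0, the "not fwmark 51820 lookup 51820" rule, and src_valid_mark=1) and on the poster's stated LAN setup (ens192, gateway 192.168.1.1). Assumptions that are not on the page: mark 0x3000 and rule preference 100 are otherwise unused on the host. Note that with the posted rules the routing decision keys on the fwmark, not on the source address or on AllowedIPs, so the second-address approach in the reply above also needs its own rule (for instance `ip -4 rule add from 192.168.1.85 lookup main pref 100`) to actually leave via ens192; the port-based variant below needs no extra address.

```shell
#!/bin/sh
# Added example (not from the thread). Send traffic that a local service
# emits from TCP/UDP port 3000 out via ens192 and the LAN gateway, while
# every other flow keeps following wg-quick's default route over wg0.
#
# From the posted wg-quick output: wg0 uses fwmark 51820, unmarked packets
# are sent to table 51820, and net.ipv4.conf.all.src_valid_mark=1 is set.
# Assumed (not from the page): mark 0x3000 and ip-rule pref 100 are free.
# Run as root ("apply" / "remove" / "check"), or with DRY_RUN=1 to print.
set -u

PORT=3000
LAN_IF=ens192
BYPASS_MARK=0x3000   # assumed unused; any value other than 51820 works
BYPASS_PREF=100      # evaluated before wg-quick's rules (pref 32764/32765)

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# $1 is the iptables verb: -A to install the rules, -D to remove them.
netfilter_rules() {
  verb=$1
  for proto in tcp udp; do
    # Outbound: locally generated packets with source port 3000 get the
    # bypass mark. mangle/OUTPUT runs before the final routing decision,
    # so the ip rule added in apply_bypass sees the mark.
    run iptables -t mangle "$verb" OUTPUT -p "$proto" --sport "$PORT" \
      -j MARK --set-mark "$BYPASS_MARK"
    # Inbound: packets arriving on ens192 for port 3000 get the same mark.
    # With src_valid_mark=1 the reverse-path check honours the mark, so a
    # strict rp_filter validates the client's address against table main
    # (answer: ens192) instead of table 51820 (answer: wg0) and keeps it.
    run iptables -t mangle "$verb" PREROUTING -i "$LAN_IF" -p "$proto" \
      --dport "$PORT" -j MARK --set-mark "$BYPASS_MARK"
  done
}

apply_bypass() {
  netfilter_rules -A
  # Marked packets consult table main first. On this host its default
  # route is via 192.168.1.1 dev ens192, so they never reach table 51820.
  run ip -4 rule add fwmark "$BYPASS_MARK" lookup main pref "$BYPASS_PREF"
}

remove_bypass() {
  run ip -4 rule del fwmark "$BYPASS_MARK" lookup main pref "$BYPASS_PREF"
  netfilter_rules -D
}

# Show the rule table and which egress a marked vs. unmarked packet gets.
check_bypass() {
  run ip -4 rule show
  run ip -4 route get 1.1.1.1 mark "$BYPASS_MARK"   # expect: dev ens192 via 192.168.1.1
  run ip -4 route get 1.1.1.1                       # expect: dev wg0 table 51820
}

case "${1:-}" in
  apply)  apply_bypass ;;
  remove) remove_bypass ;;
  check)  check_bypass ;;
esac
```

Usage: `sh bypass3000.sh apply`, then `sh bypass3000.sh check`. To make it survive reboots, call the same commands from `PostUp =` and `PreDown =` lines in the `[Interface]` section of the wg-quick config so they are applied and removed together with wg0. Nothing here changes which address the service answers from: a client that reached port 3000 through ens192 gets replies from 192.168.1.84 because the kernel reuses the destination address of the inbound packet. If you would rather not mark inbound packets, setting `net.ipv4.conf.ens192.rp_filter=2` (loose mode) is the alternative way to stop a strict reverse-path check from dropping the clients' packets.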