TorGuard

WireGuard Implementation without VM / Multiple Gateways?


BukkakeBlaster

Question

Hi Guys!

So I've been researching for about 48 hours and I cannot find a solution for my scenario:

Background

I recently configured an Intel quad-core machine with Ubuntu Server 20.04 to connect to TorGuard's 10G WireGuard servers and everything was magic. All my traffic was over the VPN, and I only recently came across these new issues:

1) T-Mobile no longer allows app access

2) XFinity Stream no longer allows streaming via Roku boxes.

Challenges

1) To allow XFinity Stream to work on Roku boxes I CAN'T reconfigure network settings for the Roku TVs or boxes to connect to a unique default gateway.

Half a Solution  - Two Devices

I figured, based off this post on reddit: https://www.reddit.com/r/WireGuard/comments/kp7qf3/wireguard_client_to_vpn_provider_policybased/

that I can go back to using a traditional router OR set up a VM for "normal traffic" and have my Ubuntu Server box set up as a secondary gateway to VPN traffic as an "option".

The problem is I want a MAC address or AT LEAST an IP address based solution for exceptions to WireGuard's wg0 interface, done through some static routing, so that everything else gets VPN'ed.

 

Is there any way to achieve this?


10 answers to this question


There are many ways to resolve your issue; it can depend on several factors, for one how you split your own network. If you have a VLAN-capable router then things get easier, as you can assign different settings like DNS, routes, DHCP rules etc. Also, if it is just about a few devices (fewer than 4), then any OpenWrt-capable router can be used to assign a LAN port to a separate LAN network.

The same result can be achieved by creating a wireless interface for the same task.

Another, simpler way would be to simply stop using 0.0.0.0/0 in your AllowedIPs; instead, define which client should use the VPN and which should not. You already have a quad-core server and it would be stupid to use some cheap router; however, as long as your ISP is not providing more than 500 Mbit/s, any RPi4 device would get the maximum out of it.

About the points which you wrote: if you mean the T-Mobile application does not work, I do not know from which country, but T-Mobile outside the US works without any issues with TorGuard, no matter which client you use.

About point two, I am also clueless what exactly you mean with "no longer allows streaming via Roku boxes" and what it has to do with your WireGuard connection.


So in the US:

XFinity is an internet and cable TV provider.

To save money on the TV channels I use a special Roku box. 

This Roku box does not allow a custom default gateway or IP. Everything is DHCP.

I get gigabit from my provider and I am using Ubuntu Server 20.04, but I read AllowedIPs will only permit those packets and reject all others to WAN.

Is there any way to configure my routes for only a few boxes outside the TorGuard VPN on WAN?

Edit:

In the US the Roku boxes will only work when streaming from the XFinity subscriber's WAN.

11 hours ago, BukkakeBlaster said:

This Roku box does not allow a custom default gateway or IP. Everything is DHCP.

Then set up a DHCP server to serve the correct IP, subnet, gateway and DNS, and in that net/LAN your WireGuard connection should be used.

11 hours ago, BukkakeBlaster said:

I get gigabit from my provider and I am using Ubuntu Server 20.04, but I read AllowedIPs will only permit those packets and reject all others to WAN.

Then it means you need a device which is capable of delivering 1 Gbit; an Intel quad core is already OK. But as you say streaming, I doubt your provider offers you 1 Gbit on upload too, as that is what matters when you are outside your home. In that case even a cheap RPi4 would be more than sufficient.

11 hours ago, BukkakeBlaster said:

Is there any way to configure my routes for only a few boxes outside the TorGuard VPN on WAN?

Yes, and I think I replied to it in my first reply, but maybe it was unclear. The easiest is if you have somewhere some OpenWrt-capable router; there set, let's say, port 4 to its own VLAN which uses the WireGuard interface as its WAN. There you set then the DHCP server and everything else, and connect to LAN port 4 either a switch (that's if you need more than 1 connection, like Roku box, TV, etc. => devices which require DHCP and there is no possibility to install WireGuard on them). When you have set it all up, you add an additional wireless network which is bridged to your new interface and provides the same access over WLAN.

For every other device which has the ability to install WireGuard, better install WireGuard and create a peer connection to your WireGuard server.


11 hours ago, BukkakeBlaster said:

Edit:

In the US the Roku boxes will only work when streaming from the XFinity subscriber's WAN.

I sadly have no experience with XFinity, but in any case, your Roku device is reachable over VPN, and for those specific IP ranges of your ISP it can use your clearnet connection instead of the VPN.

I already told you not to use 0.0.0.0/0, as that way it is set as gateway and everything goes through the VPN. For TorGuard, define DNS servers as 10.9.0.1 and 10.8.0.1; in AllowedIPs use the same, 10.9.0.1/0,10.8.0.1/0,10.123.124.2/32,....

Edit: also, as the title could be wrongly interpreted as using more than one WireGuard interface, that is in most cases a bad idea and you should have only 1 VPN interface which is configured properly, in which you of course can use multiple TorGuard servers at the same time, as well as use any peer (not only TorGuard) as your gateway.


Hey guys, let me clear up some confusion. I really appreciate all the feedback:

My current config is as follows:

 

ISP ======> MODEM ======> Ubuntu Server ====> Router/Switch ===> My Current Computer

 

I have tried adding firewall rules (ex: iptables -A -s 192.168.1.x -o enp1s0 -j ALL) to go AROUND the Ubuntu server's WireGuard connection to TorGuard.

The Ubuntu Server will reroute ALL traffic; however, if I try to make any exception for any particular IP (since iptables won't accept MAC addresses) they will not work.

The Ubuntu Server however has no problem forwarding wg0 (TorGuard WireGuard) OR enp1s0 (the WAN link) to enp2s0 (the LAN link).

 

All that other stuff I said, I think I just wasted your time, and I'm sorry for that, but this is just how it is in the US:

 

Roku only allows DHCP configuration, and the app "XFinity Stream" provided by our ISP and TV saves us $10 per TV per month. So making an exception for the Roku IP address to connect directly with the WAN interface (since the ISP checks your IP to allow streaming) is not possible atm.

 


I guess a way better setup would be:

isp => router/switch/firewall => clients using ubuntu server as gateway.

For WireGuard etc., I see that so many are confused about it and routing; many things I explained in several threads, but there is enough good description and tools. This link will probably help you understand it better, and it has a calculator.

You need to set up routes; I guess the best way is to do it within the WireGuard config with PreUp and PreDown entries, which you need anyway if you want to access your WireGuard server over your real IP address.

For that other stuff which you say is connected to the US, I wouldn't be so sure about it; try another server, mainly one that is not marked as a shared server. I mean, you can try to reset the phone to factory settings and install it connected to WLAN with an EU (or any non-US) IP address; maybe that helps. Having some old phone around is enough to test it; then you can exclude it if it is not based on your geolocated IP address.

 


No, I think there's some confusion:

AllowedIPs is specifically to allow ONLY access to the IP addresses defined in the WireGuard config. For instance, if your AllowedIPs is set to 1.1.1.1 it will only allow the 1.1.1.1 address and block everything else. Believe me, I have checked in my lab.

I have tried these rules (enp1s0 is WAN, enp2s0 is LAN):

iptables -A FORWARD -i enp2s0 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
iptables -A FORWARD -s 192.168.1.101 -o enp1s0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -d 192.168.1.101 -m state --state RELATED,ESTABLISHED -j ACCEPT

 

but they don't work. They will allow a connection to the VPN via 192.168.1.101 but do not bypass the wg0 interface.

I could be wrong, but I don't think iptables is the way to go. I have tried similar stunts with default routes etc.

7 hours ago, BukkakeBlaster said:

No, I think there's some confusion:

AllowedIPs is specifically to allow ONLY access to the IP addresses defined in the WireGuard config. For instance, if your AllowedIPs is set to 1.1.1.1 it will only allow the 1.1.1.1 address and block everything else. Believe me, I have checked in my lab.

I think the only confused one here is you. Thinking is not knowing, and then you ask me to believe :) in what? In thinking and not knowing?

Maybe your setup is not working because you wrongly understand the meaning of the configuration? Well, you say then:

7 hours ago, BukkakeBlaster said:

but they don't work. They will allow a connection to the VPN via 192.168.1.101 but do not bypass the wg0 interface.

and then:

7 hours ago, BukkakeBlaster said:

I could be wrong, but I don't think iptables is the way to go. I have tried similar stunts with default routes etc.

which proves that you actually do not know that WireGuard is a route-based VPN and that for anything in AllowedIPs routes are created. Therefore, you claim nonsense once again about access to 101, where you ignore the advice to use PreUp/PreDown configuration for WireGuard, where you would actually configure the routes which you need even for separate clients; 0.0.0.0 should not be used in that case, as that configures your interface as gateway. In your own configuration, you claim that your router is connected to the WG server, meaning that you actually do not need at all to configure your WireGuard interface; it is sufficient to configure your router, add a VLAN and use a separate config which does not go over your VPN. Then if you want some more rules, you could define some routes of your WG interface to go over your router's VLAN.

As last, whatever device is connected to your WG: assume the address of your WG interface is 172.16.128.1/24 and your peer has address 172.16.128.2/32. Then in your server's config you can add to your client's peer 172.16.128.2/32, and in your peer's config you add AllowedIPs for the server's peer of 172.16.128.1/32. Now test that in your lab and you will quickly recognize that you are using your clearnet connection but you have direct access to your WireGuard server.

That was an example of simply 2 IPs; however, there are many ways one could set it up and achieve what you are trying to.

Back to your statement:

8 hours ago, BukkakeBlaster said:

AllowedIPs is specifically to allow ONLY access to the IP addresses defined in the WireGuard config

That is wrong to write; later you confirm what is wrong with it by writing:

8 hours ago, BukkakeBlaster said:

but I don't think the iptables is the way to go

Maybe you should inspect your routes and read a little bit more about it, as well as WireGuard configuration; there is no need to think or believe if you can read it up and know.

However, I hope you manage to achieve what you want without iptables :) and without silly people like me wasting their own time telling you nonsense :rolleyes:

 


So I just wanted to go back over what I've tried:

In the PostUp and PostDown configs I have tried adding the ip route rules I added above, but to no avail.

The client 192.168.1.101 will still be routed via the VPN and is unable to connect directly over WAN.

 

So I'll just show you another variation of the rules I've tried:

iptables -A FORWARD -i enp2s0 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
iptables -A FORWARD -i enp2s0 -o enp1s0 -s 192.168.1.101 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp2s0 -d 192.168.1.101 -m state --state RELATED,ESTABLISHED -j ACCEPT

 

where enp1s0 is the WAN interface (x.x.x.x), enp2s0 is the LAN interface (192.168.1.1), and wg0 is the WireGuard interface (y.y.y.y).

 

The default gateway is 192.168.1.1, running isc-dhcp-server on the local machine serving IPs through enp2s0.


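Putting the PreUp/PreDown routing advice from the earlier replies together with the interface names in this last post, here is an added example (my own, not the thread's or TorGuard's config) of a wg-quick config that keeps AllowedIPs = 0.0.0.0/0 for the whole LAN but sends the one client 192.168.1.101 out of enp1s0 by source-based policy routing instead of by iptables filtering. The key material and endpoint are placeholders; the interface and address layout is assumed from the posts above.

```ini
# /etc/wireguard/wg0.conf on the Ubuntu gateway (added example, not from the thread).
# Assumed layout: enp1s0 = WAN, enp2s0 = LAN 192.168.1.0/24, Roku = 192.168.1.101.
[Interface]
# Placeholders: take the real values from the TorGuard-supplied config.
PrivateKey = <client-private-key>
Address = <tunnel-address>/32
DNS = 10.9.0.1, 10.8.0.1

# With AllowedIPs = 0.0.0.0/0 and the default Table = auto, wg-quick creates
# routing table 51820 ("default dev wg0") and two ip rules that send every
# packet without fwmark 51820 to it. Those rules get the lowest free
# priorities (32764/32765 on a stock system), so a rule at priority 100 is
# evaluated first: packets *from* the Roku look up the main table, whose
# default route still points at enp1s0, and never reach wg0.
# Check after "wg-quick up wg0":  ip route get 1.1.1.1 from 192.168.1.101 iif enp2s0
PostUp  = ip -4 rule add from 192.168.1.101/32 lookup main priority 100
PreDown = ip -4 rule del from 192.168.1.101/32 lookup main priority 100

# Forwarding: LAN -> VPN for everyone, LAN -> WAN only for the Roku; return
# traffic only for flows conntrack already knows.
PostUp  = iptables -A FORWARD -i enp2s0 -o wg0 -j ACCEPT
PostUp  = iptables -A FORWARD -i wg0 -o enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp  = iptables -A FORWARD -i enp2s0 -o enp1s0 -s 192.168.1.101/32 -j ACCEPT
PostUp  = iptables -A FORWARD -i enp1s0 -o enp2s0 -d 192.168.1.101/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NAT: the bypassed client must be masqueraded on enp1s0 too, otherwise the
# ISP sees a private source address and the replies never come back.
PostUp  = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp  = iptables -t nat -A POSTROUTING -s 192.168.1.101/32 -o enp1s0 -j MASQUERADE

PreDown = iptables -D FORWARD -i enp2s0 -o wg0 -j ACCEPT
PreDown = iptables -D FORWARD -i wg0 -o enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -D FORWARD -i enp2s0 -o enp1s0 -s 192.168.1.101/32 -j ACCEPT
PreDown = iptables -D FORWARD -i enp1s0 -o enp2s0 -d 192.168.1.101/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -s 192.168.1.101/32 -o enp1s0 -j MASQUERADE

[Peer]
PublicKey = <torguard-server-public-key>
Endpoint = <torguard-server-host>:<port>
# Everything not matched by the priority-100 rule still defaults into the tunnel.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Because the selector is the source address, pin the Roku's MAC to 192.168.1.101 with a fixed-address host entry in isc-dhcp-server so the exception follows the device rather than whatever lease it happens to get.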