TorGuard

Forward ALL Traffic to different PC behind same router for Wireguard?


BukkakeBlaster

Question

Hi all!

I have a router with DD-WRT at 192.168.0.1, an Ubuntu Server (loaded with WireGuard) at 192.168.0.2, and computers from 192.168.0.100-192.168.0.150.

I want to make some exceptions for a

ROKU box 192.168.0.129

ROKU TV 192.168.0.143

to go straight through the router while everything else like a Macbook or a PS5 go through the Ubuntu Server and TorGuard.

Is this possible with iptables? If so, what firewall rules or iptables do I need to load into my router with DD-WRT and my Ubuntu Server (which is dual gigabit)?


6 answers to this question


Last time, when I tried to explain to you how to set it up, you did not really like the reply.

Instead of wasting your time with iptables, which seems to be complicated, you should just follow what I suggested to you once:

1. Install WireGuard on all devices which need VPN; do not use allowed IPs 0.0.0.0. By that all your devices would be in the VPN.

2. For devices where you cannot install WireGuard, use a router which connects to the VPN.

3. All devices that do not need VPN, like your Roku, work plain and simple as they did, without VPN.

This seems the easiest to me. Unless your router gets full speed with VPN, use as your VPN server some device giving you 100% of what the ISP gives. I am using a Rock device to which 200 clients are connected (the Rock runs Ubuntu), which would not be possible at all if they connected directly, because you can have only (I guess) 8 connections (8 devices).


The problem is:

1 - I cannot install WireGuard on all devices which need VPN.

2 - I would like to make the incoming WAN behind the TorGuard VPN using the WireGuard on Ubuntu Server 20.04.

3 - Putting my WAN behind the VPN makes the Roku boxes lose XFinity Stream access (paid TV subscription service through my ISP).

 

So the solutions that would work for me:

1 - Set up a traditional router behind the WAN and set up the Ubuntu Server 20.04 box with WireGuard next to the default gateway IP (192.168.1.1 would be the router and 192.168.1.2 would be the Ubuntu Server). In doing that I would have to forward ALL traffic to the Ubuntu Server and then tunnel through WireGuard, which means having some VLAN forwarding rules or something similar.

2 - Find some way to configure the "wireguard peer" connection from Ubuntu Server 20.04 to TorGuard's 10G with an exception for only specific IPs or MAC addresses.

3 hours ago, BukkakeBlaster said:

1 - I cannot install wireguard on all devices which need VPN.

That is why I wrote that for devices where WireGuard cannot be installed you should use your router.

3 hours ago, BukkakeBlaster said:

2 - I would like to make the incoming WAN behind the TorGuard VPN using the WireGuard on Ubuntu Server 20.04.

That is not a problem at all; you kind of want to use it as a gateway. You still need a router from your ISP, considering that the ISP router is your WAN/gateway. Normally, for such setups one can configure the ISP router into route mode instead of switch mode; then your private router within your network could have the outer IP. All in all, this has not much to do with WireGuard but with the design of your network.

I think it is better to keep things simple and build up on that.

3 hours ago, BukkakeBlaster said:

3 - Putting my WAN behind the VPN makes the Roku boxes lose XFinity Stream access (paid TV subscription service through my ISP).

So far as I understand, Roku is one of the devices which you do not want to go over VPN, because then your TV subscription would stop working. Roku is probably also a device where you do not install a VPN. Now if you want to actually define routing and rules, best is on a router meant for it, as everything that you need is given and it is a device which you can leave on.

If my understanding is correct, then I already replied to you how you can easily achieve that; there are many ways. As an example, one of them would be to create a VLAN and interface for a second local network, where in one no VPN is used as WAN and in the other VPN is used.

Probably a simpler solution would be to set up a local proxy where you define which addresses belong to the service your provider offers; only those should then not go over VPN. In this case all your Roku communication would go over the proxy which is on your local router, and the router then decides what can go where.

You mentioned DD-WRT; yes, there you can set it up too, but I am not using it and would not like to give advice on DD-WRT. On OpenWrt you would have an additional option called mwan (multiwan), where you can define which WAN should be used for, as an example, a specific local IP, subnet, etc.

As you see, there are many ways to achieve what I at least believe you are trying to achieve.

 

About the solution, it depends on what you have. I in general tend to use my own router for networking things like DHCP, DNS, etc. For things like proxy, SOCKS, VPN, something like an RPi4 is much cheaper than some $300 router with much less CPU power/RAM.

The way you set it up with the Ubuntu server in front is OK, but only if it does not act as a gateway to the network but offers just a WireGuard server (in this case your Ubuntu server also has no access to the local network, as it is behind your router's firewall). Because if, let's say, TorGuard's server goes offline or your Ubuntu server hangs, it would affect only the VPN peers, not the whole network.

3 hours ago, BukkakeBlaster said:

2 - Find some way to configure the "wireguard peer" connection from Ubuntu Server 20.04 to TorGuard's 10G with an exception for only specific IPs or MAC addresses.

You can do it easily: specify a second IP of your interface with a /24 range.

As an example, TorGuard's VPN outer IP: 123.123.123.123 (Endpoint), where WireGuard assigns you some 10.x.x.x/32 address (/32 means only one). This IP you have to enter in your interface configuration under Address; let's say it is 10.1.2.3/32. This is the address which you need to use to establish the connection to the TorGuard server. However, as you do not get a free range of IPs but only one, you actually should use another address range for your private network, and no, no second WireGuard config/interface is required.

So, on Ubuntu your interface then looks something like this:

[Interface]
SaveConfig = false
PrivateKey = YourPrivkey
# Torguard VPN Ip which you get from Torguard
Address = 10.1.2.3/32
...

 

Now you want it to actually act also as a server (if that terminology is at all correct for WireGuard); for this you add a second line. Let's say we choose from some range that is not used: your router probably uses 192.x.x.x, TorGuard VPN 10.x.x.x, so you can use 172.16.x.x here, which is also kind of a private range:

[Interface]
SaveConfig = false
PrivateKey = YourPrivkey
# Torguard VPN Ip which you get from Torguard
Address = 10.1.2.3/32
# Ip range for your own vpn server for peers connecting to this device
# (172.16.0.0/12 is the private range; 172.168.x.x would be public space)
Address = 172.16.42.1/24
...

 

Then all your peers connecting to that server (internet/intranet) need to use 172.16.42.x/32 in their interfaces (of course this can go on endlessly, as each peer can also be a server at the same time).

This way you can always stay connected over VPN, even if you do not want to VPN your internet connection; then change allowed IPs accordingly, adding only the IPs which you need to reach into allowed IPs.

To prevent writing a wall of text, I stop here, as I believe your question of how to configure your Ubuntu server is answered. In short, you just need to configure the WireGuard interface and add your peers, that's all.


No dude! You ARE the man! 

 

Write as much as you want! 

 

Again here is my config:

SET UP 1

WAN (MODEM) => ROUTER (NETGEAR) => PC + ANDROID + Roku + UBUNTU SERVER 20.04

This configuration will not tunnel all traffic. I do not have an option to install a client on every PC or Android device.

 

Test config:

SET UP 2

WAN => Ubuntu Server 20.04 => ROUTER (NETGEAR) => PC + ANDROID + Roku

 

So the configuration I have tested so far has the Ubuntu Server before the router acting as the primary gateway and tunnels all traffic to TorGuard from the router etc. The router in this mode ACTS ONLY AS A SWITCH AND AP, with DHCP done via Ubuntu Server 20.04.

Problem is, my ISP will not allow streaming Live TV outside the WAN-assigned IP designated by MAC address on my own modem.

 

One solution:

FROM SET UP 1

Set iptables to forward all traffic to the Ubuntu Server from the main router with the only exception being the devices that I need to make exceptions for. 

I don't have any examples or experience in this. 

 

If you could help provide me with some iptables which would forward ALL network traffic to an acting VPN tunnel behind the same router let me know. 

 

Edited by BukkakeBlaster
Make sure I'm as clear and concise as possible for even the illiterate and blind
16 hours ago, BukkakeBlaster said:

FROM SET UP 1

Set iptables to forward all traffic to the Ubuntu Server from the main router with the only exception being the devices that I need to make exceptions for. 

I don't have any examples or experience in this. 

Did you try at all what I replied previously? I ask because I believe if you had tried, some of your questions would be resolved.

16 hours ago, BukkakeBlaster said:

If you could help provide me with some iptables which would forward ALL network traffic to an acting VPN tunnel behind the same router let me know.

Your request is unclear. If you want to check iptables, please run

man iptables

which will show you the description, manual and how to use it. You should not rely on somebody's reply about it; read the manual.

16 hours ago, BukkakeBlaster said:

One solution:

FROM SET UP 1

In my previous post I said you should make it as simple as possible. Setup 1 is actually better and simpler. The WAN router is your ISP's; it supplies your clients with a DHCP server. Putting a router after it means that your router does see your local network (ISP modem). If your ISP's router can give you enough IPs and DHCP is configurable, you can use it, but better you use the ISP's router only as WAN gateway and for port forwarding, meaning that you need to switch off DHCP on the ISP's router. If that is not possible on the ISP's router, then you can leave it to act as DHCP server. Next you assign the WAN port of your Netgear router to the LAN's VLAN (meaning it acts as a switch port; some would now call it an access point if it has LAN) and disable the WAN interfaces, and configure your LAN interface with a static IP where the gateway is your ISP router's IP. If you can disable DHCP on the ISP's router, then set up your DHCP server on the Netgear to actually supply clients with gateway (3) and DNS server(s) (6):


3, 192.168.0.1
6, 1.1.1.1,1.0.0.1

 

OK, by that it is clear: your ISP router in the local network has IP 192.168.0.1 (for VPN let's use 172.16.42.1/24), and the DHCP server is your Netgear. By that all devices are in the same network, which makes further discussion simpler; later you can put in as many firewalls as you want once you have a working setup.

Next, you decide that your Ubuntu server connects to TorGuard; besides the configurations on Ubuntu which are required (assuming you got it all), you add to this server peers:

interface - TorGuard server - two IP addresses, one which you get from TorGuard (10.xx) and another on which this interface acts as server (172.16.42.100/24)

peer1 - TorGuard Endpoint

peer2 - Netgear router (192.168.0.2) (let's say in VPN you want to allow only one IP, 172.16.42.2/32)

peer3 - your PC (192.168.0.3) (in VPN you give, let's say, 172.16.42.3/32)

All devices connected to LAN/WLAN already receive correct settings from DHCP and can reach each other, and their internet works.

OK, so on your PC, as you actually want to route all traffic over your Ubuntu server, in your PC config you will then use:

peer1 Ubuntu server - AllowedIPs 0.0.0.0/0

That's it; however, you can also add your Netgear router as a peer too:

peer2 your PC - AllowedIPs 172.16.42.2/32

On your router, you do the same.

 

Now you have a working local network with a working VPN network, considering you also forward WireGuard's listen port to the Ubuntu server. In this configuration only those devices which are connected over VPN use TorGuard; every other device uses its clearnet address. In this case:

1. Your Roku box uses the normal connection and has normal IP addresses behind your ISP's router; just check if you additionally need to use only the ISP's DNS for streaming. If not, then great; if yes, then set those on the Roku box directly.

2. Your Ubuntu server is in the VPN; considering you also have a proper configuration in WireGuard (normally ifup/down), it can also reach local devices locally as well as over VPN. You asked for an example; here would be one where TorGuard's port forwarding works too:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT

3. Your Netgear device uses VPN (TorGuard) over the Ubuntu server, but as it is configured as a switch, all devices connected over LAN/WLAN would not be using WireGuard, which is exactly what you want at this point.

 

OK, at this point we now have a working VPN server, we have configured peers and we have it all in the same network.

Here it is then up to you to experiment, not to me to try to guess your configs; there are endless configuration possibilities. However, let's say you decide at this point that you actually do want the Roku box to go over TorGuard, but for streaming services it should use the normal connection over your ISP. Then do not set up your router as a switch as I described above; then your Netgear will have a WAN port and all devices connected to it would use its WAN connection, meaning that all devices connected to your Netgear would be in the VPN. This would now be something which you describe as SET UP 2.

In SET UP 2 it is just about the configuration of your Netgear router, where you can now set a new VLAN for VPN and add rules on DNS level to filter your ISP's streaming service IPs/domains and set them to go over another WAN, which is your VPN interface. If you already know the IPs and do not want to deal with DNS, then use multiwan or try calculating proper IP route(s), which have to be added to the WireGuard configuration (PreUp/PreDown).

All in all, whatever path you choose, you still need to know exactly which IPs you want to route/exclude etc. If you do not know it, go for Setup 1, where your Netgear router, in contrast to Setup 2, does extend your WLAN.
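As an added example (not code from the thread or from TorGuard), the script below prints the single-interface server config the reply above describes: one wg0 with the TorGuard /32 and the home /24, the reply's PostUp/PostDown rules, the TorGuard peer with 0.0.0.0/0 and the two home peers with a /32 each. Addresses are the thread's own examples; the keys, the listen port and the endpoint port are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: print the single-interface wg-quick
# config for the Ubuntu server described above (TorGuard peer plus home peers).
# Addresses are the thread's examples; keys and ports are placeholders.
set -eu

TG_ENDPOINT="123.123.123.123:51820"   # TorGuard endpoint (port assumed)
TG_ADDR="10.1.2.3/32"                 # the single /32 TorGuard assigns
HOME_ADDR="172.16.42.100/24"          # server side of the home VPN range
LAN_IF="eth0"                         # NIC facing the Netgear LAN

# [Interface] with both addresses. The MASQUERADE on %i is what lets home
# peers out: TorGuard only routes the /32, so a 172.16.42.x source has to be
# rewritten to 10.1.2.3 before it leaves through the tunnel.
gen_interface() {
    rules="iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE"
    printf '[Interface]\nSaveConfig = false\nPrivateKey = <SERVER-PRIVATE-KEY>\n'
    printf 'Address = %s, %s\nListenPort = 51820\n' "$TG_ADDR" "$HOME_ADDR"
    printf 'PostUp = %s\n' "$rules"
    # PostDown is the same rule set with -A swapped for -D, so teardown is exact
    printf 'PostDown = %s\n' "$(printf '%s' "$rules" | sed 's/ -A / -D /g')"
}

# gen_peer PUBKEY ALLOWED_IPS [ENDPOINT]: only the TorGuard peer gets 0.0.0.0/0;
# each home peer gets one /32, because WireGuard treats AllowedIPs as a
# cryptokey routing table and drops packets from a key with any other source.
gen_peer() {
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
    [ $# -ge 3 ] && printf 'Endpoint = %s\nPersistentKeepalive = 25\n' "$3"
    return 0
}

# Whole server config: TorGuard upstream plus the two home peers from the reply.
gen_config() {
    gen_interface
    gen_peer "<TORGUARD-PUBLIC-KEY>" "0.0.0.0/0" "$TG_ENDPOINT"
    gen_peer "<NETGEAR-PUBLIC-KEY>" "172.16.42.2/32"
    gen_peer "<PC-PUBLIC-KEY>" "172.16.42.3/32"
}

# Checks worth running before wg-quick up: every -A has a -D twin (no stale NAT
# left after wg-quick down) and exactly one peer carries the default route.
check_config() {
    cfg=$(gen_config)
    adds=$(printf '%s\n' "$cfg" | grep -o -- ' -A ' | wc -l | tr -d ' ')
    dels=$(printf '%s\n' "$cfg" | grep -o -- ' -D ' | wc -l | tr -d ' ')
    defaults=$(printf '%s\n' "$cfg" | grep -c '^AllowedIPs = 0.0.0.0/0$' || true)
    [ "$adds" -eq 4 ] && [ "$dels" -eq 4 ] && [ "$defaults" -eq 1 ]
}
check_config && gen_config
```

Redirect the output to /etc/wireguard/wg0.conf after filling in the keys; the check fails (non-zero exit) if a rule lacks its delete twin or a second peer is given 0.0.0.0/0.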

16 hours ago, BukkakeBlaster said:

SET UP 1

WAN (MODEM) => ROUTER (NETGEAR) => PC + ANDROID + Roku + UBUNTU SERVER 20.04

This configuration will not tunnel all traffic. I do not have an option to install a client on every PC or Android device.

This will not tunnel all traffic only if you did not install/configure WireGuard properly on the Netgear.

For other clients, see my previous reply.
