Routing only the private network in wireguard VPN

networking linux vpn wireguard

Solution 1:

Set AllowedIPs to the IP addresses you want to route to/through the peer.

In a normal hub-and-spoke configuration, on your hub (S), you'd configure AllowedIPs for each peer like you have, routing packets to each peer only if they use the peer's WireGuard IP address as their destination address; and on your spokes (A, B, and X), you'd configure AllowedIPs to the CIDR of your WireGuard network (172.9.9.0/24), routing packets to the hub only if they use another peer's WireGuard IP addresses as their destination address.

So with a normal configuration, you'd access A from B or X with A's WireGuard IP address of 172.9.9.100, B from A or X with 172.9.9.101, and X from A or B with 172.9.9.10.

But if you also want to be able to access each spoke via the IP address bound to the spoke's physical NIC (eg eth0), you'd need to adjust the AllowedIPs on both the hub and the spokes to include those IP addresses.

For example, if A's eth0 address is 198.51.100.65, B's is 192.168.0.66, and X's is 192.168.0.88, you'd adjust the peers in the hub's WireGuard config to this:

## S wg0.conf
...

[Peer]
# A
PublicKey = A-public-key
AllowedIPs = 172.9.9.100/32
AllowedIPs = 198.51.100.65/32

[Peer]
# B
PublicKey = B-public-key
AllowedIPs = 172.9.9.101/32
AllowedIPs = 192.168.0.66/32

[Peer]
# X
PublicKey = X-public-key
AllowedIPs = 172.9.9.10/32
AllowedIPs = 192.168.0.88/32

And set AllowedIPs in each of the spoke's config to this:

AllowedIPs = 172.9.9.0/24
AllowedIPs = 198.51.100.65/32
AllowedIPs = 192.168.0.66/32
AllowedIPs = 192.168.0.88/32

(Note you can also specify all the blocks on one line like AllowedIPs = 172.9.9.0/24, 198.51.100.65/32, 192.168.0.66/32, 192.168.0.88/32 if you prefer.)

With your current configuration, where you have AllowedIPs = 0.0.0.0/0 on X, when you run curl 198.51.100.65 from X, what's happening is that X is routing the packets destined for A (and everything else) through its WireGuard tunnel to S, and then S is routing those packets unencrypted over the Internet to A (masqueraded with S's own public IP address); in response, A sends unencrypted packets over the Internet to S, which S routes through its WireGuard tunnel to X.

If you want to make sure S doesn't ever route packets tunneled through your WireGuard network out to the Internet, you can adjust your iptables rules to prevent this; something like the following would probably do the trick:

PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -o eth0 -j DROP; iptables -A FORWARD -i eth0 -o wg0 -j DROP

Related

Unbound error - unbound.service: Start request repeated too quickly
Is there anyone successfully running a mail server in google cloud? [closed]
Load balancer methods understanding(DNS and anycast)
ns-cloud-e2.googledomains.com returns REFUSED
Redudancy with multiple server on same DNS
How to break complicated ExecStart line while still having comments in the middle?
How do I have to configure certmanaager when using a gitlab managed cluster?
Google Chrome incognito (private/anonymous browsing) not available in Google Workspace (GSuite) account
How to find a not formatted hard disk on Linux
Hash Table/Associative Array in VBA
Return pointer to local struct
OSGi, Java Modularity and Jigsaw