
I just set up a new WireGuard server (as vanilla as it gets) that is connected to two different subnets: eth0 goes out to the internet and eth1 is connected to a local/private network.

When I connect with my WireGuard client, I can effectively go out to the internet through the IP tied to eth0 as you would expect, but I'm not able to access anything in the 192.168.1.0/24 subnet on eth1.

I'm assuming this is because /etc/wireguard/wg0.conf is set to route everything from wg0 to eth0:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Is there a way to set the forwarding rules so that a given IP range is forwarded through eth1 and everything else is sent through eth0?

Any pointers would be appreciated.

hardillb
FabianC
  • Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers. – djdomi Jun 28 '22 at 17:28

1 Answer


Your WireGuard server is probably already set up with the appropriate routes for eth0 and eth1. Run ip route to check. It probably looks something like this:

$ ip route
default via 198.51.100.1 dev eth0 proto dhcp metric 100
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.123 metric 100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.234 metric 200
10.0.0.0/24 dev wg0 scope link

For IPv6 routes, run ip -6 route.

You likely just need to duplicate the iptables MASQUERADE rules you already have in place for eth0 to add similar masquerading for eth1:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

Shut down WireGuard on your server with sudo wg-quick down wg0, change the config file, and start WireGuard back up with sudo wg-quick up wg0.

Justin Ludwig
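An added example, not part of the question or of the answer above, that turns the two halves of the answer into a runnable POSIX shell script: a longest-prefix route lookup over the sample ip route table the answer shows, so you can confirm that 192.168.1.0/24 leaves via eth1 while everything else leaves via eth0, and a generator that emits matching PostUp/PostDown rule pairs for any list of egress interfaces. The route table is the answer's constructed sample, the interface names are the ones from the question, and the function names wg_nat_rules, route_iface and ip2int are my own; the script only prints iptables commands and never executes them.

```shell
#!/bin/sh
# Added example: not code from the question or the answer. The function names
# (wg_nat_rules, route_iface, ip2int) are made up for this script, which only
# prints iptables commands and never runs them.

# Constructed route table: the sample `ip route` output shown in the answer.
ROUTES='default via 198.51.100.1 dev eth0 proto dhcp metric 100
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.123 metric 100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.234 metric 200
10.0.0.0/24 dev wg0 scope link'

# Dotted-quad IPv4 address -> 32-bit integer (subshell body keeps IFS local).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Longest-prefix match over $ROUTES: print the interface the kernel would pick
# for destination $1. IPv4 only; metrics are ignored (one route per prefix here).
route_iface() {
  dst=$(ip2int "$1")
  best_len=-1
  best_dev=
  while read -r line; do
    [ -n "$line" ] || continue
    set -- $line
    prefix=$1
    dev=
    while [ $# -gt 1 ]; do          # scan the line for the "dev <iface>" pair
      [ "$1" = dev ] && { dev=$2; break; }
      shift
    done
    if [ "$prefix" = default ]; then
      net=0; len=0
    else
      net=$(ip2int "${prefix%/*}"); len=${prefix#*/}
    fi
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    if [ $(( (dst & mask) == (net & mask) )) -eq 1 ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len
      best_dev=$dev
    fi
  done <<EOF
$ROUTES
EOF
  echo "$best_dev"
}

# Emit the wg-quick PostUp (up) or PostDown (down) lines for NAT out of each
# listed egress interface, one rule per line so the -A/-D pairs are easy to audit.
# Usage: wg_nat_rules up|down iface [iface ...]
wg_nat_rules() {
  action=$1; shift
  case $action in
    up)   flag=-A; key=PostUp ;;
    down) flag=-D; key=PostDown ;;
    *)    echo "usage: wg_nat_rules up|down iface..." >&2; return 2 ;;
  esac
  # Single FORWARD accept for traffic entering from wg0, exactly as in the
  # asker's config (their eth0 path already works with only this rule).
  echo "$key = iptables $flag FORWARD -i wg0 -j ACCEPT"
  echo "$key = ip6tables $flag FORWARD -i wg0 -j ACCEPT"
  for ifc; do
    echo "$key = iptables -t nat $flag POSTROUTING -o $ifc -j MASQUERADE"
    echo "$key = ip6tables -t nat $flag POSTROUTING -o $ifc -j MASQUERADE"
  done
}

# Stand-alone run: print the rule pairs and show where a few destinations route.
wg_nat_rules up eth0 eth1
echo
wg_nat_rules down eth0 eth1
echo
for d in 192.168.1.50 8.8.8.8 10.0.0.7; do
  echo "$d -> $(route_iface "$d")"
done
```

On the real server the kernel's own answer is `ip route get 192.168.1.50` (it should name eth1), and `iptables -t nat -S POSTROUTING` shows whether the eth1 MASQUERADE rule is actually loaded. Two things the script cannot check for you: the client's AllowedIPs must cover 192.168.1.0/24 (0.0.0.0/0 does), and masquerading on eth1 hides the VPN clients' 10.0.0.0/24 addresses from the LAN; if you want LAN hosts to see the real client addresses, skip the eth1 MASQUERADE and instead add a static route for 10.0.0.0/24 via the server's eth1 address on the LAN gateway.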