1

I have been trying to get this working for a long time and finally decided I would join serverfault in hope that someone can help before I lose my mind.

Current setup:

Users connect into the AWS network via a WireGuard VPN server I setup. Its configured in NAT mode which means all users are hidden behind the WireGuard server IP address. They can SSH to machines using hostnames, or IP addresses and can also connect to the internet. Their WireGuard client config is set to route all traffic through the VPN as this adds a layer of protection if they are working in say a coffee shop.

Desired setup:

I would like to change the config so WireGuard is running in routing mode rather than NAT mode. This way users will get a unique IP address and I will be able to use AWS security groups to prevent certain users from reaching certain servers. Adds an extra layer of security which is nice.

How far I have got:

I can get routing mode "working", in that users get a unique IP address, they are still able to SSH to machines using hostnames or IP addresses. The problem I am facing is that they lose internet connection! So I solve one problem but create another. I have tried pinging 8.8.8.8 to rule out DNS being the problem.

Server config (NAT mode commented out):

[Interface]
Address = 10.0.0.162
SaveConfig = false
PrivateKey = abcdefg
ListenPort = 51820

#NAT mode:
#PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;

#Routing Mode attempt 1:
#Machines in AWS show connections from the actual client IP which is good. No internet access though.
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT;

[Peer] #My_Laptop
PublicKey = abcdefg
PresharedKey = abcdefg
AllowedIPs = 192.168.1.2/32

Client config:

[Interface]
PrivateKey = abcdefg
Address = 192.168.1.2/32
DNS = 10.0.0.162

[Peer]
PublicKey = abcdefg
PresharedKey = abcdefg
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:51820
PersistentKeepalive = 25

Hopefully the above is enough information to show what I have tried. Note I have BIND running on the same machine as WireGuard. BIND simply forwards all DNS queries to AWS Route53.

I feel like its so close to working but I have been stuck at this point for months.

Tipex
  • 31
  • 7
  • Do the AWS machines you are trying to access know to route via the Wire Guard machine to reach the IP addresses of the remote client machines? Routes need to set in both directions – hardillb Jun 28 '22 at 16:56
  • I have the following route in AWS: Destination = 192.168.1.0/24 Target = The WireGuard VPN Server I can connect to machines in AWS using SSH over WireGuard. Its specifically my laptop trying to reach the general internet via the WireGuard connection thats the issue. – Tipex Jun 28 '22 at 18:12
  • Then you are going to need NAT somewhere in the loop because the internet isn't going to route 192.168.1.0/24 via your AWS machines – hardillb Jun 28 '22 at 18:37
  • Would that not be something that is built into the AWS network? In my mind I have: - Request for a website from my laptop - This gets sent to WireGuard - WireGuard then sends it to the AWS router - AWS router sends it out to the internet Routing is not my strong point unfortunatly. – Tipex Jun 28 '22 at 18:51
  • This explains things perfectly: https://www.procustodibus.com/blog/2021/04/wireguard-point-to-site-routing/ Just reading through it now to see if I can do what I want. – Tipex Jun 30 '22 at 12:54
  • I feel like the solution might be with iptables in the WireGuard config file. If there was a rule to forward traffic to the AWS network and then another rule to masqerade all other traffic. So something like this for connecting to AWS machines: iptables -A FORWARD -i %i -d 10.0.0.0/16 -j ACCEPT And this for reaching the internet i.e. everything thats not on the AWS network: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE – Tipex Jun 30 '22 at 15:00

1 Answers1

1

I found the solution. It was all to do with iptables in Linux.

The following was needed in the WireGuard config: PostUp = iptables -t nat -A POSTROUTING ! -d 10.0.0.0/16 -o eth0 -j MASQUERADE; PostDown = iptables -t nat -D POSTROUTING ! -d 10.0.0.0/16 -o eth0 -j MASQUERADE;

What this does is not masquerade when the traffic is for the local AWS network. This way each user gets their own IP address which I can then use in firewall rules to prevent them reaching certain machines. For all other traffic masquerading is done which then means user can go out to the internet.

Tipex
  • 31
  • 7