
Here is a network topology:

[image: network topology]

The WireGuard connection is initiated by the local server, calling the VPS through its public IP. Their config files look like this:

VPS

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = ***********************

[Peer]
PublicKey = **************
AllowedIPs = 10.0.0.2/32

Local Server

[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = ******************

[Peer]
PublicKey = ***************
AllowedIPs = 10.0.0.0/24
Endpoint = 70.60.21.22:51820
PersistentKeepalive = 25

The WireGuard tunnel is functional at that point.

The myapp.com domain is pointing to the VPS public IP.

There is a web app sitting on the local server, listening on both the HTTP and HTTPS ports. It's got a dynamic IP and is behind NAT. It would be nice to expose it to the public without DDNS or port forwarding. There is a reverse proxy on the VPS that forwards port 80 and 443 packets to it... and it works. Apparently that extra piece of software could be replaced by clever WireGuard configs, but that's not our main problem here.

Ok, now, let's say we're developers, so the wording might be a tad incorrect thus far... but the thing is, if we tcpdump traffic on the local server while receiving requests from a client pointing to myapp.com, the originating IP is always 10.0.0.1.

For obvious logging and firewalling purposes, we'd prefer to replace this with the clients' IPs.

What can be done to achieve this?

RooSoft

1 Answer


Assuming you're doing port forwarding with the firewall on your VPS instead of using a reverse proxy like Nginx or HAProxy etc (which won't preserve original client addresses at the IP layer), there are several different ways you could approach this (a few other techniques are outlined in this WireGuard Port Forwarding From the Internet article). Usually a simple policy routing rule or two is the most robust way to handle it.

Shut down WireGuard on your Local Server, change its config to the following, and then start it up again:

[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = ******************
Table = 123
PreUp = ip rule add from 10.0.0.2 table 123 priority 456
PostDown = ip rule del from 10.0.0.2 table 123 priority 456

[Peer]
PublicKey = ***************
AllowedIPs = 0.0.0.0/0
Endpoint = 70.60.21.22:51820
PersistentKeepalive = 25

With this configuration, wg-quick will set up a custom routing table for you (123), with your WireGuard interface as its default route. The ip rule add from 10.0.0.2 table 123 priority 456 command defines a policy routing rule to use this routing table for any packets sent from the WireGuard interface's own address -- which will be the case for all responses to HTTP requests forwarded from your VPS to the Local Server.

So with this in place, you no longer need to masquerade the packets forwarded from your VPS to your Local Server; you can turn that off on the VPS, which will allow you to see original client IPs on your Local Server.

Justin Ludwig