Hello!
I have two identically set up WireGuard servers, both work fine on their own.
I essentially wish to create a tunnel through one, so it would be me -> vps1 -> vps2 -> internet.
So this is what I did:
On vps1 I have two interfaces, one wg0 which is the connection between me and the vps (10.0.0.x). The second interface is wg0 (10.100.100.x), which acts as a client to connect to the wg0 interface on vps2.
Both of these connections work fine, I can connect to the vps1 (wg0) and vps2 (wg0). vps1 (wg1) can also connect to vps2 (wg0).
I cannot however get vps1's wg0 to tunnel everything into wg1 and thus complete the project.
I have tried iptables and forwarding the interface, much like how wireguard already forwards eth0 traffic into itself.
I have tried routing tables.
I think I am just missing the intricacies of WireGuard itself, or my one semester of Linux networking has been completely forgotten.
Any advice?
Things I have tried:
sudo iptables -A INPUT -p udp -m udp --dport 51821 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg1 -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
ip6tables -A FORWARD -i wg1 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
And I don't know, I did some stuff with ip routing and gateways and ahhh, this is giving me a headache.
VPS1 wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = key
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#USER
[Peer]
PublicKey = key
AllowedIPs = 10.0.0.2/32

#VPS2
[Peer]
PublicKey = key
AllowedIPs = 10.0.0.6/32
VPS1 IPTables:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
VPS1 IP Route:
sudo ip route
default via myip dev eth0 onlink
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
myip dev eth0 proto kernel scope link src myip
VPS2 wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = key
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#Gateway (vps1)
[Peer]
PublicKey = key
AllowedIPs = 10.0.0.4/32
VPS2 wg1.conf
[Interface]
Address = 10.100.100.2/32
ListenPort = 51821
#DNS = 10.0.0.1
PrivateKey = key
PostUP = route add -net 10.0.0.0/24 gw 10.100.100.1

[Peer]
PublicKey = key
AllowedIPs = 10.100.100.1/32, 10.0.0.1/32
#AllowedIPS = 0.0.0.0/0
Endpoint = myip:51820
PersistentKeepalive = 21
VPS2 IPTables:
sudo iptables --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
VPS2 IP Route:
sudo ip route
default via myip dev eth0
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
myip/24 dev eth0 proto kernel scope link src myip
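The following is an added example, not part of the original post, showing one way to do the "me -> vps1 -> vps2 -> internet" chaining on vps1 with policy routing instead of a single default route. It assumes vps1's wg1 is a wg-quick interface whose peer (vps2) has AllowedIPs = 0.0.0.0/0 and whose [Interface] section has Table = off, so wg-quick installs no default route through wg1 and vps1's own traffic (including the wg1 handshake to vps2's public address) keeps leaving via eth0; the routing-table id 200, the rp_filter adjustment and the MSS clamp are choices of this example, and all keys and endpoints are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): on vps1, send traffic that arrives on wg0
# (the user's tunnel) out through wg1 (the client tunnel to vps2) while vps1's
# own traffic stays on eth0.  Assumes wg1.conf has "Table = off" and the vps2
# peer has "AllowedIPs = 0.0.0.0/0"; routing table 200 is assumed to be free.

INNER_IF=wg0              # tunnel from the user into vps1
OUTER_IF=wg1              # tunnel from vps1 to vps2
INNER_NET=10.0.0.0/24     # wg0 address space, as in the posted wg0.conf
RT_TABLE=200              # policy-routing table consulted only for wg0 traffic
DRY_RUN=${DRY_RUN:-1}     # 1 = print the commands, 0 = execute them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wg1.conf fragment this script relies on; keys and endpoint are placeholders.
wg1_conf_fragment() {
    cat <<'EOF'
[Interface]
Address = 10.100.100.2/32
PrivateKey = <vps1 wg1 private key>
Table = off

[Peer]
PublicKey = <vps2 wg0 public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <vps2 public ip>:51820
PersistentKeepalive = 25
EOF
}

chain_up() {
    run sysctl -w net.ipv4.ip_forward=1
    # Replies from the internet come back in on wg1, but the main table would
    # route their source addresses via eth0; strict rp_filter would drop them,
    # so use loose mode on wg1 only.
    run sysctl -w "net.ipv4.conf.$OUTER_IF.rp_filter=2"
    # Only forwarded packets that entered via wg0 consult table 200; locally
    # generated packets (DNS answers from 10.0.0.1, wg handshakes) do not.
    run ip rule add iif "$INNER_IF" lookup "$RT_TABLE" priority 100
    # Table 200: peer-to-peer traffic stays on wg0, everything else goes to wg1.
    run ip route add "$INNER_NET" dev "$INNER_IF" table "$RT_TABLE"
    run ip route add default dev "$OUTER_IF" table "$RT_TABLE"
    # FORWARD policy is DROP: allow exactly wg0 -> wg1; return traffic is
    # covered by the existing RELATED,ESTABLISHED rule.
    run iptables -A FORWARD -i "$INNER_IF" -o "$OUTER_IF" -j ACCEPT
    # vps2's cryptokey routing accepts only wg1's own address from this peer,
    # so rewrite the 10.0.0.x source onto wg1 before it is encrypted.
    run iptables -t nat -A POSTROUTING -s "$INNER_NET" -o "$OUTER_IF" -j MASQUERADE
    # Two nested tunnels shrink the usable MTU; clamp TCP MSS for inner flows.
    run iptables -t mangle -A FORWARD -o "$OUTER_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

chain_down() {
    run iptables -t mangle -D FORWARD -o "$OUTER_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    run iptables -t nat -D POSTROUTING -s "$INNER_NET" -o "$OUTER_IF" -j MASQUERADE
    run iptables -D FORWARD -i "$INNER_IF" -o "$OUTER_IF" -j ACCEPT
    run ip route flush table "$RT_TABLE"
    run ip rule del iif "$INNER_IF" lookup "$RT_TABLE" priority 100
}

case "${1:-}" in
    up)   chain_up ;;
    down) chain_down ;;
    conf) wg1_conf_fragment ;;
esac
```

Run it as `DRY_RUN=1 sh chain.sh up` first to see the commands, then as root with `DRY_RUN=0`; `chain_down` undoes the changes in reverse order and can be hooked into wg1's PostUp/PostDown. On vps2 nothing beyond the posted rules is needed, since the MASQUERADE makes the forwarded traffic appear to come from wg1's address (10.100.100.2), which that peer already allows, and vps2's own -o eth0 MASQUERADE then sends it to the internet. If UDP or ICMP flows still stall, lowering wg0's MTU on vps1 (for example MTU = 1340 in wg0.conf, 80 bytes below wg1's default 1420) resolves the double-encapsulation overhead that the MSS clamp only addresses for TCP.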