
#1 2021-10-21 20:06:43

two_penguins
Member
Registered: 2019-12-29
Posts: 13

Route to external interface of wireguard VPN

Hi folks,

I have issues understanding the general principle of routing. My project is a root server running a few services. In order to increase security I want to make it only accessible through a WireGuard tunnel. To avoid the browser warning due to a self-signed certificate I'd rather use a valid SSL certificate, but I guess I then have to address the external IP of the server.

If I get the routing and NAT done on the server side, how would the routing on the client side be done (if possible at all)? WireGuard establishes the tunnel to the external interface. Is it afterwards possible to tell the client to route the traffic to the external interface on the server through the tunnel? Or does the WireGuard connection lose its base then?

If I set the route "ip route add 123.456.789.111 via 10.33.0.1 dev wg0" I just get a "No route to host".

Please help me understand the problem better.


#2 2021-10-21 20:23:24

progandy
Member
Registered: 2012-05-17
Posts: 5,193

Re: Route to external interface of wireguard VPN

You do not get a certificate for an IP, but for a domain. If you use that domain, the IP is irrelevant. You just have to use a (sub)domain of a publicly registered domain that has A(AAA) records for the WireGuard internal IPs. If you want to get a Let's Encrypt certificate, use the DNS challenge method; that does not require the IP to be publicly accessible, only the ACME challenge DNS records have to be set on your public authoritative DNS server.

Last edited by progandy (2021-10-21 20:24:54)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
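To make the point of the reply above concrete (that a certificate is checked against the name in the URL, never against the IP the name happens to resolve to), here is an added illustration that is not part of the thread and not code from any poster. It implements the RFC 6125 name-matching rule a browser applies against a certificate's Subject Alternative Names: a dNSName entry is compared with the hostname the user typed (a single leading wildcard label covers exactly one label), and an IP literal in the URL is only ever compared with iPAddress entries. The SAN list and the candidate addresses (app1/app2.example.com, the WireGuard-internal 10.33.0.1, and 203.0.113.10 standing in for the public address) are constructed for the example.

```python
"""Check which addresses a browser would accept for a given certificate SAN list.

Added example for the thread; not code from the Arch BBS posters.
Matching follows RFC 6125: dNSName entries match hostnames (one leading
wildcard label allowed), iPAddress entries match IP literals, nothing else.
"""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, case-insensitively.

    A leading '*.' matches exactly one DNS label, so '*.example.com' covers
    'app1.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches_cert(san: dict, target: str) -> bool:
    """Return True if `target` (what the user typed in the URL) is covered by `san`.

    `san` is {"DNS": [...], "IP": [...]}, i.e. the dNSName and iPAddress
    entries of a certificate. Which address the name resolves to (tunnel IP
    or public IP) never enters this comparison.
    """
    try:
        ip = ipaddress.ip_address(target.strip("[]"))  # IPv6 literals are bracketed in URLs
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SANs, never with dNSName.
        return any(ipaddress.ip_address(entry) == ip for entry in san.get("IP", []))
    return any(_dns_name_match(entry, target) for entry in san.get("DNS", []))


# Constructed SAN list: what a certificate issued for the two app names would carry.
CONSTRUCTED_SAN = {"DNS": ["app1.example.com", "app2.example.com"], "IP": []}


def check_access_names(san: dict = CONSTRUCTED_SAN) -> dict:
    """Map each way a user might address the server to whether the cert is accepted.

    10.33.0.1 is the WireGuard-internal address from the question; 203.0.113.10
    is a constructed stand-in for the server's public address.
    """
    candidates = [
        "app1.example.com",   # name in the SAN list
        "APP2.example.com",   # case does not matter
        "example.com",        # parent domain is not covered by the leaf names
        "10.33.0.1",          # IP literal: no iPAddress SAN, so rejected
        "203.0.113.10",       # same for the public IP
    ]
    return {c: name_matches_cert(san, c) for c in candidates}


if __name__ == "__main__":
    for address, ok in check_access_names().items():
        print(f"{address:20} {'accepted' if ok else 'REJECTED'}")
```

Whether the A record for app1.example.com points at 10.33.0.1 or at the public address changes nothing in this check, which is why the DNS records can point at the tunnel IPs and the client still gets a clean, warning-free connection as long as it uses the name.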


#3 2021-11-04 08:28:13

two_penguins
Member
Registered: 2019-12-29
Posts: 13

Re: Route to external interface of wireguard VPN

In other words: if I have the certificate for example.com I could run the services under app1.example.com and app2.example.com and it would still be valid, right?

Since this is a WireGuard tunnel I don't have control over the client devices (at least at the moment I don't know how). Consequently the users will use the IP addresses to access the services. Will the certificate still be valid in this case?
