You are not logged in.

#1 2020-03-16 19:21:45

initbox
Member
Registered: 2008-09-27
Posts: 172

[SOLVED] WireGuard client routing with multiple interfaces on server

Hey,

I have a routing situation I'm not really sure how to configure...

I have a WireGuard VPN server with two interfaces, an "external" and "internal" interface (+ WireGuard interface). I want to set up a full tunnel VPN for the clients so that all traffic is routed out via the server's internal interface. The clients come in through the external public facing interface. For the server itself, I obviously want to use the external interface as the default route, but several internal ranges need to go out via the internal interface.

I don't need/use any NAT.

It seems like policy-based routing is required so that a separate routing table is used for the VPN client traffic, but I can't get it to work properly - with the below configuration even traffic towards the WireGuard server's gateway address is forwarded via the internal interface and there's something weird going on that might be related to this. Otherwise it seems to work (clients can reach internal network & internet, just not the VPN server through the gateway address).

I'm guessing the secondary routing table needs an exception for the WireGuard gateway address? Or another route?

I'm configuring everything through systemd-networkd so the configuration is from there.

IP config:

external: 10.0.200.162/28 (gw .161)
internal: 10.0.200.130/28 (gw .129)
wireguard: 10.0.100.1/23
client pool: 10.0.100.0/23

For the server itself, I want to route 10.0.0.0/8 and 192.168.0.0/16 through the internal interface.

Configuration:

[Match]
Name = external

[Address]
Address = 10.0.200.162/28

[Route]
Destination = 0.0.0.0/0
Gateway = 10.0.200.161

# ---

[Match]
Name = internal

[Address]
Address = 10.0.200.130/28

[Route]
Destination = 10.0.0.0/8
Gateway = 10.0.200.129

[Route]
Destination = 192.168.0.0/16
Gateway = 10.0.200.129

[Route]
Destination = 0.0.0.0/0
Gateway = 10.0.200.129
Table = 2

[RoutingPolicyRule]
From = 10.0.100.0/23
Table = 2

# ---

[Match]
Name = wg0

[Address]
Address = 10.0.100.1/23
IPForward = yes

[Route]
Destination = 10.0.100.0/23
Gateway = 10.0.100.1

This of course results in this routing table:

# ip route
default via 10.0.200.161 dev external proto static
10.0.0.0/8 via 10.0.200.129 dev internal proto static
10.0.100.0/23 dev wg0 proto kernel scope link src 10.0.100.1
10.0.100.0/23 via 10.0.100.1 dev wg0 proto static
10.0.200.128/28 dev internal proto kernel scope link src 10.0.200.130
10.0.200.160/28 dev external proto kernel scope link src 10.0.200.162
192.168.0.0/16 via 10.0.200.129 dev internal proto static

# ip rule
0: from all lookup local
0: from 10.0.100.0/23 lookup 2
32766: from all lookup main
32767: from all lookup default

# ip route show table 2
default via 10.0.200.129 dev internal proto static

Last edited by initbox (2020-03-17 22:21:07)

Offline

#2 2020-03-16 23:23:44

fukawi2
Administrator
From: .vic.au
Registered: 2007-09-28
Posts: 5,835
Website

Re: [SOLVED] WireGuard client routing with multiple interfaces on server

This should be basic routing. No need for policy-based routing. Did you try before delving into PBR?

Offline

#3 2020-03-16 23:40:50

initbox
Member
Registered: 2008-09-27
Posts: 172

Re: [SOLVED] WireGuard client routing with multiple interfaces on server

You can only have one default route no? The default route needs to be the external interface for the server itself. The VPN clients also need a default route via the internal interface to route all client traffic through it (because that needs to go to the internet via the internal interface). If I only did split tunnel I could remove the default route requirement and I'd be done (all the internal networks will be routed to the internal interface already).

Offline

#4 2020-03-17 00:43:09

fukawi2
Administrator
From: .vic.au
Registered: 2007-09-28
Posts: 5,835
Website

Re: [SOLVED] WireGuard client routing with multiple interfaces on server

If I'm understanding the problem correctly, the routing table on your server should look like this (where ext0 and int0 are your external/internal interfaces respectively):

default via 10.0.200.161
10.0.200.162/28 dev ext0
10.0.200.130/28 dev int0
10.0.100.0/23 dev wg0

Clients can just default route to 10.0.100.1 over the WG tunnel, and packets arriving at the server from the Wireguard clients will be routed according to the servers route table (assuming you have ip_forwarding enabled and firewall rules to allow it).

I don't think I'm fully understanding your goal - this may be a little bit of a XY Problem.

Offline

#5 2020-03-17 07:42:39

initbox
Member
Registered: 2008-09-27
Posts: 172

Re: [SOLVED] WireGuard client routing with multiple interfaces on server

No that doesn't work - the traffic from the VPN clients will flow out through the external interface of the VPN server. It needs to go through the internal interface. The external interface is only the correct default route for the server itself.

Traffic from VPN clients needs to go out via the internal interface so that it ends up on the internal network and out from there via its default routes and firewall (with its firewall rules, IPS functionality, content filtering etc.). Via the external interface it just goes out directly to the internet.

Offline

#6 2020-03-17 09:30:44

progandy
Member
Registered: 2012-05-17
Posts: 3,717

Re: [SOLVED] WireGuard client routing with multiple interfaces on server

Maybe you could try policy based routing for marked packets  and then mark wg-packets with ip/nftables.

Last edited by progandy (2020-03-17 10:05:44)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#7 2020-03-17 22:20:14

initbox
Member
Registered: 2008-09-27
Posts: 172

Re: [SOLVED] WireGuard client routing with multiple interfaces on server

OK it looks like I have the config sorted out - the original config was close enough but required a route for the VPN client subnet (I had that but it needs to be on the secondary table).

systemd-network wants to configure things only for the same interface so the config needs to be split over the two interfaces but obviously you can just use the one routing table.

IncomingInterface can be used as the routing policy rule.

[Match]
Name = internal

[Route]
Destination = 0.0.0.0/0
Gateway = 10.0.200.129
Table = 2

# ---

[Match]
Name = wg0

[Route]
Destination = 10.0.100.0/23
Gateway = 10.0.100.1
Table = 2

[RoutingPolicyRule]
IncomingInterface = wg0
Table = 2

Offline

Board footer

Powered by FluxBB