
I have a Wireguard connection to a cloud server that I do not control, and I was granted only one IP address to use when connecting to that server. However, I would like to allow multiple clients to connect to that cloud server, and I want to do this by setting up my own local Wireguard server, connecting clients to that, and then forwarding traffic from that local Wireguard into the cloud Wireguard.

Here is a diagram of the configuration I am looking to implement: [image of the diagram]

The connection in wg1 works for one device, and I am able to set up wg0 and have multiple clients connect to it, but I am stumped at getting the bridge from wg0 to wg1 to work. I'm reasonably sure that some sort of NAT config via iptables will be required, but I cannot for the life of me figure out what needs to be configured in order to get this to work.

I have already set net.ipv4.ip_forward=1 in /etc/sysctl.conf and have configured my ufw firewall to allow traffic into wg0. I also want to make sure that the Wireguard configurations on my local server do not force all traffic coming out of that server to go through the external Wireguard server, so I have set all tables to 1234.

It could also be that adding the external wireguard as a peer of my local wireguard is possible, but this is also beyond my ability to get working.

Local client config:

    [Interface]
    Address = 10.8.0.1/32 # or 10.8.0.2, 10.8.0.3
    PrivateKey = ...

    [Peer]
    AllowedIPs = 0.0.0.0/0
    Endpoint = 1.2.3.4:51820
    PublicKey = ...

Local server config (wg0):

    [Interface]
    Address = 10.8.0.254/24
    PrivateKey = ...
    Table = 1234
    PostUp = iptables -A FORWARD -i wg0 -o wg1 -j ACCEPT
    PostUp = iptables -A FORWARD -i wg1 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    PostUp = iptables -t nat -I POSTROUTING -o wg1 -j MASQUERADE
    PostUp = iptables -t nat -I POSTROUTING -o mv0 -j MASQUERADE
    PreDown = iptables -D FORWARD -i wg0 -o wg1 -j ACCEPT
    PreDown = iptables -D FORWARD -i wg1 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
    PreDown = iptables -t nat -D POSTROUTING -o wg1 -j MASQUERADE

    [Peer]
    AllowedIPs = 10.8.0.1/32
    PublicKey = ...

    [Peer]
    AllowedIPs = 10.8.0.2/32
    PublicKey = ...

    [Peer]
    AllowedIPs = 10.8.0.3/32
    PublicKey = ...

Cloud server peer config (wg1):

    [Interface]
    Address = 10.9.0.1/32
    PrivateKey = ...
    Table = 1234

    [Peer]
    AllowedIPs = 0.0.0.0/0
    Endpoint = 5.6.7.8:51820
    PublicKey = ...

Any help would be greatly appreciated.

  • This question is similar to: Iptables - Forwarding + Masquerading. If you believe it's different, please edit the question, make it clear how it's different and/or how the answers on that question are not helpful for your problem. Commented Aug 9, 2024 at 19:07

1 Answer


I've found a solution to my problem. There were two missing pieces:

  • Instead of a MASQUERADE job, I needed a SNAT where the source IP is set to 10.9.0.1. That way, any outgoing traffic would have the correct source IP for the cloud VPN to accept it.
  • All traffic on the network needs to be redirected to the table used by the Wireguard interface.

With this, I was also able to set up everything using a single Wireguard interface.

Here is my updated server config file (the clients are unchanged):

    [Interface]
    Address = 10.8.0.254/24
    PrivateKey = ...
    Table = 1234
    PostUp = iptables -t nat -I POSTROUTING -o wg0 -j SNAT --to-source 10.9.0.1
    PostUp = ip rule add iif wg0 lookup 1234
    PreDown = iptables -t nat -D POSTROUTING -o wg0 -j SNAT --to-source 10.9.0.1
    PreDown = ip rule del iif wg0 lookup 1234

    # External VPN
    [Peer]
    AllowedIPs = 0.0.0.0/0
    Endpoint = 5.6.7.8:51820
    PublicKey = ...

    # Internal VPN clients
    [Peer]
    AllowedIPs = 10.8.0.1/32
    PublicKey = ...

    [Peer]
    AllowedIPs = 10.8.0.2/32
    PublicKey = ...

    [Peer]
    AllowedIPs = 10.8.0.3/32
    PublicKey = ...
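As an added check that is not part of the question or the answer above, the following Python linter reads a wg-quick config and flags the two things this thread turns on: PostUp iptables rules that PreDown never deletes (the question's wg0 config adds NAT on mv0 but deletes it on wg0, so a rule survives every restart), and a Table = N setup with a 0.0.0.0/0 peer that has no ip rule pointing client traffic at table N. The parser and the sample config are written for this example; the sample is condensed from the question's wg0 NAT lines.

```python
import re

def parse_wg_config(text):
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts; repeated keys stay lists."""
    iface, peers, cur = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            cur = {}
            if line.lower() == "[interface]":
                iface = cur
            else:
                peers.append(cur)
            continue
        key, _, val = line.partition("=")
        cur.setdefault(key.strip(), []).append(val.strip())
    return iface, peers

def lint_wg_config(text):
    """Return findings for the two mistakes discussed on this page."""
    iface, peers = parse_wg_config(text)
    findings = []
    # 1. Each iptables rule added in PostUp must be deleted by PreDown, or every
    #    wg-quick restart leaves a stale NAT/FORWARD rule behind. -A/-I/-D are
    #    normalised to a placeholder so the add and the delete compare equal.
    canon = lambda c: re.sub(r"\s-[AID]\s", " -A/D ", " ".join(c.split()))
    ups = {canon(c) for c in iface.get("PostUp", []) if c.startswith("iptables")}
    downs = {canon(c) for c in iface.get("PreDown", []) if c.startswith("iptables")}
    findings += [f"PostUp rule never removed in PreDown: {r}" for r in sorted(ups - downs)]
    findings += [f"PreDown removes a rule PostUp never adds: {r}" for r in sorted(downs - ups)]
    # 2. With Table = N the 0.0.0.0/0 route lives in table N, so forwarded client
    #    traffic only reaches the upstream peer if an ip rule points it at that table.
    table = iface.get("Table", ["auto"])[0]
    full_tunnel = any("0.0.0.0/0" in a for p in peers for a in p.get("AllowedIPs", []))
    has_rule = any(re.search(rf"ip rule add .*lookup {table}\b", c) for c in iface.get("PostUp", []))
    if full_tunnel and table not in ("auto", "off") and not has_rule:
        findings.append(f"Table = {table} with a 0.0.0.0/0 peer but no 'ip rule add ... lookup {table}'")
    return findings

# Constructed sample: the question's wg0 NAT lines (PostUp adds mv0, PreDown deletes wg0).
QUESTION_WG0 = """[Interface]
Table = 1234
PostUp = iptables -t nat -I POSTROUTING -o wg1 -j MASQUERADE
PostUp = iptables -t nat -I POSTROUTING -o mv0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg1 -j MASQUERADE
[Peer]
AllowedIPs = 10.8.0.1/32
"""
```

Running `lint_wg_config(QUESTION_WG0)` reports the mv0/wg0 mismatch, while the answer's single-interface config passes cleanly and fails only if its `ip rule add iif wg0 lookup 1234` line is removed.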
