
I have two Raspberry Pis in two different locations (Germany and France), which I want to use as VPN servers to access the internet from different devices.

To avoid port forwarding on my local routers, I have set up a VPS (Debian) in Azure with two network interface cards and have assigned a public IP to each. I am trying to set up two WireGuard interfaces on the VPS so that the first interface, wg0, routes all traffic to the Raspberry Pi in Germany and the second interface, wg1, routes all traffic to the Raspberry Pi in France.

The setup looks like this:

  • (Device 1..N) -> Azure VPS (Public IP #1) (VNET: 10.2.0.4/24) -> wg0 (10.6.0.1) -> Raspberry Pi Germany (10.6.0.15) -> Internet
  • (Device 1..N) -> Azure VPS (Public IP #2) (VNET: 10.4.0.4/24) -> wg1 (10.7.0.1) -> Raspberry Pi France (10.7.0.15) -> Internet

VPS eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 60:45:bd:0f:03:27 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.4/24 brd 10.2.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::6245:bdff:fe0f:327/64 scope link
       valid_lft forever preferred_lft forever

VPS eth1

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 60:45:bd:d2:5e:54 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.4/24 brd 10.4.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::6245:bdff:fed2:5e54/64 scope link
       valid_lft forever preferred_lft forever

The internet wasn't working on the second public IP (eth1), so I followed this guide to make it work: https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System

cat /etc/iproute2/rt_tables

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
150 rt2

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.2.0.1        0.0.0.0         UG    0      0        0 eth0
10.2.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.4.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1

ip rule show

0:      from all lookup local
32764:  from all to 10.4.0.4 lookup rt2
32765:  from 10.4.0.4 lookup rt2
32766:  from all lookup main
32767:  from all lookup default

ip route show

default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4

Bring up wg0

VPS wg0 config

[Interface]
PrivateKey = <Private Key>
Address = 10.6.0.1/24
ListenPort = 51820

### Route requests to Raspberry Pi Germany ###
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
PostUp = ip rule add not from 10.6.0.0/24 table main # This is needed to allow SSH access after enabling connection
PostUp = iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

### PostDown ###
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostDown = ip rule del not from 10.6.0.0/24 table main
PostDown = echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward

### begin Raspberry Pi Germany ###
[Peer]
PublicKey = <Public Key>
PresharedKey = <Private Key>
AllowedIPs = 10.6.0.15/32, 0.0.0.0/0
### end Raspberry Pi Germany ###

...
wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
[#] echo 1 > /proc/sys/net/ipv4/ip_forward
[#] echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
[#] ip rule add not from 10.6.0.0/24 table main
[#] iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
[#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ip route show

default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1

ip rule show

0:      from all lookup local
32761:  not from 10.6.0.0/24 lookup main
32762:  from all lookup main suppress_prefixlength 0
32763:  not from all fwmark 0xca6c lookup 51820
32764:  from all to 10.4.0.4 lookup rt2
32765:  from 10.4.0.4 lookup rt2
32766:  from all lookup main
32767:  from all lookup default

Result: All requests from my devices are successfully routed to Raspberry Pi Germany

Bring up wg1

VPS wg1 config

[Interface]
PrivateKey = <Private Key>
Address = 10.7.0.1/24
ListenPort = 51821

PostUp = ip rule add not from 10.6.0.0/24 table main # This is needed to allow SSH access after enabling connection
PostUp = iptables -A FORWARD -i wg1 -o wg1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg1 -o wg1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostDown = ip rule del not from 10.6.0.0/24 table main

### begin Raspberry Pi France ###
[Peer]
PublicKey = <Public Key>
PresharedKey = <Private Key>
AllowedIPs = 10.7.0.15/32, 0.0.0.0/0
### end Raspberry Pi France ###

ip rule show

0:      from all lookup local
32758:  not from 10.6.0.0/24 lookup main
32759:  from all lookup main suppress_prefixlength 0
32760:  not from all fwmark 0xca6d lookup 51821
32761:  not from 10.6.0.0/24 lookup main
32763:  not from all fwmark 0xca6c lookup 51820
32764:  from all to 10.4.0.4 lookup rt2
32765:  from 10.4.0.4 lookup rt2
32766:  from all lookup main
32767:  from all lookup default

ip route show

default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
10.7.0.0/24 dev wg1 proto kernel scope link src 10.7.0.1

Result: Connecting from my devices, wg0 does not work anymore and all requests to wg1 are now routed to Azure Public IP #1

I am new to networking and WireGuard and cannot get my head around where it's going wrong. Help!

Edit: I found a simpler solution than using one network interface per WireGuard server. I ended up setting up multiple WireGuard servers using Docker and mapping different VPS ports to each of the containers. I found this link useful.
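As an added illustration (not part of the question, and not wg-quick's own code), here is a small Python model of how the kernel walks the `ip rule` list shown after `wg-quick up wg1`: it reports which table and device a forwarded, unmarked packet from a wg0 client and from a wg1 client ends up on, and compares that with the rule list shown when only wg0 was up. Table 51821 is assumed to mirror table 51820 (a default route via wg1); the client addresses 10.6.0.20 and 10.7.0.20 and the destination 1.1.1.1 are constructed.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass
class Rule:
    prio: int
    table: str
    src: str = "0.0.0.0/0"          # "from" selector ("from all" = 0.0.0.0/0)
    fwmark: Optional[int] = None    # fwmark selector (None = match any mark)
    invert: bool = False            # leading "not": the whole selector is inverted
    suppress: Optional[int] = None  # suppress_prefixlength N

def _in(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def longest_match(table, dst):
    """Longest-prefix lookup in one table; returns (prefixlen, dev) or None."""
    hits = [(ipaddress.ip_network(p).prefixlen, dev) for p, dev in table if _in(dst, p)]
    return max(hits) if hits else None

def resolve(rules, tables, src, dst, mark=0):
    """Walk the rules in priority order like the kernel; return (prio, table, dev)."""
    for r in sorted(rules, key=lambda r: r.prio):
        match = _in(src, r.src) and r.fwmark in (None, mark)
        if match == r.invert:       # selector did not apply (after "not" inversion)
            continue
        hit = longest_match(tables.get(r.table, []), dst)
        if hit is None or (r.suppress is not None and hit[0] <= r.suppress):
            continue                # no route, or route suppressed: try the next rule
        return r.prio, r.table, hit[1]
    return None

# Tables after `wg-quick up wg1` (from the `ip route show` output; table 51821 is assumed to
# mirror 51820). The local table and the two rt2 rules do not match forwarded client traffic.
TABLES = {
    "main":  [("0.0.0.0/0", "eth0"), ("10.2.0.0/24", "eth0"), ("10.4.0.0/24", "eth1"),
              ("10.6.0.0/24", "wg0"), ("10.7.0.0/24", "wg1")],
    "51820": [("0.0.0.0/0", "wg0")], "51821": [("0.0.0.0/0", "wg1")],
}
RULES_AFTER_WG1 = [
    Rule(32758, "main", src="10.6.0.0/24", invert=True),   # copied from wg0's PostUp
    Rule(32759, "main", suppress=0),
    Rule(32760, "51821", fwmark=0xCA6D, invert=True),
    Rule(32761, "main", src="10.6.0.0/24", invert=True),
    Rule(32763, "51820", fwmark=0xCA6C, invert=True),
    Rule(32766, "main"),
]
RULES_WG0_ONLY = [r for r in RULES_AFTER_WG1 if r.prio > 32760] + [Rule(32762, "main", suppress=0)]
```

With only wg0 up, a 10.6.0.x client falls through to table 51820 and leaves on wg0; once wg1 is up, the same client hits wg1's rule at 32760 first, while a 10.7.0.x client is caught by the copied `not from 10.6.0.0/24 lookup main` rule and leaves via main's default route on eth0.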
