I have three Linux/Debian hosts: Client, Middleman, and Gateway. The Client and the Gateway are behind NAT, while Middleman has a public IPv4 address.

Thus, the Endpoint for Client and Gateway will be the Middleman. Then, I want to route all the traffic from the Client in this way:

Client ==> Middleman ==> Gateway ==> Internet

My current configs are:

Client

[Interface]
PrivateKey = 
Address = 10.0.0.1/32
ListenPort = 51821

[Peer]
PublicKey = 
Endpoint = MIDDLEMAN_PUBLIC_IP:51823
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Middleman

[Interface]
PrivateKey = 
Address = 10.0.0.3/32
ListenPort = 51823

PreUp = sysctl -w net.ipv4.ip_forward=1


# Client
[Peer]
PublicKey = 
AllowedIPs = 10.0.0.1/32

# Gateway
[Peer]
PublicKey = 
AllowedIPs = 10.0.0.0/24

Gateway

[Interface]
PrivateKey = 
Address = 10.0.0.2/32
ListenPort = 51822

# From wg0 to eth0
PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


[Peer]
PublicKey = 
Endpoint = MIDDLEMAN_PUBLIC_IP:51823
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25

At the moment the tunnel is working and I can ssh from Client to Gateway through WireGuard's tunnel, but the Internet traffic is stuck at the Middleman (according to tcpdump, trying to ping 8.8.8.8).

I'm definitely missing some iptables rules on the Middleman, but I've tried several ones from different online guides.

Can you suggest a working configuration?

  • On Middleman, the [Peer] for Gateway needs to have AllowedIPs = 0.0.0.0/0 instead, but the side effect is that Middleman itself will use Gateway as its Internet gateway as well, unless you have Table=off under [Interface] and set up policy routing manually.
    – Tom Yan
    Commented Aug 29, 2023 at 2:53
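The following Middleman config is an added example that is not part of the question or the comment above: it applies the comment's advice (AllowedIPs = 0.0.0.0/0 for the Gateway peer, Table = off, manual policy routing) so that only packets arriving from the Client are pushed on to the Gateway, while the Middleman keeps its own default route via its public interface. Key placeholders and the routing table number 100 are assumptions; no NAT is needed here because the Gateway already masquerades.

```ini
[Interface]
PrivateKey = MIDDLEMAN_PRIVATE_KEY
Address = 10.0.0.3/32
ListenPort = 51823
# Keep wg-quick from installing 0.0.0.0/0 via wg0 in the main table;
# the routes are added by hand below so Middleman's own traffic is unaffected.
Table = off

PreUp = sysctl -w net.ipv4.ip_forward=1
# Tunnel subnet reachable via wg0 (replies destined to 10.0.0.1 need this)
PostUp = ip route add 10.0.0.0/24 dev %i
# Table 100 (assumed number) sends everything back into the tunnel ...
PostUp = ip route add default dev %i table 100
# ... but only for packets whose source is the Client
PostUp = ip rule add from 10.0.0.1/32 lookup 100
# wg0 -> wg0 hairpin forwarding, needed if the FORWARD chain policy is DROP
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
# Loose reverse-path filtering on wg0: Gateway's replies arrive here with an
# Internet host as their source, which a strict check may refuse
PostUp = sysctl -w net.ipv4.conf.%i.rp_filter=2
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT
PostDown = ip rule del from 10.0.0.1/32 lookup 100
PostDown = ip route del default dev %i table 100
PostDown = ip route del 10.0.0.0/24 dev %i

# Client: only its own address selects this peer (longest prefix wins over 0.0.0.0/0)
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.1/32

# Gateway: 0.0.0.0/0 so any Internet-bound packet is encrypted to this peer
[Peer]
PublicKey = GATEWAY_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
```

With the original 10.0.0.0/24 on the Gateway peer, a packet for 8.8.8.8 matches no peer's AllowedIPs and WireGuard drops it on the Middleman, which is why tcpdump shows the traffic stopping there.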
