I have three Linux/Debian hosts: Client, Middleman, and Gateway. The Client and the Gateway are behind NAT, while Middleman has a public IPv4 address.
Thus, the Endpoint for Client and Gateway will be the Middleman.
Then, I want to route all the traffic from the Client in this way:
Client ==> Middleman ==> Gateway ==> Internet
My current configs are:
Client
[Interface]
PrivateKey =
Address = 10.0.0.1/32
ListenPort = 51821
[Peer]
PublicKey =
Endpoint = MIDDLEMAN_PUBLIC_IP:51823
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Middleman
[Interface]
PrivateKey =
Address = 10.0.0.3/32
ListenPort = 51823
PreUp = sysctl -w net.ipv4.ip_forward=1
# Client
[Peer]
PublicKey =
AllowedIPs = 10.0.0.1/32
# Gateway
[Peer]
PublicKey =
AllowedIPs = 10.0.0.0/24
Gateway
[Interface]
PrivateKey =
Address = 10.0.0.2/32
ListenPort = 51822
# From wg0 to eth0
PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey =
Endpoint = MIDDLEMAN_PUBLIC_IP:51823
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25
At the moment the tunnel is working and I can ssh from Client to Gateway through WireGuard's tunnel, but the Internet traffic is stuck at the Middleman (according to tcpdump, when trying to ping 8.8.8.8).
I'm definitely missing some iptables rules on the Middleman, but I've tried several from different online guides.
Can you suggest working configurations?
On Middleman, the [Peer] for Gateway needs to have AllowedIPs = 0.0.0.0/0 instead, but the side effect is that Middleman itself will use Gateway as its Internet gateway as well, unless you have Table=off under [Interface] and set up policy routing manually.