
I have one wireguard interface wg_vpn, but I don't want it to be global, so I add the line "Table = off" to the wg_vpn.conf to prevent wg-quick from modifying the route table.

I also have an openvpn/wireguard interface tun0/wg0, and the clients can access my server through it. I've created these iptables rules:

    iptables -t nat -A POSTROUTING -o wg_vpn  -j MASQUERADE
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i wg0 -o wg_vpn -j ACCEPT
    
    ip6tables -t nat -A POSTROUTING -o wg_vpn  -j MASQUERADE
    ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ip6tables -A FORWARD -i wg0 -o wg_vpn -j ACCEPT

But they don't work, unless I make wg_vpn global by:

    ip route add default dev wg_vpn
    ip -6 route add default dev wg_vpn

Then they work.

But I just want to forward tun0/wg0 to wg_vpn without modifying the global route table, so may I know how to achieve this?

Thanks in advance!

1 Answer

Use policy routing with ip rule.

  1. Instead of Table=off, specify Table=123 to make wg-quick place the routes in a separate table (any 16-bit number except 253–255, which are the global tables).

    ...or manually add your routes to a new table:

    ip -4 route add default dev wg_vpn table 123
    ip -6 route add default dev wg_vpn table 123
    
  2. Create policy routing rules to select this table for packets received from tun0:

    ip -4 rule add pref 1000 iif tun0 lookup 123
    ip -6 rule add pref 1000 iif tun0 lookup 123
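
An added example, not code from the question or the answer, that turns the two steps above into a small idempotent script: it creates the dedicated table route and the `iif` rules for both address families, and checks `ip rule show` before adding a rule, because `ip rule add` inserts duplicates on every run. Interface names (tun0, wg0, wg_vpn) come from the question and table 123 / preference 1000 from the answer; the function names, the `DRY_RUN` switch and the `apply` argument are this example's own. It assumes `ip rule show` prints numeric table ids (it prints the name instead when the table is listed in /etc/iproute2/rt_tables).

```shell
#!/bin/sh
# Added example (not from the question or the answer): policy routing so that
# packets arriving on the client VPN interfaces (tun0/wg0) are routed out via
# wg_vpn through a dedicated table, leaving the main routing table untouched.
# Interface names, table 123 and preference 1000 are taken from the thread;
# the function names and DRY_RUN are assumptions of this example.

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Return success if the output of "ip rule show" (passed as $1) already holds a
# rule with this preference, ingress interface and table. Lines look like
# "1000:<tab>from all iif tun0 lookup 123".
rule_present() {
    rules=$1; pref=$2; in_if=$3; table=$4
    printf '%s\n' "$rules" \
        | grep -Eq "^${pref}:[[:space:]]+from all iif ${in_if} lookup ${table}\$"
}

# apply_policy_routing OUT_IF TABLE PREF IN_IF...
# "route replace" is used instead of "route add" so a re-run does not fail once
# the route exists; rules are only added when rule_present says they are absent.
apply_policy_routing() {
    out_if=$1; table=$2; pref=$3; shift 3
    for fam in -4 -6; do
        run ip $fam route replace default dev "$out_if" table "$table"
        for in_if in "$@"; do
            if [ "${DRY_RUN:-0}" != 1 ] \
               && rule_present "$(ip $fam rule show)" "$pref" "$in_if" "$table"; then
                continue   # rule already installed, do not duplicate it
            fi
            run ip $fam rule add pref "$pref" iif "$in_if" lookup "$table"
        done
    done
}

# Usage (root needed unless DRY_RUN=1):
#   DRY_RUN=1 sh policy_route.sh apply     # show the commands
#   sh policy_route.sh apply               # install them
if [ "${1:-}" = apply ]; then
    apply_policy_routing wg_vpn 123 1000 tun0 wg0
fi
```

The `iif` rules match only packets that entered the box on tun0 or wg0, so the host's own traffic keeps using the main table, which is exactly what `Table = off` was meant to preserve. The FORWARD and MASQUERADE rules from the question are still required; once table 123 is selected for those packets, the `-i wg0 -o wg_vpn` rule actually sees them, and keeping the FORWARD chain's default policy at DROP ensures nothing but that interface pair is forwarded.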
    
