I am sorry if this is a trivial question. I've spent the last 3 days trying to sort this problem out, so I've certainly tried to find a solution myself.

I have a host with two network interfaces that go through two different gateways/IPs. One that is directly connected to the host (Floating IP) and one that goes through a router (Gateway). (OpenStack infrastructure)

I cannot port-forward through the gateway so to connect to the VPN I must use the Floating IP. I must however access the internet from the peer via the Gateway due to IP whitelisting.

The two network interfaces on an ubuntu server 22.04 instance are set up correctly.

ens3 is the Floating IP. It is also the default. When doing curl ifconfig.me --interface ens3 or curl ifconfig.me it yields the floating IP.

ens7 is the Gateway. When doing curl ifconfig.me --interface ens7 it yields the Gateway IP.

How would I go about forcing wireguard to send outbound traffic (ie a request on a peer connected to wireguard) through ens7 even though the wireguard connection is on ens3?

  • So far I've tried to reroute traffic by making ens7 the default route, but it seemingly disconnected connections to the instance.
  • I've further tried to run the PostUp settings with ens7 instead of ens3, but that didn't work either. I didn't think it would work but tried anyway.
  • Though WireGuard could be a special case, this generally cannot work. By responding using another IP address, you are essentially sending unrelated traffic. Remember the association tuple: (IP a, port a, IP b, port b).
    – Daniel B
    Commented Feb 17 at 15:22

1 Answer

If you actually need to send tunneled WireGuard traffic through a different physical network interface than the one through which you received it, you would likely need two separate WireGuard interfaces (one for each physical interface).

However, you're probably overthinking this. You probably don't need to use both interfaces -- you probably just need to set up a WireGuard tunnel through just one of the physical network interfaces, and use WireGuard's persistent-keepalive functionality to keep the tunnel open for bi-directional communication.

Let's call your host with two interfaces "Host A", and the host you're trying to communicate with over WireGuard "Host B". These are the three usual ways you'd do this:

1. Host A sets up the tunnel to Host B

If Host A can initiate connections to Host B's public IP address and WireGuard listen port (like through your Host A's ens7 interface), configure Host A with Host B's public IP address and WireGuard listen port (via the Endpoint setting), and add a PersistentKeepalive setting to it:

# /etc/wireguard/wg0.conf on Host A
[Interface]
...

# connection to Host B
[Peer]
...
Endpoint = <Host B public IP>:<Host B listen port>
PersistentKeepalive = 25

When you start up the WireGuard interface on Host A, it will attempt to set up a WireGuard connection with Host B, and send a keepalive packet to Host B every 25 seconds. These keepalive packets should keep the connection open through any firewalls between Host A and Host B, allowing both hosts to send and receive traffic to each other on demand (adjust the PersistentKeepalive seconds as necessary to make sure it triggers those firewalls to keep the connection state active).

In this case, don't include an Endpoint or PersistentKeepalive setting in Host B's WireGuard config.

2. Host B sets up the tunnel to Host A

If Host B can initiate connections to Host A's public IP address and WireGuard listen port (like through your Host A's ens3 interface), instead configure Host B with Host A's public IP address and WireGuard listen port (via the Endpoint setting), and add a PersistentKeepalive setting to Host B:

# /etc/wireguard/wg0.conf on Host B
[Interface]
...

# connection to Host A
[Peer]
...
Endpoint = <Host A public IP>:<Host A listen port>
PersistentKeepalive = 25

In this case, when you start up the WireGuard interface on Host B, it will attempt to set up a WireGuard connection with Host A, and send a keepalive packet to Host A every 25 seconds. Don't include an Endpoint or PersistentKeepalive setting in Host A's WireGuard config in this case.

3. Host A and Host B both set up a tunnel to a third host

If Host A cannot initiate connections to Host B's public IP address and WireGuard listen port, and Host B cannot initiate connections to Host A's public IP address and WireGuard listen port, set up a third host, "Host C", at some other location with a public IP address and WireGuard listen port to which both Host A and Host B can connect.

Configure both Host A and Host B with Host C's public IP address and WireGuard listen port, and add a PersistentKeepalive setting to both:

# /etc/wireguard/wg0.conf on Host A
[Interface]
...

# connection to Host C
[Peer]
...
Endpoint = <Host C public IP>:<Host C listen port>
PersistentKeepalive = 25

(Same for Host B):

# /etc/wireguard/wg0.conf on Host B
[Interface]
...

# connection to Host C
[Peer]
...
Endpoint = <Host C public IP>:<Host C listen port>
PersistentKeepalive = 25

Then configure Host C as a WireGuard hub, forwarding traffic back and forth through its WireGuard connections between Host A and Host B.
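As an added example (not part of the answer above, nor WireGuard's own tooling): a small Python checker that parses two wg-quick configs and reports which of the three cases above they implement, based on which side carries Endpoint and PersistentKeepalive. The two configs, their keys and the 203.0.113.20 endpoint are constructed placeholders.

```python
# Added example, not from the answer: classify a Host A / Host B pair of wg-quick
# configs into the answer's three cases by checking which side carries Endpoint
# and PersistentKeepalive. Both configs are constructed; the keys are placeholders.

def parse_wg_conf(text):
    # Minimal wg-quick parser -> [(section, {key: value}), ...]; keeps repeated
    # [Peer] sections separate, which configparser would merge or reject.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def initiates(text):
    # True when some [Peer] has both Endpoint and PersistentKeepalive: this host
    # dials out and keeps the tunnel open, the role the answer gives the initiator.
    return any("Endpoint" in kv and "PersistentKeepalive" in kv
               for name, kv in parse_wg_conf(text) if name == "Peer")

def classify_pair(conf_a, conf_b):
    a, b = initiates(conf_a), initiates(conf_b)
    if a and b:
        return "case 3: both initiate (only valid when both point at a hub, Host C)"
    if a:
        return "case 1: Host A initiates the tunnel to Host B"
    if b:
        return "case 2: Host B initiates the tunnel to Host A"
    return "no initiator: neither side has Endpoint + PersistentKeepalive; tunnel stays down"

HOST_A_CONF = """[Interface]
PrivateKey = PLACEHOLDER_A_PRIVATE_KEY=
[Peer]
PublicKey = PLACEHOLDER_B_PUBLIC_KEY=
AllowedIPs = 10.200.0.2/32
Endpoint = 203.0.113.20:51820   # Host B public IP:listen port (constructed)
PersistentKeepalive = 25
"""
HOST_B_CONF = """[Interface]
PrivateKey = PLACEHOLDER_B_PRIVATE_KEY=
ListenPort = 51820
[Peer]
PublicKey = PLACEHOLDER_A_PUBLIC_KEY=
AllowedIPs = 10.200.0.1/32
"""
```

Running classify_pair(HOST_A_CONF, HOST_B_CONF) reports case 1; swapping the arguments reports case 2, and passing HOST_B_CONF twice reports that no side initiates.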
