I am trying to use Linux routing to route traffic for a SPECIFIC IP (172.16.20.4/32
) on a Linux Bridge (named vmbr-dmz
) to wireguard tunnel (named wg0
). However it is not working.
I have two questions, firstly how to get it working when wireguard AllowedIPs=0.0.0.0/0
and when restrcited to just AllowedIPs=172.16.20.4/32
?
What I have done - on my host (default debian 11 installation) using linux-bridging
9: vmbr-dmz: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 172.16.20.1/28 brd 172.16.20.15 scope global vmbr-dmz
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.2.0.2/32 scope global wg0
valid_lft forever preferred_lft forever
I created a new Policy Routing Table in /etc/iproute2/rt_tables.d/dmzwg0.conf
100 dmzwg0
I create a rule for that IP address to use the table dmzwg0. The rule is visibile in the list.
ip rule add from 172.16.20.4 lookup dmzwg0
I started with the default wireguard setup from my VPN and started using systemctl start wg-quick@wg0
[Interface]
PrivateKey = k...=
Address = 10.2.0.2/32
DNS = 10.2.0.1
[Peer]
PublicKey = 8...=
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 172.16.20.4/32
Endpoint = NNN.NNN.NNN.NNN:51820
I am not sure how to find the next hopw address for wg - but guessing it is 10.2.0.1. How do you determine the next-hop for a wireguard interface? Since it is AllowedIPs=0.0.0.0/0 I can ping it, so I can added as next-hop.
ip route add default via 10.2.0.1 dev wg0 table dmzwg0
Looking that the dmzwg0
table I see the route I expect
ip route show table dmzwg0
default via 10.2.0.1 dev wg0
I added the following nf table rules for masquerading.
nft add table nat
nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
nft add rule nat postrouting oifname "wg0" ip saddr 172.16.20.4/32 counter packets 0 bytes 0 masquerade
I started from VM I tried to connect to the internet. On the host I ran tcpump -i vmbr-dmz
so I could find the traffic from the bridge has the expected I address IP
tcpdump -i vmbr-dmz
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vmbr-dmz, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:40:09.803588 IP 172.16.20.4.56226 > dns.google.domain: 59264+ SRV? _http._tcp.security.debian.org. (48)
14:40:09.803620 IP 172.16.20.4.55497 > dns.google.domain: 60873+ SRV? _http._tcp.deb.debian.org. (43)
14:40:14.808719 IP 172.16.20.4.41741 > 8.8.8.4.domain: 60873+ SRV? _http._tcp.deb.debian.org. (43)
14:40:14.808721 IP 172.16.20.4.54173 > 8.8.8.4.domain: 59264+ SRV? _http._tcp.security.debian.org. (48)
I tried tcpdump on both wg0
and my physical NIC eno1
and I could not see the traffic.
My nft nat rules are not counting any packets?
Q1) - So what have I missed? What steps could I take to work out where my traffic is going?
Also if I change my wireguard config to just the IP address I want to allpw 172.16.20.4
.
I am unable to add the next hop as the host cannot reach/ping the next-hop via wg0
.
ip route add default via 10.2.0.1 dev wg0 table dmzwg0
Error: Nexthop has invalid gateway.
Q2) - How do I add the default route to the dmzwg0
table to send all traffic via wg0 for only 172.16.20.4/32
?