Not setting WireGuard as default interface

Hello. I'm trying to run an IRC server on my machine at home. The problem is that I'm behind my ISP's CGNAT, so I'm trying to connect this home machine (A) to a remote machine (B) that has a public IP using WireGuard.
On server A I wrote the following WireGuard config:
Code:
# /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = placeholder
Address = 192.168.3.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = placeholder
PreSharedKey = placeholder
AllowedIPs = 0.0.0.0/0
Endpoint = machine-b.com:51820
PersistentKeepalive=15

And on server B I wrote the below WireGuard and ipfw configs:
Code:
# /usr/local/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.3.1/32
ListenPort = 51820
PrivateKey = placeholder

[Peer]
AllowedIPs = 192.168.3.2/32
PreSharedKey = placeholder
PublicKey = placeholder

Code:
#!/bin/sh
# /etc/ipfw.rules

ipfw -q -f flush

pif="re0"

ipfw nat 1 config if $pif redirect_port tcp 192.168.3.2:6697 6697
ipfw add 100 nat 1 ip4 from any to me in via $pif
ipfw add 200 nat 1 ip4 from 192.168.3.0/24 to any out via $pif

ipfw add allow all from any to any

Code:
# /etc/rc.conf
wireguard_interfaces="wg0"
wireguard_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"
firewall_nat_enable="YES"
It works well and I'm able to access my IRC server on A from machine-b.com:6697. But now, all traffic on A is going through B's connection, and it is very slow. Since A has much faster internet I want to have em0 (A's ethernet) as default route rather than wg0 (so that I can download packages and stuff).
I tried searching a bit and found Table = off, added it to A's wg0.conf [Interface] section and though it does make em0 remain default, it also makes the wg0 interface not function at all. (Tested with curl icanhazip.com --interface wg0)
Is there a solution to what I'm doing here? Thanks!
 
Look at your routing table with netstat -rn, my guess is that wg0 is set up for all the traffic.
My guess is that you should have:
Code:
AllowedIPs = 192.168.3.0/24
Instead of
Code:
AllowedIPs = 0.0.0.0/0
 
Look at your routing table with netstat -rn, my guess is that wg0 is set up for all the traffic.
My guess is that you should have:
Code:
AllowedIPs = 192.168.3.0/24
Instead of
Code:
AllowedIPs = 0.0.0.0/0
Doesn't that mean only 192.168.3.x would be able to connect to my machine?
I need any IPs to be able to connect here. Just tested and it doesn't seem to work for some reason.
Is there no method to just keep wg0 as it is now and set the default interface to em0? I'm considering also using torrent here with ports open using the same technique.
 
What version of wireguard-tools are you using? The -lite flavor or the regular one?
This could be solved with a different routing table with setfib in my opinion.
You put the wireguard on a different fib, then just run the irc daemon with setfib.
 
What version of wireguard-tools are you using? The -lite flavor or the regular one?
This could be solved with a different routing table with setfib in my opinion.
You put the wireguard on a different fib, then just run the irc daemon with setfib.
I'm running the regular one. Could you please explain a bit more?
 
Before going the setfib route, what does your routing table look like when you use
Code:
AllowedIPs = 0.0.0.0/0
and your IRC server is reachable from the outside.
Run netstat -rn and report here.

PS: In my case I use the -lite variant that uses the rc.d script to set my IP with wireguard_wg0_ips, and I do the NAT with pf and the firewall with ipfw.
 
Hello, sorry for the late reply. netstat -rn on the IRC server looks like this (REDACTED is the public IP of machine B):
Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#3             US          wg0
default            192.168.1.1        UGS         em0
REDACTED           192.168.1.1        UGHS        em0
127.0.0.1          link#2             UH          lo0
128.0.0.0/1        link#3             US          wg0
192.168.1.0/24     link#1             U           em0
192.168.1.128      link#2             UHS         lo0
192.168.3.2        link#2             UH          lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             link#2                        URS         lo0
::1                               link#2                        UHS         lo0
::ffff:0.0.0.0/96                 link#2                        URS         lo0
fe80::%lo0/10                     link#2                        URS         lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
ff02::/16                         link#2                        URS         lo0
 
Doesn't that mean only 192.168.3.x would be able to connect to my machine?
...

That directive is not what can connect to you, it is what destinations machine-b will forward across the tunnel.

If you want this to work without tunneling all traffic, change the config as monwarez suggested.
Code:
Change AllowedIPs = 0.0.0.0/0 to 192.168.3.0/24

Then you are going to need to source NAT the traffic to machine-b on machine-a so that when the traffic arrives at machine-b, it appears to have come from machine-a. Otherwise, machine-b will route the traffic back out the default route (not over the wireguard tunnel) and the packets will be discarded at the client.
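To show why the routing table posted earlier sends everything through wg0 even though "default" points at em0, and what the narrower AllowedIPs above changes, here is an added example (not part of this thread) that does a longest-prefix-match lookup over that netstat -rn output; the table text is copied from the post, with REDACTED kept as a placeholder, and the 192.168.3.0/24 route is the one wg-quick would install for the suggested AllowedIPs.

```python
import ipaddress

# IPv4 part of the netstat -rn output posted above (machine A).
# REDACTED stands in for machine B's public address.
NETSTAT_OUTPUT = """\
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#3             US          wg0
default            192.168.1.1        UGS         em0
REDACTED           192.168.1.1        UGHS        em0
127.0.0.1          link#2             UH          lo0
128.0.0.0/1        link#3             US          wg0
192.168.1.0/24     link#1             U           em0
192.168.1.128      link#2             UHS         lo0
192.168.3.2        link#2             UH          lo0
"""


def parse_routes(text):
    """Return a list of (network, interface) pairs from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination":
            continue
        dest, netif = fields[0], fields[3]
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skips the REDACTED placeholder
        routes.append((net, netif))
    return routes


def lookup(routes, dst):
    """Pick the egress interface for dst by longest prefix match.

    0.0.0.0/1 and 128.0.0.0/1 together cover every address and each has a
    longer prefix than 'default' (/0), so they win and traffic goes to wg0.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def with_narrow_allowed_ips(routes):
    """Model AllowedIPs = 192.168.3.0/24: only that network is routed via wg0."""
    kept = [r for r in routes if r[1] != "wg0"]
    kept.append((ipaddress.ip_network("192.168.3.0/24"), "wg0"))
    return kept


ROUTES = parse_routes(NETSTAT_OUTPUT)
```

With the posted table, lookup() returns wg0 for any public address; after with_narrow_allowed_ips() the same addresses resolve to em0 and only 192.168.3.x stays on the tunnel.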
 