Need routing help for a Wireguard client on VPS.

[ioogithub]

Trying to setup a wireguard client on VPS so traffic destined to the internet will use wireguard tunnel instead of public IP: LAN -> OMR -> VPS -> Wireguard -> Internet

Traffic that comes from the Internet (www or ssh) should still use the public IP, not wireguard: Internet -> VPS -> OMR -> LAN

I followed the guide here to setup shorewall: https://github.com/Ysurac/openmptcprouter/issues/1536

1. Create rule to allow UDP wireguard: ACCEPT $FW net udp 51820

2. Create an interface: exvpn exwg+ nosmurfs,tcpflags

3. Create a zone: exvpn ipv4

4. Create policies vpn exvpn ACCEPT and fw exvpn ACCEPT

5. Modify existing snat rule and replace $NET_IFACE with exwg0.

6. Create exwg0.conf:

   [Interface]
   ...
   # Use server IP for replying back to direct connections instead of VPN
   PostUp = ip rule add from {SERVER_PUBLIC_IP} table main
   PostDown = ip rule del from {SERVER_PUBLIC_IP} table main
   ...
   [Peer]
   ...
   AllowedIPs = 0.0.0.0/0
   ...

   I need help with the routing. Two ideas:

7. Leave AllowedIPs = 0.0.0.0/0 and try to set specific routes for OMR traffic with the PostUP and PostDown commands.

   • If I set AllowedIPs = 0.0.0.0/0 then wireguard sets a default route and takes over the VPS when it starts. I lose ping and ssh access. I adding many different routes with PostUP and it never works.

8. Set AllowedIPs = IPs from OMR

   • If I set AllowedIPs= something. Then I can bring the wireguard tunnel online but I can't get traffic to route though it.
   • I can't find the IP address to set here. How to identify only traffic from OMR that is going to internet?
   • shorewall rules has something like this vpn:$OMR_ADDR how do I find out what $OMR_ADDR is to try to add it to AllowedIPs?

I think I am close to a solution but I need help with the routing. This is just a wireguard client on the VPS not a wireguard server.

Summary:

• Traffic coming from OMR via shadowsocks (TCP) or Glorytun (UDP) and going to internet will use wireguard tunnel.
• All other traffic will use regular public IP. Please help.

Specifications

• OpenMPTCProuter version: 0.59.1-5.4 r0+16594-ce92de8c8c
• OpenMPTCProuter VPS version:
• OpenMPTCProuter VPS provider:
• OpenMPTCProuter platform: x86_64

[ioogithub]

I think I got a step closer. I am trying to forward all packets from the shadowsocks (65101) and glorytun (65001) tunnel to the wgtunnel on the VPS with this config:

[Interface]
Address = 10.1.2.1/32
...
PostUp = ip rule add from 0.0.0.0/0 sport 65101 table 200; ip rule add from 0.0.0.0/0 sport 65001 table 200; ip route add default dev exwg0 table 200

PostDown = ip rule del from 0.0.0.0/0 sport 65101 table 200; ip rule del from 0.0.0.0/0 sport 65001 table 200; ip route add default dev exwg0 table 200

[Peer]
...
Endpoint = 1.1.2.1:1637
AllowedIPs = 1.1.2.0/24

but it doesn't seem to work. When I bring the wireguard tunnel up it breaks the shadowsocks with this message on the OMR status page:

VPN tunnel is down
can't get public ip address from shadowsocks.

Now that I know how to identify the packets from OMR, is there another way to forward them to the wg tunnel without breaking the shadowsocks tunnel?

[ioogithub]

I tried another solution using iptables to call these two lines when the wg intrface is brought up:

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 65000:65535 -j DNAT --to-destination <WireGuard tunnel IP>:<WireGuard tunnel port>; iptables -t nat -A PREROUTING -p udp --dport 65000:65535 -j DNAT --to-destination <WireGuard tunnel IP>:<WireGuard tunnel port>

PostDown = iptables -t nat -D PREROUTING -p tcp --dport 65000:65535 -j DNAT --to-destination <WireGuard tunnel IP>:<WireGuard tunnel port>; iptables -t nat -D PREROUTING -p udp --dport 65000:65535 -j DNAT --to-destination <WireGuard tunnel IP>:<WireGuard tunnel port>

This don't work either, similar error on the OMR status page:

Can't get the public ip from shadowsocks
Can't contact server admin script (no token yet avaliable)

I tested the wg config file on my computer, it works but can't get traffic from OMR on the VPS to be directed to the wg tunnel without breaking the tunnel.

[github-actions[bot]]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days