g00nix
commented
2 years ago I think the issue is your device has a public IP on eth0 and you are routing all outbound traffic through the wireguard interface, so traffic is coming in on eth0 but going out on wgpia. Solving this issue is out of the scope of this repo, so I will have to close the ticket, but we can continue the discussion.
Here is an idea that could work:
Try to isolate the public services in a special network namespace (for example, by hosting those services on a docker network within the 172.17.0.0/16 range). After that, try to SNAT outbound connections to the WG interface instead of masquerading everything, and configure outbound connections from your public service to still go out via eth0. This should achieve the expected split tunnel effect you are looking for.
There are also other solutions to this. If you keep digging into Linux networking you will probably find alternative solutions.
If you want to dive into this deeper, I suggest starting by creating a diagram of the network flow (current and expected).
Bitals
Hello and thank you very much for this project.
My system is behind a NAT with multiple ports forwarded to it. My issue is that when I launch this script, my system stops answering requests coming from the internet. It answers everything from LAN, but nothing from outside, which is confusing for me since all requests from outside are forwarded to its local IP address, the same one I use to test from LAN.
Do you have any suggestions how to keep it answering on its NATed public IP while routing all outgoing traffic through PIA? Listening via PF seems like a lot of further automatization I really-really don't want to implement since it's completely redundant for my use case, and 1 port is not nearly enough for my needs.
Best regards.