porech / engarde

A go network utility to create a reliable IP tunnel over multiple connections
GNU General Public License v2.0
276 stars 41 forks

How do you forward all your traffic using engarde? #37

Closed jphein closed 2 years ago

jphein commented 4 years ago

Hello! Thank you very much, I love the software. It works really well when I set up wireguard manually using the wg command. However, I can't get it to work with wg-quick. I'm using wg-quick to set up the WireGuard VPN, and forward all my traffic over the VPN. It works perfectly for that after setting up ufw masquerading on the server. Has anyone been able to use engarde with wg-quick, and all traffic forwarding with masquerading?

Here is my setup:

wg-quick conf files

Ubuntu 20.04 server cat /etc/wireguard/wg0.conf

[Interface]
Address = 10.5.5.1
PrivateKey = 
ListenPort = 59301

[Peer]
PublicKey = 
AllowedIPs = 10.5.5.0/24

Ubuntu 20.04 client cat /etc/wireguard/wg0.conf

[Interface]
Address = 10.5.5.5
PrivateKey =   

[Peer]
PublicKey = 
#Endpoint = <public-ip>:59301
Endpoint = 127.0.0.1:59402
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.5.5.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

engarde configs

server:
  listenAddr: "0.0.0.0:59402"
  dstAddr: "127.0.0.1:59301"
  # You can control engarde-client by accessing the web management interface. Here you can specify its parameters.
  # If you don't want a management interface, you can omit this section.
  webManager:
    # The address to listen to. Leave it empty to disable the management webserver.
    listenAddr: "0.0.0.0:9001"

client:
  listenAddr: "127.0.0.1:59401"
  dstAddr: "<public-ip>:59402"
  excludedInterfaces:
    - "virbr0"
    - "virbr0-nic"
    - "wg0"
  # You can control engarde-client by accessing the web management interface. Here you can specify its parameters.
  # If you don't want a management interface, you can omit this section.
  webManager:
    # The address to listen to. Leave it empty to disable the management webserver.
    listenAddr: "0.0.0.0:9001"
jphein commented 4 years ago

Changes made to the server firewall

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
59402                      ALLOW       Anywhere                  
59301                      ALLOW       Anywhere                  
9001                       ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
59402 (v6)                 ALLOW       Anywhere (v6)             
59301 (v6)                 ALLOW       Anywhere (v6)             
9001 (v6)                  ALLOW       Anywhere (v6)             

In /etc/default/ufw, change DEFAULT_FORWARD_POLICY to "ACCEPT":

DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/sysctl.conf and uncomment:

net/ipv4/ip_forward=1

Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
ghost commented 4 years ago

Engarde client

client:
  listenAddr: "127.0.0.1:59401"
  dstAddr: "<public-ip>:59402"

wg client:

[Peer]
PublicKey = 
#Endpoint = <public-ip>:59301
Endpoint = 127.0.0.1:59402

wg client Endpoint port should be 59401 no?

jphein commented 4 years ago

@talalmash Thank you! You're right! erp. I made the change, but still not working for me. I'm going to investigate a bit more.

ale-rinaldi commented 4 years ago

Hello,

I think the issue is that you're setting:

AllowedIPs = 0.0.0.0/0

on the client.

Doing this, wg-quick will set a default route through the VPN and engarde won't be able to reach the endpoint. This doesn't happen configuring Wireguard manually since it doesn't touch the routing table.

You'll probably want to set a specific route to the public IP of the server via the non-VPN interface after you run wg-quick.

Please let me know if this solves the issue for you!

jphein commented 4 years ago

@ale-rinaldi Thanks for your reply! I can actually get the engarde client and server to connect using wg-quick now. wg-quick uses fwmark to exclude the traffic to the endpoint. I think.

From https://www.wireguard.com/netns/#routing-all-your-traffic

Improved Rule-based Routing
The prior solution relies on us knowing the explicit endpoint IP that should be exempt from the tunnel, but WireGuard endpoints can roam, which means this rule may go stale. Fortunately, we are able to set an fwmark on all packets going out of WireGuard's UDP socket, which will then be exempt from the tunnel:

# wg set wg0 fwmark 1234
# ip route add default dev wg0 table 2468
# ip rule add not fwmark 1234 table 2468
# ip rule add table main suppress_prefixlength 0
We first set the fwmark on the interface and set a default route on an alternative routing table. Then we indicate that packets that do not have the fwmark should go to this alternative routing table. And finally we add a convenience feature for still accessing the local network, whereby we allow packets without the fwmark to use the main routing table, not the WireGuard interface's routing table, if it matches any routes in it with a prefix length greater than zero, such as non-default local routes. This is the technique used by the wg-quick(8) tool.

However, once I restart wg-quick with the new local endpoint, I can ping the server VPN IP, but all my other traffic grinds to a halt. With just the wg-quick VPN connection, I can ping and SSH using the public IP address, but not when I enable engarde.

How would you suggest forwarding all my traffic using engarde?

jphein commented 4 years ago

I think I can use the Table = off to tell wg-quick that it should not mess with the routing tables from: https://www.reddit.com/r/WireGuard/comments/gmc6au/loadbalancing_across_two_wg_connections_to_single/ I'll do some testing with that, but then I'll have to choose one of the manual ways of routing the rest of the traffic from here: https://www.wireguard.com/netns/#routing-all-your-traffic

jphein commented 4 years ago

I added the static route using `ip route add publicip/32 via localgateway dev eth0` just to test it out anyway. I still seem to be having issues, although mostly with HTTPS.

Marctraider commented 4 years ago

Issues with HTTPS, maybe MTU issue.

My whole network goes over wireguard tunnel, and all clients all have 1440 MTU.

jphein commented 4 years ago

@Marctraider Thank you so much!!! I'll try that. Good to know you have successfully routed all your normal browser traffic over engarde. Do you use wg-quick?

Marctraider commented 4 years ago

> @Marctraider Thank you so much!!! I'll try that. Good to know you have successfully routed all your normal browser traffic over engarde. Do you use wg-quick?

Yes I do. My server and client both run a sh script at boot to initiate everything in proper order. I'd rather not fiddle around with services etc too much :-)

Server running 19:35:48 up 53 days, 50 min, 1 user, load average: 0.00, 0.00, 0.00

It's actually been running much longer than that, but I do have to reboot once in a while to update etc. I don't think I had any more internet downtime since 👍
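Pulling the thread's fixes together: ale-rinaldi's point that the `0.0.0.0/0` default route swallows the engarde client's own UDP traffic, the host route jphein added to exempt the server's public IP, and Marctraider's MTU observation. The client-side wg-quick configuration below is an added example, not a file from the engarde project or from anyone in this thread. It keeps wg-quick's default policy routing (fwmark plus the `suppress_prefixlength 0` rule quoted above) rather than using `Table = off`, and installs the host route from a `PostUp` hook so it comes and goes with the interface. Port numbers and addresses are the ones posted in the thread; `<public-ip>`, `<uplink-gateway>`, `eth0` and the key placeholders are assumptions to fill in.

```ini
# Added example: client /etc/wireguard/wg0.conf for WireGuard behind an
# engarde client that listens on 127.0.0.1:59401 and forwards to the engarde
# server at <public-ip>:59402. Placeholders: <public-ip>, <uplink-gateway>,
# eth0 (the physical uplink), and the two keys.
[Interface]
Address = 10.5.5.5
PrivateKey = <client-private-key>

# wg-quick derives the MTU from the route to the endpoint when none is set,
# and the endpoint here is on loopback, so set it explicitly. 1420 leaves
# room for WireGuard's overhead on a 1500-byte uplink; 1440 is the value
# reported working earlier in this thread.
MTU = 1420

# AllowedIPs = 0.0.0.0/0 makes wg-quick put a default route in its own table
# and send every packet without WireGuard's fwmark through wg0. The engarde
# client's UDP to <public-ip> carries no such mark, so it would loop into the
# tunnel. A /32 in the main table is exempt because wg-quick also installs
# "ip rule add table main suppress_prefixlength 0": any main-table route
# more specific than the default wins over the VPN table.
PostUp = ip route add <public-ip>/32 via <uplink-gateway> dev eth0
PostDown = ip route del <public-ip>/32 via <uplink-gateway> dev eth0

[Peer]
PublicKey = <server-public-key>
# The endpoint is the local engarde client (its listenAddr), not the server.
Endpoint = 127.0.0.1:59401
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

After `wg-quick up wg0`, `ip route get <public-ip>` should report the uplink gateway and `eth0`, not `wg0`; if it shows `wg0`, the hook did not run or the route was added to the wrong table. This covers a single uplink. engarde's purpose is to use several uplinks at once, and the thread does not say how its per-interface sockets are routed, so with more than one uplink it is an assumption that each one needs its own exemption (a host route or a source-based `ip rule`) in the same way; check each with `ip route get <public-ip> from <uplink-address>`.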