Closed jphein closed 2 years ago
Changes made to the server firewall:

```text
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
59402                      ALLOW       Anywhere
59301                      ALLOW       Anywhere
9001                       ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
59402 (v6)                 ALLOW       Anywhere (v6)
59301 (v6)                 ALLOW       Anywhere (v6)
9001 (v6)                  ALLOW       Anywhere (v6)
```
In /etc/default/ufw change the DEFAULT_FORWARD_POLICY to "ACCEPT":

```text
DEFAULT_FORWARD_POLICY="ACCEPT"
```

Then edit /etc/ufw/sysctl.conf and uncomment:

```text
net/ipv4/ip_forward=1
```
Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

```text
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
```
Engarde client:

```yaml
client:
  listenAddr: "127.0.0.1:59401"
  dstAddr: "<public-ip>:59402"
```

wg client:

```ini
[Peer]
PublicKey =
#Endpoint = <public-ip>:59301
Endpoint = 127.0.0.1:59402
```
wg client Endpoint port should be 59401 no?
@talalmash Thank you! You're right! erp. I made the change, but still not working for me. I'm going to investigate a bit more.
Hello,
I think the issue is that you're setting `AllowedIPs = 0.0.0.0/0` on the client.
Doing this, wg-quick will set a default route through the VPN and engarde won't be able to reach the endpoint. This doesn't happen configuring Wireguard manually since it doesn't touch the routing table.
You'll probably want to set a specific route to the public IP of the server via the non-VPN interface after you run wg-quick.
Please let me know if this solves the issue for you!
@ale-rinaldi Thanks for your reply! I can actually get the engarde client and server to connect using wg-quick now. wg-quick uses fwmark to exclude the traffic to the endpoint. I think.
From https://www.wireguard.com/netns/#routing-all-your-traffic:

> Improved Rule-based Routing
>
> The prior solution relies on us knowing the explicit endpoint IP that should be exempt from the tunnel, but WireGuard endpoints can roam, which means this rule may go stale. Fortunately, we are able to set an fwmark on all packets going out of WireGuard's UDP socket, which will then be exempt from the tunnel:
>
> ```text
> # wg set wg0 fwmark 1234
> # ip route add default dev wg0 table 2468
> # ip rule add not fwmark 1234 table 2468
> # ip rule add table main suppress_prefixlength 0
> ```
>
> We first set the fwmark on the interface and set a default route on an alternative routing table. Then we indicate that packets that do not have the fwmark should go to this alternative routing table. And finally we add a convenience feature for still accessing the local network, whereby we allow packets without the fwmark to use the main routing table, not the WireGuard interface's routing table, if it matches any routes in it with a prefix length greater than zero, such as non-default local routes. This is the technique used by the wg-quick(8) tool.
However, once I restart wg-quick with the new local endpoint, I can ping the server VPN IP, but all my other traffic grinds to a halt. With just the wg-quick VPN connection, I can ping and SSH using the public IP address, but not when I enable engarde.
How would you suggest forwarding all my traffic using engarde?
I think I can use `Table = off` to tell wg-quick that it should not mess with the routing tables,
from: https://www.reddit.com/r/WireGuard/comments/gmc6au/loadbalancing_across_two_wg_connections_to_single/
I'll do some testing with that, but then I'll have to choose one of the manual ways of routing the rest of the traffic from here: https://www.wireguard.com/netns/#routing-all-your-traffic
I added the static route using `ip route add publicip/32 via localgateway dev eth0`, just to test it out anyway. I still seem to be having issues, although mostly with HTTPS.
Issues with HTTPS, maybe MTU issue.
My whole network goes over wireguard tunnel, and all clients all have 1440 MTU.
@Marctraider Thank you so much!!! I'll try that. Good to know you have successfully routed all your normal browser traffic over engarde. Do you use wg-quick?
Yes I do. My server and client both run a sh script at boot to initiate everything in proper order. I'd rather not fiddle around with services etc too much :-)
Server running 19:35:48 up 53 days, 50 min, 1 user, load average: 0.00, 0.00, 0.00
Its actually been running much longer than that, but I do have to reboot once in a while to update etc. I don't think I had any more internet downtime since 👍
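The three things this thread turned up (the wg `Endpoint` port not matching engarde's `listenAddr`, `AllowedIPs = 0.0.0.0/0` without `Table = off` so wg-quick's default route swallows engarde's own UDP, and a missing or too-large MTU) can be caught before running wg-quick. The following checker is an added example, not part of engarde or of anyone's posted files; the sample configs are constructed, with a placeholder server address and keys, and the YAML parsing is a minimal line scan rather than a real YAML library.

```python
"""Pre-flight consistency checks for an engarde client + wg-quick client config."""
import configparser
import ipaddress

# Constructed engarde client config, same shape as the snippet in the issue.
ENGARDE_CLIENT_YAML = """\
client:
  listenAddr: "127.0.0.1:59401"
  dstAddr: "203.0.113.10:59402"
"""

# Constructed wg-quick config that reproduces the mistakes discussed in the thread.
WG0_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.5.5.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = 127.0.0.1:59402
AllowedIPs = 0.0.0.0/0
"""

def engarde_listen_port(yaml_text):
    """Return the port from client.listenAddr (minimal scan, no PyYAML)."""
    for line in yaml_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "listenAddr":
            return int(value.strip().strip('"').rsplit(":", 1)[1])
    raise ValueError("listenAddr not found")

def check_configs(yaml_text, wg_text, mtu_limit=1440):
    """Return a list of findings; an empty list means the configs are consistent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep WireGuard's CamelCase keys as written
    cp.read_string(wg_text)
    findings = []
    ep_host, ep_port = cp["Peer"]["Endpoint"].rsplit(":", 1)
    if ep_host != "127.0.0.1":
        findings.append("Endpoint must point at engarde's local listenAddr, not the server")
    elif int(ep_port) != engarde_listen_port(yaml_text):
        findings.append(f"Endpoint port {ep_port} != engarde listenAddr port")
    allowed = [ipaddress.ip_network(n.strip()) for n in cp["Peer"]["AllowedIPs"].split(",")]
    table = cp["Interface"].get("Table", "auto")
    if any(n.prefixlen == 0 for n in allowed) and table != "off":
        findings.append("AllowedIPs catches all traffic but Table != off: wg-quick's "
                        "default route will also capture engarde's UDP to the server")
    mtu = cp["Interface"].getint("MTU", fallback=None)
    if mtu is None or mtu > mtu_limit:
        findings.append(f"set MTU <= {mtu_limit} on the interface (HTTPS stalls suggest MTU)")
    return findings
```

With `Table = off` you still have to add the route to the server's public IP via the physical gateway yourself, as discussed above; the checker only confirms the config files are consistent.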
Hello! Thank you very much, I love the software. It works really well when I set up wireguard manually using the wg command. However, I can't get it to work with wg-quick. I'm using wg-quick to set up the WireGuard VPN, and forward all my traffic over the VPN. It works perfectly for that after setting up ufw masquerading on the server. Has anyone been able to use engarde with wg-quick, and all traffic forwarding with masquerading?
Here is my setup:
wg-quick conf files

Ubuntu 20.04 server: `cat /etc/wireguard/wg0.conf`

Ubuntu 20.04 client: `cat /etc/wireguard/wg0.conf`
engarde configs