This question is about configuring a WireGuard relay that routes all its peer's traffic to another WireGuard server, but the relay itself does not use that WireGuard server as the default gateway.
I am doing some self-hosting stuff. Currently my network contains three nodes, a gateway, an ownCloud server and my mobile phone.
These nodes are connected in a mesh. The gateway is hosted on a VPS, and the mobile will use it to access the Internet.
Everything is working. But the problem comes when I add a Windows node to this network, because the kill-switch function of the WireGuard Windows client requires the configuration to have exactly one peer, with its AllowedIPs set to 0.0.0.0/0.
For security reasons, I don't want the VPS to sit between the Windows node and the ownCloud server, so the route should be:
Windows node -> ownCloud server -> Gateway -> Internet
Moreover, the ownCloud server will run an hourly restic backup. I don't want this traffic routed through the gateway, because of speed.
I have been trying policy-based routing for a few hours, but still cannot make it work. Could anyone help? Thanks. Below are the running configurations.
Gateway
wg0
[Interface]
PrivateKey = (gateway's private key)
Address = 10.0.0.1/32
ListenPort = 51820
[Peer]
PublicKey = (ownCloud server's public key)
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = (mobile's public key)
AllowedIPs = 10.0.0.3/32
nftables
table inet filter {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Source-NAT tunnel traffic leaving towards the Internet
        ip saddr 10.0.0.0/24 oif eth0 masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only the tunnel subnet may originate forwarded traffic
        ip saddr 10.0.0.0/24 accept
    }
}
ownCloud server
[Interface]
PrivateKey = (ownCloud server's private key)
Address = 10.0.0.2/32
ListenPort = 51820
[Peer]
PublicKey = (gateway's public key)
Endpoint = $gateway_ip_address:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
[Peer]
PublicKey = (mobile's public key)
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 25
Mobile
[Interface]
PrivateKey = (mobile's private key)
Address = 10.0.0.3/32
ListenPort = 51820
DNS = 10.0.0.2
[Peer]
PublicKey = (gateway's public key)
Endpoint = $gateway_ip_address:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
[Peer]
PublicKey = (ownCloud server's public key)
Endpoint = (ownCloud server's domain name):51820
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
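The following is an added example of the policy routing the question is asking for; it is not part of the original post or of any answer to it. It assumes the Windows node gets the tunnel address 10.0.0.4/32, that the ownCloud server's WireGuard interface is wg0, and that routing table 100 is unused. The idea is the same one wg-quick uses for a 0.0.0.0/0 peer (a "default dev wg0" route in a dedicated table), except that the rule selecting that table matches only packets sourced from the Windows node, so the ownCloud server's own traffic, the restic backup included, keeps using the main table's normal default route. It also assumes the surrounding WireGuard changes: on the ownCloud server the gateway peer gets AllowedIPs = 0.0.0.0/0 and the [Interface] section gets Table = off (so wg-quick installs no routes of its own), a third peer for the Windows node with AllowedIPs = 10.0.0.4/32 is added, and on the gateway the ownCloud peer's AllowedIPs becomes 10.0.0.2/32, 10.0.0.4/32, since WireGuard's cryptokey routing drops any source address not listed for the peer it arrives from. The Windows node itself then has a single peer (the ownCloud server) with AllowedIPs = 0.0.0.0/0, which is what its kill switch requires.

```shell
#!/bin/sh
# Added example (not from the original question): source-based policy routing
# on the ownCloud server so that only the Windows node's traffic is relayed to
# the gateway. Meant to be called from PostUp/PostDown in the server's wg-quick
# config, which must also contain "Table = off".
# Assumed values (placeholders, not from the post): wg0, 10.0.0.4/32, table 100.
set -eu

WG_IF=${WG_IF:-wg0}            # WireGuard interface on the ownCloud server
WG_NET=${WG_NET:-10.0.0.0/24}  # tunnel subnet shared by all nodes
CLIENT=${CLIENT:-10.0.0.4/32}  # Windows node's tunnel address (assumed)
TABLE=${TABLE:-100}            # dedicated routing table for relayed traffic
PRIO=${PRIO:-100}              # rule priority, ahead of the main-table rule
RUN=${RUN:-}                   # set RUN=echo to print commands instead of running them

relay_up() {
  # The server must forward packets between its two WireGuard peers.
  $RUN sysctl -q -w net.ipv4.ip_forward=1
  # "Table = off" suppressed every route, so restore the tunnel subnet route in
  # the main table; the server's own default route (used by restic) is untouched.
  $RUN ip route add "$WG_NET" dev "$WG_IF"
  # A table whose only route sends everything into the tunnel, i.e. to the
  # gateway peer, which is the one with AllowedIPs = 0.0.0.0/0.
  $RUN ip route add default dev "$WG_IF" table "$TABLE"
  # Only packets sourced from the Windows node consult that table.
  $RUN ip rule add from "$CLIENT" lookup "$TABLE" priority "$PRIO"
}

relay_down() {
  # Undo in reverse order so no packet ever hits a half-removed setup.
  $RUN ip rule del from "$CLIENT" lookup "$TABLE" priority "$PRIO"
  $RUN ip route flush table "$TABLE"
  $RUN ip route del "$WG_NET" dev "$WG_IF"
}

# Quick self-check for a running system: the rule exists and the relay table
# contains the tunnel default route. Returns non-zero if either is missing.
relay_check() {
  ip rule show | grep -q "from ${CLIENT%/32} lookup $TABLE" &&
    ip route show table "$TABLE" | grep -q "^default dev $WG_IF"
}

case "${1:-}" in
  up)    relay_up ;;
  down)  relay_down ;;
  check) relay_check ;;
esac
```

Usage in the ownCloud server's wg-quick config would be PostUp = /usr/local/sbin/wg-relay.sh up and PostDown = /usr/local/sbin/wg-relay.sh down (path assumed); RUN=echo ./wg-relay.sh up prints the commands for review without touching the system. Reply traffic from the Internet arrives on wg0 from the gateway and is forwarded back out of wg0 to the Windows peer, so if the ownCloud server runs a filtering forward chain it must accept that flow; no masquerading is needed on the server because the gateway already masquerades the whole 10.0.0.0/24 and its forward chain accepts any source in that subnet.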