When connecting to a WireGuard server on your Linux machine, a new network interface is brought up, and all traffic is forwarded through it.
Usually, to connect two interfaces together, you would just set up a bridge and attach the two interfaces to it.
However, bridges work on OSI Layer 2 (forwarding frames addressed to destination MAC addresses), while WireGuard is a Layer 3 protocol (forwarding IP packets with destination IP addresses) (more info).
So you cannot attach an interface that operates on L3 to a bridge. That leaves you with several options:
- Use a Layer-2 VPN tunnel (like L2TP+IPSec), with the configuration hassle that incurs.
- Set up the Raspberry Pi as a Socks proxy that tunnels traffic to Wireguard and bridge the full internet connection to the connected device. This would mean traffic would not go through the VPN by default, which most likely isn't what you want.
- Set up the Raspberry Pi as a gateway router and forward IP packets to the VPN:
To achieve this, you'd need the following:
- Enable packet forwarding on the client Pi (set `net.ipv4.ip_forward=1` in `/etc/sysctl.conf` and apply it with `sysctl -p`).
- Set up NAT on your client Pi between both interfaces. This would forward packets from your WG subnet (i.e. `10.0.0.0/24`) to the new subnet your Raspberry Pi will take care of and you set up in the DHCP server (i.e. `10.10.0.0/24`).
There are multiple ways to configure this, but in 2022 using Ubuntu, you should give Netplan a try, which allows you to configure all these networks with a YAML file intuitively. There is an example on Netplan's website achieving exactly this.
- Set up the Raspberry Pi as a DHCP server (so the IP configuration is automatic and devices with no manual config also have their traffic forwarded): set `option routers yourRaspberryPisWireguardIP;` in `/etc/dhcp/dhcpd.conf` and choose a new subnet to assign IP addresses to the clients (guide). You should prepare to make `isc-dhcp-server` play nice with Netplan. This askubuntu answer does just that.
- Remember that using Netplan will probably override your wg-quick network setup, but that's no problem. Just add your WG client configuration to that same Netplan file in the `tunnels:` section.
- You might want to set up a DNS server on the Raspberry Pi that points to your WG server DNS to avoid leaks.
As you might have guessed, with this last approach all clients connected to your Raspberry would seem to come from the same client IP (your Raspberry's) due to NAT. You might be able to change this (WireGuard's server config `AllowedIPs` can be set to a range), but I'm not sure how exactly to achieve that.
TLDR: Configure the wg client tunnel using Netplan. Set up NAT using Netplan between the WG Client interface and the secondary ethernet iface you plan to have your clients on. Set up a DHCP server on your pi on a separate subnet for your clients. Essentially, build your own router.