#372429 - 15/11/2019 16:20
Anybody using WireGuard? (IPTables)
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
I've been using Mullvad as a VPN provider for a while now. They not only offer the usual OpenVPN protocol, but also the cutting edge WireGuard protocol. I've been using it for a while now on both my desktop and mobile phone and it works great. Fast, secure, stable. As a bonus it's also very energy efficient and doesn't consume my phone's battery in no time like OpenVPN tends to do. In fact, I notice almost no difference in battery life with the VPN tunnel enabled or disabled, so I tend to keep it enabled all the time. There's just one snag: the WireGuard client's standard setup is that it will forward ALL network traffic through the VPN tunnel, so also my local LAN traffic. This means that e.g. I cannot print a document on my network printer or access my router's setup without disabling the VPN tunnel first. Annoying. I know there must be a way to have WireGuard send all the network traffic through the VPN tunnel, with the exception of everything in my local LAN range (which is 192.168.1.x/24). I know it can be done by using IPtables, but I simply know nothing about this and it also seems too big a thing to master just to be able to fix this one issue. I can follow a how-to like the best of them, but I cannot do this myself. I've tried by using this how-to, but it's too extended for what I want to do. Could somebody help me with this please?
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#372430 - 15/11/2019 17:58
Re: Anybody using WireGuard? (IPTables)
[Re: BartDG]
new poster
Registered: 18/07/2001
Posts: 41
Loc: Koblenz, Germany
Hi, some wireguard clients (iOS, Android) offer an option called "Exclude private IPs". It puts all IPv4 networks except the private ranges and the DNS servers in the "Allowed IPs" config option. You can do this by hand. Just specify this as AllowedIPs:

::/0, 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3,
64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11,
172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4,
192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15,
192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7,
196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4

Alex
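The list above is not arbitrary: it is the minimal set of CIDR blocks you get when you subtract the three RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the multicast/reserved block 224.0.0.0/3 from 0.0.0.0/0. The Python below is an added example, not code from the thread or from any WireGuard client; it regenerates the list with the standard library's ipaddress module, compares it with the posted one, and (going one step beyond the post) shows that excluding only a single LAN such as 192.168.1.0/24 produces a much shorter list. The excluded ranges and the copy of the posted list are constructed inputs for the check.

```python
import ipaddress

# Constructed for this example: the ranges that the posted list leaves out.
# Besides the three RFC 1918 blocks it also omits 224.0.0.0/3 (multicast plus
# the reserved 240.0.0.0/4 space), which is why the list stops at 208.0.0.0/4.
EXCLUDED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]

# The IPv4 part of the AllowedIPs list posted above, copied here so the
# generated list can be checked against it (the ::/0 entry is left out).
POSTED_IPV4 = (
    "0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, "
    "64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, "
    "172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, "
    "192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, "
    "192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, "
    "196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4"
)


def parse_allowed_ips(text):
    """Turn a comma-separated AllowedIPs value into network objects."""
    return [ipaddress.ip_network(item.strip()) for item in text.split(",") if item.strip()]


def allowed_ips_excluding(excluded, universe="0.0.0.0/0"):
    """Subtract each excluded prefix from the universe and return the minimal
    list of CIDR blocks that covers what is left, sorted by address."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                                # wholly excluded: drop it
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))    # split around the hole
            else:
                kept.append(net)                        # disjoint: keep unchanged
        remaining = kept
    # collapse_addresses merges sibling blocks, giving the shortest equivalent list
    return sorted(ipaddress.collapse_addresses(remaining))


def format_allowed_ips(nets):
    """Render the list the way it is written in a [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def goes_through_tunnel(nets, ip):
    """True if ip falls inside some AllowedIPs entry (and so is sent to the peer)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    generated = allowed_ips_excluding(EXCLUDED)
    print(format_allowed_ips(generated))
    print("matches the posted list:", generated == parse_allowed_ips(POSTED_IPV4))
    # Excluding only the poster's own LAN gives a shorter, more targeted list.
    print(format_allowed_ips(allowed_ips_excluding(["192.168.1.0/24"])))
```

Because a CIDR cover of a set of addresses has exactly one minimal form, the generated list matches the posted one entry for entry; the same function lets you verify any list a client or a forum hands you before putting it in a config.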
#372431 - 15/11/2019 18:33
Re: Anybody using WireGuard? (IPTables)
[Re: ghostwheel]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Thanks for your reply! I've had somebody on another forum recommend me to do this:

> You can add AllowedIPs under [Peer], which is the list of IPs that should be tunneled through the Wireguard tunnel, in your wireguard configuration file.
> 0.0.0.0/0 is the whole internet.
> If you change it to this:
>
> AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4,
> 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6,
> 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8,
> 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13,
> 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12,
> 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5,
> 208.0.0.0/4, 8.8.8.8/32, 10.64.0.0/10
>
> It should exclude all private IPs (for example LANs)
> Then add the following under [Interface]: (if you don't have Postup or Predown set, otherwise put "&& iptables -I INPUT....." at the back of your existing line)
>
> Postup = iptables -I INPUT -i YOURLANINTERFACE -d 192.168.1.0/24 -j ACCEPT && iptables -I OUTPUT -o YOURLANINTERFACE -d 192.168.1.0/24 -j ACCEPT
> Predown = iptables -D INPUT -i YOURLANINTERFACE -d 192.168.1.0/24 -j ACCEPT && iptables -D OUTPUT -o YOURLANINTERFACE -d 192.168.1.0/24 -j ACCEPT

I can see the ranges provided are about the same as you mention. But I do wonder why I have to exclude so many ranges when all I need is 192.168.1.x? Now, adding those lines I can do, but I have to admit it's the second part that's got me stumped. I'm using Windows. I cannot change YOURLANINTERFACE to eth0 because that wouldn't work. Do I need to make it the IP address of my desktop pc? And then what about my mobile phone? I also totally don't understand what the third paragraph (the one about PostUp and Predown) means...
#372432 - 15/11/2019 18:53
Re: Anybody using WireGuard? (IPTables)
[Re: BartDG]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
It's a shame it's that complicated. I've seen other VPN software where the setting to allow local LAN addresses is a single tickybox. (Though some corporate VPNs disallow their users from ticking the tickybox, for security reasons.)
#372433 - 15/11/2019 19:07
Re: Anybody using WireGuard? (IPTables)
[Re: BartDG]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
> Thanks for your reply! I've had somebody on another forum recommend me to do this: [...]

When did part of the 10/8 range become public?
Edited by mlord (15/11/2019 23:18)
#372434 - 15/11/2019 21:55
Re: Anybody using WireGuard? (IPTables)
[Re: tfabris]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
I'm using the official WireGuard client, which does not have such a tickbox unfortunately. I only know of one other client app for Windows: Tunsafe. Unfortunately, Tunsafe does not seem to work anymore. This was the main reason I started using the official WireGuard app. When I started using WireGuard, there was no official client yet, and Tunsafe was about the only way to make it work with Windows. Tunsafe was smart enough to exclude my LAN by itself though...
#372435 - 15/11/2019 22:02
Re: Anybody using WireGuard? (IPTables)
[Re: mlord]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
No idea since when, Mark, but I've always known the range from 10.0.0.0 to 10.255.255.255 to be public?
#372436 - 15/11/2019 23:18
Re: Anybody using WireGuard? (IPTables)
[Re: BartDG]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
https://en.wikipedia.org/wiki/Private_network

10/8 has always been reserved as a private block. I wonder if that's just a typo above, because 100.64/16 is somewhat "special" (carrier grade NAT).
#372437 - 17/11/2019 21:29
Re: Anybody using WireGuard? (IPTables)
[Re: BartDG]
new poster
Registered: 18/07/2001
Posts: 41
Loc: Koblenz, Germany
> Thanks for your reply! I've had somebody on another forum recommend me to do this: [...] I can see the ranges provided are about the same as you mention. But I do wonder why I have to exclude so many ranges when all I need is 192.168.1.x?

This is because a wireguard client needs to know what is "behind" the tunnel: for a common road warrior setup this is your home or company network (i.e. 192.168.1.0/24). If you are using wireguard to improve your privacy at an open wlan for example, you need to specify the whole (IPv4) internet _except_ the private network ranges you are logged into. The long list of networks is exactly this: everything (v4) except the private ranges.

> Now, adding those lines I can do, but I have to admit it's the second part that's got me stumped. I'm using Windows. I cannot change YOURLANINTERFACE to eth0 because that wouldn't work. Do I need to make it the IP address of my desktop pc? And then what about my mobile phone? I also totally don't understand what the third paragraph (the one about PostUp and Predown) means...

You shouldn't need to specify anything else. No iptables rules are necessary. If you are using Google's DNS you can add the 8.8.8.8/32 to the AllowedIPs. Don't add the 10.64.0.0/10 - the guy from the other forum just forgot to remove this when copying his config for you. I have to mention that I'm only using wireguard on linux, android and ios - not windows. So there is the possibility the windows client has some differences. You could run "netstat -rn" before and after establishing the tunnel to inspect the routing table.

Alex
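Why no iptables rules are needed, and why the stray 10.64.0.0/10 entry matters, both come down to routing: the client installs one route per AllowedIPs entry on the tunnel interface, and the kernel then picks the most specific route for each packet, so the LAN's own /24 (and anything not listed at all) never reaches the tunnel. The Python below is an added example, not code from the thread or from the WireGuard project; it models that routing table and a longest-prefix lookup for the list BartDG was given, and flags every entry that overlaps RFC 1918 space. The interface names "lan" and "wg0", the LAN 192.168.1.0/24 and the test addresses are constructed for the example. It only models a split list like the one above: clients treat a 0.0.0.0/0 entry specially (wg-quick with policy-routing rules, the Windows client with firewall rules), which is exactly why the original config blocked LAN access.

```python
import ipaddress

# Constructed example input: the AllowedIPs list BartDG was given on the other
# forum, including the two trailing entries (8.8.8.8/32 and 10.64.0.0/10).
OTHER_FORUM_ALLOWED_IPS = [
    "0.0.0.0/5", "8.0.0.0/7", "11.0.0.0/8", "12.0.0.0/6", "16.0.0.0/4",
    "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/3", "160.0.0.0/5", "168.0.0.0/6",
    "172.0.0.0/12", "172.32.0.0/11", "172.64.0.0/10", "172.128.0.0/9", "173.0.0.0/8",
    "174.0.0.0/7", "176.0.0.0/4", "192.0.0.0/9", "192.128.0.0/11", "192.160.0.0/13",
    "192.169.0.0/16", "192.170.0.0/15", "192.172.0.0/14", "192.176.0.0/12",
    "192.192.0.0/10", "193.0.0.0/8", "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5",
    "208.0.0.0/4", "8.8.8.8/32", "10.64.0.0/10",
]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_routing_table(allowed_ips, lan_net="192.168.1.0/24", lan_if="lan", wg_if="wg0"):
    """Approximate what "netstat -rn" shows once the tunnel is up: the LAN's
    connected route and the default route stay on the physical interface
    (hypothetical name "lan"), and the client adds one route per AllowedIPs
    entry on the tunnel interface (hypothetical name "wg0")."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), lan_if),
             (ipaddress.ip_network(lan_net), lan_if)]
    table += [(ipaddress.ip_network(n), wg_if) for n in allowed_ips]
    return table


def route_lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for net, iface in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def entries_overlapping(allowed_ips, private_ranges):
    """AllowedIPs entries that would pull private-range traffic into the tunnel."""
    privs = [ipaddress.ip_network(p) for p in private_ranges]
    return [a for a in allowed_ips
            if any(ipaddress.ip_network(a).overlaps(p) for p in privs)]


if __name__ == "__main__":
    table = build_routing_table(OTHER_FORUM_ALLOWED_IPS)
    for dst in ["192.168.1.120", "8.8.8.8", "10.64.5.5", "192.168.2.7"]:
        print(f"{dst:>15} -> {route_lookup(table, dst)}")
    print("entries overlapping RFC 1918 space:",
          entries_overlapping(OTHER_FORUM_ALLOWED_IPS, RFC1918))
```

With the list as given, 192.168.1.120 (the LAN server mentioned later in the thread) resolves to the LAN interface because the /24 connected route is more specific than any tunnel route, 8.8.8.8 goes to the tunnel, and the overlap check reports 10.64.0.0/10 as the only entry that drags a slice of the private 10/8 block into the tunnel; drop it and a 10.64.x.x destination falls back to the default route on the physical interface instead.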
#372438 - 18/11/2019 22:03
Re: Anybody using WireGuard? (IPTables)
[Re: ghostwheel]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Thanks for the extensive explanation Alex! This makes it a lot more clear to me. I'm not home at the moment, but I'll try to makes these changes tomorrow and see what gives. I'll report back here.
Thx!!
#372442 - 21/11/2019 19:59
Re: Anybody using WireGuard? (IPTables)
[Re: BartDG]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Update: tried the IP list, but it doesn't work for me. E.g. I've got an UnRaid server running on 192.168.1.120, but when the WireGuard tunnel is up I still can't access it, also not with this list of IPs in the AllowedIPs section. When I shut down the VPN tunnel it immediately works.

Edit: I tried this again, and now it DID work! Go figure! But I don't care, I'm happy! Thanks for all the help!
Edited by BartDG (22/11/2019 15:52)