
Split Tunneling Wireguard

Draft
Faradj Saadana

Split Tunneling

WireGuard is a kernel module.

Each interface has its own config. All endpoints are treated as peers.

Procedure


# Create a WireGuard network interface in the default namespace.
sudo ip link add $DEV_NAME type wireguard

# Load the WireGuard configuration (wg(8) format: keys and [Peer] entries only;
# Address and DNS lines are wg-quick keys and are not accepted by wg setconf,
# which is why the address and the resolvers are set by hand below).
sudo wg setconf $DEV_NAME /etc/wireguard/$DEV_NAME.conf

# Create a new network namespace.
sudo ip netns add $NETNS_NAME

# Move the WireGuard interface into the network namespace.
sudo ip link set $DEV_NAME netns $NETNS_NAME

# Set the IP address of the WireGuard interface
# ($WG_ADDR is the [Interface] Address, with its prefix length).
sudo ip -n $NETNS_NAME addr add $WG_ADDR dev $DEV_NAME

# Bring up the WireGuard interface.
sudo ip -n $NETNS_NAME link set $DEV_NAME up

# Make the WireGuard interface the default route inside the namespace.
sudo ip -n $NETNS_NAME route add default dev $DEV_NAME

# Add nameservers for the namespace (usually handled by WireGuard's wg-quick,
# not by wg setconf). $DNS1 and $DNS2 are the resolver addresses to use;
# the directory name must match the namespace name.
sudo mkdir -p /etc/netns/$NETNS_NAME
echo "nameserver $DNS1" | sudo tee /etc/netns/$NETNS_NAME/resolv.conf
echo "nameserver $DNS2" | sudo tee -a /etc/netns/$NETNS_NAME/resolv.conf

Routing: WireGuard's own routing works only by filtering on IP addresses.
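To confirm that a namespace built with the procedure above really sends everything through the tunnel, here is an added example (not from the original post or the WireGuard project): a POSIX shell script that checks the three invariants the setup depends on, namely a single default route via the WireGuard device, the device gone from the root namespace, and a peer whose AllowedIPs cover 0.0.0.0/0 (since WireGuard only routes by IP filtering, a narrower AllowedIPs makes the namespace drop everything else). It assumes the same $NETNS_NAME and $DEV_NAME variables as above and needs root for the live check.

```shell
#!/bin/sh
# Added example, not part of the original post. It checks the invariants the
# procedure above relies on; $NETNS_NAME and $DEV_NAME are the same assumed
# variables as above. The check_* functions take command output as text so
# they can be exercised offline on constructed samples.

# Exactly one default route in the namespace, and it leaves via the WireGuard
# device: a second default (via eth0, say) would let traffic bypass the tunnel,
# none at all means nothing leaves.
check_default_route() {
    routes="$1"; dev="$2"
    n=$(printf '%s\n' "$routes" | grep -c '^default ' || true)
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$routes" | grep -qE "^default .*dev $dev( |$)"
}

# The WireGuard device must no longer appear in the root namespace's link
# list; if it does, "ip link set ... netns" did not move it.
check_dev_absent() {
    links="$1"; dev="$2"
    ! printf '%s\n' "$links" | grep -qE "^[0-9]+: $dev[:@]"
}

# With the namespace default route on the device, some peer's AllowedIPs must
# cover 0.0.0.0/0: WireGuard's cryptokey routing silently drops packets whose
# destination matches no peer's AllowedIPs (input: "wg show DEV allowed-ips").
check_allowed_ips_covers_all() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])0\.0\.0\.0/0([[:space:]]|$)'
}

# Live check against the running system (needs root, like the setup itself).
verify_split_tunnel() {
    ns="$1"; dev="$2"
    check_default_route "$(ip -n "$ns" route show)" "$dev" \
        || { echo "FAIL: default route in $ns is not (only) via $dev"; return 1; }
    check_dev_absent "$(ip link show)" "$dev" \
        || { echo "FAIL: $dev is still visible in the root namespace"; return 1; }
    check_allowed_ips_covers_all "$(ip netns exec "$ns" wg show "$dev" allowed-ips)" \
        || { echo "FAIL: no peer on $dev allows 0.0.0.0/0; unmatched traffic is dropped"; return 1; }
    echo "OK: all IPv4 traffic from namespace $ns goes through $dev"
}

# Usage: sudo sh split_check.sh "$NETNS_NAME" "$DEV_NAME"
if [ "$#" -eq 2 ]; then
    verify_split_tunnel "$1" "$2"
fi
```

The script only covers IPv4; repeat the route check with `ip -n "$ns" -6 route show` and `::/0` if the namespace also carries IPv6.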


WireGuard config

Reference: GitHub - pirate/wireguard-docs (https://github.com/pirate/wireguard-docs): Unofficial WireGuard Documentation: Setup, Usage, Configuration, and full example setups for VPNs supporting both servers & roaming clients.


[Interface] describes the parameters of the local interface.

[Peer] describes the parameters of the remote interfaces.


[Peer] Endpoint: IP of the remote interface.

[Peer] AllowedIPs: the packets allowed to transit through the tunnel, from and to these IPs.

[Interface] Address: addresses of the local interface (virtual network).

Firewall config

  1. Mark packets per VPN user with iptables; the routing table then redirects the marked packets to the WireGuard interface.

  2. Network namespace.

  3. Bind transmission to the virtual interface.