Split Tunneling Wireguard

Draft

Author: Faradj Saadana

Split Tunneling

WireGuard is a kernel module.

Each interface has its own config. All endpoints are treated as peers.

Procedure

NETNS_NAME="vpn"
DEV_NAME="wg0"

# Create a WireGuard network interface in the default namespace.
sudo ip link add $DEV_NAME type wireguard

# Load the WireGuard configuration. wg setconf only accepts wg(8) keys
# (PrivateKey, ListenPort, [Peer] ...); wg-quick extensions such as
# Address= or DNS= must not be in this file, they are applied by hand below.
sudo wg setconf $DEV_NAME /etc/wireguard/$DEV_NAME.conf

# Create a new network namespace.
sudo ip netns add $NETNS_NAME

# Move the WireGuard interface into the network namespace.
sudo ip link set $DEV_NAME netns $NETNS_NAME

# Set the IP address of the WireGuard interface.
sudo ip -n $NETNS_NAME addr add 172.16.0.2/32 dev $DEV_NAME

# Bring up the WireGuard interface.
sudo ip -n $NETNS_NAME link set $DEV_NAME up

# Make the WireGuard interface the default route inside the namespace.
sudo ip -n $NETNS_NAME route add default dev $DEV_NAME

# Add nameservers for the namespace (wg-quick normally does this from the
# DNS= line; with wg setconf it has to be done by hand). Processes started
# with `ip netns exec $NETNS_NAME` read /etc/netns/$NETNS_NAME/resolv.conf.
# A plain `>` redirect would run as the unprivileged user, hence tee.
sudo mkdir -p /etc/netns/$NETNS_NAME
echo "nameserver 172.111.156.3" | sudo tee /etc/netns/$NETNS_NAME/resolv.conf >/dev/null
echo "nameserver 172.111.156.5" | sudo tee -a /etc/netns/$NETNS_NAME/resolv.conf >/dev/null
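The procedure above feeds /etc/wireguard/wg0.conf to `wg setconf`, which accepts only the wg(8) keys; a wg-quick style file with Address= or DNS= lines fails at that step, which is also why the address and nameservers are set by hand afterwards. As an added example (not the author's code), a small Python helper that splits such a file into the setconf-safe part and the values to apply inside the namespace; the sample config, its hostname and its placeholder keys are constructed.

```python
from typing import List, Tuple

# Keys understood only by wg-quick(8); wg(8) `setconf` rejects them.
WG_QUICK_ONLY = {"address", "dns", "mtu", "table", "preup", "postup",
                 "predown", "postdown", "saveconfig"}

# Constructed sample config; the keys are placeholders, not real key material.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <PRIVATE_KEY_PLACEHOLDER>
Address = 172.16.0.2/32
DNS = 172.111.156.3, 172.111.156.5
PostUp = echo tunnel-up   # wg-quick hook, not understood by wg setconf

[Peer]
PublicKey = <PEER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
"""

def split_wg_quick_conf(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (setconf_text, addresses, dns_servers) for a wg-quick style file."""
    setconf_lines, addresses, dns = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in WG_QUICK_ONLY:  # section headers and wg(8) keys fall through
            values = [v.strip() for v in value.split(",") if v.strip()]
            if key == "address":
                addresses.extend(values)
            elif key == "dns":
                dns.extend(values)  # non-IP entries (search domains) land here too
            continue  # keep wg-quick-only keys out of the setconf file
        setconf_lines.append(line)
    return "\n".join(setconf_lines) + "\n", addresses, dns

def netns_commands(netns: str, dev: str, addresses: List[str],
                   dns: List[str]) -> List[str]:
    """Commands that apply the split-out values inside the namespace."""
    cmds = [f"ip -n {netns} addr add {a} dev {dev}" for a in addresses]
    cmds.append(f"mkdir -p /etc/netns/{netns}")
    for i, server in enumerate(dns):
        op = ">" if i == 0 else ">>"  # first server overwrites, the rest append
        cmds.append(f'echo "nameserver {server}" {op} /etc/netns/{netns}/resolv.conf')
    return cmds
```

Write the returned setconf text to a separate file and pass that to `wg setconf`; the emitted commands mirror the address and resolv.conf steps of the procedure above.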

Routing: WireGuard's own routing works only by filtering on IP addresses (the AllowedIPs of each peer).

Sources

WireGuard config

GitHub - pirate/wireguard-docs: 📖 Unofficial WireGuard Documentation: Setup, Usage, Configuration, and full example setups for VPNs supporting both servers & roaming clients.

Sections

[Interface] describes the parameters of the local interface

[Peer] describes the parameters of the remote interfaces

Settings

[Peer] Endpoint: IP address of the remote interface

[Peer] AllowedIPs: the packets allowed to transit the tunnel are those from and to these IPs

[Interface] Address: addresses of the local interface (virtual network)


https://www.reddit.com/r/selfhosted/comments/b5pymz/split_tunnel_in_wireguard/

https://stackoverflow.com/questions/65444747/what-is-the-difference-between-endpoint-and-allowedips-fields-in-wireguard-confi

https://mullvad.net/fr/help/wireguard-and-mullvad-vpn/

https://medspx.fr/blog/Sysadmin/backup_with_wireguard/

Firewall config

  1. Mark packets by VPN user with iptables; the routing table then redirects them to the WireGuard interface

    https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/

    https://www.htpcguides.com/configure-transmission-for-vpn-split-tunneling-ubuntu-16-04-debian-8/

  2. Network namespace

    https://www.reddit.com/r/selfhosted/comments/b5pymz/comment/ejf31vr/?utm_source=share&utm_medium=web2x&context=3

    https://www.wireguard.com/netns/

  3. Bind Transmission to the virtual interface

    https://mondedie.fr/d/5933-tuto-faire-passer-le-traffic-bittorrent-dans-un-tunnnel-vpn

    https://www.ccaillat.fr/2013/09/transmission-et-vpn/?doing_wp_cron=1577277998.9418969154357910156250