Route traffic of specific port through another interface

Issues related to configuring your network
Derpaphobia
Posts: 5
Joined: 2020/01/21 21:33:36

Route traffic of specific port through another interface

Post by Derpaphobia » 2020/02/08 12:32:53

Hi there! So basically... I've got a server with 3 interfaces on it:
A Wireguard client, that connects to my VPN provider (let's call it wg-client)
A Wireguard host, that I want to be able to connect to from anywhere on my devices (let's call it wg0)
The regular eth0 / enp1s0 interface

Currently, all traffic is being routed through the wg-client (as it should) but that also includes my own Wireguard host (wg0), making it impossible to connect to since all the outgoing packets are going to come from the wrong IP to my device.

What I would like to do is route the outgoing traffic of port 41967 on the wg0 interface through enp1s0 instead of wg-client.
I've tried doing some reading about routing, firewall-cmd, iptables and so on... but I just can't seem to get it.
I would like to learn all about this stuff, so any pointers to where I could do that would also be nice!
Thank you!

aks
Posts: 2992
Joined: 2014/09/20 11:22:14

Re: Route traffic of specific port through another interface

Post by aks » 2020/02/09 17:14:00

A port is not a network layer thing.

Do you mean any address on port 41967 should go via <interface>? So something like 0.0.0.0:41967 via <interface>?

Derpaphobia
Posts: 5
Joined: 2020/01/21 21:33:36

Re: Route traffic of specific port through another interface

Post by Derpaphobia » 2020/02/09 21:52:11

Oh... yeah, so I need the outgoing traffic from wg0 which is on port 41967 to bypass wg-client and connect to my device like wg-client was never there (like it was directly through enp1s0 instead)

jlehtone
Posts: 2771
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Route traffic of specific port through another interface

Post by jlehtone » 2020/02/10 09:11:55

Derpaphobia wrote (2020/02/08 12:32:53):
Currently, all traffic is being routed through the wg-client (as it should)
That is not quite true. The wg-client cannot talk with the VPN provider through the tunnel; it has to use the unencrypted connection.

Routing is (in principle) simple: Use the most specific rule that does match. How does the Wireguard generate rules when it creates a tunnel?

Derpaphobia
Posts: 5
Joined: 2020/01/21 21:33:36

Re: Route traffic of specific port through another interface

Post by Derpaphobia » 2020/02/10 20:44:59

That's where I got stuck. As I understood it:
The traffic goes into the server just fine.
But when the wg0 interface tries to send outgoing traffic, the outgoing traffic is going to go through wg-client and therefore my phone in this case is going to get an answer from the wrong IP and not accept the connection.
I did manage to solve this problem with the help of a stranger, here:
https://www.reddit.com/r/WireGuard/comm ... ting_help/
and the problem was solved by adding:
PostUp = ip rule add from 192.168.1.7 lookup main
PreDown = ip rule del from 192.168.1.7 lookup main
(192.168.1.7 being my server's local IP)
to the interface part of the "wg-client" config.
I would however like to learn all about this stuff myself, so that I can solve future problems whenever they decide to show up, so if anyone has any pointers as to where/how I can learn it, please tell me. Thank you!
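The fix above works because `ip rule` entries are evaluated in ascending priority order: wg-quick installs a `not from all fwmark <mark> lookup <table>` rule that sends everything without the tunnel's mark into the VPN's own routing table, and the added `from <server-ip> lookup main` rule only bypasses it if it sits at a lower priority number. The script below is an added example written for this thread (it is not the poster's code and not part of WireGuard or wg-quick): it parses the text output of `ip rule show` and checks that precedence. The sample output is constructed, assuming wg-quick's default table and fwmark of 51820 (0xca6c) and the 192.168.1.7 address from the post; the rule names and priorities are what iproute2 prints on a typical host, but the exact numbers on your machine may differ.

```python
"""Check that the source-address bypass rule precedes wg-quick's fwmark rule.

Added example for the thread above, not code from the forum or from wg-quick.
Rules in `ip rule show` are walked in ascending priority order; a lookup in
`main` that finds a route ends the search, so the bypass rule only helps if
its priority number is lower than the tunnel's catch-all fwmark rule.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output of `ip rule show` on a host where wg-quick set up
# wg-client with table/fwmark 51820 (0xca6c) and the PostUp rule was added
# without an explicit priority (iproute2 then picks the next free slot below
# the lowest existing non-zero priority).
SAMPLE_IP_RULE_SHOW = """\
0:\tfrom all lookup local
32763:\tfrom 192.168.1.7 lookup main
32764:\tfrom all lookup main suppress_prefixlength 0
32765:\tnot from all fwmark 0xca6c lookup 51820
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed counter-example: the same rule added with `pref 40000`, which
# places it AFTER the fwmark rule, so replies from wg0 still leave via the VPN.
SAMPLE_WRONG_ORDER = """\
0:\tfrom all lookup local
32764:\tfrom all lookup main suppress_prefixlength 0
32765:\tnot from all fwmark 0xca6c lookup 51820
32766:\tfrom all lookup main
32767:\tfrom all lookup default
40000:\tfrom 192.168.1.7 lookup main
"""


@dataclass
class Rule:
    priority: int
    selector: str   # e.g. "from all", "from 192.168.1.7", "not from all fwmark 0xca6c"
    table: str      # e.g. "main", "51820"
    extra: str      # e.g. "suppress_prefixlength 0"


RULE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)\s*(.*)$")


def parse_ip_rules(text: str) -> List[Rule]:
    """Parse `ip rule show` text into Rule objects sorted by priority."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line: skip rather than guess
        prio, selector, table, extra = m.groups()
        rules.append(Rule(int(prio), selector.strip(), table, extra.strip()))
    return sorted(rules, key=lambda r: r.priority)


def find_bypass_rule(rules: List[Rule], src_ip: str) -> Optional[Rule]:
    """The rule from the thread: traffic sourced from the server's LAN address
    is looked up in `main`, where the original default route via enp1s0 lives."""
    for r in rules:
        if r.selector == f"from {src_ip}" and r.table == "main" and not r.extra:
            return r
    return None


def find_vpn_rule(rules: List[Rule]) -> Optional[Rule]:
    """wg-quick's catch-all: anything NOT carrying the tunnel's fwmark is sent
    to the tunnel's table, whose default route points into wg-client."""
    for r in rules:
        if r.selector.startswith("not from all fwmark"):
            return r
    return None


def bypass_precedes_vpn(text: str, src_ip: str) -> bool:
    """True when the bypass rule is evaluated before the fwmark rule."""
    rules = parse_ip_rules(text)
    bypass = find_bypass_rule(rules, src_ip)
    vpn = find_vpn_rule(rules)
    if bypass is None or vpn is None:
        return False
    return bypass.priority < vpn.priority


def live_check(src_ip: str) -> bool:
    """Run the same check against the live host (read-only; needs iproute2)."""
    out = subprocess.run(["ip", "rule", "show"], capture_output=True,
                         text=True, check=True).stdout
    return bypass_precedes_vpn(out, src_ip)


if __name__ == "__main__":
    print("bypass precedes VPN rule:", bypass_precedes_vpn(SAMPLE_IP_RULE_SHOW, "192.168.1.7"))
```

Run it without arguments to exercise the constructed samples; call `live_check("192.168.1.7")` on the server itself to verify the rule order after `wg-quick up wg-client`. If it returns False, the PostUp line needs an explicit `pref` lower than the fwmark rule's priority.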
