I am attempting to configure a VPS running Alpine Linux 3.18.4 to do a few things:

Accept incoming traffic on WireGuard interface wg0, from there:

  1. Allow peer-to-peer communication in the 10.7.2.0/24 subnet
  2. Provide a default route (Internet) through the WireGuard client on wg1 (NOT eth0)

So far WireGuard works on both interfaces. If I ip route add 1.1.1.1 dev wg0 I can ping -I wg1 1.1.1.1. For wg0 I can ping the server from the client.

The problem is setting up SNAT/NAT/routing. I’ve been banging my head against a wall trying to figure this stuff out, and everything I read online seems tailored to the “I just want WireGuard clients to use the VPS’ internet connection on eth0 directly” mentality. I’ve even been chatting in circles with ChatGPT and getting nowhere.

Below are my configuration files, but I’ll leave out routing tables, rules, etc. because at this point I’ll probably blow away the entire VPS and restore just the files I have here:

/etc/network/interfaces (just wg0, wg1):

auto wg0
iface wg0 inet static
    address 10.2.7.1/24
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add 10.2.7.0/24 dev wg0
    post-up iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE
    post-down ip link delete wg0
    post-down iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg1 -j MASQUERADE

auto wg1
iface wg1 inet static
    address 172.30.66.233/32
    pre-up ip link add dev wg1 type wireguard
    pre-up wg setconf wg1 /etc/wireguard/wg1.conf
    post-down ip link delete wg1

iface wg1 inet6 static
    address fd00:4956:504e:ffff::ac1e:42e9/128
    pre-up ip -6 addr add fd00:4956:504e:ffff::ac1e:42e9/128 dev wg1
    post-down ip -6 addr del fd00:4956:504e:ffff::ac1e:42e9/128 dev wg1

I have Address commented out in the files below because Alpine Linux doesn’t like them.

/etc/wireguard/wg0.conf:

[Interface]
# Address = 10.2.7.1/24
ListenPort = 51820
PrivateKey = [REDACTED]

[Peer]
PublicKey = [REDACTED]
AllowedIPs = 10.2.7.0/24,0.0.0.0/0,::0/0

/etc/wireguard/wg1.conf:

[Interface]
# Address = 172.30.X.X/32
PrivateKey = [REDACTED]

[Peer]
PublicKey = [REDACTED]
AllowedIPs = 10.2.7.0/24,0.0.0.0/0
Endpoint = [REDACTED]:[REDACTED]

  • verstra@programming.dev (11 months ago)

    If I remember correctly, Linux won’t forward IP packets from one interface to another. In other words, Linux won’t act as a network switch.

    To enable that, search for “IPv4 forwarding”.

    • railsdev@programming.dev OP (11 months ago, edited)

      Thanks for answering, cheers!

      I’ve successfully set up IP forwarding with sysctl. I’m about to crack the case but it’s been a leisurely, time-permitting endeavor so when I finally have the answer I hope to report back here.

      • railsdev@programming.dev OP (11 months ago)

        I managed to get this working for IPv4. Here are the commands I used:

        iptables -A FORWARD -i wg1 -j ACCEPT
        iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE
        iptables -t nat -A POSTROUTING -s 10.2.7.0/24 -o wg1 -j MASQUERADE
        
        iptables -A FORWARD -i wg0 -o wg1 ! -d 10.2.7.0/24 -j ACCEPT
        iptables -A FORWARD -i wg1 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
        
        iptables -t nat -A POSTROUTING -o wg1 -s 10.2.7.0/24 -j SNAT --to-source 172.30.X.X
        
        # echo "1 wg0table" >> /etc/iproute2/rt_tables
        ip rule add from 10.2.7.0/24 lookup wg0table
        ip route add default via 172.30.X.X table wg0table
        ip route add 10.2.7.0/24 dev wg0 table wg0table
        

        I’d like to make this more permanent but not sure how to go about it. I know I can add iptables directives in /etc/network/interfaces but I’m not sure how it’d work since wg0 depends on wg1.
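The setup the thread arrives at (policy routing for the 10.2.7.0/24 clients, NAT out of wg1, and the FORWARD rules), collected into one idempotent script as an added example; this is not the poster's own code. The point of the script is the ordering question raised above: the iptables rules do not need wg1 to exist, only the table's default route does, so the script checks for the device and uses `ip route replace`, which makes it safe to call from the post-up hook of both wg0 and wg1 and let whichever interface comes up last complete the table. Assumptions that are not in the thread: the table id 100, the `DRY_RUN` variable, the default route written as `dev wg1` (a point-to-point WireGuard link has no next-hop address) instead of `via` the tunnel address, a single MASQUERADE rule in place of the duplicate MASQUERADE and SNAT rules, and a FORWARD policy that only accepts client-to-egress flows, intra-subnet peer traffic and conntrack-tracked replies rather than the blanket `-i wg1 -j ACCEPT`.

```shell
#!/bin/sh
# Idempotent policy-routing and NAT setup for a WireGuard hub that sends
# wg0 clients out through the wg1 tunnel. Added example, not from the thread.
# Assumed values (not in the original post): table id 100, DRY_RUN switch,
# and that the script runs as root from ifupdown post-up hooks.
# DRY_RUN=1 prints the commands instead of executing them.

CLIENT_NET=${CLIENT_NET:-10.2.7.0/24}
CLIENT_IF=${CLIENT_IF:-wg0}
EGRESS_IF=${EGRESS_IF:-wg1}
TABLE_NAME=${TABLE_NAME:-wg0table}
TABLE_ID=${TABLE_ID:-100}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Add an iptables rule only when an identical one is not already present
# (iptables -C exits 0 if the rule exists), so calling the script from both
# interfaces' post-up hooks does not duplicate rules.
ipt_add() {
    table=$1; shift
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

ensure_rt_table() {
    # rt_tables is only a name-to-id map; register the name once.
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
    elif ! grep -q "[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables 2>/dev/null; then
        echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
    fi
}

apply_policy_routing() {
    ensure_rt_table
    # Packets sourced from the client subnet consult wg0table instead of main,
    # so the VPS's own default route via eth0 is never applied to them.
    if [ "$DRY_RUN" = 1 ] || ! ip rule show | grep -q "from $CLIENT_NET lookup $TABLE_NAME"; then
        run ip rule add from "$CLIENT_NET" lookup "$TABLE_NAME"
    fi
    # Routes are added only once their device exists; 'replace' is idempotent,
    # so the last interface to come up completes the table.
    if [ "$DRY_RUN" = 1 ] || [ -d "/sys/class/net/$CLIENT_IF" ]; then
        run ip route replace "$CLIENT_NET" dev "$CLIENT_IF" table "$TABLE_NAME"
    fi
    if [ "$DRY_RUN" = 1 ] || [ -d "/sys/class/net/$EGRESS_IF" ]; then
        run ip route replace default dev "$EGRESS_IF" table "$TABLE_NAME"
    fi
}

apply_firewall() {
    # Forward client->egress flows, their tracked replies, and peer-to-peer
    # traffic inside the client subnet. Nothing unsolicited from wg1 reaches wg0.
    ipt_add filter FORWARD -i "$CLIENT_IF" -o "$EGRESS_IF" -s "$CLIENT_NET" -j ACCEPT
    ipt_add filter FORWARD -i "$EGRESS_IF" -o "$CLIENT_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt_add filter FORWARD -i "$CLIENT_IF" -o "$CLIENT_IF" -s "$CLIENT_NET" -d "$CLIENT_NET" -j ACCEPT
    # One MASQUERADE rule picks up the current wg1 address, so it keeps working
    # if that address changes, unlike SNAT --to-source.
    ipt_add nat POSTROUTING -s "$CLIENT_NET" -o "$EGRESS_IF" -j MASQUERADE
}

apply_all() {
    run sysctl -q -w net.ipv4.ip_forward=1
    apply_firewall
    apply_policy_routing
}

# Usage: wg-routing.sh apply   (placeholder name; install path is your choice)
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

To make it persistent, save the script (for example as `/etc/wg-routing.sh`, a placeholder path), mark it executable, and add `post-up /etc/wg-routing.sh apply` to both the wg0 and the wg1 stanza in /etc/network/interfaces; `DRY_RUN=1 /etc/wg-routing.sh apply` prints the exact commands it would run, which is a convenient way to review the ruleset before touching a live VPS.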