
[image: network diagram of the full setup] The image shows a complete picture of what I'm building. But for now I want to implement a small part with one home server and 2 LXC, 2 ipv4 on a remote server. I want to use 2 different Wireguard tunnels for 2 LXC containers. It's easy to solve when I have only one Wireguard tunnel - just "AllowedIPs = 0.0.0.0/0" and all (host and guests) traffic will go through the Wireguard tunnel. But how to solve it in case of many different Wireguard tunnels?

Home server 1

WireGuard config:

[Interface]
PrivateKey = my_private_key
Address = 192.168.7.2/24

[Peer]
PublicKey = my_public_key
AllowedIPs = 0.0.0.0/0
# ok for 1 LXC, but how to do it for 2?
Endpoint = 11.11.11.1:51194
PersistentKeepalive = 15

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp2s0
10.7.56.0       0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp2s0
192.168.1.1     0.0.0.0         255.255.255.255 UH    100    0        0 enp2s0
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 wg1

Remote server

/etc/wireguard/helper/add-nat-routing.sh

#!/bin/bash
IPT="/sbin/iptables"

IN_FACE="eth0"            # public interface of the remote server
WG_FACE="wg1"             # WireGuard interface
SUB_NET="192.168.7.0/24"  # WireGuard tunnel subnet
WG_PORT="51194"           # WireGuard listen port

## IPv4 ##
# Masquerade tunnel traffic that leaves through the public interface
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
# Forward all inbound TCP for the public address to the home peer's tunnel address
$IPT -t nat -A PREROUTING -p tcp -d 11.11.11.1 --jump DNAT --to-destination 192.168.7.2

/etc/wireguard/wg1.conf

[Interface]
Address = 192.168.7.1/24
ListenPort = 51194
PrivateKey = private_key
PostUp = /etc/wireguard/helper/add-nat-routing.sh

[Peer]
PublicKey = public_key
AllowedIPs = 192.168.7.2/32
  • your wireguard config doesn't describe any of the wireguard endpoints in your picture, so I guess that's a source for confusion. Where exactly do you mean to have that wg1.conf? Commented Jun 13, 2021 at 20:26
  • @MarcusMüller updated, it's Home server 1, thanks. Commented Jun 13, 2021 at 20:34
  • Home server 1 itself doesn't have a wireguard tunnel in your picture. The LXC network namespaces do. And it makes no sense that the endpoint has an IP address from the internal wireguard subnet. Commented Jun 13, 2021 at 20:36
  • yes, the diagram is not very accurate, I tried to do it simply... Commented Jun 13, 2021 at 20:42
  • hm in this case I'd call it misleading then. We have no idea what networks you want to have, where. Commented Jun 13, 2021 at 20:53
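As an added example (not part of the question or of the comments above), the following script shows how the home server can keep the hosts's own default route via enp2s0 while steering each container through its own tunnel: one routing table per WireGuard interface, an `ip rule` that selects that table by the container's source address, and a MASQUERADE rule so the remote peer, which only allows 192.168.7.2/32, still accepts the traffic. Everything not in the question is an assumption: the container addresses 10.7.56.11 and 10.7.56.12 on lxdbr0, a second interface wg2 with Address 192.168.8.2/24, and table ids 101/102. It assumes both wg-quick configs keep `AllowedIPs = 0.0.0.0/0` but add `Table = off` under `[Interface]`, so wg-quick stops installing its own catch-all default route (that catch-all is what makes the single-tunnel setup work and what breaks with two).

```shell
#!/bin/sh
# Added example, not from the question: per-container policy routing on
# "Home server 1". Constructed addresses for illustration:
#   container A 10.7.56.11 (lxdbr0) -> wg1 (Address 192.168.7.2/24), table 101
#   container B 10.7.56.12 (lxdbr0) -> wg2 (Address 192.168.8.2/24), table 102
# Both wg-quick configs: AllowedIPs = 0.0.0.0/0 plus "Table = off" in [Interface],
# so wg-quick adds no default route and the host's route via enp2s0 is untouched.

set -eu

DRY_RUN="${DRY_RUN:-}"        # DRY_RUN=1 prints the commands instead of running them
IPT="${IPT:-/sbin/iptables}"

# run: execute a command, or only print it in dry-run mode
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# route_container_via_tunnel SRC_IP WG_IF TABLE
# Packets whose source is SRC_IP consult table TABLE, whose only live route is a
# default route out of WG_IF. A blackhole default with a worse metric sits behind
# it: if the tunnel interface goes down, the container's traffic is dropped
# instead of silently leaking out via enp2s0.
route_container_via_tunnel() {
    src="$1"; wg_if="$2"; table="$3"

    run ip route replace default dev "$wg_if" table "$table"
    run ip route replace blackhole default metric 1000 table "$table"
    run ip rule add from "$src" lookup "$table" priority "$table"

    # The remote peer only allows the tunnel address (AllowedIPs = 192.168.7.2/32),
    # so source-NAT the container behind the local tunnel address on the way out.
    run "$IPT" -t nat -A POSTROUTING -s "$src" -o "$wg_if" -j MASQUERADE
    run "$IPT" -A FORWARD -s "$src" -o "$wg_if" -j ACCEPT
    run "$IPT" -A FORWARD -d "$src" -i "$wg_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# check_route SRC_IP WG_IF: ask the kernel which interface it would really use
# for a packet from SRC_IP arriving on lxdbr0 (192.0.2.1 is a documentation address).
check_route() {
    ip route get 192.0.2.1 from "$1" iif lxdbr0 2>/dev/null | grep -q "dev $2"
}

setup_all() {
    route_container_via_tunnel 10.7.56.11 wg1 101
    route_container_via_tunnel 10.7.56.12 wg2 102
}

# Usage: DRY_RUN=1 sh multi-tunnel.sh setup   (review the commands first)
#        sh multi-tunnel.sh setup              (apply as root, after wg1 and wg2 are up)
if [ "${1:-}" = "setup" ]; then
    setup_all
    [ -n "$DRY_RUN" ] || { check_route 10.7.56.11 wg1 && check_route 10.7.56.12 wg2; }
fi
```

Run it once in dry-run mode to review the exact `ip` and `iptables` commands, then as root after both tunnels are up; `check_route` then confirms with `ip route get ... from ... iif lxdbr0` that the kernel picks the intended interface for each container. Because the rules key on the container's source address, the host itself keeps using enp2s0, which is the difference from the single-tunnel `AllowedIPs = 0.0.0.0/0` setup. The alternative the comments hint at, creating each WireGuard interface inside the container's own network namespace, avoids the policy rules entirely but is a different layout from the one in the question.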
