https://www.procustodibus.com/blog/2022/06/multi-hop-wireguard/#internet-gateway-as-a-spoke
routing the default route through WireGuard between peers (hub-and-spoke, with the internet gateway as one of the spokes):
on the client, 172.20.24.15 set
wg0.conf
[Interface]
... Address = 172.20.24.15/32
[Peer]
... AllowedIPs = 0.0.0.0/0
ip route add wg_server_ip via 192.168.122.1 dev eth0   # keep the hub's endpoint reachable via the LAN, otherwise the tunnel's own packets get routed into the tunnel
ip route add default via 172.20.24.10 dev wg0
(if the second one fails with "Nexthop has invalid gateway" (a /32 Address has no connected route to 172.20.24.10), add `onlink` or just use `ip route add default dev wg0`; WireGuard picks the peer from AllowedIPs, not from the next hop)
on the gateway, 172.20.24.10
iptables -t nat -A POSTROUTING -s 172.20.24.0/24 -o vlan2 -j MASQUERADE   # tunnel subnet goes out the WAN (vlan2) with the gateway's public address
(and maybe also some of this:
iptables -t nat -A POSTROUTING -o oet1 -j MASQUERADE
iptables -A FORWARD -i oet1 ...?
)
(list: iptables -t nat -S POSTROUTING ; check the NAT on a live flow: conntrack -L | grep 172.20.24.15 )
on the hub (wg server) 172.20.24.1
wg:
wg set wg2 peer rdwrtQdE7Z0SqZcJmoydFD74vXLLTnf+gk9go5pDWRw= allowed-ips 0.0.0.0/0 (instead of 172.20.24.10/24)
(the key is the gateway client's; without 0.0.0.0/0 the hub drops the replies coming back from the gateway, because their source is an arbitrary internet address outside the peer's AllowedIPs, and it also has no peer to send 0.0.0.0/0 traffic to; the client keeps its 172.20.24.15/32, which still wins by longest prefix for the return packets)
routing:
echo "123 wgfrompeer" >> /etc/iproute2/rt_tables   # only gives table 123 a name, nothing else
ip route add default via 172.20.24.10 dev wg2 table 123
ip rule add iif wg2 table 123 priority 100
(list: ip route show table 123 , ip rule show ; check which way a forwarded packet goes: ip route get 1.1.1.1 from 172.20.24.15 iif wg2 )
firewall:
# some of this:
sysctl -w net.ipv4.ip_forward=1 (apparently already the default here; check with sysctl net.ipv4.ip_forward)
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wg2 -s 172.20.24.0/24 -j ACCEPT
iptables -I FORWARD -i wg2 -o wg2 -j ACCEPT
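Added example (not code from the linked article or from this note): a small model of WireGuard's cryptokey routing on the hub's wg2, to show why the gateway peer needs allowed-ips 0.0.0.0/0 and why the client's /32 still receives the return traffic. It assumes the addresses from the note above (client 172.20.24.15, gateway 172.20.24.10) and picks 1.1.1.1 as an arbitrary internet destination for the trace; peer names "client" and "gateway" are labels for this example only. Policy routing (table 123) only decides that a forwarded packet leaves via wg2; which peer gets it, and whether a decrypted packet is kept, is decided by AllowedIPs alone, which is what the model implements.

```python
# Added example: model of WireGuard cryptokey routing on the hub's wg2.
# Not the blog's code; addresses follow the note, 1.1.1.1 is an assumed
# internet destination, peer names are labels for this example.
import ipaddress


class WgInterface:
    """One WireGuard interface with its peers' AllowedIPs (cryptokey routing)."""

    def __init__(self, name, peers):
        self.name = name
        self.peers = {peer: [ipaddress.ip_network(n) for n in nets]
                      for peer, nets in peers.items()}

    def peer_for(self, dst):
        """Outbound: the peer whose AllowedIPs contain dst with the longest
        prefix. None means no peer matches and the kernel drops the packet
        (seen as "Required key not available")."""
        dst = ipaddress.ip_address(dst)
        best = None
        for peer, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (peer, net.prefixlen)
        return best[0] if best else None

    def accepts_from(self, peer, src):
        """Inbound: after decryption a packet from `peer` is kept only if its
        source address lies inside that peer's AllowedIPs, else it is dropped."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers[peer])


CLIENT = "172.20.24.15"
GATEWAY = "172.20.24.10"
INTERNET = "1.1.1.1"   # assumed internet destination for the trace

# hub's wg2 before the change: gateway peer limited to its own tunnel address
HUB_BEFORE = WgInterface("wg2", {"client": [CLIENT + "/32"],
                                 "gateway": [GATEWAY + "/32"]})
# hub's wg2 after `wg set wg2 peer <gateway key> allowed-ips 0.0.0.0/0`
HUB_AFTER = WgInterface("wg2", {"client": [CLIENT + "/32"],
                                "gateway": ["0.0.0.0/0"]})


def trace(hub):
    """Trace client -> internet and the reply through the hub's wg2."""
    return {
        # client -> 1.1.1.1 arrives from the client peer and must be accepted ...
        "request_accepted": hub.accepts_from("client", CLIENT),
        # ... then table 123 says "dev wg2", and cryptokey routing needs a peer for it
        "request_peer": hub.peer_for(INTERNET),
        # reply 1.1.1.1 -> client, de-NATed by the gateway, arrives from the gateway peer
        "reply_accepted": hub.accepts_from("gateway", INTERNET),
        # and must be handed to the client peer, not back to the gateway's 0.0.0.0/0
        "reply_peer": hub.peer_for(CLIENT),
    }


if __name__ == "__main__":
    for label, hub in (("before", HUB_BEFORE), ("after", HUB_AFTER)):
        print(label, trace(hub))
```

Running it shows the two failure points of the narrow config: the hub has no peer for 1.1.1.1 (request dropped on the way out) and, even if it had one, the reply from the gateway with source 1.1.1.1 is rejected on the way back. With 0.0.0.0/0 on the gateway peer both pass, and the reply still goes to the client because 172.20.24.15/32 is a longer match than 0.0.0.0/0.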