I am trying to configure WireGuard to work as a VPN server. The main problem is that the gateway only forwards the VPN server IP to the other servers, not my client IP.
My setup is the following:
                                                      - server A (10.10.0.4)
                                                     /
CLIENT (10.10.1.3) -> wireguard server (10.10.1.2) --
                                       (10.10.0.2)   \
                                                      - server B (10.10.0.3)
The wireguard server runs on a machine with two interfaces:
- eth0 (10.10.0.2)
- wg0 (10.10.1.2)
When the VPN connection is established, I am able to connect to server A and server B (via ssh). The problem is that the IP address of the WireGuard server is forwarded (NAT) to server A and B. Logging in via ssh shows me every time that the last connection came from 10.10.0.2 (on server A and B). But on the WireGuard server, the last logged-in IP is my real client IP (10.10.1.3).
What I am trying to do is to configure wireguard so that my IP (10.10.1.3) is forwarded correctly to server A and B.
This is my client wireguard config file:
[Interface]
PrivateKey = xxx
Address = 10.10.1.3/24
DNS = 10.10.0.2, 8.8.8.8
[Peer]
PublicKey = XXX
AllowedIPs = 10.10.0.0/24
Endpoint = xxx.xxx.xxx.xxx:41194
PersistentKeepalive = 15
My wireguard server (wg0.conf) config:
[Interface]
Address = 10.10.1.2/24
## My VPN server port ##
ListenPort = 41194
PrivateKey = xxx
# Internet Gateway config: nat wg1 out to the internet on ens10
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
## Desktop/client VPN public key ##
PublicKey = xxx
AllowedIPs = 10.10.1.3/32
I guess that the iptables configuration is wrong, because of the nat / MASQUERADE, but I wasn't able to configure the gateway correctly.
I appreciate your help.
Update
Executing on server A (same on B)
ip -br link; ip -br address; ip route
Returns (public IP is masked):
lo UNKNOWN 00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0 UP 96:00:01:29:d6:9b <BROADCAST,MULTICAST,UP,LOWER_UP>
ens10 UP 86:00:00:08:9c:c5 <BROADCAST,MULTICAST,UP,LOWER_UP>
lo UNKNOWN 127.0.0.1/8 ::1/128
eth0 UP 10.10.0.3/32 fe80::9400:1ff:fe29:d69b/64
ens10 UP 49.xxx.xxx.xxx/32 2a01:xxx:xxx:xxx::1/64 fe80::8400:ff:fe08:9cc5/64
default via 172.31.1.1 dev ens10 proto dhcp src 49.xxx.xxx.xxx metric 100
10.10.0.0/16 via 10.10.0.1 dev eth0
10.10.0.1 dev eth0 scope link
172.31.1.1 dev ens10 proto dhcp scope link src 49.xxx.xxx.xxx metric 100
Best Answer
NAT is done by the configuration so you get NAT as asked. To avoid using NAT you have to:

- make sure end servers A and B have a real route back to the client

If that's not the case, add at least this on A and B (if running Linux):

ip route add 10.10.1.3/32 via 10.10.0.2

UPDATE: OP's routing setup (in a cloud) makes A and B's traffic to 10.10.0.2 (or even between each other) go through an additional router 10.10.0.1 (part of the cloud network). So the route had to be added on this part, as confirmed by OP.

- remove NAT on wireguard server

Just remove the second iptables command in the two WireGuard PostUp and PostDown configuration lines, and make sure there's not a previously added entry left, by running this time only:

- optional: update AllowedIPs on client

If the client wants to access the wireguard server using the server's address on its tunnel side rather than its eth0 side, or to be sure ICMP packets sent back by the wireguard server are received (eg: to get traceroute to server A working without * * *), 10.10.1.2 should also be in AllowedIPs to satisfy WireGuard's cryptokey routing. Replace on client:

with:
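The three points of the answer (a return route on A and B, dropping the MASQUERADE rule, and adding the server's tunnel address to the client's AllowedIPs), as an added Python example that is not part of the question or the answer. It parses constructed copies of the two configs and of server A's route table (placeholder keys, endpoint and public addresses), flags the MASQUERADE command and emits the corrected PostUp/PostDown, checks the client's AllowedIPs against WireGuard's cryptokey routing rule (a peer only sends to, and only accepts packets from, addresses inside its AllowedIPs), and does a longest-prefix lookup to show that without a more specific route server A hands replies for 10.10.1.3 to the cloud router 10.10.0.1 rather than to the WireGuard host.

```python
"""Audit of the thread's WireGuard setup: find the MASQUERADE rule that rewrites
the client's source address, check the client's AllowedIPs against WireGuard's
cryptokey routing, and look up where server A routes replies to the client.
All inputs are constructed samples modelled on the question; keys and public
addresses are placeholders."""
import ipaddress
import re

SERVER_CONF = """
[Interface]
Address = 10.10.1.2/24
ListenPort = 41194
PrivateKey = xxx
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = xxx
AllowedIPs = 10.10.1.3/32
"""
CLIENT_CONF = """
[Interface]
PrivateKey = xxx
Address = 10.10.1.3/24
[Peer]
PublicKey = XXX
AllowedIPs = 10.10.0.0/24
Endpoint = 203.0.113.10:41194
"""
# Constructed from the `ip route` output posted for server A (public IP is a placeholder).
SERVER_A_ROUTES = """
default via 172.31.1.1 dev ens10 proto dhcp src 203.0.113.20 metric 100
10.10.0.0/16 via 10.10.0.1 dev eth0
10.10.0.1 dev eth0 scope link
"""
HOOKS = ("PostUp", "PostDown")


def parse_wg_conf(text):
    """wg-quick INI -> [(section, {key: [values]})]; keys like PostUp may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
            continue
        key, _, value = line.partition("=")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections


def hook_commands(sections, hook):
    """Split a PostUp/PostDown value on ';' into its individual shell commands."""
    return [c.strip() for name, kv in sections if name == "Interface"
            for value in kv.get(hook, []) for c in value.split(";") if c.strip()]


def masquerade_commands(sections):
    """nat-table commands that make every tunnel packet leave with eth0's address."""
    return [(h, c) for h in HOOKS for c in hook_commands(sections, h) if "MASQUERADE" in c]


def without_masquerade(sections):
    """Corrected hooks: MASQUERADE dropped, FORWARD accept kept so forwarding still works."""
    return {h: "; ".join(c for c in hook_commands(sections, h) if "MASQUERADE" not in c)
            for h in HOOKS}


def peer_allowed_ips(sections):
    """Every network listed under AllowedIPs in the [Peer] sections."""
    return [ipaddress.ip_network(c.strip(), strict=False) for name, kv in sections
            if name == "Peer" for value in kv.get("AllowedIPs", []) for c in value.split(",")]


def cryptokey_permits(nets, address):
    """WireGuard only sends to a peer, and only accepts packets from it, for
    addresses inside that peer's AllowedIPs; anything else is silently dropped."""
    return any(ipaddress.ip_address(address) in n for n in nets)


def lookup_route(route_table, destination):
    """Longest-prefix match over `ip route` output -> (prefix, via, dev) or None."""
    dest, best = ipaddress.ip_address(destination), None
    for line in route_table.strip().splitlines():
        f = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            via = f[f.index("via") + 1] if "via" in f else None
            best = (net, via, f[f.index("dev") + 1])
    return (str(best[0]), best[1], best[2]) if best else None


if __name__ == "__main__":
    server, client = parse_wg_conf(SERVER_CONF), parse_wg_conf(CLIENT_CONF)
    for hook, cmd in masquerade_commands(server):
        print(f"{hook} rewrites the client's source address: {cmd}")
    for hook, value in without_masquerade(server).items():
        print(f"corrected {hook} = {value}")
    nets = peer_allowed_ips(client)
    print("client routes 10.10.0.4 into the tunnel:", cryptokey_permits(nets, "10.10.0.4"))
    print("client accepts ICMP from 10.10.1.2:", cryptokey_permits(nets, "10.10.1.2"))
    print("server A sends replies for 10.10.1.3 to:", lookup_route(SERVER_A_ROUTES, "10.10.1.3"))
    with_fix = SERVER_A_ROUTES + "10.10.1.3/32 via 10.10.0.2 dev eth0\n"
    print("with a /32 return route added:", lookup_route(with_fix, "10.10.1.3"))
```

The route lookup is the part worth running against your own `ip route` output: if the best match for the client's tunnel address points at anything other than the WireGuard host's LAN address, replies will not come back through the tunnel, and the MASQUERADE rule was the only thing hiding that.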