The Setup
The main ethernet interface of my server is enp8s0; it has one public IP address (116.202.221.254, the server's main IP address), and here's how it is set up.
```
# ip addr show enp8s0
2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether a8:a1:59:06:e6:6c brd ff:ff:ff:ff:ff:ff
    inet 116.202.221.254/26 brd 116.202.221.255 scope global enp8s0
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:241:55c1::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::aaa1:59ff:fe06:e66c/64 scope link
       valid_lft forever preferred_lft forever
```
The route:
```
# ip route show
default via 116.202.221.193 dev enp8s0 onlink
10.103.213.2 dev wg0 scope link
116.202.221.192/26 via 116.202.221.193 dev enp8s0
116.202.221.192/26 dev enp8s0 proto kernel scope link src 116.202.221.254
```
Contents of file: /etc/network/interfaces
```
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto enp8s0
iface enp8s0 inet static
  address 116.202.221.254
  netmask 255.255.255.192
  gateway 116.202.221.193
  # route 116.202.221.192/26 via 116.202.221.193
  up route add -net 116.202.221.192 netmask 255.255.255.192 gw 116.202.221.193 dev enp8s0

iface enp8s0 inet6 static
  address 2a01:4f8:241:55c1::2
  netmask 64
  gateway fe80::1
```
Then I requested an additional public IP address (116.202.221.202) for my server, and here's how I configured it.

Add the additional IP address to the main interface/device enp8s0:

```
# ip address add 116.202.221.202/32 dev enp8s0
```

Add these lines under the configuration of enp8s0 in /etc/network/interfaces:

```
up ip address add 116.202.221.202/32 dev enp8s0
down ip address del 116.202.221.202/32 dev enp8s0
```

Apply the changes with immediate effect:

```
# ip address flush enp8s0 && systemctl restart networking
```
Problem
All internet traffic going out from the server seems to be going out via the main IP address 116.202.221.254. So, for example, if I browsed the internet via the server, my IP address would be seen as 116.202.221.254.

So even if I configure my tools to use the additional/secondary IP address 116.202.221.202, they seem to be going out from 116.202.221.254.
How do I configure my server so that the two IP addresses are treated individually (not linked like they are now) and have separate routes?
Context
I have a website on the server using the main IP address 116.202.221.254.

I am trying to set up WireGuard VPN on the server (to protect my identity and overcome censorship) to use the secondary IP address 116.202.221.202, but once configured and set up, I am still facing the internet as 116.202.221.254.

How do I configure my server so that my VPN will use 116.202.221.202 instead?
My WireGuard VPN Configuration
(For more context. I followed this tutorial: https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-debian/)
WireGuard Server Configuration: /etc/wireguard/wg0.conf

```
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.103.213.1/32
ListenPort = 51208
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp8s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp8s0 -j MASQUERADE
SaveConfig = false

# Macbook Pro
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.103.213.2/32
```
WireGuard Client Configuration: /etc/wireguard/wg0.conf

```
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.103.213.2/32
ListenPort = 51208
DNS = 8.8.8.8, 8.8.4.4, 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = 116.202.221.202:51208
AllowedIPs = 0.0.0.0/0
```
What am I missing? How do I fix this?
I did my best to understand each step, but it's still a lot and I know I am missing something related to iptables routes or rules. But the relevant information on the internet is very difficult to parse given my current knowledge, and I was unable to figure out a solution despite working on this for 2 days.
Any help is appreciated. Please try to be as detailed as possible. Thank you!
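The kind of rules the question is asking for, as an added example written for this page (it is not the asker's, the answerer's or the Linode tutorial's code): a POSIX shell script that can replace the PostUp/PostDown commands in the server's wg0.conf. It marks packets that enter through wg0 and SNATs marked packets leaving enp8s0 to 116.202.221.202, so VPN clients exit through the secondary address while the website keeps answering from the primary one; a plain MASQUERADE always picks the interface's primary address, which is the behaviour described under Problem. Interface names and addresses come from the question; the mark value 0x1, the script path and the DRY_RUN switch are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the question, the accepted answer or the Linode
# tutorial. Builds (or applies) the iptables rules that make traffic which
# arrived through wg0 leave enp8s0 with the secondary public address.
# Interface names and addresses are the question's; the mark 0x1 and the
# DRY_RUN switch are assumptions made for this example.

WAN_IF="${WAN_IF:-enp8s0}"
WG_IF="${WG_IF:-wg0}"
SECONDARY_IP="${SECONDARY_IP:-116.202.221.202}"
WG_MARK="${WG_MARK:-0x1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Tag every packet that enters through the WireGuard interface. Matching on
# the mark later means the NAT rule does not need to know the tunnel subnet.
mark_wg_traffic() {        # $1 is I (insert) or D (delete)
    run iptables -t mangle -"$1" PREROUTING -i "$WG_IF" -j MARK --set-mark "$WG_MARK"
}

# Rewrite the source of marked packets leaving the WAN interface. SNAT pins
# the address explicitly; MASQUERADE always uses the interface's primary
# address, which is why the clients currently appear as 116.202.221.254.
snat_wg_traffic() {        # $1 is I (insert) or D (delete)
    run iptables -t nat -"$1" POSTROUTING -m mark --mark "$WG_MARK" -o "$WAN_IF" -j SNAT --to-source "$SECONDARY_IP"
}

# Forwarding must be allowed for tunnel traffic in both directions, and the
# kernel must have IP forwarding enabled (net.ipv4.ip_forward=1).
forward_wg_traffic() {     # $1 is I (insert) or D (delete)
    run iptables -"$1" FORWARD -i "$WG_IF" -j ACCEPT
    run iptables -"$1" FORWARD -o "$WG_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Entry points meant for wg0.conf (path is a placeholder):
#   PostUp   = /path/to/wg-egress.sh up
#   PostDown = /path/to/wg-egress.sh down
# Rules are inserted with -I so they take precedence over any MASQUERADE
# rule still present in nat/POSTROUTING (first match wins in that chain).
wg_egress_up()   { mark_wg_traffic I; snat_wg_traffic I; forward_wg_traffic I; }
wg_egress_down() { mark_wg_traffic D; snat_wg_traffic D; forward_wg_traffic D; }

case "${1:-}" in
    up)   wg_egress_up ;;
    down) wg_egress_down ;;
    *)    ;;   # sourced or called without an action: only define the functions
esac
```

With DRY_RUN=1 (the default) the script only prints the commands, which is a convenient way to review them before putting them in wg0.conf; with DRY_RUN=0 it applies them and needs root. The encrypted UDP side needs no extra rule, because WireGuard replies from whichever local address the peer's handshake arrived at, so the client's Endpoint of 116.202.221.202:51208 already works. After applying, confirm with `iptables -t nat -L POSTROUTING -v -n` that the SNAT rule sits above any MASQUERADE rule, and check from a connected client which public address a remote service sees.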
Best Answer
Unless the application itself specifies, to the system, which IP address its outgoing traffic should go through, the server will use the default (main) IP address—at least that's my understanding.
And as there doesn't seem to be a setting in WireGuard to tell it to use a specific public IP address, we need to depend on iptables or ip route. A kind soul on the #wireguard IRC channel helped me out with the PostUp and PostDown values in the wg0.conf server config that will accomplish what I need.

This works too, but is NOT IDEAL I'm told (the --mark in the above commands is able to target WG-specific traffic, while these are source-IP specific instead—at least that's how I understood it):