Setup IP forwarding

Hi!

I’ve just installed WireGuard on my RPi4 and connected to a VPN.
I’ve some devices on LAN that don’t support VPN so I need to set RPi4’s IP as these devices’ gateway and route their traffic to the RPi4 and then to the VPN.

The RPi4 is connected via ethernet to my router, the VPN won’t always be up so I would like (don’t know if it’s possible):

  • Route traffic of specific IPs from eth0 to wg0
  • Route traffic of specific IPs from eth0 to my router if VPN is down

As stated above I don’t know if it’s possible and my knowledge about networking stuff is a little limited so I’m asking for your help!

Thanks in advance!

@trendy maybe you have an idea.

Both are possible.
For the first you need to control the DHCP server in your lan and advertise to the specific clients dhcp option 3 to be the RPi IP address, in order to use it as their gateway. Most likely the ISP router will not support this function, so you should be looking at dnsmasq or dhcpd in RPi. There is also the option to use Pihole which has embedded dnsmasq, but this might be an overkill.
For the second, it will be done automatically when the VPN is up. The default gateway will be via the VPN, when the latter is active. When the VPN is down, it will be routed via the ISP router.

Hi! First of all thanks!

Can I just set the RPi4’s IP as the gateway on the devices’ network config? My router supports this too, are there any differences?

I didn’t quite understand this, can you please explain more.
I’ve read some guides and all had to enable ip forwarding but as I said above my knowledge is limited.

EDIT: My router doesn’t have the setting.

You can.

Run an ip route show with the VPN enabled and disabled and post here the output in preformatted text (the </> button).

Here you go :slight_smile:

VPN enabled:

root@DietPi:~# ip route show
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42

VPN disabled:

root@DietPi:~# ip route show
default via 192.168.178.1 dev eth0
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42

Btw I tried setting RPi4’s IP as both gateway and dns on a device on lan and I can’t connect to internet.

EDIT: Don’t know if the device on the LAN can’t connect to the internet because the RPi4 doesn’t have a DNS service running, but I was going to install Pihole anyway in the near future, is this related?

You are probably missing the option to route the allowed IPs from the WG peer. Can you post the WG config? You can redact the keys.

This is necessary to enable ip forwarding and to mask the source IP into the one of the RPi.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

[Interface]
PrivateKey = ***
Address = 10.59.244.2/24
DNS = 9.9.9.9, 149.112.112.112

[Peer]
PublicKey = ***
PresharedKey = ***
Endpoint = X.X.X.X:X
AllowedIPs = 0.0.0.0/0, ::0/0

Do I just run these commands? How to revert if needed?

The route is not present. How do you bring the tunnel up? wg-quick up wg0 or something else?

For now you can just run them. A reboot will revert them. Once all is fine with the tunnel we can add them in Up/Down scripts.

I run systemctl start wg-quick@wg0

Can you try with wg-quick up wg0 ? Then run ip route show

root@DietPi:~# ip route show
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42

I’ve run these too and now can successfully connect to internet and with VPN

How can I make the iptables rules stick on boot?

But you are not routed to the internet via the VPN :stuck_out_tongue:
The default route is via the ISP router.
Can you do an apt install mtr ; mtr 8.8.8.8 ?

Can you explain the problem?
I successfully connect to vpn and internet, my ip is vpn’s ip and everything is fine.
Devices which use RPi4’s ip as gateway successfully connect to internet too with the vpn’s ip.

Btw the mtr
with vpn down:

My traceroute  [v0.95]
DietPi (192.168.178.42) -> 8.8.8.8 (8.8.8.8)                   2023-11-01T07:53:26+0100
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                            Packets               Pings
 Host                                     Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. fritz.box                              0.0%    28    1.2   1.1   0.8   1.4   0.1
 2. 100.64.255.255                         0.0%    28    8.0   7.3   6.6   8.7   0.5
 3. net233-27-32-195.dimensionesrl.eu      0.0%    28    6.9   7.4   6.4  13.7   1.5
 4. net246-27-32-195.dimensionesrl.eu      0.0%    28   38.0   8.1   6.5  38.0   5.9
 5. 72.14.221.8                            0.0%    27    6.9   7.8   6.6  14.3   1.6
 6. 108.170.245.81                         0.0%    27    7.6   7.8   7.3   9.2   0.5
 7. 142.250.211.31                         0.0%    27    7.0   6.9   6.4   7.6   0.3
 8. dns.google                             0.0%    27    6.9   6.5   6.1   7.5   0.3

with vpn up:

My traceroute  [v0.95]
DietPi (10.59.244.2) -> 8.8.8.8 (8.8.8.8)                      2023-11-01T07:56:02+0100
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                            Packets               Pings
 Host                                     Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.59.244.1                            0.0%    15   11.4  11.3  11.1  11.5   0.1
 2. 192.168.1.1                            0.0%    15   11.6  11.7  11.4  12.1   0.2
 3. h210-ipv4-93-91-128.mynet.it           0.0%    15   13.7  14.1  13.0  18.7   1.8
 4. 100.64.12.9                            0.0%    15   17.2  18.9  17.1  28.1   3.6
 5. 100.64.14.161                          0.0%    15   16.4  16.7  16.1  17.9   0.4
 6. 100.64.12.57                           0.0%    15   16.6  16.7  16.1  19.8   0.9
 7. 100.64.14.182                          0.0%    14   16.4  16.4  16.0  16.9   0.2
 8. h170-ipv4-45-142-185.mynet.it          0.0%    14   16.0  16.6  15.6  21.0   1.4
 9. 108.170.245.65                         0.0%    14   16.0  16.8  15.9  21.1   1.6
10. 142.251.235.177                        0.0%    14   16.0  16.1  15.8  16.3   0.2
11. dns.google                             0.0%    14   15.6  15.9  15.5  16.3   0.2

The mtr looks correct and while the vpn is up, your ip route show must show default via 10.59.244.1 dev wg0. Can you confirm that?

Nope, still this:

root@DietPi:~# ip route show
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42

Don’t really know as everything is fine as I said above.

@trendy could it be that, even when the VPN is up, the default gw is still the router, because the VPN tunnel is established via the default route?? Meaning all data go into the VPN tunnel, while the VPN tunnel uses the router to connect to the internet?

Ok this is more guessing than real knowledge :smiley:

Can you run ip -4 route list table all; ip -4 rule ?

No, what usually happens is that the default is via the vpn gateway and there is an additional route for the VPN endpoint via the ISP gateway. If my suspicion is correct, there are VRFs involved here.

root@DietPi:~# ip -4 route list table all
default dev wg0 table 51820 scope link
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42
local 10.59.244.2 dev wg0 table local proto kernel scope host src 10.59.244.2
broadcast 10.59.244.255 dev wg0 table local proto kernel scope link src 10.59.244.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.178.42 dev eth0 table local proto kernel scope host src 192.168.178.42
broadcast 192.168.178.255 dev eth0 table local proto kernel scope link src 192.168.178.42

root@DietPi:~# ip -4 rule
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default

Don’t know if it can help but I’m connecting via VPN to another RPi.

Ok, it is now clear that the VPN is using a separate routing table and gets precedence from the ip rules.
It’s all good, you can add the echo 1 > /proc/sys/net/ipv4/ip_forward in /etc/rc.local or edit /etc/sysctl
The iptables rules can be added in PostUp and PostDown (see wg-quick(8) — wireguard-tools — Debian unstable — Debian Manpages).
For the PostDown use

iptables -D FORWARD -i eth0 -o eth0 -j ACCEPT
iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
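An added check script, not posted by anyone in this thread: it reads the output of ip -4 rule and ip -4 route list table all and reports whether wg-quick's fwmark policy routing is sending default traffic through wg0, so the "default via 192.168.178.1 dev eth0" line from plain ip route show is not misread as "VPN not in use". The sample strings are constructed to mirror the output posted above; the table id 51820 and mark 0xca6c are what wg-quick installed here.

```shell
#!/bin/sh
# Added example. wg-quick with AllowedIPs = 0.0.0.0/0 does not replace the main
# table's default route; it adds a default route in its own table (51820 here)
# and an ip rule "not from all fwmark 0xca6c lookup 51820" that sends every
# packet not marked by WireGuard itself into that table. These helpers make that
# state visible without having to read ip rule output by hand.

# Constructed sample output, shaped like the thread's `ip -4 rule` listing.
SAMPLE_RULES='0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample output, shaped like `ip -4 route list table all`.
SAMPLE_ROUTES='default dev wg0 table 51820 scope link
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42'

# wg_policy_table RULES: print the table id named by the fwmark rule (empty if none).
wg_policy_table() {
    printf '%s\n' "$1" | awk '/not from all fwmark/ && /lookup/ { print $NF; exit }'
}

# wg_default_dev ROUTES TABLE: print the device of the default route in TABLE.
wg_default_dev() {
    printf '%s\n' "$1" | awk -v t="$2" '
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "table" && $(i+1) == t)
                for (j = 1; j <= NF; j++) if ($j == "dev") { print $(j+1); exit }
        }'
}

# tunnel_is_default RULES ROUTES: succeed if the policy table's default route is via wg0.
tunnel_is_default() {
    t=$(wg_policy_table "$1")
    [ -n "$t" ] || return 1
    [ "$(wg_default_dev "$2" "$t")" = "wg0" ]
}

# On the RPi itself: tunnel_is_default "$(ip -4 rule)" "$(ip -4 route list table all)"
if tunnel_is_default "$SAMPLE_RULES" "$SAMPLE_ROUTES"; then
    echo "policy routing active: default goes via table $(wg_policy_table "$SAMPLE_RULES") (wg0)"
else
    echo "policy routing not active: traffic follows the main table default"
fi
```

When the tunnel is down the fwmark rule and table 51820 disappear, so the same check reports the main-table default via the ISP router, which matches the behaviour described in the thread.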