On 1/7/19 10:02 AM, C. Cook wrote:
> I have a WireGuard server running in a KVM virtual machine in my LAN.
> (CentOS 7.6)  It accepts WG connections from the outside (phone, laptop)
> and this is working fine with port-forwarding, but I also intend it to be
> the Azire VPN access to the outside for the LAN.
> 
> This question is about the latter.  I want every machine in the LAN to
> go out through the Azire tunnel.
> 
> The WG interface is running on the server:
> 
> # ip address
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 52:54:00:c0:46:30 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
>        valid_lft forever preferred_lft forever
> 5: outgoingWG-ca1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/none
>     inet 10.34.8.123/19 scope global outgoingWG-ca1
>        valid_lft forever preferred_lft forever
> 
> But to start with I want to route all traffic from this server out the
> WG interface, rather than eth0.
> 
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         gateway         0.0.0.0         UG    0      0        0 eth0
> 10.34.0.0       0.0.0.0         255.255.224.0   U     0      0        0 outgoingWG-ca1
> link-local      0.0.0.0         255.255.0.0     U     1002   0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 
> How would this be done?  There is no
> /etc/sysconfig/network-scripts/ifcfg-outgoingWG-ca1 where I could set
> gateway since the WG interface is created by a systemd service.  Is
> there a Shorewall trick I could use?
> 
> Then, how would I route the rest of the LAN to this WG server and out
> the WG interface to the greater internet?

You also have to remember that the encapsulated VPN traffic must still
be routed out of eth0, which further complicates your question. I'm
afraid that I don't know enough about WG to advise you, and I also don't
use systemd for network configuration.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
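The route changes the question asks for, under the constraint Tom raises (the tunnel's own encrypted UDP packets must keep leaving via eth0), as an added shell example that is not part of the thread. Interface and address names are taken from the quoted output; WG_ENDPOINT is a placeholder because the Azire peer address is not shown, and masquerading of the LAN onto the tunnel is assumed to be configured in Shorewall rather than here.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the server-side route changes
# that send the WG server's default traffic into the tunnel while pinning the
# tunnel's encrypted packets to eth0, plus the one route each LAN host needs.

WG_IF="${WG_IF:-outgoingWG-ca1}"                      # tunnel interface from the thread
WAN_IF="${WAN_IF:-eth0}"                              # interface that reaches the LAN gateway
WG_SERVER_LAN_IP="${WG_SERVER_LAN_IP:-192.168.1.16}"  # eth0 address from the thread
WG_ENDPOINT="${WG_ENDPOINT:-203.0.113.10}"            # PLACEHOLDER: real peer endpoint goes here

# Emit the server-side commands in the order they must run. The /32 host route
# to the peer endpoint must exist before the default route moves; otherwise the
# encrypted packets would themselves be routed into the tunnel (a routing loop).
plan_server_routes() {
    wan_gw="$1"   # the "gateway" shown in the thread's route output
    printf 'ip route add %s/32 via %s dev %s\n' "$WG_ENDPOINT" "$wan_gw" "$WAN_IF"
    printf 'ip route replace default dev %s\n' "$WG_IF"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'   # needed once LAN hosts forward through this box
}

# The change each LAN machine needs: use the WG server as its default gateway.
# NAT of 192.168.1.0/24 onto $WG_IF is assumed to be handled by Shorewall's
# masquerading configuration, so no iptables rule is emitted here.
plan_lan_host_route() {
    printf 'ip route replace default via %s\n' "$WG_SERVER_LAN_IP"
}

# Read the current default gateway on the WAN interface (requires iproute2).
current_wan_gateway() {
    ip -4 route show default dev "$WAN_IF" | awk '/via/ {print $3; exit}'
}

# "apply" executes the plan on the server; "show <gateway>" only prints it.
if [ "${1:-}" = "apply" ]; then
    gw=$(current_wan_gateway)
    [ -n "$gw" ] || { echo "no default gateway on $WAN_IF" >&2; exit 1; }
    plan_server_routes "$gw" | sh -e
elif [ "${1:-}" = "show" ]; then
    plan_server_routes "$2"
    plan_lan_host_route
fi
```

Run `sh route-via-wg.sh show 192.168.1.1` to review the commands before applying them; after `apply`, `ip route get <endpoint>` should still name eth0 while `ip route get 1.1.1.1` names the tunnel.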
