I've two linux machines connected with wg.
Machine #1 is a remote VM, & connects to the public 'net.
Machine #2 is local, on my LAN.
To date, they've only routed internal traffic. Nice -n- easy.
I'm adding forwarding of specific EXTERNAL traffic from the 'net, received at
Machine #1, to port-specific services, on the LAN.
E.g. a 'listener' on a local lan machine, @ ip 10.0.0.1 port 11111
On the local end of the VPN, for any external IP that needs to traverse the VPN
link, adding the specific IP to
AllowedIPs = ... X.X.X.X
works. Traffic flows.
BUT, that adds a local route
X.X.X.X dev wg0 scope link
so ALL local traffic from local lan to that IP, e.g. an ssh session, gets
routed BACK via that new route over the VPN.
I'd like to limit that -- so that ONLY traffic from the 'net to that local
listener on ip 10.0.0.1 port 11111 is routed back via the VPN; all _other_
traffic to the originating IP (e.g., that ssh connection), gets routed over my
normal default route.
What's the cleanest way -- in wireguard config -- to
(a) allow any/all IPs over the VPN
(b) limit the route to the specific ip target/port
So far, I seem to _need_ that originating IP in the "allowedips ="; which
creates the 'overreaching' route ...
I'm guessing some judicious use of PostUp/Down routes set?
