On Fri, 9 Oct 2020 17:16:18 +0330 Rudi C <[email protected]> wrote:
> On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov <[email protected]> wrote:
> > Seems like you misunderstand what I mean. If you use the in-VPN (internal) IP
> > of your VPS, all communication with the SOCKS proxy installed on the VPS will
> > happen via the WireGuard tunnel. No DPI can look into that.
>
> You're right! Some questions:
> 1. What should I do client-side so that wireguard only covers my VPS's
> IP (and does not otherwise route traffic)? Will `AllowedIPs =
> SERVER_IP/32` do it?

SERVER_IP should be the in-VPN IP here, otherwise yes, and remove 0.0.0.0/0
and ::/0 from AllowedIPs.

> 2. How do I get the in-VPN IP of the server? Is it `Address` in `[Interface]`?

Yes. You can confirm via "ip addr list dev wgX" on the server.

> 3. I use ufw for the firewall on the server. Will ufw block my local
> machine? If not, with what IP should I set ufw rules? (My local
> machine doesn't have a static IP.) Of course, I could alternatively
> expose the socks proxy to the world with a password; How secure will
> that be?

Sorry, not familiar with ufw; generally you need to allow only connections
from the WG interface, or from the internal IP range (or just the "Address ="
of the client), and block all others.

-- 
With respect,
Roman
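The split-tunnel setup discussed in this thread, as an added example that is not part of the original messages. The interface name wg0, the 10.0.0.0/24 in-VPN range, the ports 51820 and 1080, and the ufw commands in the comments are assumptions chosen for illustration; keys and the public endpoint are placeholders.

```ini
# --- Client: /etc/wireguard/wg0.conf (constructed example) ---
[Interface]
PrivateKey = <client-private-key>
# Client's in-VPN address (assumed value).
Address = 10.0.0.2/32

[Peer]
PublicKey = <server-public-key>
# Public address of the VPS; only the encrypted WireGuard UDP flow goes here.
Endpoint = <server-public-ip>:51820
# Before (full tunnel): all IPv4 and IPv6 traffic is routed into the VPN.
# AllowedIPs = 0.0.0.0/0, ::/0
# After (split tunnel): only the server's in-VPN address is routed via wg0.
AllowedIPs = 10.0.0.1/32

# --- Server: /etc/wireguard/wg0.conf (constructed example) ---
# [Interface]
# PrivateKey = <server-private-key>
# Address = 10.0.0.1/24      <- this "Address" is the in-VPN IP the client uses
# ListenPort = 51820
#
# [Peer]
# PublicKey = <client-public-key>
# AllowedIPs = 10.0.0.2/32   <- accept only the client's in-VPN address
#
# Check the in-VPN address on the server:
#   ip addr list dev wg0
#
# --- Server firewall (ufw, assumed rule set) ---
# The client's changing public IP only ever reaches the WireGuard UDP port.
# The SOCKS proxy is reachable on the WG interface alone and stays closed
# to the public interface.
#   ufw default deny incoming
#   ufw allow 51820/udp
#   ufw allow in on wg0 to 10.0.0.1 port 1080 proto tcp
#
# Bind the SOCKS proxy to 10.0.0.1:1080 rather than 0.0.0.0, and point
# client applications at socks5://10.0.0.1:1080.
```

Because the proxy rule matches on the wg0 interface, it does not depend on the client's public IP, so a non-static client address needs no rule changes.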
