Do you have a linux-based gateway you can manage yourself? And that gateway has dnsmasq and iptables/netfilter available? If yes then you can selectively route traffic over a wireguard interface and leave the rest to go to default.
Warning... this is expert stuff...

in dnsmasq.static set list of all the domains you want to send over wireguard...

ipset=/example.com/VPN_LIST_IPV4,VPN_LIST_IPV6
ipset=/example.org/VPN_LIST_IPV4,VPN_LIST_IPV6

Export some environment variables...

VPN2IF="wg2"
VPN2IP="10.11.12.13"
VPN2DNS="8.8.8.8"
INTIF="eth1"
INTIP="192.168.0.1"

And execute the following to create the wireguard interface, setup the network routing and iptables rules, etc... Note that your system may use just "iptables" for IPv4 rather than "ip4tables" and that your firewall netfilter chains might be named differently from mine. But if you are familiar enough with iptables/netfilter then you should be able to figure it out...

# =============================================================================
# Route traffic to select domains over $VPN2IF

# Start by creating a wireguard VPN interface
if ! ip link show dev $VPN2IF >/dev/null 2>&1; then
    ip link add dev $VPN2IF type wireguard
    ip address add dev $VPN2IF $VPN2IP/32
    wg setconf $VPN2IF /etc/wireguard/$VPN2IF.conf
    ip link set up dev $VPN2IF
fi

# route DNS IP address over the VPN in default routing table
ip route add $VPN2DNS dev $VPN2IF

# create a new routing table (400) with default route to VPN interface
# and send all packets marked with 0x8 bit to that table
ip route add default dev $VPN2IF table 400
ip rule add from $INTIP/24 fwmark 0x8/0x8 table 400 priority 2000

# create an ipset hash which dnsmasq will save all IP addresses for the domains
# and add the 0x8 firewall mark to all traffic going to those destinations
ipset -exist create VPN_LIST_IPV4 hash:ip family inet
ip4tables -t mangle -A PREROUTING -i $INTIF -m set --match-set VPN_LIST_IPV4 dst -j MARK --set-xmark 0x8/0x8

# make sure traffic from my internal interface is permitted to forward to/from the VPN interface
ip4tables -A FORWARD_CHAIN -i $INTIF -o $VPN2IF -j ACCEPT
ip4tables -A FORWARD_CHAIN -i $VPN2IF -o $INTIF -j ACCEPT

# and NAT traffic over the VPN
ip4tables -t nat -A NAT_POSTROUTING_CHAIN -s $INTIP/24 ! -d $INTIP/24 -o $VPN2IF -j MASQUERADE

# the VPN does not support IPv6 so drop all attempts to connect by IPv6
ipset -exist create VPN_LIST_IPV6 hash:ip family inet6
ip6tables -I FORWARD_CHAIN -i $INTIF -m set --match-set VPN_LIST_IPV6 dst -j DROP

On Fri, Oct 9, 2020 at 10:05 AM Roman Mamedov <[email protected]> wrote:
>
> On Fri, 9 Oct 2020 17:16:18 +0330
> Rudi C <[email protected]> wrote:
>
> > On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov <[email protected]> wrote:
> > > Seems like you misunderstand what I mean. If you use the in-VPN
> > > (internal) IP of your VPS, all communication with the SOCKS proxy
> > > installed on the VPS will happen via the WireGuard tunnel. No DPI can
> > > look into that.
> >
> > You're right! Some questions:
> > 1. What should I do client-side so that wireguard only covers my VPS's
> > IP (and does not otherwise route traffic)? Will `AllowedIPs =
> > SERVER_IP/32` do it?
>
> SERVER_IP should be the in-VPN IP here, otherwise yes, and remove 0.0.0.0/0
> and ::/0 from AllowedIPs.
>
> > 2. How do I get the in-VPN IP of the server? Is it `Address` in
> > `[Interface]`?
>
> Yes. You can confirm via "ip addr list dev wgX" on the server.
>
> > 3. I use ufw for the firewall on the server. Will ufw block my local
> > machine? If not, with what IP should I set ufw rules? (My local
> > machine doesn't have a static IP.) Of course, I could alternatively
> > expose the socks proxy to the world with a password; How secure will
> > that be?
>
> Sorry, not familiar with ufw; generally you need to allow only connections
> from the WG interface, or from the internal IP range (or just the "Address ="
> of the client), and block all others.
>
> --
> With respect,
> Roman
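A post-setup leak check for the dnsmasq ipset + fwmark policy routing described in the message above. This is an added example, not code from the original post; it assumes the same VPN2IF/INTIF/INTIP variable names, the VPN_LIST_IPV4 set and mark 0x8 from the script, and that dig and ipset are installed on the gateway.

```shell
#!/bin/sh
# Leak check for selective WireGuard routing (added example, not from the post).
# Assumes the variable names, set name and fwmark used in the gateway script.
VPN2IF="${VPN2IF:-wg2}"
INTIF="${INTIF:-eth1}"
INTIP="${INTIP:-192.168.0.1}"

# Emit one dnsmasq "ipset=" directive for a domain, refusing names that would
# break the directive syntax ('/' or ',' in the name) or are not valid hostnames.
dnsmasq_ipset_line() {
    domain="$1"; set4="$2"; set6="$3"
    case "$domain" in
        *[!a-zA-Z0-9.-]*|.*|*.|"") return 1 ;;
    esac
    printf 'ipset=/%s/%s,%s\n' "$domain" "$set4" "$set6"
}

# Given one line of "ip route get" output, succeed only when the chosen egress
# device is the WireGuard interface, i.e. the fwmark steered it into table 400.
route_uses_vpn() {
    printf '%s\n' "$1" | grep -q " dev $VPN2IF "
}

# Resolve a domain through the gateway's dnsmasq, then confirm each IPv4 answer
# landed in the ipset and that marked traffic to it would egress via the VPN.
# Must run as root on the gateway; reports LEAK lines and returns non-zero if any.
verify_domain() {
    domain="$1"; rc=0
    for ip in $(dig +short A "$domain" @"$INTIP"); do
        case "$ip" in *[!0-9.]*) continue ;; esac   # skip CNAME targets in output
        if ! ipset test VPN_LIST_IPV4 "$ip" >/dev/null 2>&1; then
            echo "LEAK: $ip for $domain not in VPN_LIST_IPV4"; rc=1; continue
        fi
        out=$(ip route get "$ip" from "$INTIP" iif "$INTIF" mark 0x8 2>/dev/null | head -n1)
        if route_uses_vpn "$out"; then
            echo "OK:   $ip via $VPN2IF"
        else
            echo "LEAK: $ip would egress outside $VPN2IF: $out"; rc=1
        fi
    done
    return $rc
}

# Usage on the gateway:  . ./wg-leakcheck.sh && verify_domain example.com
```

A LEAK line for an address that did resolve means either the client bypassed dnsmasq (so the ipset never learned the IP) or the fwmark rule/table 400 is not in place.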
