0

I set up my machine going by the tutorial here to make a Wireguard interface the only interface (so any of my applications can only use that to access the internet).

This works as intended, but now I want to exclude my LAN (192.168.0.0/16) from it, so I can access it by SSH, use a HTTP(S) reverse proxy, etc.

New to ip I tried setting up a veth (vethVPN/vethPhys) pair and set the the route for 192.168.0.0/16 via vethPhys IP:

ip link add name vethVPN type veth peer name vethPhys
ip link set vethPhys netns physical
ip -n physical addr add 10.0.0.1/32 dev vethPhys
ip -n physical link set vethPhys up
ip link set vethVPN up
ip -n physical route 192.168.0.0/16 via 10.0.0.1

What do I do wrong? Whats the correct way to accomplish this?

Improve this question

1 Answer 1

Reset to default
0

Very briefly:

By disconnecting your main network namespace from the LAN you can no longer make it "part" of the LAN.

You can either treat your main namespace as a segment different from the LAN, and route between it and the LAN using the "physical" namespace, but this will require correct routes on all the other machines connected to the LAN (which you can distribute e.g. by DHCP, if the device the DHCP server runs on can do that).

Or you can use a different setup: Keep the main namespace connected to the LAN, make a "wireguard" namespace with a macvlan and the wireguard process, move the wg0 interface from that mainspace into your main namespace, and make wg0 the default gateway.

That will ensure every destination address except your LAN will go through the wireguard interface.

Improve this answer
3
  • Would I create the MACVLAN in the main namespace too and then move to the wireguard one? So something like ip link add mac0 link [physicalIf] type macvlan mode bridge ip link set mac0 netns wg_netns And the remaining stuff ip -n wg_netns link add wg0 type wireguard ip -n wg_netns link set wg0 netns wg_netns ip addr add [...] dev wg0 wg setconf wg0 /etc/wireguard/wg0.conf ip link set wg0 up ip route del default ip route add default dev wg0 Am I still missing something? Will try this when I come home. Commented Jun 18, 2021 at 15:20
  • (readable version of the commands here: pastebin.com/raw/N0B4HgYV) Commented Jun 18, 2021 at 15:23
  • You can create the macvlan directly in the "wireguard" namespace. For experimenting, it's also useful to start an xterm inside the namespace (I like to give those a differently colored background). The macvlan should get an IP address inside your LAN through DHCP, just like your normal eth0 (which the macvlan points to). Commented Jun 18, 2021 at 15:23

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.