
I built a server (VPS) which plays the role of my gateway. My whole personal network is connected behind it through WireGuard. Everything works well; I followed more or less https://openbsdrouterguide.net and the pf documentation.

My problem now is: I would like my gateway to communicate with the internet (except for my personal network) through ProtonVPN using WireGuard. I built a new wg interface on it with the Proton config, and it apparently works well. But I have no idea how to pass the outgoing traffic (to the internet) of my private LAN (wg0) through the Proton interface (wg1) before it goes out.

Is it a routing question or a pf rules thing?

Thanks in advance if you can give me some hints.

2 Answers


First you need to make sure wg1 is the egress interface on the VPS (i.e., that all traffic TO the internet will go out on that interface). This can be achieved by setting the remote end of wg1 as the default gateway, using route. If the VPS has other interfaces (and gateways), you might want to change wg1's priority. route will also help to make sure everything works as expected: route -n show to check the routing table and route -n get <some_external_ip_address> to check through which interface packets will leave the machine.

Then you'll need to NAT the incoming traffic (i.e. from wg0) to wg1, using PF, with something along the lines of

vps = <ip_addresses of the vps>
my_lan = <ip addresses of the LAN, or its network range>

pass in on wg0 from $my_lan to !$vps
pass out on wg1 from $my_lan nat-to wg1

in /etc/pf.conf (please DO NOT copy-paste this blindly; adapt it to your case).

I'd actually try each step separately: first simply try to set up NATing and see if the VPS is acting as a gateway, without using ProtonVPN. Then disable NAT, make ProtonVPN the default gateway, and check if the VPS accesses the internet through it by default. And then finally tie both things together.

Also, note that changing routing tables and PF rules on a remote machine is a tried and tested way of locking yourself out. We've all been there. Console access is desirable.


Many thanks Zé. It helps a lot. I was not aware of route get! I should read more man pages :o I am not sure I have a "safe" config, but it works! I will give some steps in case it can help someone else. After both wg interfaces are installed on the VPS server:

  1. Change the default route to be the IP of the wg1 (ProtonVPN) interface. All outgoing traffic will go through wg1.

  2. Add a route with destination the ProtonVPN endpoint (the one you put in wg1 as Endpoint) and with gateway the original ISP gateway. This allows reaching the ProtonVPN endpoint through your internet connection interface.

  3. Add routes with destination your computers' external IPs in the private LAN and with gateway your ISP's gateway! Indeed, wg0, my private LAN, should not communicate through ProtonVPN; otherwise it messes everything up, because communication arrives at my VPS IP and goes out through ProtonVPN... This step was necessary for me; maybe there is another option? Because I am stuck with dynamic IPs. For wg it's OK with the keepalive option. But for the routing table, should I script it? Should I use pf rdr-to?

  4. Add translation rules in pf (also pass in/out on wg0 and wg1):

  • pass out on $ext from wg0:network to any nat-to $ext # this allows communication with my private LAN; $ext is my interface connected to the internet
  • pass out on $ext from wg1:network to any nat-to $ext
  • pass out on $wg1 from wg0:network to any nat-to $ext # NAT traffic from the private LAN to ProtonVPN

any idea for point 3?

Comment (Apr 18, 2022 at 21:29): I have used dynamic DNS services such as noip.com in the past, for something similar to your point 3.
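The procedure described in both answers (bypass routes for the ProtonVPN endpoint and the wg0 peers, default route through wg1, pf NAT for the private LAN), written as one OpenBSD shell script. This is an added example, not code from the question or either answer; every address, port and interface name (vio0, 203.0.113.1, 10.2.0.1, 198.51.100.10, 192.0.2.x, port 51820) is a placeholder, and the script assumes wg1 is configured with a netmask that makes the ProtonVPN-side address on-link. It runs in dry-run mode by default and only prints what it would do, which is the safe way to review the changes before applying them from a console session:

```shell
#!/bin/sh
# Added example (not from the original answers): OpenBSD VPS acting as the
# WireGuard gateway discussed above.
#   wg0     private LAN tunnel (home machines with dynamic public IPs)
#   wg1     ProtonVPN tunnel, which becomes the default route
#   EXT_IF  the ISP-facing interface of the VPS
# All values below are placeholders (assumptions), adapt them.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them.
# Apply only with console access: a wrong default route locks you out.

DRY_RUN="${DRY_RUN:-1}"

EXT_IF="vio0"                       # ISP-facing interface
ISP_GW="203.0.113.1"                # original ISP default gateway
WG1_GW="10.2.0.1"                   # ProtonVPN side of wg1 (must be on-link)
PROTON_EP="198.51.100.10"           # address used as wg1's peer Endpoint
WG0_PORT="51820"                    # UDP port wg0 listens on
LAN_PEERS="192.0.2.20 192.0.2.21"   # current public IPs of the wg0 peers
PROBE="192.0.2.200"                 # some external address for route -n get

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 2 and 3: host routes that must bypass the VPN. Without them the
# ProtonVPN endpoint would be routed into wg1 itself, and replies to the
# wg0 peers would leave with ProtonVPN's address and never come back.
# Re-run this function when a peer's dynamic IP changes (e.g. from cron
# after resolving a dynamic DNS name).
bypass_routes() {
    run route -n add -host "$PROTON_EP" "$ISP_GW"
    for p in $LAN_PEERS; do
        run route -n add -host "$p" "$ISP_GW"
    done
}

# Step 1: everything else leaves through ProtonVPN.
default_via_vpn() {
    run route -n change default "$WG1_GW"
}

# Step 4: pf fragment. LAN traffic leaving on wg1 is NATed to wg1's own
# (ProtonVPN-assigned) address; the tunnels' outer UDP packets use the
# VPS's ISP address and need no translation.
pf_rules() {
    cat <<EOF
set skip on lo
block return
# outer WireGuard packets on the ISP interface
pass out on $EXT_IF inet proto udp from ($EXT_IF) to $PROTON_EP
pass in on $EXT_IF inet proto udp to ($EXT_IF) port $WG0_PORT
# private LAN -> internet, hidden behind wg1
pass in on wg0 from wg0:network to any
pass out on wg1 from wg0:network nat-to (wg1)
# the VPS's own traffic
pass out on wg1 from (wg1) to any
pass out on $EXT_IF from ($EXT_IF) to any
EOF
}

# The checks the first answer recommends before tying things together.
verify() {
    run route -n get "$PROTON_EP"   # expect gateway ISP_GW, interface EXT_IF
    run route -n get "$PROBE"       # expect interface wg1
}

main() {
    run sysctl net.inet.ip.forwarding=1
    bypass_routes
    default_via_vpn
    if [ "$DRY_RUN" = 1 ]; then
        pf_rules
    else
        pf_rules > /etc/pf.conf.wgvpn
        run pfctl -nf /etc/pf.conf.wgvpn   # syntax check only; merge by hand
    fi
    verify
}

main
```

Run it once with the defaults to read the planned routes and pf rules, then `DRY_RUN=0 sh gateway.sh` from the console. The pf fragment is written to a separate file and only syntax-checked so that it can be merged into the existing /etc/pf.conf rather than replacing it.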
