@itslukej
Created September 16, 2023 01:12
Tunneling a whole process through wireguard

Certain company blocking a certain hosting provider? No problem: run the process inside a network namespace whose only interface is a WireGuard tunnel to a small VPS. Everything the process sends then leaves the VPS with the VPS's address, and inbound connections to the VPS are forwarded back through the tunnel, so the process is not tied to the blocked hoster's address range at all.

Consider server A your blocked server (where the process runs) and server B your VPS (which relays for it).

Step 1: Generate a keypair on server A and server B

Run these with umask 077 (or chmod 600 the .key files afterwards) so the private keys are not world-readable. Each private key stays on the host that generated it; only the .pub files are copied to the other side.

Server A:

wg genkey > endpoint-a.key
wg pubkey < endpoint-a.key > endpoint-a.pub

Server B:

wg genkey > endpoint-b.key
wg pubkey < endpoint-b.key > endpoint-b.pub

Step 2: Configure server B

Server B is managed by wg-quick, so its config may use wg-quick-only keys such as Address, PreUp and PostDown. Create /etc/wireguard/wg0.conf with the following content (replace <endpoint-b.key> and <endpoint-a.pub> with the key material from step 1):

[Interface]
PrivateKey = <endpoint-b.key>
Address = 10.0.0.2/32
ListenPort = 51822

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE

[Peer]
PublicKey = <endpoint-a.pub>
AllowedIPs = 10.0.0.1/32

The PreUp rules enable forwarding, mark every packet that arrives over wg0 with 0x30 and masquerade only marked packets when they leave on any interface other than wg0. The mark restricts NAT to traffic that came out of the tunnel, so server B does not become a general-purpose NAT box for anything else that happens to traverse it. AllowedIPs = 10.0.0.1/32 means B accepts only packets sourced from 10.0.0.1 over this peer and routes only that address back into it.

Turn on the interface:

wg-quick up wg0

Allow forwarding for a port (inbound connections to B on <port> are rewritten to 10.0.0.1 and sent down the tunnel; conntrack handles the reverse translation of the replies):

iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination 10.0.0.1

Two checks before relying on this: the FORWARD chain on B must accept the forwarded traffic (it will not if its policy is DROP), and this rule is not part of the wg-quick config, so it is gone after a reboot unless you persist it or move it into PreUp/PostDown lines like the ones above. Restricting the rule to B's public interface with -i <public interface> keeps it from matching packets that arrive on wg0 itself.

Step 3: Configure server A

On server A the config is loaded with wg setconf inside a namespace, not with wg-quick, so it may contain only keys that wg(8) understands: no Address, PreUp or PostDown. The address is assigned with ip below. AllowedIPs = 0.0.0.0/0 makes every destination reachable through the peer, which, combined with the default route below, sends all of the process's traffic to B. Create /etc/wireguard/wg0.conf with the following content:

[Interface]
PrivateKey = <endpoint-a.key>
ListenPort = 51821

[Peer]
PublicKey = <endpoint-b.pub>
Endpoint = <server B ip address>:51822
AllowedIPs = 0.0.0.0/0

If server A sits behind NAT, or the process only ever receives inbound connections, add PersistentKeepalive = 25 to the [Peer] section so that B always has a current endpoint for A; otherwise the DNAT on B has nowhere to send packets once the mapping goes stale.

Set up the namespace. The wg0 interface is deliberately created in the host namespace and moved into pvt-net1 afterwards: a WireGuard interface keeps its UDP socket in the namespace it was created in, so the encrypted traffic still leaves through the host's normal networking while processes inside pvt-net1 see nothing but wg0 and lo:

ip netns add pvt-net1
ip -n pvt-net1 link set lo up
ip link add wg0 type wireguard
ip link set wg0 netns pvt-net1
ip netns exec pvt-net1 wg setconf wg0 /etc/wireguard/wg0.conf
ip -n pvt-net1 address add 10.0.0.1/32 dev wg0
ip -n pvt-net1 link set wg0 up
ip -n pvt-net1 route add default dev wg0

Make DNS work. The host's resolver (for example a systemd-resolved stub on 127.0.0.53) is not reachable from inside the namespace, so give the namespace its own resolv.conf pointing at a resolver that is reached through the tunnel. ip netns exec bind-mounts /etc/netns/<name>/resolv.conf over /etc/resolv.conf automatically; systemd does not, which is why the service unit below mounts it explicitly. The chmod lets the service's (non-root) user read the file:

mkdir -p /etc/netns/pvt-net1
echo nameserver 1.1.1.1 > /etc/netns/pvt-net1/resolv.conf
chmod -R o+rX /etc/netns

Alter the systemd unit of your process to use the new namespace and its DNS. Add these two directives to the [Service] section (systemctl edit <your service> creates a drop-in for this):

NetworkNamespacePath=/run/netns/pvt-net1
BindReadOnlyPaths=/etc/netns/pvt-net1/resolv.conf:/etc/resolv.conf

Then reload and restart:

systemctl daemon-reload
systemctl restart <your service>

To confirm the process really has no other way out, run ip netns exec pvt-net1 ip route: the only default route must be via wg0, and wg show inside the namespace should list a recent handshake with B.
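As an added example, not part of the gist, the script below wraps steps 2 and 3 in shell functions: it renders server B's wg-quick config, server A's setconf-only config and the systemd drop-in from a few parameters, refuses to hand wg setconf a file containing wg-quick-only keys, and performs the namespace setup idempotently. The function names, the "b-conf"/"a-conf"/"dropin"/"setup"/"verify" subcommands and the PersistentKeepalive line in A's config are my additions; the addresses, ports and the pvt-net1 name follow the gist. The setup and verify functions need root and the wireguard-tools package and are only meaningful on the real hosts.

```shell
#!/bin/sh
# Added example (not the gist's code): render and apply the WireGuard
# namespace setup described above. Placeholder keys and hosts are passed
# in as arguments; nothing here generates key material.
set -eu

# Server B runs its config under wg-quick, so wg-quick-only keys
# (Address, PreUp, PostDown) are allowed here.
render_b_conf() {
  b_key=$1 a_pub=$2 listen=${3:-51822}
  cat <<EOF
[Interface]
PrivateKey = $b_key
Address = 10.0.0.2/32
ListenPort = $listen

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE

[Peer]
PublicKey = $a_pub
AllowedIPs = 10.0.0.1/32
EOF
}

# Server A's config is loaded with `wg setconf`, which only accepts wg(8)
# keys. PersistentKeepalive is an addition of this example so that B keeps
# a current endpoint for A even when A only receives inbound connections.
render_a_conf() {
  a_key=$1 b_pub=$2 b_host=$3 b_port=${4:-51822}
  cat <<EOF
[Interface]
PrivateKey = $a_key
ListenPort = 51821

[Peer]
PublicKey = $b_pub
Endpoint = $b_host:$b_port
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Exit 0 only if the file contains no key that wg setconf would reject.
check_setconf_safe() {
  ! grep -Eq '^[[:space:]]*(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)[[:space:]]*=' "$1"
}

# systemd drop-in for the tunnelled service (goes under [Service]).
render_dropin() {
  ns=$1
  cat <<EOF
[Service]
NetworkNamespacePath=/run/netns/$ns
BindReadOnlyPaths=/etc/netns/$ns/resolv.conf:/etc/resolv.conf
EOF
}

# Create the namespace on server A and move a fresh wg0 into it. wg0 is
# created in the host namespace first so its UDP socket stays there.
# Safe to rerun: existing namespace/interface/address/route are reused.
setup_namespace() {
  ns=$1 conf=$2 addr=${3:-10.0.0.1/32} dns=${4:-1.1.1.1}
  check_setconf_safe "$conf" || { echo "$conf has wg-quick-only keys" >&2; return 1; }
  [ -e "/run/netns/$ns" ] || ip netns add "$ns"
  ip -n "$ns" link set lo up
  if ! ip -n "$ns" link show wg0 >/dev/null 2>&1; then
    ip link add wg0 type wireguard
    ip link set wg0 netns "$ns"
  fi
  ip netns exec "$ns" wg setconf wg0 "$conf"
  ip -n "$ns" address replace "$addr" dev wg0
  ip -n "$ns" link set wg0 up
  ip -n "$ns" route replace default dev wg0
  mkdir -p "/etc/netns/$ns"
  printf 'nameserver %s\n' "$dns" > "/etc/netns/$ns/resolv.conf"
  chmod -R o+rX /etc/netns
}

# Inside the namespace the only default route must be via wg0 and every
# peer must have completed at least one handshake (epoch 0 means never).
verify_namespace() {
  ns=$1
  ip -n "$ns" route show default | grep -q 'dev wg0' \
    || { echo "no default route via wg0 in $ns" >&2; return 1; }
  ip netns exec "$ns" wg show wg0 latest-handshakes \
    | awk '$2 == 0 { bad = 1 } END { exit bad + 0 }'
}

case "${1:-}" in
  b-conf) shift; render_b_conf "$@" ;;
  a-conf) shift; render_a_conf "$@" ;;
  dropin) shift; render_dropin "$@" ;;
  setup)  shift; setup_namespace "$@" ;;
  verify) shift; verify_namespace "$@" ;;
  "")     ;;  # no subcommand: only define the functions
  *)      echo "usage: $0 b-conf|a-conf|dropin|setup|verify ..." >&2; exit 2 ;;
esac
```

On server B: ./wg-netns.sh b-conf "$(cat endpoint-b.key)" "$(cat endpoint-a.pub)" > /etc/wireguard/wg0.conf, then wg-quick up wg0 and the DNAT rule from step 2. On server A: ./wg-netns.sh a-conf "$(cat endpoint-a.key)" "$(cat endpoint-b.pub)" <server B ip address> > /etc/wireguard/wg0.conf, then ./wg-netns.sh setup pvt-net1 /etc/wireguard/wg0.conf, ./wg-netns.sh dropin pvt-net1 into the service's drop-in, and ./wg-netns.sh verify pvt-net1 after the restart. The setconf check exists because wg setconf aborts on an Address line, which is the most common mistake when the same file is reused on both ends.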

Credit

This whole config was derived from https://www.procustodibus.com/blog/2023/04/wireguard-netns-for-specific-apps. All credit goes to them!

@SecondaryH

Hey, first of all thank you very much for the handy guide!

I've followed your steps and I think it's running correctly, but how do I actually get connected again? The service shows as offline through the browser.

@ShipkaChalk

Inspired me to do something similar, but I wanted to do it with Docker so I could easily containerise it on both ends and make it portable:

https://gist.github.com/ShipkaChalk/629fdc42dad781776d2007fc502188f3
