@mbaezner
Created April 22, 2021 03:13
WireGuard Routing without NAT

WireGuard Configuration

Remove the iptables masquerade rule from the PostUp and PostDown lines of the WireGuard configuration file:

iptables -t nat -A POSTROUTING -o {{ lan_interface }} -j MASQUERADE

Be sure to stop WireGuard first so that PostDown removes the existing iptables rules, then change the configuration file and start WireGuard again.
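As an added example (not part of the gist), the following POSIX shell script performs the edit described above on a wg-quick server config: it strips the `iptables -t nat ... POSTROUTING ... MASQUERADE` command from the PostUp and PostDown lines while leaving any other commands on those lines (such as FORWARD accept rules) intact, and then checks that no masquerade rule remains. The sample config, the interface names wg0 and eth0, and the key placeholders are all constructed for the demo; the script only touches a temporary directory and never calls wg-quick itself.

```shell
#!/bin/sh
# Added example: rewrite a wg-quick config so PostUp/PostDown no longer masquerade.
# Assumes the masquerade command is written as in the gist:
#   iptables -t nat -A|-D POSTROUTING -o <real interface name> -j MASQUERADE
# and that multiple commands on a hook line are joined with ';'.
set -eu

# Return 0 if a PostUp/PostDown line still contains a MASQUERADE target, 1 otherwise.
has_masquerade() {
    grep -Eq '^(PostUp|PostDown)[[:space:]]*=.*-j[[:space:]]+MASQUERADE' "$1"
}

# Copy config $1 to $2 with the masquerade command removed from each hook line.
# 1st expression: drop the nat/POSTROUTING command (and a preceding ';' if any).
# 2nd expression: tidy "= ; cmd" when the masquerade command came first.
# 3rd expression: drop a hook line that is now empty.
strip_masquerade() {
    sed -E \
        -e '/^(PostUp|PostDown)[[:space:]]*=/ s/;?[[:space:]]*iptables -t nat -[AD] POSTROUTING -o [^ ;]+ -j MASQUERADE//' \
        -e '/^(PostUp|PostDown)[[:space:]]*=/ s/=[[:space:]]*;[[:space:]]*/= /' \
        -e '/^(PostUp|PostDown)[[:space:]]*=[[:space:]]*$/d' \
        "$1" > "$2"
}

# Constructed sample config (NAT variant) written to path $1; keys are placeholders.
make_sample_config() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32
EOF
}

# Demo on the constructed config; only a temporary directory is touched.
tmp=$(mktemp -d)
make_sample_config "$tmp/wg0.conf"
strip_masquerade "$tmp/wg0.conf" "$tmp/wg0.nonat.conf"
if has_masquerade "$tmp/wg0.nonat.conf"; then
    echo "MASQUERADE rule still present, review the hook lines by hand" >&2
else
    echo "Rewritten config (stop WireGuard, install this file, then start it again):"
    cat "$tmp/wg0.nonat.conf"
fi
```

Because the FORWARD rules survive the rewrite, routed traffic between the WireGuard network and the LAN is still permitted; what changes is that replies now have to be routed back to the WireGuard server by the LAN gateway, which is exactly what the pfSense and VyOS sections below configure.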

pfSense Configuration

Add a gateway for the WireGuard server:

  1. Navigate to System -> Routing: Gateways; Click Add
    1. Change "Interface" to {{ lan_interface }}
    2. Enter the "WireGuard" into the "Name" field
    3. Enter the WireGuard server IP into the "Gateway" field
    4. Click "Save"

Add a static route for the WireGuard network directing traffic to the WireGuard gateway:

  1. Navigate to System -> Routing: Static Routes; Click Add
    1. Enter the WireGuard network into the "Destination network" field
    2. Change "Gateway" to the WireGuard gateway (from the previous steps)
    3. Click "Save"

Add a firewall rule allowing traffic from the WireGuard network out to the Internet:

  1. Navigate to Firewall -> Rules: LAN
    1. Copy the "Default allow LAN to any" rule
    2. Change "Source" to "Network" and enter the WireGuard network
    3. Click "Save"


VyOS Configuration

Add a static route for the WireGuard network directing traffic to the WireGuard server:

set protocols static route '{{ wireguard_network_ipv4 }}' next-hop '{{ wireguard_server_ipv4 }}'

Add a NAT rule for traffic bound for the Internet:

set nat source rule 20 description 'Masquerade all outbound traffic from WireGuard'
set nat source rule 20 outbound-interface '{{ wan_interface }}'
set nat source rule 20 source address '{{ wireguard_network_ipv4 }}'

Be sure to commit the changes, and save them once testing confirms they work.

Appendix A: Pi-Hole Configuration

By default dnsmasq (the DNS server used by Pi-Hole) only accepts requests from the local network, so requests arriving from the WireGuard network are ignored (see the dnsmasq man page).

Configure Pi-Hole to accept traffic from the primary interface. Create "/etc/dnsmasq.d/interface.conf" on the Pi-Hole server:

interface={{ interface }}

Restart Pi-Hole with systemctl restart pihole-FTL (or docker restart pihole when running in a container).

Alternatively, bind dnsmasq to explicit addresses instead of an interface.

Create "/etc/dnsmasq.d/local.conf" on the Pi-Hole server:

listen-address=127.0.0.1
listen-address={{ local_network }}

Restart Pi-Hole with systemctl restart pihole-FTL (or docker restart pihole when running in a container).
