this post was submitted on 28 Oct 2024

networking


I have a server with WireGuard in a container with host networking. I want to assign an IPv6 subnet to each peer (e.g. fd42:413d:a91f:dd37::/64) so that the client (my laptop) can freely use all the addresses in that subnet, and the corresponding port ranges, as a separate network interface. Meanwhile, on the server, that exact same IP and port is routed to that specific client, but through the tunnel.

Here's an example:

  1. Server config

    [Interface]
    Address = fd42::1/128
    ListenPort = 51820
    PrivateKey = <key>
    
    [Peer]
    PublicKey = <key>
    AllowedIPs = fd42:413d:a91f:dd37::/64
    
  2. Client config

    [Interface]
    PrivateKey = <key>
    Address = fd42:413d:a91f:dd37::1/64
    
    [Peer]
    PublicKey = <key>
    Endpoint = server.local:51820
    AllowedIPs = fd42:413d::/32, fd42:413d:a91f:dd37::/64
    
  3. Run a server on the client

    python -m http.server 8080 --bind fd42:413d:a91f:dd37::1 -d dist
    
  4. Access on the server

    curl -svL http://[fd42:413d:a91f:dd37::1]:8080/
    

I can't get step 4 to work. It's also entirely possible that my lack of knowledge in networking is making me think this is even possible in the first place. Any help is appreciated!

top 2 comments
[email protected] 2 points 1 week ago (1 children)

I'm a little confused where the NAT comes in. It sounds like you want to use the same addresses on the server and the client, which means that there is no translation going on, just routing?

I'm not familiar with wireguard, so I'm not going to be much help with that, but I'd imagine that you need to tell the server that that subnet is routed via the wireguard interface? If you do like ip -6 route on the server do you see that fd42:413d:a91f:dd37::/64 is routed via wireguard?

[email protected] 1 points 1 week ago

It doesn't have to be the same address, just one that I can be sure is associated with a specific peer.

Here's what I see with ip -6 route:

    2405:201:d03c:d849::/64 dev enp1s0 proto ra metric 100 pref medium
    fd42::1 dev wg0 proto kernel metric 256 pref medium
    fe80::/64 dev docker0 proto kernel metric 256 pref medium
    fe80::/64 dev vethe60384e proto kernel metric 256 pref medium
    fe80::/64 dev veth9415685 proto kernel metric 256 pref medium
    fe80::/64 dev vetha288603 proto kernel metric 256 pref medium
    fe80::/64 dev veth99b7aad proto kernel metric 256 pref medium
    fe80::/64 dev vethabf9238 proto kernel metric 256 pref medium
    fe80::/64 dev enp1s0 proto kernel metric 1024 pref medium
    default via fe80::8ea3:99ff:fe5a:d796 dev enp1s0 proto ra metric 100 pref high

> I'm a little confused where the NAT comes in.

I think I misunderstood how NAT works.
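
As an added example (not part of the original thread), the route check suggested in the first reply can be run against the posted `ip -6 route` output: this script does a longest-prefix match for the client's address and also tests whether the client's AllowedIPs would accept packets sourced from the server's fd42::1. The function names are hypothetical, route metrics are ignored, and it assumes the server sources its request from its wg0 address.

```python
import ipaddress

# `ip -6 route` output as posted in the thread (duplicate veth lines omitted).
ROUTES = """\
2405:201:d03c:d849::/64 dev enp1s0 proto ra metric 100 pref medium
fd42::1 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
fe80::/64 dev enp1s0 proto kernel metric 1024 pref medium
default via fe80::8ea3:99ff:fe5a:d796 dev enp1s0 proto ra metric 100 pref high
"""
# AllowedIPs the posted client config lists for the server peer.
CLIENT_ALLOWED = ["fd42:413d::/32", "fd42:413d:a91f:dd37::/64"]


def parse_routes(text):
    """Return (network, device) pairs from `ip -6 route` output."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "::/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        table.append((ipaddress.ip_network(prefix), dev))
    return table


def egress_device(table, dest):
    """Longest-prefix match: the device the kernel would pick for dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in table if addr in net]
    return max(matches)[1] if matches else None


def accepted_by_peer(allowed_ips, src):
    """WireGuard drops decrypted packets whose source is outside AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in allowed_ips)


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    print("to client /64 :", egress_device(table, "fd42:413d:a91f:dd37::1"))
    print("to fd42::1    :", egress_device(table, "fd42::1"))
    print("client accepts src fd42::1:", accepted_by_peer(CLIENT_ALLOWED, "fd42::1"))
```

On the posted data the client's /64 resolves to the default route on enp1s0 rather than wg0, and fd42::1 falls outside the AllowedIPs the client lists for the server.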