bit


I finally managed to replicate your setup almost exactly. The only difference is that I used WireGuard instead of OpenVPN. The most notable thing in this setup is rp_filter. I was not aware of it and thus spent multiple weeks figuring it out.

Anyone following these directions: Do not customize AllowedIPs thinking you will tighten security - you will break packet routing. Do not forget the rp_filter part. You do not have to run the Windows instance in a VM. You could simply connect the Windows server to the same network using the TunSafe client.

eressea, thanks for the initial guide. It was absolutely essential in making transparent proxying happen for me :)

#### Setup

```
+--+-------------------+------+          +----------------------------+
|  |                   |      |          |                            |
|  | VM (10.20.0.100) <------------------+ Proxy: 10.21.0.101 (wg21)  |
|  |                   |      |          | y.y.y.y (eth0)             |
|  +-------------------+      |          |                            |
|                             |          +----------------------------+
| Router: 10.20.0.1 (virbr0)  |
|         10.21.0.1 (wg21)    |
|         x.x.x.x (eth0)      |
|                             |
+-----------------------------+
```

#### Server

wg21.conf

```
[Interface]
Address = 10.21.0.1/24
Table = off
SaveConfig = true
ListenPort = 43832
PrivateKey = <...>

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/0 # Required for preserving original source ip
Endpoint = y.y.y.y:43832
```

iptables

```
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# prevent packets with original source from being dropped
echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
echo 1 >/proc/sys/net/ipv4/conf/eth0/rp_filter

wg-quick up wg21

# transparent proxying
ip rule add fwmark 101 table 101
ip route add default via 10.21.0.101 table 101
iptables -t mangle -A PREROUTING -i wg21 -p tcp -m multiport --dport $gs_ports -j CONNMARK --set-mark 101
iptables -t mangle -A PREROUTING -i virbr0 -p tcp -m multiport --sport $gs_ports -j CONNMARK --restore-mark

# forwarding
iptables -t filter -I FORWARD -i wg21 -o virbr0 -p tcp -d $gs -m multiport --dports $gs_ports -j ACCEPT
iptables -t filter -A FORWARD -i wg21 -j ACCEPT
iptables -t filter -A FORWARD -o wg21 -j ACCEPT
```

#### Proxy

wg21.conf

```
[Interface]
Address = 10.21.0.101/32
Table = off
SaveConfig = true
ListenPort = 43832
PrivateKey = <...>

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/0 # Required so that packets can reach 10.20.0.100
Endpoint = x.x.x.x:43832
```

iptables

```
wg-quick up wg21
ip route add 10.20.0.100 dev wg21  # Routing to VM
ip route add 10.21.0.0/24 dev wg21 # Routing to vlan
iptables -A FORWARD -i wg21 -j ACCEPT
iptables -A FORWARD -o wg21 -j ACCEPT

# forward incoming packets to VM
iptables -t nat -A PREROUTING -i $eth0 -p tcp -m multiport --dport $gs_ports -j DNAT --to 10.20.0.100
iptables -t nat -A POSTROUTING -s 10.21.0.0/24 -o eth0 -j MASQUERADE
```
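The two settings the post warns about, AllowedIPs and rp_filter, can be checked before the tunnel is brought up. The Python script below is an added example, not bit's or eressea's code: it parses a wg-quick style config (a constructed sample mirroring the server-side wg21.conf above), flags a peer whose AllowedIPs would not cover the original client source addresses, and simulates the kernel's reverse-path filter decision against a constructed routing table, so the effect of `conf/all/rp_filter = 0` on the tunnel interface is visible without a live host. The interface names, the routing table and the client address 203.0.113.5 are assumptions made for the example.

```python
"""Pre-flight checks for the WireGuard transparent-proxy setup in the post above.

Added example, not the poster's code. Everything here runs offline against
constructed data: a sample wg-quick config and a sample routing table.
"""
import ipaddress
import re

# Constructed sample mirroring the server-side wg21.conf from the post.
SAMPLE_CONF = """
[Interface]
Address = 10.21.0.1/24
Table = off
ListenPort = 43832
PrivateKey = <...>

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/0   # Required for preserving original source ip
Endpoint = y.y.y.y:43832
"""

# Constructed routing table for the router host: (prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route to the internet
    ("10.20.0.0/24", "virbr0"),  # VM bridge
    ("10.21.0.0/24", "wg21"),    # tunnel network from the Address line
]


def parse_wg_conf(text):
    """Parse a wg-quick config into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            name = header.group(1)
            if name == "Peer":
                current = {}
                conf["Peer"].append(current)
            else:
                current = conf.setdefault(name, {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conf


def check_conf(conf):
    """Return the settings that would break the transparent-proxy path."""
    problems = []
    if conf["Interface"].get("Table", "").lower() != "off":
        problems.append("Table is not 'off': wg-quick would install routes for AllowedIPs")
    for i, peer in enumerate(conf["Peer"]):
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if "0.0.0.0/0" not in allowed:
            # Cryptokey routing drops a decrypted packet whose source lies outside
            # AllowedIPs, so a tightened list discards the client traffic that still
            # carries its real source address.
            problems.append(f"peer {i}: AllowedIPs {allowed} does not cover 0.0.0.0/0")
    return problems


def best_route_iface(ip_str, routes=ROUTES):
    """Longest-prefix match: which interface would the host use to reach ip_str?"""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(src_ip, in_iface, rp_filter, routes=ROUTES):
    """Simulate the reverse-path filter for a packet from src_ip arriving on in_iface.

    rp_filter maps sysctl names ('all', 'eth0', ...) to 0 (off), 1 (strict) or
    2 (loose); the kernel applies the higher of conf/all and conf/<iface>.
    """
    mode = max(rp_filter.get("all", 0), rp_filter.get(in_iface, 0))
    if mode == 0:
        return True
    back = best_route_iface(src_ip, routes)
    if back is None:
        return False              # no route back at all: dropped in strict and loose mode
    if mode == 1:
        return back == in_iface   # strict: the reply must leave via the receiving interface
    return True                   # loose: any route back is enough


if __name__ == "__main__":
    print("config problems:", check_conf(parse_wg_conf(SAMPLE_CONF)))
    # Client 203.0.113.5 (constructed) arrives inside the tunnel with its real source.
    for settings in ({"all": 1, "eth0": 1}, {"all": 0, "eth0": 1}):
        print(settings, "accepts tunnelled client packet:",
              rp_filter_accepts("203.0.113.5", "wg21", settings))
    # Strict mode on eth0 still drops an internet packet claiming a bridge address.
    print("eth0 spoofed 10.20.0.100 accepted:",
          rp_filter_accepts("10.20.0.100", "eth0", {"all": 0, "eth0": 1}))
```

With the distribution default of `conf/all/rp_filter = 1`, the client packet arriving on wg21 is dropped because the route back to 203.0.113.5 leaves via eth0, which is exactly the multi-week problem the post describes; with the post's `all = 0, eth0 = 1` the tunnel packet passes while eth0 keeps strict anti-spoofing.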