Wireguard Routing

Hi there,

First of all, I just wanted to thank you for all the work you’ve done in helping others; not only through your well-written blog posts but personally through this forum. I have benefited from using 2 of your guides already. I’m not sure if you have any interest in this but if you had a Patreon or some sort of donation mechanism, I would have gladly donated already.

In relation to my topic posting, I was wondering if you could help point me in the right direction with my Wireguard configuration on my Raspberry Pi. I’ve followed your guide and everything is working as expected. I’m now trying to do something that I can’t seem to find the solution to, perhaps my knowledge is just too limited in this domain to piece together the already available resources.

What I’m trying to accomplish:
In my setup, I want to Wireguard into my RPi using eth0 (which is on one network), and forward all that traffic to wlan0 (which is on another network, a mobile lte hotspot), but both connected to on the RPi.

In short summary: I want to do this because there are services that I need to access that are only authenticated through the Mobile LTE Hotspot. I thought I could simply create a Wireguard tunnel to the RPi (which is connected to the hotspot) to do this. However, then I learned about CGNAT on mobile networks and also realized that I couldn’t do any port-forwarding on a mobile network (duh, I feel ignorant for assuming I could). In order to get around this, I have the RPi connected to a normal internet connection through eth0 and that RPi is also connected to the Mobile Hotspot through wlan0. Would it be possible to route all the traffic from eth0 to wlan0 (and back, I suppose?)
Ultimately, all I’m trying to do is share the IP address of the hotspot, remotely.

I’m not nearly as eloquent as you are in describing complex scenarios so I drew out a diagram that might explain this better.

If this sounds like too much work to simply respond to on a forum, I would love to pay you for any help in solving this/creating a solution.

Thanks again for your time and energy, I would appreciate any insight into this.


Hi Sean,

Thank you for the feedback and words of encouragement. Responses like yours make this all worth it.

I’m about to head out to launch one of my fixed wing UAVs before the wind picks up (we’re about to get storms tonight).

I’ll take a more thorough look at your post tonight and see what I can come up with, if not today, then tomorrow at the latest. Sounds like a useful project!

-TorqueWrench

Hi Sean,

I thought about your post while I was flying yesterday and I’m fairly sure accomplishing what you want is easier than you might have thought (I know, famous last words :sweat_smile:). Thank you for taking the time to put together the diagram and write-up by the way.

In order to forward your traffic from eth0 to wlan0 via the WireGuard interface, I’m fairly certain that all you need to do is edit the output interface in the POSTROUTING rule, changing it from:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

to

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

That is, changing -o eth0 to -o wlan0.

The other instructions in the main WireGuard setup still apply.

I believe WireGuard listens on all interfaces for the port specified in your wg0.conf. Therefore, it should still pick up on the incoming connection regardless of where it comes from (i.e. eth0). We then just need to tell iptables (and thus WireGuard) to NAT/masquerade the traffic out through wlan0.

We may still run into IPv6 issues, but I think that should at least get you started. Let me know how it turns out.

-TorqueWrench

Hi TorqueWrench,

Thank you so much for your prompt reply. I’m sorry for the delay, I had a bunch of non-technical issues arise and I couldn’t get back to this until today. I really appreciate your help and your response.

Your idea is wonderful, so simple and elegant.
However, I’m not sure why but I can’t seem to get it to work.
I’ve done exactly as you said but there seems to be a problem.

I can technically connect to WireGuard from the client sitting on a different network; however, I can’t actually download/browse/ping/etc.

However, WG from both the client and the Raspberry Pi server is claiming that the client is connected and showing transfer, albeit very small (under 1MB received & sent).

I’m wondering if this is an issue with something else related to the network configuration of the OS?
I’m technically connected so something is working?

Also, just to note, the rest of the configuration for WireGuard should be fine because when the configuration is set for only eth0 post up/down or only wlan0 post up/down, it works (not wlan from the hotspot but from the local connection). However, when I’ve tried setting wlan0 for post up and eth0 for post down, coming from the same local network, the same issue arises. It makes me think that something needs to change routing-wise, likely from elsewhere in the OS, but I’m not qualified to make the judgement on that.

Any more wisdom on this would be greatly appreciated.
Thanks again for your patience and my apologies for the extended delay on replying to your help.

Also, just to give some more context as I’m testing with my limited experience.
If the Raspberry Pi is connected to the Hotspot WiFi & the local Ethernet connection, and I set the WireGuard configuration for both PostUp & PostDown to be wlan0 (I’ve confirmed that I’m not mistakenly connected to the local wifi using iwgetid), I can connect to WireGuard but the IP shows that of eth0, not the Hotspot, even though WG is configured for wlan0.

Seems weird, right?

I don’t know if this dings any bells on your side, trying to do further research but again, since I don’t have the necessary background knowledge, I can’t validate/invalidate it.

https://serverfault.com/questions/431593/iptables-forwarding-between-two-interface

Also, I don’t want you to feel like you’re wasting any time here, I’m willing to pay for your time and knowledge. Thanks again.

Just to confirm, you’re seeing received data on the client after a new connection? Interesting, that’s definitely good news so we know the connection is in fact live. I know you said you can’t ping, but what you’re pinging can make a difference. What happens if you ping 1.1.1.1? (For example, being able to ping 1.1.1.1 but not being able to ping cloudflare.com implies a problem with DNS).

Enabling IPv6 Forwarding

You know, I just had an epiphany…WLAN is going to be on IPv6. In my original guide, we never set up IPv6 forwarding, just IPv4. Try going into your RPi and enabling net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf. Don’t forget to reload your configuration with sysctl -p /etc/sysctl.conf (or reboot).

Setting Up WireGuard with IPv6 (ip6tables)

Something else I forgot about: you might actually need to use ip6tables, the IPv6 equivalent of iptables, like @BurntOC did in his post here.

Updating from my previous directive:

to

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

Unfortunately, I’m still not set up for IPv6 so I can’t test this myself.

@BurntOC, you’re our resident IPv6 expert, any other thoughts or input on this?


:+1: Thank you for the offer, but I just appreciate your contribution to the forum and the opportunity to learn from it. If you absolutely insist on repaying me, you can do so in the form of continuing to participate in the discussion board and documenting any/all projects you end up working on!

-TorqueWrench
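The two fixes discussed in this thread (masquerading out of wlan0 instead of eth0, and enabling IPv6 forwarding plus ip6tables rules) are easy to get subtly wrong: a PostDown that names a different interface than PostUp, as in the wlan0/eth0 mix described above, leaves stale NAT rules behind every time the tunnel restarts, and a sysctl.conf with only the IPv4 line silently drops the client's IPv6 traffic. The script below is an added example, not code from the thread or from TorqueWrench's guide. It assumes the interface names used here (eth0 for the Ethernet uplink, wlan0 for the hotspot) and WireGuard's standard %i placeholder for the tunnel interface; it generates a mirrored PostUp/PostDown pair for a chosen egress interface, reports which egress interfaces a config actually masquerades through, and checks a sysctl.conf for both forwarding keys. It only prints and inspects text, so it can be run as an unprivileged user before touching the real wg0.conf.

```shell
#!/bin/sh
# Added example (not from the forum thread or the WireGuard guide it refers to).
# Assumptions: the Pi's Ethernet uplink is eth0 and the LTE hotspot is wlan0,
# as in the thread; %i is WireGuard's placeholder for the tunnel interface.

# Print a PostUp line that accepts forwarded tunnel traffic in both directions
# (IPv4 and IPv6) and masquerades it out of the egress interface given as $1.
wg_postup() {
  egress="$1"
  printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -A FORWARD -o %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE; ip6tables -A FORWARD -i %%i -j ACCEPT; ip6tables -A FORWARD -o %%i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$egress" "$egress"
}

# PostDown must delete exactly the rules PostUp appended: same interface,
# same rule text, -D in place of -A. Deriving it from PostUp guarantees that.
wg_postdown() {
  wg_postup "$1" | sed -e 's/^PostUp/PostDown/' -e 's/ -A / -D /g'
}

# Read wg0.conf text from stdin and print the distinct egress interfaces named
# by its MASQUERADE rules. A correct config prints exactly one interface; two
# means PostUp and PostDown disagree (the wlan0/eth0 mix from the thread).
masq_egress() {
  grep -o 'POSTROUTING -o [^ ]*' | awk '{ print $3 }' | sort -u
}

# Return 0 only when the sysctl.conf at $1 enables both IPv4 and IPv6
# forwarding; the guide's original setup only had the IPv4 line.
forwarding_enabled() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1" &&
  grep -Eq '^[[:space:]]*net\.ipv6\.conf\.all\.forwarding[[:space:]]*=[[:space:]]*1' "$1"
}

# Demo on a constructed wg0.conf fragment and a constructed sysctl.conf.
main() {
  conf=$(mktemp); sysconf=$(mktemp)
  { wg_postup wlan0; wg_postdown wlan0; } > "$conf"
  printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' > "$sysconf"
  cat "$conf"
  echo "egress interfaces in config: $(masq_egress < "$conf" | tr '\n' ' ')"
  if forwarding_enabled "$sysconf"; then
    echo "sysctl: IPv4 and IPv6 forwarding enabled"
  else
    echo "sysctl: forwarding incomplete (check net.ipv6.conf.all.forwarding)"
  fi
  rm -f "$conf" "$sysconf"
}
main "$@"
```

To apply it to a real setup, paste the two generated lines into the [Interface] section of wg0.conf, run `masq_egress < /etc/wireguard/wg0.conf` to confirm only wlan0 appears, and run `forwarding_enabled /etc/sysctl.conf` before `sysctl -p`. After the change, `iptables -t nat -L POSTROUTING -v` (and the ip6tables equivalent) should show a single MASQUERADE rule with wlan0 as the out interface and a rising packet counter while the client browses.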