I have a remote VPS that acts as a wireguard server (keys omitted):
[Interface]
Address = 10.0.0.2/24
[Peer] # self host server
AllowedIPs = 10.0.0.1/32
(The VPS is configured to be a router from the wg0 to it’s WAN via nft masquerading)
And i have another server, my self-host server, which connects to the VPS trough wireguard because it uses wireguard tunnel as a port-forwarder with some nft glue on the VPS side to “port forward” my 443 port:
[Interface]
Address = 10.0.0.1/24
[Peer]
AllowedIPs = 10.0.0.2/24
(omitted the nft glue)
My self-hosted server default route goes trough my home ISP and that must remain the case.
Now, on the self-host server i have one specific user that i need to route trough the wireguard tunnel for it’s outgoing traffic, because i need to make sure it’s traffic seems to originate from the VPS.
The way i usually handle this is with a couple of nft commands to create a user-specific routing table and assign a different default route to it (uid=1070):
 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 192.168.0.1 dev eno1 table 1070
(this is the case, and works, to use eno1 as default gateway for user 1070. Traceroute 8.8.8.8 will show user 1070 going trough eno1, while any other user going trough the default gateway)
If i try the same using the wg0 interface, it doesn’t work.
 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 10.0.0.2 dev wg0 table 1070
This doesnt work, wireguard refuses to allow packets trough with an error like:
ping 8.8.8.8
From 10.0.0.1 icmp_seq=3 Destination Host Unreachable                                            
ping: sendmsg: Required key not available 
I tried to change my self-host server AllowedIps like this:
[Interface]
Address = 10.0.0.1/24
[Peer]
AllowedIPs = 10.0.0.2/24, 0.0.0.0/0
and it works! User 1070 can route trough wireguard. BUT… now this works just too much… because all my self-host server traffic goes trough the wg0, which is not what i want.
So i tried to disable the WireGuard messing with routing tables:
[Interface]
Address = 10.0.0.1/24
Table = off
[Peer]
AllowedIPs = 10.0.0.2/24, 0.0.0.0/0
and manually added the routes for user 1070 like above (repeat for clarity):
 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 10.0.0.2 dev wg0 table 1070
The default route now doesnt get replaced, but now, without any error, the packers for user 1070 just don’t get routed. ping 8.8.8.8 for user 1070 just hangs
I am at a loss… Any suggestions?
(edits for clarity and a few small errors)
- Did you add the vps IP to the routing table of your user? - ip r add 10.0.0.2/32 dev wg0 table 1070?- ip r add 10.0.0.2/32 dev wg0 table 1070 - All the IPs behind wg0 can be pinged by user 1070 without issue, but nothing else - Do a ping of 8.8.8.8 from your user, then open a new console and run tcpdump -i <interface> with first your uplink, then wg0. The packets should be seen on wg0 if they’re routed correctly and the problem then is on the vps side. Otherwise it’s a problem on your local config. - Interesting enough… - tcpdump -i wg0 21:49:49.604220 IP 10.70.0.1 > dns.google: ICMP echo request, id 5337, seq 1, length 64 21:49:49.638242 IP dns.google > 10.70.0.1: ICMP echo reply, id 5337, seq 1, length 64 21:49:50.615200 IP 10.70.0.1 > dns.google: ICMP echo request, id 5337, seq 2, length 64 21:49:50.648361 IP dns.google > 10.70.0.1: ICMP echo reply, id 5337, seq 2, length 64 21:49:51.628391 IP 10.70.0.1 > dns.google: ICMP echo request, id 5337, seq 3, length 64 21:49:51.673502 IP dns.google > 10.70.0.1: ICMP echo reply, id 5337, seq 3, length 64 21:49:52.641711 IP 10.70.0.1 > dns.google: ICMP echo request, id 5337, seq 4, length 64 21:49:52.673321 IP dns.google > 10.70.0.1: ICMP echo reply, id 5337, seq 4, length 64 21:49:53.655076 IP 10.70.0.1 > dns.google: ICMP echo request, id 5337, seq 5, length 64 21:49:53.695391 IP dns.google > 10.70.0.1: ICMP echo reply, id 5337, seq 5, length 64- while on the other console, as user 1070: - ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.- just gets stuck there… - This is baffling! - (stopping the ping also stop the prints in the tcpdump) - Try - sysctl -w net.ipv4.conf.all.rp_filter=2on the PC (not vps) or =0 if that doesn’t work- Yes! - That’s it… - How did I forgot about that? - I assumed it was already set… - Need to double check all my setup scripts tomorrow… - Thanks! 
 
 
 
 
 


