
[question] Routing all traffic through one peer #79

Open
0x1a8510f2 opened this issue Aug 19, 2021 · 3 comments

Comments

@0x1a8510f2

I've spent a good few hours trying to figure out how I can configure Drago to route one peer's traffic through another to reach the internet, yet I haven't managed to figure it out thus far. Could anyone point me in the right direction?

@mikkel1156

I think what you're looking for is the allowed IPs? You should be able to set it on the connection between the peers, just like in a normal WireGuard configuration. If you set it to 0.0.0.0/0, it should route all traffic on that peer through the other.

@0x1a8510f2
Author

That's what I thought too but I ran into issues with the RPC connection (or, at least, that's what I think it was). Basically, assuming the public IP of the peer I'm trying to route traffic through is 1.1.1.1, and it's also the Drago server, the Drago client will try to connect to rpc://1.1.1.1:8081, but because of AllowedIPs=0.0.0.0/0, it will try to route that request through the tunnel, meaning that it will arrive on the drago-... interface on that peer. I don't think this request is then routed internally to the correct interface, just dropped, so as soon as one sets AllowedIPs to 0.0.0.0/0 any further RPC connections fail.

I figured out a workaround: first, Allowed IPs should point to the majority of the internet except for the IP of the peer you're connecting to (and possibly local IPs), since this appears to cause issues with Drago's RPC connection (that's what tripped me up). This is difficult to do with WireGuard, but fortunately, sites like this one allow for calculating the correct Allowed IPs easily. Once those are set, the following iptables rules must be added:

Pre Up

iptables -A FORWARD -i <DRAGO_INTERFACE_NAME> -j ACCEPT; iptables -A FORWARD -o <DRAGO_INTERFACE_NAME> -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Pre Down

iptables -D FORWARD -i <DRAGO_INTERFACE_NAME> -j ACCEPT; iptables -D FORWARD -o <DRAGO_INTERFACE_NAME> -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Remembering to replace <DRAGO_INTERFACE_NAME> with the actual interface name.

So, in the end, you have a split tunnel where packets to 1.1.1.1 are sent outside of the tunnel allowing for RPC to work correctly. In the long run though, I think Drago would need to be able to figure this out and connect to the private IP of the peer through the tunnel for RPC.
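The hard part of the workaround above is producing an AllowedIPs list that covers the whole IPv4 internet except the exit peer's public endpoint (so the RPC connection to rpc://1.1.1.1:8081 stays outside the tunnel) and, optionally, the private ranges. The following is an added example, not code from Drago or from anyone in this thread: it computes that list with Python's standard `ipaddress` module, the same calculation the linked calculator site does, and includes a check that the endpoint really is routed outside the tunnel while everything else goes through it. The 1.1.1.1 endpoint is taken from the comment; the RFC 1918 ranges in `LOCAL_EXCLUSIONS` are an assumed, constructed choice.

```python
import ipaddress

# Constructed sample values. 1.1.1.1 is the exit peer's public IP from the
# discussion; the private ranges are an assumption about what to keep local.
EXIT_PEER_PUBLIC_IP = "1.1.1.1"
LOCAL_EXCLUSIONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def allowed_ips_excluding(exclusions, universe="0.0.0.0/0"):
    """Return sorted CIDR blocks covering `universe` minus every network in
    `exclusions`. A bare address such as "1.1.1.1" is treated as a /32."""
    remaining = [ipaddress.ip_network(universe)]
    excluded = sorted(
        (ipaddress.ip_network(e, strict=False) for e in exclusions),
        key=lambda n: (n.network_address, n.prefixlen),
    )
    for excl in excluded:
        next_remaining = []
        for block in remaining:
            if excl.subnet_of(block):
                # Carve the excluded network out; address_exclude yields the
                # sibling blocks on the way down to the excluded prefix.
                next_remaining.extend(block.address_exclude(excl))
            elif block.subnet_of(excl):
                # This block lies entirely inside an exclusion: drop it.
                continue
            else:
                # CIDR blocks either nest or are disjoint, so this one is untouched.
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(set(remaining), key=lambda n: (n.network_address, n.prefixlen))


def routed_via_tunnel(ip, allowed):
    """True if `ip` falls inside any AllowedIPs block (i.e. would enter the tunnel)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def tunnel_address_count(allowed):
    """Total number of addresses covered by the AllowedIPs list, for sanity checks."""
    return sum(net.num_addresses for net in allowed)


def allowed_ips_line(exclusions):
    """Render the value for a WireGuard [Peer] AllowedIPs entry."""
    return "AllowedIPs = " + ", ".join(str(n) for n in allowed_ips_excluding(exclusions))


if __name__ == "__main__":
    exclusions = [EXIT_PEER_PUBLIC_IP] + LOCAL_EXCLUSIONS
    allowed = allowed_ips_excluding(exclusions)
    print(allowed_ips_line(exclusions))
    print("blocks:", len(allowed), "addresses:", tunnel_address_count(allowed))
    # The RPC endpoint must bypass the tunnel; an arbitrary internet host must not.
    print("1.1.1.1 via tunnel:", routed_via_tunnel(EXIT_PEER_PUBLIC_IP, allowed))
    print("8.8.8.8 via tunnel:", routed_via_tunnel("8.8.8.8", allowed))
```

Excluding a single /32 from 0.0.0.0/0 always yields 32 blocks (one sibling per prefix length), which is why the resulting AllowedIPs line is long but still a single WireGuard setting. Running `routed_via_tunnel` on the exit peer's endpoint before applying the config is the quickest way to confirm the RPC path will not be swallowed by the tunnel.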

@mrbluecoat

I agree, it would be great to have exit node capability baked into Drago itself.


3 participants