DaemonForums > OpenBSD > OpenBSD Security

#1
6th March 2022
jggimi

WireGuard - fine-grained routing control

I configured a WireGuard VPN on my OpenBSD laptop shortly after it was committed to -current in June of 2020. It was a relatively easy implementation, and at the time, I set up my routing table with priorities to be able to turn the VPN on and off easily by just setting the WireGuard NIC wg0 "down" to disable the VPN, then "up" to enable it:
  • I set my route to the remote VPN tunnel endpoint with the highest routing priority, through my physical egress NIC.
  • I set up two default routes: a high priority route through the VPN via the wg0 pseudo-NIC, and a lower priority route through the egress NIC.
While this worked well, over time I determined two reasons to switch to a different routing schema.
  1. I needed to switch now and then between wired and wireless, and that changed my true egress NIC. And my wired NIC would sometimes need to manage multiple VLANs, and sometimes not, so using trunk(4) was not a provisioning option.
  2. I wanted more fine-grained control -- by process -- of which applications were or were not transiting the VPN. My original provisioning turned the VPN on or off for everything on the laptop globally.
Several "how to" guides have been published that recommended using routing domains with WireGuard -- including solene@'s guide, so armed with her guide and the rtable(4)/rdomain(4) man page, I switched from routing by priority to using routing domains. I even set up a `novpn` shell alias for `route exec -T 1` to make it easy and simple to start something I didn't want using the VPN.

There was one service lacking though -- I'm an unwind(8) user for its DNS over TLS (DoT) features, and I needed to have two instances of unwind(8) available in order to resolve DNS entries through either of my two domains.

----

Here is how I have unwind(8) provisioned to run two instances in support of both rdomain 0, the default domain through my WireGuard VPN, and rdomain 1, my "real" network connection:

  1. Provision unwind's IPv4 loopback address on lo1:

    # echo rdomain 1 > /etc/hostname.lo1
    # echo inet 127.0.0.1/8 >> /etc/hostname.lo1
    # sh /etc/netstart lo1
  2. Duplicate the unwind rc.d(8) script:

    # ln -s /etc/rc.d/unwind /etc/rc.d/unwind1
  3. Enable the second instance with a unique control socket and starting with rtable 1:

    # rcctl enable unwind1
    # rcctl set unwind1 flags -s /dev/unwind1.sock
    # rcctl set unwind1 rtable 1
  4. Start the new instance, and ensure it is running:

    # rcctl start unwind1
    $ rcctl ls on | grep unwind
Now I have fine-grained control. I can start an application with $ novpn program, which will run any of its network connections outside the VPN, while all other applications continue to use the VPN.

Last edited by jggimi; 6th March 2022 at 03:31 PM. Reason: typo
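The following is an added example, not a script from jggimi's post: it wraps step 1 of his procedure in a function that writes hostname.lo1 and a check that the file is well-ordered before netstart is run, since hostname.if(5) lines are applied top to bottom and the rdomain line must come before the address. ROOT is an assumed prefix so the check can be exercised against a scratch directory instead of the live /etc.

```shell
#!/bin/sh
# Added example, not jggimi's own script: provision the lo1 loopback for
# rdomain 1 as in step 1 of the post and verify the hostname.if(5) file
# before handing it to netstart. ROOT is an assumed prefix so the check can
# run against a scratch directory instead of the live /etc.
set -eu

# Write hostname.lo1 with "rdomain 1" before the address line: lines are
# applied in order, so the interface must be moved into rtable 1 before
# 127.0.0.1/8 is configured (the post's '>' then '>>' ordering does this).
provision_lo1() {
    root=${1:?usage: provision_lo1 ROOT}
    mkdir -p "$root/etc"
    printf 'rdomain 1\ninet 127.0.0.1/8\n' > "$root/etc/hostname.lo1"
    chmod 640 "$root/etc/hostname.lo1"
}

# Return 0 only if the file sets rdomain 1 and every inet line comes after it.
verify_lo1() {
    f=${1:?usage: verify_lo1 ROOT}/etc/hostname.lo1
    [ -r "$f" ] || return 1
    awk '
        /^rdomain[[:space:]]+1$/ { rd = NR }
        /^inet[[:space:]]/       { if (!rd) bad = 1; else seen = 1 }
        END { if (rd && seen && !bad) exit 0; exit 1 }
    ' "$f"
}

# Steps 1-4 of the post, run only where rcctl exists (i.e. on OpenBSD).
apply_on_openbsd() {
    command -v rcctl >/dev/null 2>&1 || { echo "rcctl not found, skipping" >&2; return 0; }
    verify_lo1 / || { echo "/etc/hostname.lo1 is malformed" >&2; return 1; }
    sh /etc/netstart lo1
    ln -sf /etc/rc.d/unwind /etc/rc.d/unwind1
    rcctl enable unwind1
    rcctl set unwind1 flags -s /dev/unwind1.sock
    rcctl set unwind1 rtable 1
    rcctl start unwind1
    rcctl ls on | grep unwind
}
```

Source the file, run `provision_lo1 /` as root to write the real hostname.lo1, then `apply_on_openbsd` to bring up lo1 and the second unwind instance.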

#2
4th December 2022
Entropic

What VPN provider are you using? It seems WireGuard is easier to set up on OBSD than OpenVPN, but ExpressVPN doesn't support it (my current provider).

#3
4th December 2022
jggimi


My VPN provider is ... me. I rent a VPS server which provides a variety of services. One of those is providing a WireGuard VPN gateway for my systems (and phone).

#4
13th December 2022
Entropic

Quote, originally posted by jggimi:
My VPN provider is ... me. I rent a VPS server which provides a variety of services. One of those is providing a WireGuard VPN gateway for my systems (and phone).
Did you find WG much easier to set up than OpenVPN in OBSD?
Did this inspire you to the self-hosted VPS option?
https://www.youtube.com/watch?v=gxpX_mubz2A It's certainly got me thinking about it, but I can't afford to squander my existing ExpressVPN subscription till at least Feb when it renews.

#5
13th December 2022
jggimi

  • I have never been an OpenVPN user. (One day of testing it decades ago does not qualify me to know anything about it now.)
  • I have previously deployed several IPSec VPNs in production. Their primary use was to isolate and secure plaintext traffic such as NFS, all within networks I administered.
  • WireGuard did not replace any existing VPN implementation. The IPSec VPNs had long been replaced by managed switches and 802.1Q VLANs.
The IPSec VPNs I'd previously deployed had all been with ipsec.conf(5)'s relatively simplistic isakmpd(8) automatic keying. But WireGuard was far simpler to provision and deploy.

One nice thing I've liked about WireGuard is its ability to flexibly tunnel IPv4 over IPv6, or IPv6 over IPv4. One of the VPS servers I operate is a low-cost, IPv6-only platform, which I can reach through the VPN with a tunneled RFC1918 IPv4 address.

The only thing I wish was better about WireGuard is its limited scalability. Adding new clients today requires individual static provisioning. I have 6 VPN clients deployed, and that was easy. But I'd hate to try to manage 600 and would dread 6000.