From: Roman Mamedov <rm@romanrm.net>
To: Rudi C <rudiwillalwaysloveyou@gmail.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: [FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?
Date: Fri, 9 Oct 2020 19:05:05 +0500
Message-ID: <20201009190505.18391a7d@natsu>
In-Reply-To: <CAE9z9A3wG8e8djm7Og=+y7QBW6oqunM1Ln+DKHLA5isyWS-88w@mail.gmail.com>

On Fri, 9 Oct 2020 17:16:18 +0330
Rudi C <rudiwillalwaysloveyou@gmail.com> wrote:
> > On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov <rm@romanrm.net> wrote:
> > Seems like you misunderstand what I mean. If you use the in-VPN (internal) IP
> > of your VPS, all communication with the SOCKS proxy installed on the VPS will
> > happen via the WireGuard tunnel. No DPI can look into that.
>
> You're right! Some questions:
> 1. What should I do client-side so that wireguard only covers my VPS's
> IP (and does not otherwise route traffic)? Will `AllowedIPs =
> SERVER_IP/32` do it?

SERVER_IP should be the in-VPN IP here, otherwise yes, and remove 0.0.0.0/0
and ::/0 from AllowedIPs.

> 2. How do I get the in-VPN IP of the server? Is it `Address` in `[Interface]`?

Yes. You can confirm via "ip addr list dev wgX" on the server.

> 3. I use ufw for the firewall on the server. Will ufw block my local
> machine? If not, with what IP should I set ufw rules? (My local
> machine doesn't have a static IP.) Of course, I could alternatively
> expose the socks proxy to the world with a password; How secure will
> that be?

Sorry, not familiar with ufw; generally you need to allow only connections
from the WG interface, or from the internal IP range (or just the "Address ="
of the client), and block all others.

--
With respect,
Roman
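
An added example, not part of the message above: a small Python check that a client config routes only the server's in-VPN IP through the tunnel, as the reply describes. The addresses (10.8.0.1 for the server, 10.8.0.2 for the client), the endpoint name, the key placeholders and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed client config; keys, addresses and endpoint are placeholders.
SPLIT_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vps.example.net:51820
AllowedIPs = 10.8.0.1/32
"""

# Same config with the full-tunnel entries the reply says to remove.
FULL_TUNNEL = SPLIT_TUNNEL.replace("10.8.0.1/32", "10.8.0.1/32, 0.0.0.0/0, ::/0")


def peer_allowed_ips(conf_text):
    """Return every AllowedIPs network from all [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "peer" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets


def audit(conf_text, proxy_ip):
    """Check that only the proxy's in-VPN IP is routed via the tunnel."""
    proxy = ipaddress.ip_address(proxy_ip)
    nets = peer_allowed_ips(conf_text)
    return {
        # True when traffic to the SOCKS proxy address goes through WireGuard
        "proxy_via_tunnel": any(proxy in n for n in nets),
        # 0.0.0.0/0 or ::/0 would send all traffic through the tunnel
        "default_routes": [str(n) for n in nets if n.prefixlen == 0],
        # anything wider than a single host, other than a default route
        "extra_routes": [str(n) for n in nets
                         if n.prefixlen != 0 and n.num_addresses > 1],
    }
```

Calling `audit()` with the VPS's public address instead of its in-VPN address reports `proxy_via_tunnel` as false, which is the case the reply warns about for `SERVER_IP`.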