# Advanced Routing
This section is for those who want the WireGuard interface to be used as a secondary interface, only routing through it if an incoming request originally came through the WireGuard interface. Currently, only Linux clients are supported.
Add the following lines to your WireGuard configuration, making sure to replace the example IPv4 and IPv6 addresses with the ones assigned to your tunnel.
wg-quick automatically replaces occurrences of
%i with the name of the interface.
[Interface] PrivateKey = <leave this as is> Address = <ipv4_address>, <ipv6_address> # add the following lines above [Peer] # Replace with your IPv4 address above PostUp = ip -4 rule add from <ipv4_address> table 51820 # Replace with your IPv6 address above PostUp = ip -6 rule add from <ipv6_address> table 51820 PostUp = ip -4 route add 0.0.0.0/0 dev %i table 51820 PostUp = ip -6 route add ::/0 dev %i table 51820 PreDown = ip -4 rule delete table 51820 PreDown = ip -6 rule delete table 51820 Table = off
If you are using the WireGuard interface for development work, then you can set up a default deny firewall for the interface as well. Add the following lines to the configuration file, between the
PreDown added in the previous section:
PostUp = iptables -A INPUT -i %i -j DROP PostUp = iptables -A OUTPUT -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT PreDown = iptables -D INPUT -i %i -j DROP PreDown = iptables -D OUTPUT -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Then, to allow specific ports through the firewall, run the following commands, making sure to replace the interface name and port:
# For TCP iptables -I INPUT 1 -i <interface_name> -p tcp --dport <port> -j ACCEPT # For UDP iptables -I INPUT 1 -i <interface_name> -p udp --dport <port> -j ACCEPT
Example for allowing SSH on interface
iptables -I INPUT 1 -i wg1 -p tcp --dport 22 -j ACCEPT
Note: These firewall port exceptions will persist until you reboot the computer. To automatically unblock these ports when starting the WireGuard interface, add the corresponding
PreDown commands to your configuration file.
The configuration above only has an effect on the outgoing packets on your machine. Any outgoing requests initiated by your machine will use the default network route (i.e. as if the WireGuard interface didn't exist). Blocked ports or routes on your original network connection will still apply when using your normal IP address. For example, programs on your system will fail to make an outgoing network request on port 25, if the port is blocked by your ISP.
If there is an incoming request on the WireGuard interface from an external machine (i.e. has a destination of the Hoppy IP address), any outgoing replies to that external machine will have a source of the Hoppy IP address, by design of the TCP/UDP protocols. The
ip -6 rule and
ip -4 rule commands make sure that those packets that have a source of the Hoppy IP address are sent to a special routing table
51820 that defaults to routing through the WireGuard interface.
Note that it is possible to force programs such as postfix (opens new window) to use the Hoppy IP address for outgoing requests by binding to the Hoppy IP address on startup, which would be useful for mail server hosting.