# Advanced Routing
This section is for those who want the WireGuard interface to be used as a secondary interface, only routing through it if an incoming request originally came through the WireGuard interface. Currently, only Linux clients are supported.
# Steps
Add the following lines to your WireGuard configuration, making sure to replace the example IPv4 and IPv6 addresses with the ones assigned to your tunnel. `wg-quick` automatically replaces occurrences of `%i` with the name of the interface.
```ini
[Interface]
PrivateKey = <leave this as is>
Address = <ipv4_address>, <ipv6_address>
# add the following lines above [Peer]
# Replace with your IPv4 address above
PostUp = ip -4 rule add from <ipv4_address> table 51820
# Replace with your IPv6 address above
PostUp = ip -6 rule add from <ipv6_address> table 51820
PostUp = ip -4 route add 0.0.0.0/0 dev %i table 51820
PostUp = ip -6 route add ::/0 dev %i table 51820
PreDown = ip -4 rule delete table 51820
PreDown = ip -6 rule delete table 51820
Table = off
```
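A quick way to confirm that the `PostUp` lines above actually took effect is to inspect `ip rule show` and `ip route show table 51820` and look for the policy rule and the default route they create. The script below is an added example, not part of the Hoppy documentation; the addresses `10.8.0.2` and `fd00::2`, the interface name `wg0`, and the sample `ip` output are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the Hoppy docs): check that policy routing for the
# tunnel address is in place, based on the output of `ip rule show` and
# `ip route show table 51820`. Sample outputs and addresses are constructed.

TABLE=51820

# has_rule <ip-rule-output> <source-address>
# True when a line "N: from <addr> lookup 51820" exists, which is what
# `ip -4/-6 rule add from <addr> table 51820` creates.
has_rule() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from $2 lookup $TABLE\$"
}

# has_default_route <ip-route-output> <interface>
# True when the table holds a default route out of <interface>; `ip`
# prints 0.0.0.0/0 and ::/0 as "default".
has_default_route() {
    printf '%s\n' "$1" | grep -Eq "^default dev $2( |\$)"
}

# check_policy_routing <v4addr> <v6addr> <iface> <v4rules> <v6rules> <v4routes> <v6routes>
# Returns 0 only when all four pieces are present; reports what is missing.
check_policy_routing() {
    ok=0
    has_rule "$4" "$1" || { echo "missing: ip -4 rule from $1 table $TABLE"; ok=1; }
    has_rule "$5" "$2" || { echo "missing: ip -6 rule from $2 table $TABLE"; ok=1; }
    has_default_route "$6" "$3" || { echo "missing: IPv4 default route in table $TABLE"; ok=1; }
    has_default_route "$7" "$3" || { echo "missing: IPv6 default route in table $TABLE"; ok=1; }
    return $ok
}

# Constructed sample output, as a working setup would show it.
V4_RULES='0:      from all lookup local
32765:  from 10.8.0.2 lookup 51820
32766:  from all lookup main
32767:  from all lookup default'
V6_RULES='0:      from all lookup local
32765:  from fd00::2 lookup 51820
32766:  from all lookup main'
V4_ROUTES='default dev wg0 scope link'
V6_ROUTES='default dev wg0 metric 1024 pref medium'

# On a live machine, pass the real output instead of the samples:
#   check_policy_routing 10.8.0.2 fd00::2 wg0 "$(ip -4 rule show)" "$(ip -6 rule show)" \
#       "$(ip -4 route show table 51820)" "$(ip -6 route show table 51820)"
if check_policy_routing 10.8.0.2 fd00::2 wg0 "$V4_RULES" "$V6_RULES" "$V4_ROUTES" "$V6_ROUTES"; then
    echo "policy routing for the tunnel address is in place"
fi
```

If the rule is present but the route is missing, replies sourced from the tunnel address fall through to the main table and leave via your normal uplink, which is exactly the asymmetric-routing failure the `Table = off` setup is meant to avoid.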
# Firewall
If you are using the WireGuard interface for development work, then you can set up a default deny firewall for the interface as well. Add the following lines to the configuration file, between the `PostUp` and `PreDown` lines added in the previous section:
```ini
PostUp = iptables -A INPUT -i %i -j DROP
PostUp = iptables -A OUTPUT -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PreDown = iptables -D INPUT -i %i -j DROP
PreDown = iptables -D OUTPUT -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
Then, to allow specific ports through the firewall, run the following commands, making sure to replace the interface name and port:
```sh
# For TCP
iptables -I INPUT 1 -i <interface_name> -p tcp --dport <port> -j ACCEPT
# For UDP
iptables -I INPUT 1 -i <interface_name> -p udp --dport <port> -j ACCEPT
```
Example for allowing SSH on interface `wg1`:

```sh
iptables -I INPUT 1 -i wg1 -p tcp --dport 22 -j ACCEPT
```
Note: These firewall port exceptions will persist until you reboot the computer. To automatically unblock these ports when starting the WireGuard interface, add the corresponding `PostUp` and `PreDown` commands to your configuration file.
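The ordering matters here: the `-A INPUT -i %i -j DROP` rule is appended, so a port exception only works if it is inserted ahead of it (hence `-I INPUT 1`). The script below is an added example, not from the Hoppy documentation: it generates the matching `PostUp`/`PreDown` pair for a port and checks, from `iptables -S INPUT` output, that an ACCEPT for that port sits before the interface's DROP. The interface name `wg0` and the sample rule listings are constructed.

```sh
#!/bin/sh
# Added example (not from the Hoppy docs). Sample iptables output is constructed.

# port_rules <port> <proto>
# Print the PostUp/PreDown pair that opens <port> on the tunnel interface
# when the tunnel comes up and removes it again on PreDown. Note the
# escaped %%i: printf would otherwise treat %i as a format directive.
port_rules() {
    printf 'PostUp = iptables -I INPUT 1 -i %%i -p %s --dport %s -j ACCEPT\n' "$2" "$1"
    printf 'PreDown = iptables -D INPUT -i %%i -p %s --dport %s -j ACCEPT\n' "$2" "$1"
}

# port_reachable <iptables -S INPUT output> <iface> <proto> <port>
# Returns 0 when an ACCEPT for <proto>/<port> on <iface> exists and no
# "-i <iface> -j DROP" rule precedes it. iptables -S prints a port rule as
# "-p tcp -m tcp --dport 22", so the match includes the "-m <proto>" part.
port_reachable() {
    printf '%s\n' "$1" | awk -v i="$2" -v p="$3" -v d="$4" '
        $0 == "-A INPUT -i " i " -j DROP" && !drop { drop = NR }
        $0 == "-A INPUT -i " i " -p " p " -m " p " --dport " d " -j ACCEPT" && !accept { accept = NR }
        END { ok = accept && (!drop || accept < drop); exit !ok }'
}

# Constructed listing after the rules from this page plus `-I INPUT 1` for SSH.
INPUT_RULES='-P INPUT ACCEPT
-A INPUT -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i wg0 -j DROP'

# Constructed listing of the common mistake: the exception was appended
# with -A and therefore lands after the DROP, so it never matches.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -i wg0 -j DROP
-A INPUT -i wg0 -p tcp -m tcp --dport 22 -j ACCEPT'

port_rules 22 tcp
if port_reachable "$INPUT_RULES" wg0 tcp 22; then
    echo "tcp/22 on wg0: reachable (ACCEPT precedes DROP)"
fi
if ! port_reachable "$BAD_RULES" wg0 tcp 22; then
    echo "tcp/22 on wg0: shadowed by the DROP rule"
fi
# On a live machine: port_reachable "$(iptables -S INPUT)" wg0 tcp 22
```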
# Explanation
The configuration above only has an effect on the outgoing packets on your machine. Any outgoing requests initiated by your machine will use the default network route (i.e. as if the WireGuard interface didn't exist). Blocked ports or routes on your original network connection will still apply when using your normal IP address. For example, programs on your system will fail to make an outgoing network request on port 25, if the port is blocked by your ISP.
If there is an incoming request on the WireGuard interface from an external machine (i.e. it has a destination of the Hoppy IP address), any outgoing replies to that external machine will have a source of the Hoppy IP address, by design of the TCP/UDP protocols. The `ip -6 rule` and `ip -4 rule` commands make sure that those packets that have a source of the Hoppy IP address are sent to a special routing table `51820` that defaults to routing through the WireGuard interface.
Note that it is possible to force programs such as postfix to use the Hoppy IP address for outgoing requests by binding to the Hoppy IP address on startup, which would be useful for mail server hosting.