Comment by Frotag 4 days ago

3 replies

> The gateway device performs 1:1 NAT. Traffic arriving for 100.97.14.3 is destination-translated to 192.168.1.100, and the source is masqueraded to the gateway's own LAN address.

Couldn't you tell the WG devices that 192.168.2.0/24 refers to the 192.168.1.0/24 network at customer A, such that 192.168.2.55 is routed to 192.168.1.55? Same for 192.168.3.0/24 referring to customer B.

I think this is what the article is getting at but I don't see the value in manually assigning an alias to each non-wg device, versus assigning an alias to the entire LAN.

direwolf20 4 days ago

It's not enough to set fake routes. You have to edit the addresses in the packets, so the end devices will receive them.

  • Frotag 4 days ago

    Yeah, so instead of DNAT, use NETMAP on the gateway device to that LAN. (Sorry if I'm abusing the terminology, I only do this stuff like once a year for homelab.)

    eg this is what I'm currently using to alias my home network

        # Rewrite 192.168.150.?? as 192.168.50.?? (NETMAP keeps the host part, unlike DNAT)
        # wg-quick runs PreUp before the interface comes up and PostDown after it is torn down
        PreUp = iptables -t nat -A PREROUTING -d 192.168.150.0/24 -j NETMAP --to 192.168.50.0/24
        PostDown = iptables -t nat -D PREROUTING -d 192.168.150.0/24 -j NETMAP --to 192.168.50.0/24
    
    With other wg peers getting a 192.168.150.0/24 entry in the AllowedIPs for this gateway (if needed).
  • pcarroll 4 days ago

    The problem there is you still need to keep track of the subnets. It works for a while, but it's quite complex. NAT is actually easier when you get into hundreds of sites.
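An added example (mine, not code from any poster in this thread) for the two points above: Frotag's question about aliasing a whole customer LAN rather than individual hosts, and the NETMAP rules in the later reply. The first function shows what NETMAP actually does to an address, which is to keep the host bits and swap the network bits, so 192.168.2.55 lands on 192.168.1.55 rather than on a single DNAT target. The second prints the pair of rules a site gateway would need, ingress and egress, so that the far side sees the site's alias instead of a colliding 192.168.1.x. The site names, the aliases 192.168.2.0/24 and 192.168.3.0/24, and the interface name wg0 are assumptions; the rules are printed rather than applied, since applying them needs root on the gateway.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: customer A and B each
# have a real 192.168.1.0/24 LAN; A is reached as 192.168.2.0/24 and B as
# 192.168.3.0/24 over a WireGuard interface called wg0. Rules are printed only.
set -eu

# dotted quad -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  printf '%s\n' "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}

# 32-bit integer -> dotted quad
int2ip() {
  printf '%s.%s.%s.%s\n' \
    "$(( ($1 >> 24) & 255 ))" "$(( ($1 >> 16) & 255 ))" \
    "$(( ($1 >> 8) & 255 ))" "$(( $1 & 255 ))"
}

# netmap_translate ADDR FROM_PREFIX TO_PREFIX
# The NETMAP operation: keep ADDR's host bits, replace its network bits with
# TO_PREFIX's. (DNAT --to-destination would instead send every alias address to
# one host, which is why a per-host 1:1 mapping needs one rule per device.)
netmap_translate() {
  local addr=$1 from=$2 to=$3 plen mask a from_net to_net
  plen=${from#*/}
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  a=$(ip2int "$addr")
  from_net=$(ip2int "${from%/*}")
  to_net=$(ip2int "${to%/*}")
  # An address outside the alias prefix would never match the rule; refuse it.
  if [ "$(( a & mask ))" -ne "$(( from_net & mask ))" ]; then
    printf 'error: %s is not inside %s\n' "$addr" "$from" >&2
    return 1
  fi
  int2ip "$(( (to_net & mask) | (a & ~mask & 4294967295) ))"
}

# netmap_rules ALIAS_PREFIX REAL_PREFIX WG_IF
# Rules for one site's gateway. Ingress: alias destination -> real LAN address.
# Egress: real LAN source -> alias, so the other side sees this site's alias and
# not a 192.168.1.x that collides with its own LAN. conntrack reverses each
# rewrite for the reply direction, so no extra rules are needed for replies.
netmap_rules() {
  local alias=$1 real=$2 wgif=$3
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -j NETMAP --to %s\n' "$wgif" "$alias" "$real"
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j NETMAP --to %s\n' "$wgif" "$real" "$alias"
}

# Constructed demo: both sites use 192.168.1.0/24 behind their gateways.
for site in "A 192.168.2.0/24 192.168.1.0/24" "B 192.168.3.0/24 192.168.1.0/24"; do
  set -- $site
  printf '# site %s: %s aliases %s; other peers put %s in this gateway AllowedIPs\n' "$1" "$2" "$3" "$2"
  netmap_rules "$2" "$3" wg0
done
printf '%s -> %s\n' 192.168.2.55 "$(netmap_translate 192.168.2.55 192.168.2.0/24 192.168.1.0/24)"
```

Two caveats when applying this for real: LAN hosts at site A will see traffic arriving from 192.168.3.x (site B's alias), so they need a route for that prefix via the WireGuard gateway, typically by having the gateway as their default route; and, as the thread notes, every peer that should reach site A must carry 192.168.2.0/24 in AllowedIPs for A's gateway. The same functions work for prefixes that do not sit on an octet boundary, since the host bits are masked arithmetically rather than by octet.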