https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/
This could also include looking at firewalld at the same time; it integrates very well with NetworkManager.
We'll have to see whether this works on Debian as well.
A "modern" approach to handling just WireGuard using NetworkManager. I am sure this is also possible with OpenVPN; I just didn't investigate it yet.
This should work "out of the box" on Fedora/EL.
We first stop using `wg-quick` to manage the WireGuard interface, and instead switch to using NetworkManager:

```
$ sudo systemctl disable --now wg-quick@wg0
$ nmcli con import type wireguard file /etc/wireguard/wg0.conf
```

We assume that the VPN server's link to the Internet is already established, e.g. `eth0` is configured and working. We'll define and configure `eth1` and call the interface `nat-gw`:

```
$ sudo nmcli connection add type ethernet con-name nat-gw ifname eth1 ipv4.method manual ipv4.addresses 192.168.1.100/24 ipv4.routes "0.0.0.0/0 192.168.1.1 table=5000"
```

Now we'll route WireGuard traffic over this interface:

```
$ sudo nmcli connection modify wg0 ifname wg0 ipv4.routes "10.10.10.0/24 table=5000" ipv4.routing-rules "priority 5 from 10.10.10.0/24 table 5000"
```

TODO: investigate integrating with firewalld

TODO: update tooling, i.e. `vpn-maint-apply-changes` and `/usr/libexec/vpn-server-node-server-config`, to also support NetworkManager...

With IPv6:

```
$ sudo nmcli connection \
    add \
    type ethernet \
    con-name nat-gw \
    ifname eth1 \
    ipv4.method manual \
    ipv4.addresses 192.168.1.100/24 \
    ipv6.addresses fd00:1010:1010:1010::100/64 \
    ipv4.routes "0.0.0.0/0 192.168.1.1 table=5000" \
    ipv6.routes "::/0 fd00:1010:1010:1010::1 table=5000"

$ sudo nmcli connection \
    modify wg0 \
    ifname wg0 \
    ipv4.routes "10.10.10.0/24 table=5000" \
    ipv6.routes "fd00:4242:4242:4242::/64 table=5000" \
    ipv4.routing-rules "priority 5 from 10.10.10.0/24 table 5000" \
    ipv6.routing-rules "priority 5 from fd00:4242:4242:4242::/64 table 5000"
```
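A post-change check for the setup above, added here as an example and not taken from the thread or from the vpn-maint tooling: it inspects `ip -4 rule show` and `ip -4 route show table 5000` output (constructed sample text below, using the subnet, gateway and interface names from the commands above) and reports whether the priority-5 rule, the nat-gw default route and the wg0 client route all reached the kernel.

```shell
#!/usr/bin/env bash
# Verify that NetworkManager's policy routing for the WireGuard clients is
# really in the kernel. Three things must hold:
#  (1) a rule at priority 5 sends traffic sourced from the client subnet to table 5000;
#  (2) table 5000 has a default route via the nat-gw gateway on eth1;
#  (3) table 5000 also holds the client subnet via wg0, otherwise client-to-client
#      traffic matched by the rule is resolved against the default route instead
#      of the tunnel.
# Values are taken from the nmcli commands in the thread; adjust for your deployment.
VPN_NET="10.10.10.0/24"; TABLE="5000"; NAT_GW="192.168.1.1"; NAT_IF="eth1"; WG_IF="wg0"

# On a live host: check_policy_routing "$(ip -4 rule show)" "$(ip -4 route show table $TABLE)"
check_policy_routing() {
    rules="$1"; table="$2"; rc=0
    if printf '%s\n' "$rules" | grep -Eq "^5:[[:space:]]+from $VPN_NET lookup $TABLE"; then
        echo "ok:      rule 'priority 5 from $VPN_NET lookup $TABLE' present"
    else
        echo "MISSING: rule 'priority 5 from $VPN_NET lookup $TABLE'"; rc=1
    fi
    if printf '%s\n' "$table" | grep -Eq "^default via $NAT_GW dev $NAT_IF( |$)"; then
        echo "ok:      table $TABLE default route via $NAT_GW dev $NAT_IF"
    else
        echo "MISSING: table $TABLE default route via $NAT_GW dev $NAT_IF"; rc=1
    fi
    if printf '%s\n' "$table" | grep -Eq "^$VPN_NET dev $WG_IF( |$)"; then
        echo "ok:      table $TABLE route $VPN_NET dev $WG_IF"
    else
        echo "MISSING: table $TABLE route $VPN_NET dev $WG_IF (client-to-client traffic would go to $NAT_GW)"; rc=1
    fi
    return $rc
}

# Constructed sample output (not captured from a real host) in the format of
# `ip -4 rule show` and `ip -4 route show table 5000`.
GOOD_RULES=$(printf '0:\tfrom all lookup local\n5:\tfrom 10.10.10.0/24 lookup 5000\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n')
GOOD_TABLE=$(printf 'default via 192.168.1.1 dev eth1 proto static metric 101\n10.10.10.0/24 dev wg0 proto static scope link metric 50\n')
# Same rules, but the `ipv4.routes "10.10.10.0/24 table=5000"` step on wg0 was skipped.
BAD_TABLE=$(printf 'default via 192.168.1.1 dev eth1 proto static metric 101\n')

echo "== complete configuration =="
check_policy_routing "$GOOD_RULES" "$GOOD_TABLE"
echo "== table 5000 without the wg0 route =="
check_policy_routing "$GOOD_RULES" "$BAD_TABLE" || true
```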
OpenVPN server configurations are not supported by NetworkManager, so we can't use that for OpenVPN.
I don't know how to configure policy routing persistently on EL9 for OpenVPN in a supported way.
I don't know if that matches 100% to what you are looking for, but I have put my additional internal interface completely into a separate routing table and configured it like this, e.g. in `/etc/NetworkManager/system-connections/enX1.nmconnection` for `enX1`:

```
...
[ipv4]
address1=192.168.100.1/24
gateway=192.168.100.254
may-fail=false
method=manual
route-table=100
routing-rule1=priority 100 from 192.168.100.0/24 table 100
routing-rule2=priority 101 from 10.123.212.0/24 table 100

[ipv6]
...
```
This way the main routing table does not contain any routes about the internal interface and networks, but only the specific table 100. rule1 routes the traffic of the server using the interface IP 192.168.100.1 correctly through table 100 (to prevent it from going out the external interface). rule2 routes the traffic sourced from the vpn subnet.