Commit e09f1805 authored by Nicolas Lenz's avatar Nicolas Lenz

Added blackhole leak prevention

parent c562e76d
......@@ -78,6 +78,12 @@ Table = 242
[Route]
Gateway = {The address of the interface, same as above}
Table = 242
[Route]
Destination = 0.0.0.0/0
Type = blackhole
Metric = 1
Table = 242
```
Then run `sudo docker network create tunneled0 --subnet 10.123.0.0`. Now you can run docker containers with `--net=tunneled0` to tunnel them.
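Review bot: The blackhole route only helps once the gateway route is actually gone from table 242, so this hunk should tell the reader how to verify that rather than assume it: run `ip route show table 242` with the WireGuard interface up (expect the gateway route at metric 0 ahead of `blackhole default metric 1`) and again after taking the interface down, and confirm only the blackhole entry remains. A second, smaller point on the visible context line: `--subnet 10.123.0.0` has no prefix length, and `docker network create` expects the subnet in CIDR form (for example `10.123.0.0/24`), so that command is unlikely to succeed as written.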
......@@ -185,10 +191,19 @@ Table = 242
Gateway = {The address of the interface, same as above}
# Same table number as above
Table = 242
[Route]
Destination = 0.0.0.0/0
Type = blackhole
Metric = 1
# Same table number as above
Table = 242
```
What the `[RoutingPolicyRule]` section does is taking all traffic from the specified subnet and looking up the routes in routing table 242 for it. We add a route to (hopefully previously empty) table 242 with the `[Route]` section, and that route sends the traffic to our WireGuard interface because we set the interface's address as gateway.
The second `[Route]` section sets a blackhole route in the same table with a metric of 1, that means a lower priority than the default metric of 0. This should discard all traffic (instead of routing it through the default network without any VPN) if the VPN gateway is down and therefore prevent leaks.
That should be all we have to do on the system side!
## Using it with Docker
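Review bot: The metric explanation is correct (the lower metric wins) but leaves out the condition the whole mechanism depends on: the blackhole only catches traffic once the gateway route has been withdrawn from table 242, which happens when the WireGuard interface goes down or is removed, not when the peer is merely unreachable; in the latter case the metric 0 route still wins and packets are sent into the dead tunnel. Suggest one added sentence after "prevent leaks" saying so, e.g. "Note that this only triggers when the interface itself disappears; a tunnel whose peer is unreachable still keeps its route and simply drops traffic inside the tunnel." Minor style: `does is taking all traffic ... and looking up the routes` reads better as `takes all traffic ... and looks up the routes`.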
......@@ -229,8 +244,10 @@ networks:
We got Docker containers running on a WireGuard VPN with only two short and simple config files. If you have any questions or comments, please post them in the discussion forum or [contact me](/about.html).
Watch out: If the WireGuard interface gets destroyed somehow the container traffic will be routed through the default network. Until a way to prevent that is found you might want to configure a proxy server or something like that inside the container to ensure nothing gets leaked.
A big thank you goes out to [Nick Babcock](https://nbsoftsolutions.com/) for the great article this one is based on!
---
**Update:** Added a blackhole route to prevent leaks when VPN gateway is down. Thanks to [tchamb for the suggestion](https://forum.eisfunke.com/t/routing-specific-docker-containers-through-wireguard-vpn-with-systemd-networkd/83/2)!
[^i]: [Image source](https://www.flickr.com/photos/adactio/158965673/), licensed under CC-BY-2.0
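Review bot: The `Watch out:` paragraph still states that container traffic falls back to the default network when the WireGuard interface is destroyed and that no way to prevent it is known, which is exactly the case the new blackhole route and the `**Update:**` line below claim to handle; the two now contradict each other. Either drop that paragraph or rewrite it to describe what the blackhole does not cover (a gateway route that stays in table 242 while the tunnel is dead) instead of the interface-down case.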