Part 1: Setting up a WireGuard demilitarized zone


Introduction

We need a way to tunnel incoming traffic to a local server. While you could forward a port on your router, most ISPs assign your connection a new public IP every time you reconnect, so there is no stable address for clients to reach.

Another solution is to establish a WireGuard tunnel between your server and a VPS, which will act as a router for ingress traffic only.

Preliminary Knowledge

You don't strictly need them, but the following topics come up in this series; if any of them are unfamiliar, I recommend reading up on them first:

  • Basic knowledge of TCP/IP:
    • TCP/IP routing and subnetting
    • Sending IP packets through an Ethernet-type LAN
  • Experience using tcpdump or Wireshark

Idea

Linux has a feature called namespaces, which gives a process its own isolated view of a resource such as the file system (mount namespace) or the network stack (network namespace). It's the feature Docker uses for containerization.

We will use a network namespace as the DMZ: any program we want to expose is run inside that namespace, so only its traffic is routed through the tunnel.

Plan

  1. Set up a network namespace.
  2. Create a veth pair and move one link to the network namespace.
  3. Use a /31 subnet between the veth pair.
  4. Set up an IP routing rule: if a packet comes in from the virtual Ethernet interface, look it up in the tunnel's routing table instead of the main one.
  5. Configure WireGuard as follows:
    • Client (the local server):
      • Set AllowedIPs to your WireGuard tunnel subnet plus the default route 0.0.0.0/0, so replies from the DMZ to any address are allowed to leave through the tunnel.
      • AllowedIPs:
        • WG Tunnel Subnet
        • 0.0.0.0/0
    • Server (the VPS):
      • Set AllowedIPs to the client's tunnel IP (ideally as a /32) and the veth subnet, so traffic for the DMZ link is sent back through the tunnel.
      • AllowedIPs:
        • WG Tunnel Client
        • DMZ Virtual Ethernet Link Subnet
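As an added example that is not part of the original post (and not the author's own commands, which the next part covers), the following script turns plan steps 1-5 into `ip` commands and two wg-quick configs. The namespace name, interface names, addresses, routing table number and the placeholder keys are all assumptions; `Table` is a real wg-quick option used here to keep the tunnel's routes out of the main table. By default it only prints what it would do.

```shell
#!/bin/sh
# Added example, not from the original post: turns plan steps 1-5 into commands and
# wg-quick configs. Namespace, interface names, addresses and keys are assumptions.
# DRY_RUN=1 (default) prints each command instead of running it; run as root with
# DRY_RUN=0 on the local server to apply steps 1-4.

DRY_RUN="${DRY_RUN:-1}"

NS="dmz"                      # network namespace acting as the DMZ (assumed name)
VETH_HOST="veth-dmz0"         # veth end that stays in the root namespace (assumed)
VETH_NS="veth-dmz1"           # veth end moved into the DMZ namespace (assumed)
LINK_SUBNET="10.200.0.0/31"   # /31 point-to-point link between the two ends (assumed)
HOST_ADDR="10.200.0.0"        # lower /31 address, root side
NS_ADDR="10.200.0.1"          # upper /31 address, DMZ side
WG_TABLE="100"                # routing table holding only the tunnel's routes (assumed)
WG_SUBNET="10.100.0.0/24"     # WireGuard tunnel subnet (assumed)
WG_SERVER_ADDR="10.100.0.1"   # VPS tunnel address (assumed)
WG_CLIENT_ADDR="10.100.0.2"   # local server tunnel address (assumed)

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Steps 1-3: namespace, veth pair, /31 addressing on both ends.
setup_namespace() {
  run ip netns add "$NS"
  run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
  run ip link set "$VETH_NS" netns "$NS"
  run ip addr add "${HOST_ADDR}/31" dev "$VETH_HOST"
  run ip link set "$VETH_HOST" up
  run ip -n "$NS" addr add "${NS_ADDR}/31" dev "$VETH_NS"
  run ip -n "$NS" link set "$VETH_NS" up
  run ip -n "$NS" link set lo up
  # Everything leaving the DMZ crosses the /31 into the root namespace.
  run ip -n "$NS" route add default via "$HOST_ADDR" dev "$VETH_NS"
}

# Step 4: packets arriving from the DMZ end of the veth pair consult the tunnel's
# table (where wg-quick puts the 0.0.0.0/0 route) instead of the main table, so DMZ
# replies leave via wg0 while the host's own traffic keeps its normal default route.
setup_policy_routing() {
  run sysctl -w net.ipv4.ip_forward=1
  run ip rule add iif "$VETH_HOST" lookup "$WG_TABLE"
}

# Step 5, client side (local server). Table=100 is a wg-quick option that keeps the
# AllowedIPs routes out of the main table; keys and endpoint are placeholders.
client_config() {
  cat <<EOF
[Interface]
Address = ${WG_CLIENT_ADDR}/24
PrivateKey = <CLIENT_PRIVATE_KEY>
Table = ${WG_TABLE}

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
AllowedIPs = ${WG_SUBNET}, 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Step 5, server side (VPS): accept the client's tunnel address as a /32 and the
# DMZ link subnet, so traffic for the DMZ address is sent back through the tunnel.
server_config() {
  cat <<EOF
[Interface]
Address = ${WG_SERVER_ADDR}/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = ${WG_CLIENT_ADDR}/32, ${LINK_SUBNET}
EOF
}

setup_namespace
setup_policy_routing
echo "# --- local server wg0.conf ---"; client_config
echo "# --- VPS wg0.conf ---"; server_config
```

Run as-is, it prints the commands and both configs for review; `DRY_RUN=0` applies steps 1-4 on the local server, after which `ip rule show` and `ip route show table 100` confirm the rule and the tunnel's routes, and `ip netns exec dmz tcpdump -ni veth-dmz1` shows what actually crosses the link. The VPS-side forwarding that sends a public port to the DMZ address is not part of the plan above and is left out here.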

Next Steps

I decided to split this into parts since I haven’t fully completed the setup yet and am still experimenting.

The next part will focus more on implementing our plan through Linux commands.