From 99d2aa0f1a3cc63bc2b46dbfb3017a0b27fbaabe Mon Sep 17 00:00:00 2001
From: sgf
Date: Tue, 13 Jun 2023 15:13:54 +0300
Subject: [PATCH] wireguard. Route packets from a NAT-ed network into wireguard.

---
 wireguard-for_NATed_network/rules.v4 | 23 +++++++++++++++++++++++
 wireguard-for_NATed_network/wg4.conf | 25 +++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 wireguard-for_NATed_network/rules.v4
 create mode 100644 wireguard-for_NATed_network/wg4.conf

diff --git a/wireguard-for_NATed_network/rules.v4 b/wireguard-for_NATed_network/rules.v4
new file mode 100644
index 0000000..213689a
--- /dev/null
+++ b/wireguard-for_NATed_network/rules.v4
@@ -0,0 +1,23 @@
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# Restore packet mark on incoming packets from connection mark.
+-A PREROUTING -m connmark --mark 0x4 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+
+# Mark transit (forwarded) packets, which i need to forward to wireguard.
+-A PREROUTING -s 192.168.4.1/32 -i br0 -m conntrack --ctstate NEW -j MARK --set-xmark 0x4/0xffffffff
+# Copy transit packet mark to connection mark.
+-A PREROUTING -m mark --mark 0x4 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 192.168.4.0/24 -j MASQUERADE
+COMMIT
diff --git a/wireguard-for_NATed_network/wg4.conf b/wireguard-for_NATed_network/wg4.conf
new file mode 100644
index 0000000..5155d8f
--- /dev/null
+++ b/wireguard-for_NATed_network/wg4.conf
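Review bot: The MASQUERADE rule in the nat table has no `-o wg4`, so any packet from 192.168.4.0/24 that does not carry mark 0x4 — which is every host except 192.168.4.1, since the MARK rule matches `-s 192.168.4.1/32` while the NAT rule covers the whole /24 — falls through to the main routing table and leaves the clear-text uplink with the router's address, and nothing in this file (mangle and nat only) prevents that leak. If the tunnel is meant to be the only egress for that network, pin the NAT to the tunnel, `-A POSTROUTING -s 192.168.4.0/24 -o wg4 -j MASQUERADE`, and add a kill-switch in the filter table, `-A FORWARD -s 192.168.4.0/24 ! -o wg4 -j REJECT` (merged into whatever filter rules already exist rather than as a new `*filter` stanza here, since iptables-restore would replace the current filter table with it). Return traffic from wg4 is unaffected by that rule because its source is the remote address, not the /24. If the /32 in the MARK rule is deliberate, a comment such as `# Only 192.168.4.1 is tunnelled; the rest of the /24 keeps using the default route.` would make that visible to the next reader.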
@@ -0,0 +1,25 @@
+[Interface]
+PrivateKey = ...
+Address = 10.10.238.146
+
+Table = off
+
+# Add table for routing marked packets into wireguard.
+PostUp = ip rule add pref 444 fwmark 4 table 444
+# Default route to wireguard.
+PostUp = ip ro add default dev wg4 table 444
+# Route replies back to sender. Otherwise, they'll be looped back to
+# wireguard.
+PostUp = ip ro add 192.168.4.0/24 dev br0 table 444
+
+# Undo all changes.
+PreDown = ip rule del pref 444 fwmark 4 table 444
+PreDown = ip ro del default dev wg4 table 444
+PreDown = ip ro del 192.168.4.0/24 dev br0 table 444
+
+[Peer]
+Endpoint = ...
+PublicKey = ...
+
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 25
-- 
2.20.1
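Review bot: With `Table = off` the fwmark routing is done entirely by the PostUp hooks, and as far as I know wg-quick then does not set `net.ipv4.conf.all.src_valid_mark=1`, which it only does when it installs the fwmark default route itself. If `rp_filter` is strict on this host, the marked reply packets arriving on wg4 are source-validated against the main table, which points at the uplink rather than wg4, and are dropped; adding `PostUp = sysctl -q net.ipv4.conf.all.src_valid_mark=1` before the `ip rule add` line avoids that, and the PreDown side should restore the previous value. The hooks also hard-code the interface name where wg-quick offers `%i`, e.g. `PostUp = ip ro add default dev %i table 444` and the matching PreDown, so the file keeps working if it is renamed. Committing `PrivateKey = ...` as a placeholder is right; the deployed file holding the real key should be owner-readable only (mode 0600), which is worth a comment above the `[Interface]` section.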