👋 reading the VPN/NAT Gateway part of your documentation I'm having trouble understanding what's causing trouble on my (otherwise fully functional) netmaker setup. According to this part: https://netmaker.readthedocs.io/en/latest/egress-gateway.html#vpn-nat-gateway:~:text=the%20egress%20gateway.-,2)%20VPN%20/%20NAT%20Gateway,%C2%B6,-Most%20people%20think adding the network subset to the Egress Gateway is supposed to make a client properly exit trough the Egress node on the Internet. IDK if it's because I'm using

wg-quick up a_netmaker_generated_ext_client.conf

on my tests, but as soon as I pop the VPN client up → I loose any internet connection.

what did you set the egress gateway range to be?

first, I tried and followed the docs

interesting...

I haven't compared yet what differs from this while I'm successfuly netclient to run the exact same thing (using this same server as a gateway to the internet)

this is to get to a specific machine where the netmaker client is acting as an egress gateway for just that machine?

the use case that I'm trying to POC here is a workstation has to mask its public ip address on a single exit node, using a wg config (i.e. not using netclient per-se)

i still not sure that I completely understand what you were trying to do (and whether you were doing it with netmaker or pure wireguard)

ok, sorry about that, let me rephrase: I have a netmaker instance with two networks for two different purposes. The first network runs fine, it's a mesh network where all my servers are on the same wg network managed by netmaker. So far, nothing fancy. The second one, the one I'm trying to debug here, is "just a single node", my netmaker server, with a fleet of devices connected to it (ext clients) and using as a default gateway to reach the internet. To mask their identity, for instance. When I'm applying what is suggested in the docs (namely the list of ip ranges to set in the "egress"), and connecting my external client to this server, I lose Internet connectivity for a good reason: my server is on the Internet. Unless I explicitely tell wireguard to use an exceptional route (namely

ip r add foo.bar.baz.bam via my.lan.gateway.to.the.net dev wlan0

or

ip r add wg-server.public.ip.addr $(ip r get 1.1.1.1|awk -F 'src' '{ print $1 }'|awk -F '1.1.1.1' '{ print $2 }')

I can't reach the wg endpoint and therefore can't use it as a gateway

ok .... let me process that for a bit

i can make a drawing if it helps

so you are using the netmaker server as both an ingress gateway (for the ext clients) and as an egress gateway (to the internet) .... have I got that right

yeah indeed

and the ip route command is running on server? (foo.bar.baz.bam is server?)

the ip route command is to be run on the client

or you have to run that on the ext clients

and foo.bar.baz.bam is indeed the server, or replaced as wg-server.public.ip.addr on the second example

ok, gottcha ... understand it now

because you override the route used to reach the remote server in the first place with the AllowedIPs

true ... that why you can't just use 0.0.0.0/0 in allowedips

it's kind of the same reason yep

I think you are correct

at least my poc tells me that, I may be missing smt

when are you currently running that ip route command ---- before or after bring up the wg interface

it works either way since wg is stateless, if I haven't the route in my routing table: I lose my connection, if I have it, i can go online

so then it should be ok to put either in a postup or preup

yep

But this needs to be run on the ext client. How can the server determine the interface name of the ext client

the client has to run the pre-up script, but the server has to generate a pre-up script with its endpoint IP

I see. Might work

it is not interpreted as is by wg, this is why i wanted to run it by you x)

try adding bash -c to front of command eg.. bash -c ip r add x.x.x.x via ....

good idea!

well android client does funky stuff with allowed ips

it is not able to read the line either btw, qr scan throws an error x)

fyi you can get default dev with just `ip r get 1.1.1.1 | awk '{print $5}'

noted

yes, please

https://github.com/gravitl/netmaker/issues/1175 done.

Issue configuring VPN NAT Gateway