WireGuard as a “Switch”



Not really a switch, but similar. If you want to exchange data from two network using a host on Internet, this post helps.

In this case, Router 1 want to use Router 2 as gateway for some destinations. All 3 Nodes here have Internet public IP address.

I set-up a network, 192.168.20.0/24, using WireGuard. Our work are all on the Server in the middle.

If I put such config to /etc/wireguard/wg0.conf and run wg-quick up wg0, then I may lost connection to the server, because of the default route.

Now, add a route table to your system and change wg0.conf, let’s name it wgswitch and table id 201.

Then modify wg0.conf.

Now when you establish connections, you’ll be able to ping from router1 to router2 using 192.168.20.0/24 network.

But if you want to try a custom network, that’s not enough, you need extra route and ip rule for your network



WireGuard as a “Switch” by @sskaje: https://sskaje.me/2019/11/wireguard-as-a-switch/

Incoming search terms:

Azure Site-to-Site VPN with Dynamic Client IP



以前自己用 strongswan 等软件配 IPSec site-to-site 的时候,可以直接指定客户端的 IP 是 0.0.0.0,Azure 的 site-to-site IPSec VPN 必须要指定客户端 IP。

PowerShell 爱好者可以参考 https://www.hayesjupe.com/using-azure-rm-site-to-site-vpn-with-a-dynamic-ip/ 这篇文章。

我还是习惯用 Linux,于是使用 Azure CLI 来解决这个问题。

在 VPN 的 Virtual Network 里放置一台 Linux 虚拟机。按照上述连接里的说明安装软件。接下来开始操作。

1 登录

SSH 登录虚拟机后,执行命令,并按照输出,用浏览器登录 Azure 账号,完成认证。

如果是中国区 Azure,先需要设置服务器

如果需要切换回海外版本

2 添加更新服务

参考 DDNS 的玩法,让客户端定期更新IP。服务端可以简单地将数据记录到数据库、文件、或者任何地方,配置一个 cron 来执行更新检测和 Gateway IP 更新。

3 更新 Gateway IP

这里会有个问题,如果源 IP 和新 IP 相同,update 可能会出一个莫名其妙的404 错误。

看了眼 –verbose –debug 的输出,这个 update 命令先发送了一条命令到服务端,然后轮询等待任务更新。可能这个任务服务端直接判定不需要执行,所以返回的 operation id 无效。



Azure Site-to-Site VPN with Dynamic Client IP by @sskaje: https://sskaje.me/2019/08/azure-site-to-site-vpn-with-dynamic-client-ip/

Incoming search terms:

MacOS VPN Auto Add Routes



I tested on macOS 10.14, L2TP VPN.

I connect to my office VPN to work remotely, but I don’t want to send all traffic to VPN interface. Usually, I open a Terminal.app and execute commands after VPN connected:

192.168.2.0/24 is address block used in my office, 192.168.100.1 is VPN gateway address.

It’s really inconvenient. But I have a new solution: networksetup.

Usage: networksetup -setadditionalroutes <networkservice> [ <dest> <mask> <gateway> ]*
        Set additional IPv4 routes associated with <networkservice>
        by specifying one or more [ <dest> <mask> <gateway> ] tuples.
        Remove additional routes by specifying no arguments.
        If <gateway> is “”, the route is direct to the interface

First, find your service name.

Find your VPN connection name, in my case ‘My Office’.

If you have multiple route entries to add,

L2TP is a Point-to-Point VPN, the gateway address is not that important, that’s why I use “” instead of 192.168.100.1.



MacOS VPN Auto Add Routes by @sskaje: https://sskaje.me/2019/04/macos-vpn-auto-add-routes/

Hijack DnsPod HttpDNS



劫持DNS是个很简单的工作,家用路由器基本都自带dnsmasq,直接加解析就行。

之前某次尝试劫持某视频App的广告接口解析到一个空的本地服务器上,发现该App使用了DnsPod的HttpDNS服务,所以传统的DNS劫持方案不好用。而EdgeRouter的DPI功能也没有对外开放墙一般的高级接口,所以这次用NAT来实现。

Continue reading “Hijack DnsPod HttpDNS” »

Hijack DnsPod HttpDNS by @sskaje: https://sskaje.me/2019/04/hijack-dnspod-httpdns/

Incoming search terms:

Asus Merlin Policy Based Routing



之前写过一个版本,基于380.x的,一开始好用,最近过来发现不好使了。索性把家里路由升级到384.9,重新配置。

拓扑结构基本不变,增加了需求让两边家里能互通,所以把NAT关了。

这回直接简化,搞了个github的repo,https://github.com/sskaje/merlin-pbr,把jffs的配置脚本放进去了,依旧是 dnsmasq + ipset,但是openvpn-event脚本 也可以手工维护路由列表,自动走openvpn的网卡。



Asus Merlin Policy Based Routing by @sskaje: https://sskaje.me/2019/02/asus-merlin-policy-based-routing/

Incoming search terms: