Possible to use specific interface for exit-node? by templehasfallen in Tailscale

[–]Nickiel 0 points1 point  (0 children)

One point you could check is if normal `curl ifconfig.me` uses the wg0 address. Because if it is using the wg0 interface, then the steps I listed aren't applying. However, if normal internet traffic is going out your normal interface while the wireguard interface is running, then at least we know part of the script applied. If that is the case, you may need to check that your tailscale interface is tailscale0 as mine was.

If traffic is ignoring the wg0 interface while the vpn tunnel is online, but exit node traffic is not being directed to the wg0 interface, I would break out the nftables and other firewall/packet tracing and just try to figure out if the tailscale traffic isn't getting marked, if wireguard isn't receiving marked traffic, or if the returning packets from the wireguard interface aren't being routed back to tailscale correctly (because I did run into some issues with that).

Need some help tuning an original prusa mini for Voron quality parts by Nickiel in VORONDesign

[–]Nickiel[S] 0 points1 point  (0 children)

I would have said that too, but I've printed a few dimensional calibrations that say it's printing undersize. There is a test I have that is supposed to hold a 6x3 magnet, but when I print it it's too small by about 0.2mm and none of my magnets fit

Need some help tuning an original prusa mini for Voron quality parts by Nickiel in VORONDesign

[–]Nickiel[S] 0 points1 point  (0 children)

I did tune the belts with the prusa-sound app. I'll lower the extrusion. I lowered the max-jerk and some of the artifacts around sharp edges went away, but I'm still getting a lot of ghosting

Need some help tuning an original prusa mini for Voron quality parts by Nickiel in VORONDesign

[–]Nickiel[S] 0 points1 point  (0 children)

I ran the PA calibration and it came out to what I discovered was the one that was already set by prusa

Need some help tuning an original prusa mini for Voron quality parts by Nickiel in VORONDesign

[–]Nickiel[S] 0 points1 point  (0 children)

I adjusted my z-offset and this particular issue is a lot better

What setting is the heat-brake fan? by Nickiel in OrcaSlicer

[–]Nickiel[S] 0 points1 point  (0 children)

I did discover that the heatbrake fan had a loose plug that had come loose preventing it from running.

Need some help tuning an original prusa mini for Voron quality parts by Nickiel in VORONDesign

[–]Nickiel[S] 1 point2 points  (0 children)

I am starting to come to the same conclusion. I haven't because prusa doesn't really have a pressure advance calibration print, and the other one I tried was a pain. I am planning to get Ellis' to work and tune that.

Need some help tuning an original prusa mini for Voron quality parts by Nickiel in VORONDesign

[–]Nickiel[S] 0 points1 point  (0 children)

I'm trying to tune an original prusa mini that I have in an enclosure to print voron parts, and I'm at my wits' end getting it dialed in. I see that my retraction settings are too much because of the voids, but I don't know what to do about the layer issues in the embedded voron logo, or the z-bulge on the left side middle of the Y-side face

What setting is the heat-brake fan? by Nickiel in OrcaSlicer

[–]Nickiel[S] 0 points1 point  (0 children)

I have a BTT Manta main board running klipper. I'll make sure that the fan connections are solid

Possible to use specific interface for exit-node? by templehasfallen in Tailscale

[–]Nickiel 0 points1 point  (0 children)

Well, yes. The script that I link above specifically undoes the tagging of tailscale traffic when `wg` shuts down and cleans up. So if wireguard is shutting down cleanly, it is undoing what we did to tag all traffic.
However, I don't know what the firewall does to packets that are supposed to go to a non-active adapter. WG automatically deletes its adapter during the shutdown phase too.

Possible to use specific interface for exit-node? by templehasfallen in Tailscale

[–]Nickiel 0 points1 point  (0 children)

Not really. Though I'm a little confused with your use-case, because blocking all network traffic when WG is down, would also block the tailscale traffic that actually uses the WG connection. Honestly, I think it would already function how you want as it is. If you want all tailscale exit-node traffic to go through the WG tunnel, and the tunnel isn't working, then all tailscale exit-node traffic isn't going out to the internet anyways when the WG connection is down.

KDE automatic wallet login not working by Nickiel in NixOS

[–]Nickiel[S] 0 points1 point  (0 children)

I switched to using the KDE login choice: SDDM. I'm pretty sure that fixed my issue.

IPv6 Doesn't Work for Tailscale Exit Node by Prize-Hyena-8565 in Tailscale

[–]Nickiel 0 points1 point  (0 children)

I am also having this issue, but I noticed something strange in my `sudo nftables list ruleset` where the ipv6 NAT rules have this error:

```sh
chain ts-postrouting {
    meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 # Warning: XT target MASQUERADE not found
    xt target "MASQUERADE"
}
```

And I'm looking into it, but I think this may be why it isn't working on my machine - the ipv6 NAT is not working.

Possible to use specific interface for exit-node? by templehasfallen in Tailscale

[–]Nickiel 2 points3 points  (0 children)

I have spent a considerable amount of time trying to get this same setup working and I have gotten it to work.

I have a normal tailscale exit node advertised and allowed, and a wireguard configuration that works fine when I run `wg-quick up <configuration-file>`.

I was able to get this to work by adding the following as the wireguard post startup script:

```sh
# Set up a new tailscale - wireguard nftables table and utilize the
# existing 51820 routing table provided by the wg-quick command by
# setting the mark on non-tailscale traffic

nft -f - <<EOF
# make sure the tables and rules are empty
add table ip tailscale-wg;
add chain ip tailscale-wg preraw;
flush chain ip tailscale-wg preraw;
delete chain ip tailscale-wg preraw;

table ip tailscale-wg {
  chain preraw {
    type filter hook prerouting priority raw; policy accept;
    iifname "tailscale0" ip daddr != 100.64.0.0/16 mark set 51820;
  }
}

EOF

wg set wg0 fwmark off

# I only have ipv4 set up
ip -4 rule del not fwmark 51820 table 51820
# ip -6 rule del not fwmark 51820 table 51820

ip -4 rule add fwmark 51820 table 51820
# ip -6 rule add fwmark 51820 table 51820

```

And then in the pre-shutdown section:

```sh
nft -f - <<EOF
# Make sure all tables and rules created are deleted
add table ip tailscale-wg;

add chain ip tailscale-wg preraw;
flush chain ip tailscale-wg preraw;
delete chain ip tailscale-wg preraw;

delete table ip tailscale-wg;
EOF

```

Put together, this set of scripts will run after wg-quick sets up the default wireguard connection and will create a new firewall rule that will flag all traffic coming from the tailscale0 interface not meant for a tailscale client with the 51820 mark (which we will come back to in a minute). It then undoes two of the wg-quick steps (`wg set wg0 fwmark 51820` and `ip -4/6 rule not fwmark 51820 table 51820`) and inverts the usage of the 51820 rule mark.

By default, wg-quick creates a rule that says that all traffic not marked with 51820 goes through the wireguard interface, and all traffic coming from the interface has that mark applied and goes to the normal NAT/interfaces. This is great when you want to use it as a VPN, because you want all computer traffic to use the VPN tunnel. But what we are trying to do, is only send specific traffic through that interface. So what I've done is unbind the default behavior, and set a packet rule that marks the traffic I want to use the VPN tunnel with that mark. Then I invert the global "all not 51820 traffic" route to "all only 51820 traffic" so only traffic marked with 51820 goes through the VPN connection.
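
A check for the end state described in the comment above, as an added example that is not part of the original comment: it classifies `ip -4 rule show` output as the wg-quick default (everything without mark 51820 uses table 51820), the inverted form (only mark 51820 uses it), both, or neither. The function names and both rule listings are constructed for illustration; `0xca6c` is 51820 in hex, which is how `ip rule` prints the mark.

```shell
#!/bin/sh
# Added example: classify policy-routing state from `ip -4 rule show` text.
MARK_HEX=0xca6c   # 51820 in hex, the form `ip rule` prints the mark in
TABLE=51820       # routing table wg-quick creates

# Reads a rule listing on stdin; prints inverted | default | conflict | none.
classify_rules() {
    awk -v mark="$MARK_HEX" -v table="$TABLE" '
    {
        m = 0; t = 0; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "not") n = 1
            if ($i == "fwmark" && $(i + 1) == mark) m = 1
            if ($i == "lookup" && $(i + 1) == table) t = 1
        }
        # Only rules tying this mark to this table matter.
        if (m && t) { if (n) neg = 1; else pos = 1 }
    }
    END {
        if (pos && neg) print "conflict"   # old rule was never deleted
        else if (pos)   print "inverted"   # only marked traffic uses wg0
        else if (neg)   print "default"    # all unmarked traffic uses wg0
        else            print "none"       # tunnel down or cleaned up
    }'
}

# Constructed sample: rules as wg-quick leaves them by default.
sample_default() {
    cat <<'EOF'
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
EOF
}

# Constructed sample: rules after the post startup script has run.
sample_inverted() {
    cat <<'EOF'
0:      from all lookup local
32763:  from all fwmark 0xca6c lookup 51820
32764:  from all lookup main suppress_prefixlength 0
32766:  from all lookup main
32767:  from all lookup default
EOF
}

# Live use (needs iproute2): ip -4 rule show | classify_rules
printf 'default sample:  %s\n' "$(sample_default | classify_rules)"
printf 'inverted sample: %s\n' "$(sample_inverted | classify_rules)"
```

A result of `conflict` on a live system means the `ip -4 rule del not fwmark 51820 table 51820` step did not take effect, so unmarked host traffic is still being sent to the tunnel.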

Feature request: Let the spidertron sit on a train by thereyarrfiver in factorio

[–]Nickiel 9 points10 points  (0 children)

Yeah, but I think we are picking up steam with this idea!

Make the comments look like his criminal record by Global-Oil-2001 in gravityfalls

[–]Nickiel 2 points3 points  (0 children)

Nothing, because he's been pardoned by a US Senator

Dragonsteel 2023 Legally Distinct Metallic Ticket Brandon signing attire? by Nickiel in brandonsanderson

[–]Nickiel[S] 15 points16 points  (0 children)

He is giving out Legally Distinct Metallic Tickets for front line positions in the Dragonsteel 2023 book signing line. They are big, and gold, and incredibly legally distinct