Multihop
Multihop routes client traffic through an exit server instead of sending it
directly to the internet. The daemon runs two WireGuard interfaces: one serves clients
(wg_phantom_main), the other connects to the exit tunnel
(wg_phantom_exit). Firewall rules handle the traffic forwarding between them.
Topology
Traffic Flow
When a packet from a client reaches the daemon, firewall rules take over:
Firewall Rules
When multihop is enabled, the multihop-exit preset is applied. There are three main
rule groups:
Policy Routing
Table 200 (mh) is created. Traffic from the client subnet is directed to this table:
Forward Rules
Masquerade
Client IPs appear to the exit server as the daemon's tunnel address (SNAT).
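A check for the Policy Routing group above, written for this page as an added example and not taken from the project's code: it reads `ip rule show` and `ip route show table 200` output and reports any condition under which client traffic would bypass wg_phantom_exit and leave directly. The client subnet 10.8.0.0/24 and the assumption that table 200 holds a default route on wg_phantom_exit are illustrative, and the sample input is constructed.

```shell
# Added example, not the project's code. Assumed: the client subnet value and
# that table 200 (mh) holds a default route on wg_phantom_exit.
MH_TABLE_ID=200; MH_TABLE_NAME=mh; MH_EXIT_IF=wg_phantom_exit

# mh_audit SUBNET RULES ROUTES
#   RULES = text of `ip rule show`, ROUTES = text of `ip route show table 200`
# Prints one line per finding; returns 0 only when there are none.
mh_audit() {
    subnet=$1; rules=$2; routes=$3; rc=0
    # Priority of the first rule "from SUBNET ... lookup 200|mh".
    mh_prio=$(printf '%s\n' "$rules" | awk -v s="$subnet" \
        -v id="$MH_TABLE_ID" -v n="$MH_TABLE_NAME" '{
            src = 0; tbl = 0
            for (i = 1; i < NF; i++) {
                if ($i == "from" && $(i+1) == s) src = 1
                if ($i == "lookup" && ($(i+1) == id || $(i+1) == n)) tbl = 1
            }
            if (src && tbl) { sub(/:$/, "", $1); print $1; exit }
        }')
    # Priority of the catch-all "from all lookup main" rule.
    main_prio=$(printf '%s\n' "$rules" | awk '/from all lookup main/ {
            sub(/:$/, "", $1); print $1; exit }')
    if [ -z "$mh_prio" ]; then
        echo "LEAK: no rule sends $subnet to table $MH_TABLE_ID"; rc=1
    elif [ -n "$main_prio" ] && [ "$mh_prio" -ge "$main_prio" ]; then
        echo "LEAK: rule $mh_prio is evaluated after main ($main_prio)"; rc=1
    fi
    # Every default route in the table must leave through the exit tunnel.
    devs=$(printf '%s\n' "$routes" | awk '$1 == "default" {
            for (i = 2; i < NF; i++) if ($i == "dev") print $(i+1) }')
    if [ -z "$devs" ]; then
        echo "LEAK: table $MH_TABLE_ID has no default route"; rc=1
    fi
    for d in $devs; do
        [ "$d" = "$MH_EXIT_IF" ] || { echo "LEAK: default route via $d"; rc=1; }
    done
    return $rc
}

# Constructed sample; on a live host pass "$(ip rule show)" and
# "$(ip route show table 200)" instead.
SAMPLE_RULES='32765: from 10.8.0.0/24 lookup mh
32766: from all lookup main'
SAMPLE_ROUTES='default dev wg_phantom_exit scope link'
mh_audit 10.8.0.0/24 "$SAMPLE_RULES" "$SAMPLE_ROUTES" && echo "multihop routing OK"
```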