<div dir="ltr">Actually, false alarm :(.<div><br></div><div>Can only get it to work if I add a policy rule in my router VPN client to send all traffic from the host running WireGuard through the WAN and thus skipping the VPN, which is not ideal, as when I am routing all traffic through WireGuard ideally I want it to use the VPN tunnel on my router.</div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>--</div>Arpit</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <<a href="mailto:g.arpit@gmail.com">g.arpit@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Got it working :).<div><br></div><div>Did not need to change any client or server settings. However, I needed to add another policy rule in my VPN client. The rule states:</div><div><br></div><div>Source: WireGuard server</div><div>Destination: <a href="http://192.168.100.0/24" target="_blank">192.168.100.0/24</a> (so any of my WireGuard clients)</div><div>Interface: WAN</div><div><br></div><div>So this way WireGuard traffic does not go through the VPN. <br clear="all"><div><div dir="ltr" class="gmail-m_3041124942920358459gmail_signature"><div dir="ltr"><div>--</div>Arpit</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <<a href="mailto:g.arpit@gmail.com" target="_blank">g.arpit@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Tried changing the allowed IPs to what was suggested and it did not work. Same behavior as before. 
Also, my configs were working as expected before I had my router connected to a VPN service.<div><br></div><div>It required me to add the following route policy for my VPN client on my router:</div><div><br></div><div>Source IP: <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>, Destination: 0.0.0.0 will go through the VPN. So does it matter if I connect to WireGuard using the IP address of the ISP vs the IP address of the VPN?</div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail-m_3041124942920358459gmail-m_6695934501888018956gmail_signature"><div dir="ltr"><div>--</div>Arpit</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:<br>
> On my server my conf is<br>
> <br>
> [Interface]<br>
> Address = <a href="http://192.168.100.1/32" rel="noreferrer" target="_blank">192.168.100.1/32</a><br>
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o<br>
> %i -j<br>
> ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br>
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD<br>
> -o %i<br>
> -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<br>
> ListenPort = 54930<br>
> PrivateKey = xxxxx<br>
> <br>
> [Peer]<br>
> PublicKey = xxxx<br>
> AllowedIPs = <a href="http://192.168.100.2/32" rel="noreferrer" target="_blank">192.168.100.2/32</a><br>
> <br>
> <br>
> on my client my config is<br>
> <br>
> [Interface]<br>
> Address = 192.168.100.2<br>
> PrivateKey = xxxxx<br>
> ListenPort = 21841<br>
> DNS = 192.168.1.63<br>
> <br>
> [Peer]<br>
> PublicKey = xxxx<br>
> Endpoint = ddns:xxx<br>
> AllowedIPs = <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a><br>
> <br>
> # This is for if you're behind a NAT and<br>
> # want the connection to be kept alive.<br>
> PersistentKeepalive = 25<br>
<br>
Try changing AllowedIPs in the client config to:<br>
AllowedIPs = <a href="http://192.168.100.1/32,192.168.1.0/24" rel="noreferrer" target="_blank">192.168.100.1/32,192.168.1.0/24</a><br>
<br>
Also, if you want to masquerade the traffic to the internet you need to<br>
add 0.0.0.0/0 to the client or change the destination IP to the server<br>
node via a NAT rule, otherwise it's going to be rejected because the IP<br>
packet doesn't have an AllowedIP address, I think. (The source needs to<br>
match, so either <a href="http://192.168.100.1/32" rel="noreferrer" target="_blank">192.168.100.1/32</a> or <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>). My guess is<br>
that's why you couldn't complete the handshake.<br>
<br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
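As an added illustration of the AllowedIPs point XRP raises (this is example code, not from the thread or from WireGuard), here is a small model of WireGuard's cryptokey routing applied to the two client-side AllowedIPs values discussed above: an inbound decrypted packet is accepted only if its source falls inside the sending peer's AllowedIPs, and an outbound packet is tunnelled only to a peer whose AllowedIPs covers the destination. The peer name "server" and the internet address 203.0.113.10 are constructed for the example.

```python
"""Model of WireGuard cryptokey routing (AllowedIPs) for the thread's client configs.

Added example, not code from the thread or from WireGuard. It assumes WireGuard's
documented rule: inbound packets whose source is outside the peer's AllowedIPs are
dropped, and outbound packets go to the peer whose AllowedIPs contains the
destination (longest prefix wins; no match means the packet is not tunnelled).
"""
import ipaddress
from typing import Dict, List, Optional


def parse_allowed_ips(value: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-separated AllowedIPs value; a bare address means /32, as in wg(8)."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def inbound_accepted(peer_allowed: str, src_ip: str) -> bool:
    """Would a decrypted packet from this peer with source src_ip be accepted?"""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in parse_allowed_ips(peer_allowed))


def outbound_peer(peers: Dict[str, str], dst_ip: str) -> Optional[str]:
    """Return the peer name whose AllowedIPs covers dst_ip (longest prefix), or None."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for name, allowed in peers.items():
        for net in parse_allowed_ips(allowed):
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


# Client-side [Peer] AllowedIPs from the thread: the original value and XRP's suggestion.
ORIGINAL_CLIENT_PEER = {"server": "192.168.1.0/24"}
SUGGESTED_CLIENT_PEER = {"server": "192.168.100.1/32,192.168.1.0/24"}

if __name__ == "__main__":
    # A reply sourced from the server's tunnel address 192.168.100.1 is dropped by the
    # original client config and accepted once 192.168.100.1/32 is added.
    for label, peers in (("original", ORIGINAL_CLIENT_PEER), ("suggested", SUGGESTED_CLIENT_PEER)):
        ok = inbound_accepted(peers["server"], "192.168.100.1")
        print(f"{label}: reply from 192.168.100.1 is {'accepted' if ok else 'dropped'}")
    # Internet-bound traffic (203.0.113.10 is a constructed sample address) only enters
    # the tunnel once 0.0.0.0/0 is part of AllowedIPs, as XRP notes for masquerading.
    print(outbound_peer(SUGGESTED_CLIENT_PEER, "203.0.113.10"))    # None
    print(outbound_peer({"server": "0.0.0.0/0"}, "203.0.113.10"))  # server
```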