<div dir="ltr">Man, this was a PEBKAC issue :).<div><br></div><div>The way I was using WireGuard before was I would always leave it on, even when I was at home. However, now when I am home my wireless is connected to Mullvad VPN. So when I tried to connect to WireGuard using the VPN IP, it did not work. When I switched my phone's Wi-Fi off and then used the VPN IP to connect to WireGuard, it worked just fine.</div><div><br></div><div>Now I will do some research on how I can make this work at home and outside :).</div><div><br></div><div>Sorry for all the noise.</div><div><br></div><div>Thanks<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>--</div>Arpit</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 7, 2019 at 9:54 AM Arpit Gupta <<a href="mailto:g.arpit@gmail.com">g.arpit@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr">I am a noob in networking commands, so I am looking for any pointers :). I think the issue is that packets are getting directed somewhere else because of a default route. <div><br></div><div>Here is info on my setup.</div><div><br></div><div>WireGuard running on host: 192.168.1.63</div><div><br></div><div>Router: 192.168.1.1 is also running a VPN client and is connected to the Mullvad VPN service. This sets up a tunnel on my router. I have a policy rule set up on my router that sends all traffic from <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> through the VPN tunnel.</div><div><br></div><div>I set up port forwarding according to the Mullvad guides on my router. 
I have confirmed port forwarding in Mullvad is working, as I am forwarding ports to other services without any issues.</div><div><br></div><div>iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT --to-destination <a href="http://192.168.1.63:54930" target="_blank">192.168.1.63:54930</a></div><div>iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT --to-destination <a href="http://192.168.1.63:54930" target="_blank">192.168.1.63:54930</a> <br></div><div><br></div><div>However, even with these rules I am not able to connect to WireGuard when using my VPN IP.</div><div><br></div><div><br></div><div>Now, if I add a route to my VPN client that states all traffic from 192.168.1.63 goes through the WAN, then I can connect to WireGuard, but using my ISP's IP address. With this setup I only have access to the LAN. My ideal setup, so that I don't need to switch to a different WireGuard tunnel when I leave my home network, is that I be able to access my LAN as well as route all traffic via Mullvad.</div><div><br></div><div><br></div><div>So I think the issue I need to solve is how come I am not able to reach WireGuard, even with port forwarding set up in Mullvad, when using my VPN IP.</div><div><br clear="all"><div><div dir="ltr" class="gmail-m_654336866890567803gmail_signature"><div dir="ltr"><div>--</div>Arpit</div></div></div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 7, 2019 at 12:04 AM David Kerr <<a href="mailto:david@kerr.net" target="_blank">david@kerr.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">I'm a little confused as to the network architecture. Are you running a WireGuard VPN inside of your OpenVPN? Or do you have two VPNs connecting into your host independently? 
Either way, the first thing I would look at is your IP route tables. You need to make sure that packets that arrive on one interface (e.g. wg0) are replied to over that same interface and are not directed out somewhere else by virtue of the default route pointing elsewhere.</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">David</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta <<a href="mailto:g.arpit@gmail.com" target="_blank">g.arpit@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Actually, false alarm :(.<div><br></div><div>I can only get it to work if I add a policy rule in my router's VPN client to send all traffic from the host running WireGuard through the WAN, thus skipping the VPN. That is not ideal, as when I am routing all traffic through WireGuard, ideally I want it to use the VPN tunnel on my router.</div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail-m_654336866890567803gmail-m_1937317055147639516gmail-m_-1703305025749338391gmail_signature"><div dir="ltr"><div>--</div>Arpit</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <<a href="mailto:g.arpit@gmail.com" target="_blank">g.arpit@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Got it working :).<div><br></div><div>Did not need to change any client or server settings. However, I needed to add another policy rule in my VPN client. 
The rule states</div><div><br></div><div>Source: WireGuard server</div><div>Destination: <a href="http://192.168.100.0/24" target="_blank">192.168.100.0/24</a> (so any of my WireGuard clients)</div><div>Interface: WAN</div><div><br></div><div>So this way WireGuard traffic does not go through the VPN. <br clear="all"><div><div dir="ltr" class="gmail-m_654336866890567803gmail-m_1937317055147639516gmail-m_-1703305025749338391gmail-m_3041124942920358459gmail_signature"><div dir="ltr"><div>--</div>Arpit</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <<a href="mailto:g.arpit@gmail.com" target="_blank">g.arpit@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Tried changing the allowed IPs to what was suggested and it did not work. Same behavior as before. Also, my configs were working as expected before I had my router connected to a VPN service.<div><br></div><div>It required me to add the following route policy for my VPN client on my router:</div><div><br></div><div>Source IP: <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>, Destination: 0.0.0.0 will go through the VPN. 
So does it matter whether I connect to WireGuard using the IP address of the ISP vs. the IP address of the VPN?</div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail-m_654336866890567803gmail-m_1937317055147639516gmail-m_-1703305025749338391gmail-m_3041124942920358459gmail-m_6695934501888018956gmail_signature"><div dir="ltr"><div>--</div>Arpit</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:<br>
> On my server my conf is<br>
> <br>
> [Interface]<br>
> Address = <a href="http://192.168.100.1/32" rel="noreferrer" target="_blank">192.168.100.1/32</a><br>
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br>
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<br>
> ListenPort = 54930<br>
> PrivateKey = xxxxx<br>
> <br>
> [Peer]<br>
> PublicKey = xxxx<br>
> AllowedIPs = <a href="http://192.168.100.2/32" rel="noreferrer" target="_blank">192.168.100.2/32</a><br>
> <br>
> <br>
> on my client my config is<br>
> <br>
> [Interface]<br>
> Address = 192.168.100.2<br>
> PrivateKey = xxxxx<br>
> ListenPort = 21841<br>
> DNS = 192.168.1.63<br>
> <br>
> [Peer]<br>
> PublicKey = xxxx<br>
> Endpoint = ddns:xxx<br>
> AllowedIPs = <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a><br>
> <br>
> # This is for if you're behind a NAT and<br>
> # want the connection to be kept alive.<br>
> PersistentKeepalive = 25<br>
<br>
Try changing AllowedIPs in the client config to:<br>
AllowedIPs = <a href="http://192.168.100.1/32,192.168.1.0/24" rel="noreferrer" target="_blank">192.168.100.1/32,192.168.1.0/24</a><br>
<br>
Also, if you want to masquerade the traffic to the internet you need to<br>
add 0.0.0.0/0 to the client or change the destination IP to the server<br>
node via a NAT rule, otherwise it's going to be rejected because the IP<br>
packet doesn't have an AllowedIP address, I think. (The source needs to<br>
match, so either <a href="http://192.168.100.1/32" rel="noreferrer" target="_blank">192.168.100.1/32</a> or <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>). My guess is<br>
that's why you couldn't complete the handshake.<br>
<br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
_______________________________________________<br>
WireGuard mailing list<br>
<a href="mailto:WireGuard@lists.zx2c4.com" target="_blank">WireGuard@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/wireguard" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/wireguard</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
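<p>Added example, not part of the thread above and not WireGuard's own code: a small Python model of the cryptokey-routing rule XRP's reply relies on. On the client, a peer's AllowedIPs does two jobs at once: outbound, a packet enters the tunnel only if some peer's AllowedIPs contains its destination (longest prefix wins), and inbound, a decrypted packet from that peer is kept only if its source address is inside the same list. The script parses the client config from the thread (keys replaced with placeholders, Endpoint left as posted) and reports which of the thread's addresses would pass in each direction, first with the original <code>AllowedIPs = 192.168.1.0/24</code> and then with the server's tunnel address and <code>0.0.0.0/0</code> added. The config text and sample addresses are constructed from the thread; the parser only handles the keys it needs.</p>

```python
"""Model of WireGuard cryptokey routing (AllowedIPs) for one client config.

Added illustration for the mailing-list thread; not code from WireGuard or
from any participant. The config below is constructed from the addresses
posted in the thread, with placeholder keys.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    public_key: str
    allowed_ips: list = field(default_factory=list)  # ip_network objects


def parse_peers(config_text):
    """Return the [Peer] sections of a wg-quick style config as Peer objects.

    Only PublicKey and AllowedIPs are read; other keys are skipped.
    """
    peers = []
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[peer]":
            current = Peer(public_key="")
            peers.append(current)
            continue
        if line.startswith("["):  # [Interface] or any other section
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "publickey":
            current.public_key = value
        elif key.lower() == "allowedips":
            current.allowed_ips.extend(
                ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split(",") if v.strip())
    return peers


def select_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs contain dst, longest prefix first.

    None means no peer claims the destination, so WireGuard drops the packet.
    """
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts_inbound(peer, src):
    """Inbound: a decrypted packet from peer is kept only if its source
    address lies inside that peer's AllowedIPs; otherwise it is dropped."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peer.allowed_ips)


# Client config as posted in the thread (keys replaced by placeholders).
ORIGINAL_CLIENT = """
[Interface]
Address = 192.168.100.2
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
ListenPort = 21841
DNS = 192.168.1.63

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = ddns:xxx
AllowedIPs = 192.168.1.0/24
PersistentKeepalive = 25
"""

# Same config with the server's tunnel address (as XRP suggested) and a
# default route, which is what a "route everything via home" client needs.
FULL_TUNNEL_CLIENT = ORIGINAL_CLIENT.replace(
    "AllowedIPs = 192.168.1.0/24",
    "AllowedIPs = 192.168.100.1/32, 192.168.1.0/24, 0.0.0.0/0")


def routing_report(config_text):
    """Which sample destinations enter the tunnel, and which reply sources
    the client would accept, for the single server peer in the config."""
    peers = parse_peers(config_text)
    server = peers[0]
    return {
        "to_lan_host": select_peer(peers, "192.168.1.63") is server,
        "to_server_tunnel_ip": select_peer(peers, "192.168.100.1") is server,
        "to_internet": select_peer(peers, "1.1.1.1") is server,
        "reply_from_lan_host": accepts_inbound(server, "192.168.1.63"),
        "reply_from_server_tunnel_ip": accepts_inbound(server, "192.168.100.1"),
        "reply_from_internet": accepts_inbound(server, "1.1.1.1"),
    }


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CLIENT),
                      ("full tunnel", FULL_TUNNEL_CLIENT)):
        print(name)
        for check, ok in routing_report(cfg).items():
            print(f"  {check:30s} {'ok' if ok else 'DROPPED'}")
```

<p>With the original config, only LAN addresses pass in either direction: a packet to 1.1.1.1 never enters the tunnel, and a reply from the server's own tunnel address 192.168.100.1 is dropped on arrival. Note that the handshake itself is not gated by AllowedIPs, only data packets are, so a missing entry typically looks like a completed handshake with no traffic rather than a failed handshake. The model ignores the fwmark-based policy routing that wg-quick installs for 0.0.0.0/0 and the router-side policy rules discussed in the thread; it covers only the check inside WireGuard.</p>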