cant connect to wireguard when router connected to a vpn service

Arpit Gupta g.arpit at gmail.com
Wed Mar 6 17:20:53 CET 2019


Got it working :).

Did not need to change any client or server settings. However, I needed to add
another policy rule in my VPN client. The rule states:

Source: wireguard server
Destination: 192.168.100.0/24 (so any of my wireguard clients)
Interface: WAN

So this way wireguard traffic does not go through the VPN.
--
Arpit


On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit at gmail.com> wrote:

> Tried changing the allowed IPs to what was suggested and it did not work.
> Same behavior as before. Also my configs were working as expected before I
> had my router connected to a VPN service.
>
> It required me to add the following route policy for my vpn client on my
> router
>
> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the VPN.
> So does it matter if I connected to WireGuard using the IP address of the
> ISP vs. the IP address of the VPN?
>
>
> --
> Arpit
>
>
> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp at airmail.cc> wrote:
>
>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>> > On my server my conf is
>> >
>> > [Interface]
>> > Address = 192.168.100.1/32
>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>> > ListenPort = 54930
>> > PrivateKey = xxxxx
>> >
>> > [Peer]
>> > PublicKey = xxxx
>> > AllowedIPs = 192.168.100.2/32
>> >
>> >
>> > on my client my config is
>> >
>> > [Interface]
>> > Address = 192.168.100.2
>> > PrivateKey = xxxxx
>> > ListenPort = 21841
>> > DNS = 192.168.1.63
>> >
>> > [Peer]
>> > PublicKey = xxxx
>> > Endpoint = ddns:xxx
>> > AllowedIPs = 192.168.1.0/24
>> >
>> > # This is for if you're behind a NAT and
>> > # want the connection to be kept alive.
>> > PersistentKeepalive = 25
>>
>> Try changing AllowedIPs in the client config to:
>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>
>> Also, if you want to masquerade the traffic to the internet you need to
>> add 0.0.0.0/0 to the client or change the destination IP to the server
>> node via a NAT rule, otherwise it's going to be rejected because the IP
>> packet doesn't have an AllowedIP address, I think. (The source needs to
>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>> that's why you couldn't complete the handshake.
>>
>>
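The AllowedIPs behaviour discussed in the thread, modelled as an added example (not code from the thread or from WireGuard itself): WireGuard only tunnels an outgoing packet to the peer whose AllowedIPs contain its destination, and only delivers a decrypted packet whose source lies within the sending peer's AllowedIPs. The peer tables below are constructed from the quoted configs, with keys replaced by labels.

```python
import ipaddress

# Constructed peer tables modelled on the configs quoted in the thread
# (keys replaced by labels; only AllowedIPs matter for cryptokey routing).
CLIENT_BEFORE = {"server": ["192.168.1.0/24"]}
CLIENT_AFTER = {"server": ["192.168.100.1/32", "192.168.1.0/24"]}
SERVER = {"client": ["192.168.100.2/32"]}


def build_table(peers):
    """Flatten {peer: [cidr, ...]} into a list of (network, peer) entries."""
    return [(ipaddress.ip_network(cidr), peer)
            for peer, cidrs in peers.items() for cidr in cidrs]


def outgoing_peer(peers, dst):
    """Select the peer whose AllowedIPs hold dst, longest prefix first.
    Returns None when no peer matches (WireGuard drops the packet)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, peer) for net, peer in build_table(peers)
               if addr in net]
    return max(matches)[1] if matches else None


def accept_incoming(peers, peer, src):
    """A decrypted packet from `peer` is delivered only if its source
    address lies within that peer's AllowedIPs; otherwise it is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net, p in build_table(peers) if p == peer)


def trace_ping(client_peers, server_peers, client_ip, target_ip):
    """Follow one echo request/reply from the client to an address behind
    the server and report where, if anywhere, cryptokey routing drops it."""
    if outgoing_peer(client_peers, target_ip) is None:
        return "client: no peer for destination, packet not tunnelled"
    if not accept_incoming(server_peers, "client", client_ip):
        return "server: source not in client's AllowedIPs, dropped"
    # The reply comes back with the target as its source address.
    if not accept_incoming(client_peers, "server", target_ip):
        return "client: reply source not in server's AllowedIPs, dropped"
    return "ok"
```

With the original client config a ping to the LAN (192.168.1.0/24) passes, but a ping to the server's tunnel address 192.168.100.1 never enters the tunnel; the suggested AllowedIPs fix makes both pass.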