cant connect to wireguard when router connected to a vpn service

Arpit Gupta g.arpit at gmail.com
Wed Mar 6 19:22:42 CET 2019


Actually, false alarm :(.

I can only get it to work if I add a policy rule in my router's VPN client to
send all traffic from the host running WireGuard through the WAN, thus
skipping the VPN. That is not ideal, as when I am routing all traffic through
WireGuard I ideally want it to use the VPN tunnel on my router.


--
Arpit


On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit at gmail.com> wrote:

> Got it working :).
>
> I did not need to change any client or server settings. However, I needed to
> add another policy rule in my VPN client. The rule states:
>
> Source: wireguard server
> Destination: 192.168.100.0/24 (so any of my wireguard clients)
> Interface: WAN
>
> So this way WireGuard traffic does not go through the VPN.
> --
> Arpit
>
>
> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit at gmail.com> wrote:
>
>> I tried changing the AllowedIPs to what was suggested and it did not
>> work. Same behavior as before. Also, my configs were working as expected
>> before I had my router connected to a VPN service.
>>
>> It required me to add the following route policy for my VPN client on my
>> router:
>>
>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the VPN.
>> So does it matter whether I connect to WireGuard using the IP address of
>> the ISP vs the IP address of the VPN?
>>
>>
>> --
>> Arpit
>>
>>
>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp at airmail.cc> wrote:
>>
>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>> > On my server my conf is
>>> >
>>> > [Interface]
>>> > Address = 192.168.100.1/32
>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>> > ListenPort = 54930
>>> > PrivateKey = xxxxx
>>> >
>>> > [Peer]
>>> > PublicKey = xxxx
>>> > AllowedIPs = 192.168.100.2/32
>>> >
>>> >
>>> > on my client my config is
>>> >
>>> > [Interface]
>>> > Address = 192.168.100.2
>>> > PrivateKey = xxxxx
>>> > ListenPort = 21841
>>> > DNS = 192.168.1.63
>>> >
>>> > [Peer]
>>> > PublicKey = xxxx
>>> > Endpoint = ddns:xxx
>>> > AllowedIPs = 192.168.1.0/24
>>> >
>>> > # This is for if you're behind a NAT and
>>> > # want the connection to be kept alive.
>>> > PersistentKeepalive = 25
>>>
>>> Try changing AllowedIPs in the client config to:
>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>
>>> Also, if you want to masquerade the traffic to the internet you need to
>>> add 0.0.0.0/0 to the client or change the destination IP to the server
>>> node via a NAT rule, otherwise it's going to be rejected because the IP
>>> packet doesn't have an AllowedIP address, I think. (The source needs to
>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>>> that's why you couldn't complete the handshake.
>>>
>>>
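The AllowedIPs behaviour XRP describes above can be checked with a small model of WireGuard's cryptokey routing. This is an added example, not code from the thread or from WireGuard itself: it assumes the AllowedIPs values quoted in the thread, uses placeholder peer labels instead of real public keys, and ignores the kernel routing table and the router's policy rules, which decide separately whether a packet reaches the wg interface at all.

```python
import ipaddress

# Simplified model of WireGuard's cryptokey routing (an illustration written for this
# thread, not WireGuard's own code). A table maps a peer label (placeholder for the
# peer's public key) to the networks listed in that peer's AllowedIPs.

def parse_allowed_ips(spec):
    """Parse an AllowedIPs value such as '192.168.100.1/32,192.168.1.0/24'."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]

def select_peer(table, dst):
    """Outbound: choose the peer whose AllowedIPs contains dst (longest prefix wins).
    Returns None when no peer matches, in which case WireGuard drops the packet."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer, nets in table.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best

def accept_inbound(table, peer, src):
    """Inbound: after decryption, the inner packet's source IP must lie inside
    the sending peer's AllowedIPs, otherwise the packet is silently dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(peer, []))

# Client-side tables built from the AllowedIPs values quoted in the thread.
ORIGINAL_CLIENT = {"server": parse_allowed_ips("192.168.1.0/24")}
SUGGESTED_CLIENT = {"server": parse_allowed_ips("192.168.100.1/32,192.168.1.0/24")}
FULL_TUNNEL_CLIENT = {"server": parse_allowed_ips("0.0.0.0/0")}

def demo():
    """Walk through the cases the thread discusses; returns a dict of results."""
    return {
        # A reply sourced from the server's own tunnel address (192.168.100.1),
        # e.g. an answer to a ping of the server, is dropped with the original config.
        "orig_accepts_server_tunnel_ip": accept_inbound(ORIGINAL_CLIENT, "server", "192.168.100.1"),
        "suggested_accepts_server_tunnel_ip": accept_inbound(SUGGESTED_CLIENT, "server", "192.168.100.1"),
        # LAN hosts behind the server (the DNS server 192.168.1.63) were always accepted.
        "orig_accepts_lan_host": accept_inbound(ORIGINAL_CLIENT, "server", "192.168.1.63"),
        # Internet destinations never enter the tunnel unless 0.0.0.0/0 is listed.
        "orig_peer_for_internet": select_peer(ORIGINAL_CLIENT, "8.8.8.8"),
        "full_tunnel_peer_for_internet": select_peer(FULL_TUNNEL_CLIENT, "8.8.8.8"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because inbound packets are dropped silently, a mismatch like this shows up as a handshake that completes but traffic that never returns, so checking `wg show` transfer counters on both ends is the quickest way to tell the two apart.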