cant connect to wireguard when router connected to a vpn service

David Kerr david at kerr.net
Thu Mar 7 09:04:44 CET 2019


I'm a little confused as to the network architecture.  Are you running a
wireguard VPN inside of your OpenVPN?  Or do you have two VPNs connecting
into your host independently?  Either way, the first thing I would look at
is your ip route tables.  You need to make sure that packets that arrive on
one interface (e.g. wg0) are replied to over that same interface and are
not directed out somewhere else by virtue of the default route pointing
elsewhere.

David

On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta <g.arpit at gmail.com> wrote:

> Actually false alarm :(.
>
> Can only get it to work if I add a policy rule in my router vpn client to
> send all traffic from host running wireguard through the WAN and thus
> skipping VPN which is not ideal as when I am routing all traffic through
> wireguard ideally I want it to use the vpn tunnel on my router.
>
>
> --
> Arpit
>
>
> On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit at gmail.com> wrote:
>
>> Got it working :).
>>
>> Did not need to change any client or server settings. However, I needed to
>> add another policy rule in my vpn client. Rule states
>>
>> Source: wireguard server
>> destination: 192.168.100.0/24 (so any of my wireguard clients)
>> interface: WAN
>>
>> So this way wireguard traffic does not go through the VPN.
>> --
>> Arpit
>>
>>
>> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit at gmail.com> wrote:
>>
>>> Tried changing the allowed IPs to what was suggested and it did not
>>> work. Same behavior as before. Also my configs were working as expected
>>> before I had my router connected to a vpn service.
>>>
>>> It required me to add the following route policy for my vpn client on my
>>> router
>>>
>>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the VPN.
>>> So does it matter whether I connected to wireguard using the IP address of
>>> the ISP vs the IP address of the VPN?
>>>
>>>
>>> --
>>> Arpit
>>>
>>>
>>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp at airmail.cc> wrote:
>>>
>>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>>> > On my server my conf is
>>>> >
>>>> > [Interface]
>>>> > Address = 192.168.100.1/32
>>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o
>>>> > %i -j
>>>> > ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD
>>>> > -o %i
>>>> > -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>>> > ListenPort = 54930
>>>> > PrivateKey = xxxxx
>>>> >
>>>> > [Peer]
>>>> > PublicKey = xxxx
>>>> > AllowedIPs = 192.168.100.2/32
>>>> >
>>>> >
>>>> > on my client my config is
>>>> >
>>>> > [Interface]
>>>> > Address = 192.168.100.2
>>>> > PrivateKey = xxxxx
>>>> > ListenPort = 21841
>>>> > DNS = 192.168.1.63
>>>> >
>>>> > [Peer]
>>>> > PublicKey = xxxx
>>>> > Endpoint = ddns:xxx
>>>> > AllowedIPs = 192.168.1.0/24
>>>> >
>>>> > # This is for if you're behind a NAT and
>>>> > # want the connection to be kept alive.
>>>> > PersistentKeepalive = 25
>>>>
>>>> Try changing AllowedIPs in the client config to:
>>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>>
>>>> Also, if you want to masquerade the traffic to the internet you need to
>>>> add 0.0.0.0/0 to the client or change the destination IP to the server
>>>> node via a NAT rule, otherwise it's going to be rejected because the IP
>>>> packet doesn't have an AllowedIP address, I think. (The source needs to
>>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>>>> that's why you couldn't complete the handshake.
>>>>
>>>> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>
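As an added example (not from anyone on the thread), a small Python check for the AllowedIPs point XRP raises: it parses both configs quoted above (sample text constructed from them, trimmed and with keys redacted) and reports which tunnel address on the far side no AllowedIPs entry on the near side covers. It checks WireGuard's cryptokey routing only; the router policy routing David mentions cannot be verified from a static config.

```python
import ipaddress

# Constructed sample configs: the server and client from the thread, trimmed
# to the keys that matter for cryptokey routing (keys redacted as on the list).
SERVER_CONF = """\
[Interface]
Address = 192.168.100.1/32
[Peer]
PublicKey = xxxx
AllowedIPs = 192.168.100.2/32
"""
CLIENT_CONF = """\
[Interface]
Address = 192.168.100.2
[Peer]
PublicKey = xxxx
Endpoint = ddns:xxx
AllowedIPs = 192.168.1.0/24  # XRP's fix: 192.168.100.1/32,192.168.1.0/24
"""

def parse_wg(text):
    """Parse a wg-quick config into (interface, [peers]); [Peer] may repeat."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            cur = iface if line.lower() == "[interface]" else {}
            if cur is not iface:
                peers.append(cur)
            continue
        key, _, val = line.partition("=")
        cur[key.strip().lower()] = val.strip()
    return iface, peers

def allowed_nets(peer):
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("allowedips", "").split(",") if n.strip()]

def uncovered_sources(local_conf, remote_conf):
    """Remote tunnel addresses that no [Peer] AllowedIPs in local_conf covers.
    WireGuard drops a decrypted packet whose source lies outside the sending
    peer's AllowedIPs, so such a host is unreachable even after a handshake."""
    _, local_peers = parse_wg(local_conf)
    remote_iface, _ = parse_wg(remote_conf)
    src = ipaddress.ip_interface(remote_iface["address"]).ip
    nets = [n for p in local_peers for n in allowed_nets(p)]
    return [] if any(src in n for n in nets) else [str(src)]
```

Running it on the thread's configs reports that the client cannot accept packets sourced from 192.168.100.1 (the server's tunnel address), which is exactly what adding 192.168.100.1/32 to the client's AllowedIPs fixes.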