can't connect to WireGuard when router is connected to a VPN service

Arpit Gupta g.arpit at gmail.com
Thu Mar 7 18:54:06 CET 2019


I am a noob in networking commands, so I'm looking for any pointers :). I think
the issue is that packets are getting directed somewhere else because of a
default route.

Here is info on my setup.

WireGuard running on host: 192.168.1.63

Router: 192.168.1.1 is also running a VPN client and is connected to the
Mullvad VPN service. This sets up a tunnel on my router. I have a policy
rule set up on my router that sends all traffic from 192.168.1.0/24 through
the VPN tunnel.

I set up port forwarding according to the Mullvad guides on my router. I have
confirmed port forwarding in Mullvad is working, as I am forwarding ports to
other services without any issues.

# WireGuard listens on UDP only; the TCP rule is harmless but unused by it.
iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930
iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930

However, even with these rules I am not able to connect to WireGuard when
using my VPN IP.


Now if I add a route to my VPN client that states all traffic from
192.168.1.63 goes through the WAN, then I can connect to WireGuard, but using
my ISP's IP address. With this setup I only have access to the LAN. My ideal
setup, so that I don't need to switch to a different WireGuard tunnel when I
leave my home network, is that I am able to access my LAN as well as route all
traffic via Mullvad.


So I think the issue I need to solve is why I am not able to reach
WireGuard, even with port forwarding set up in Mullvad, when using my VPN IP.

--
Arpit

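The routing question David raises below and the two router rules described above (all LAN traffic into the Mullvad tunnel, then the per-host exception back to the WAN) can be checked with a small model of the Linux routing policy database. This is an added example, not code from the thread: it assumes interface names eth0 (WAN), tun0 (Mullvad tunnel) and br0 (LAN), a constructed peer address 203.0.113.10, and it ignores conntrack and NAT, so it only answers which interface a reply would leave by.

```python
"""Model of Linux policy routing (ip rule / ip route) for the reply-path check.

Added example, not code from this thread. Rules are consulted in priority
order; the first one whose selector matches and whose table holds a route for
the destination decides the egress interface. Tables use longest-prefix match.
Interface names (eth0 = WAN, tun0 = Mullvad tunnel, br0 = LAN) and the peer
address 203.0.113.10 are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dst: str  # destination prefix; "0.0.0.0/0" is the default route
    dev: str  # egress interface


@dataclass(frozen=True)
class Rule:
    priority: int               # lower numbers are consulted first
    table: str                  # table searched when the selector matches
    src: Optional[str] = None   # "from" selector (source prefix); None = any


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within a single routing table."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        net = ip_network(r.dst)
        if addr in net and (best is None or net.prefixlen > ip_network(best.dst).prefixlen):
            best = r
    return best


def egress(rules: List[Rule], tables: Dict[str, List[Route]], src: str, dst: str) -> Optional[str]:
    """Walk the rules by priority; the first table that yields a route wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and ip_address(src) not in ip_network(rule.src):
            continue
        hit = lookup(tables[rule.table], dst)
        if hit is not None:
            return hit.dev
    return None


# Constructed router tables: the LAN is directly attached in both; they differ
# only in where the default route points.
TABLES: Dict[str, List[Route]] = {
    "main": [Route("192.168.1.0/24", "br0"), Route("0.0.0.0/0", "eth0")],
    "vpn":  [Route("192.168.1.0/24", "br0"), Route("0.0.0.0/0", "tun0")],
}

# Rule described in the mail: everything from the LAN goes via Mullvad.
LAN_VIA_VPN = [Rule(100, "vpn", src="192.168.1.0/24"), Rule(32766, "main")]

# The workaround: the WireGuard host alone is excepted back to the WAN.
WG_HOST_VIA_WAN = [Rule(50, "main", src="192.168.1.63")] + LAN_VIA_VPN

WG_HOST = "192.168.1.63"
PEER = "203.0.113.10"  # constructed public address of a roaming WireGuard client


def reply_is_symmetric(rules: List[Rule], arrived_on: str) -> bool:
    """David's check: the WireGuard host's reply to PEER must leave by the
    interface the request arrived on, otherwise the peer sees a different
    source address and the handshake never completes."""
    return egress(rules, TABLES, WG_HOST, PEER) == arrived_on


if __name__ == "__main__":
    for name, rules in (("LAN via VPN", LAN_VIA_VPN), ("WG host via WAN", WG_HOST_VIA_WAN)):
        for iface in ("tun0", "eth0"):
            verdict = "ok" if reply_is_symmetric(rules, iface) else "asymmetric"
            print(f"{name:16} request in on {iface}: reply out {egress(rules, TABLES, WG_HOST, PEER)} -> {verdict}")
```

With the LAN-via-VPN rule alone, a reply to a request that came in through the Mullvad tunnel goes back out through tun0, while a request that came in on the WAN address gets its reply pushed into the tunnel, so only the VPN address can work in that configuration. With the per-host exception the situation flips, which matches the observation that the ISP address then works and the VPN address does not. Because the model routes the VPN-address case symmetrically under the original rule, the next thing to confirm on the router is that the DNAT rule is actually matching: iptables -t nat -L PREROUTING -v -n shows per-rule packet counters, and a counter that stays at zero while a client tries to connect points at the forwarding path rather than at routing.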

On Thu, Mar 7, 2019 at 12:04 AM David Kerr <david at kerr.net> wrote:

> I'm a little confused as to the network architecture.  Are you running a
> wireguard VPN inside of your OpenVPN?  Or do you have two VPNs connecting
> into your host independently?  Either way, the first thing I would look at
> is your ip route tables.  You need to make sure that packets that arrive on
> one interface (e.g. wg0) are replied to over that same interface and are
> not directed out somewhere else by virtue of the default route pointing
> elsewhere.
>
> David
>
> On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta <g.arpit at gmail.com> wrote:
>
>> Actually false alarm :(.
>>
>> I can only get it to work if I add a policy rule in my router's VPN client to
>> send all traffic from the host running WireGuard through the WAN, thus
>> skipping the VPN, which is not ideal, as when I am routing all traffic through
>> WireGuard I ideally want it to use the VPN tunnel on my router.
>>
>>
>> --
>> Arpit
>>
>>
>> On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit at gmail.com> wrote:
>>
>>> Got it working :).
>>>
>>> Did not need to change any client or server settings. However, I needed to
>>> add another policy rule in my VPN client. The rule states:
>>>
>>> Source: WireGuard server
>>> Destination: 192.168.100.0/24 (so any of my WireGuard clients)
>>> Interface: WAN
>>>
>>> So this way WireGuard traffic does not go through the VPN.
>>> --
>>> Arpit
>>>
>>>
>>> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit at gmail.com> wrote:
>>>
>>>> Tried changing the allowed IPs to what was suggested and it did not
>>>> work. Same behavior as before. Also, my configs were working as expected
>>>> before I had my router connected to a VPN service.
>>>>
>>>> It required me to add the following route policy for my VPN client on
>>>> my router:
>>>>
>>>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the
>>>> VPN. So does it matter if I connect to WireGuard using the IP address of
>>>> the ISP vs the IP address of the VPN?
>>>>
>>>>
>>>> --
>>>> Arpit
>>>>
>>>>
>>>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp at airmail.cc> wrote:
>>>>
>>>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>>>> > On my server my conf is
>>>>> >
>>>>> > [Interface]
>>>>> > Address = 192.168.100.1/32
>>>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>>>> > ListenPort = 54930
>>>>> > PrivateKey = xxxxx
>>>>> >
>>>>> > [Peer]
>>>>> > PublicKey = xxxx
>>>>> > AllowedIPs = 192.168.100.2/32
>>>>> >
>>>>> >
>>>>> > on my client my config is
>>>>> >
>>>>> > [Interface]
>>>>> > Address = 192.168.100.2
>>>>> > PrivateKey = xxxxx
>>>>> > ListenPort = 21841
>>>>> > DNS = 192.168.1.63
>>>>> >
>>>>> > [Peer]
>>>>> > PublicKey = xxxx
>>>>> > Endpoint = ddns:xxx
>>>>> > AllowedIPs = 192.168.1.0/24
>>>>> >
>>>>> > # This is for if you're behind a NAT and
>>>>> > # want the connection to be kept alive.
>>>>> > PersistentKeepalive = 25
>>>>>
>>>>> Try changing AllowedIPs in the client config to:
>>>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>>>
>>>>> Also, if you want to masquerade the traffic to the internet you need to
>>>>> add 0.0.0.0/0 to the client or change the destination IP to the server
>>>>> node via a NAT rule, otherwise it's going to be rejected because the IP
>>>>> packet doesn't have an AllowedIP address, I think. (The source needs to
>>>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>>>>> that's why you couldn't complete the handshake.
>>>>>
>>>>> _______________________________________________
>> WireGuard mailing list
>> WireGuard at lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard
>>
>
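XRP's AllowedIPs advice in the quoted thread is easiest to see with a small model of WireGuard's cryptokey routing. This is an added example, not code from the thread or from WireGuard itself; the public-key strings are placeholders, and the peer tables mirror the [Peer] sections quoted above (the posted client config, XRP's suggested one, a full-tunnel variant, and the posted server config).

```python
"""WireGuard cryptokey routing (AllowedIPs) in both directions.

Added example for XRP's AllowedIPs advice; it is not code from the mail or
from WireGuard itself. AllowedIPs does two jobs: outbound, a packet goes to
the peer whose AllowedIPs best matches the destination (longest prefix wins;
with no match it is dropped, so no handshake is even started for it);
inbound, a decrypted packet is accepted only if its inner source address lies
inside the sending peer's AllowedIPs. The key strings are constructed
placeholders, not real keys.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

Peers = Dict[str, List[str]]  # public key -> AllowedIPs list


def peer_for_destination(peers: Peers, dst: str) -> Optional[str]:
    """Outbound: pick the peer whose AllowedIPs contains dst with the longest prefix."""
    addr = ip_address(dst)
    best_peer, best_len = None, -1
    for key, allowed in peers.items():
        for cidr in allowed:
            net = ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_peer, best_len = key, net.prefixlen
    return best_peer


def accept_inbound(peers: Peers, from_peer: str, src: str) -> bool:
    """Inbound: the inner source must be inside the sending peer's AllowedIPs."""
    return any(ip_address(src) in ip_network(c) for c in peers.get(from_peer, []))


SERVER_KEY = "SERVER_PUBKEY_PLACEHOLDER"  # constructed, not a real key
CLIENT_KEY = "CLIENT_PUBKEY_PLACEHOLDER"  # constructed, not a real key
CLIENT_ADDR = "192.168.100.2"
SERVER_ADDR = "192.168.100.1"

# Client [Peer] sections: as posted, as XRP suggested, and a full-tunnel variant.
CLIENT_POSTED = {SERVER_KEY: ["192.168.1.0/24"]}
CLIENT_SUGGESTED = {SERVER_KEY: ["192.168.100.1/32", "192.168.1.0/24"]}
CLIENT_FULL_TUNNEL = {SERVER_KEY: ["0.0.0.0/0"]}
# Server [Peer] section as posted.
SERVER = {CLIENT_KEY: ["192.168.100.2/32"]}


def round_trip(client: Peers, server: Peers, dst: str) -> bool:
    """Can the client send to dst through the tunnel and get the reply back?"""
    if peer_for_destination(client, dst) != SERVER_KEY:
        return False  # no peer for this destination: dropped at the client
    if not accept_inbound(server, CLIENT_KEY, CLIENT_ADDR):
        return False  # server discards a decrypted packet with an unexpected source
    if peer_for_destination(server, CLIENT_ADDR) != CLIENT_KEY:
        return False  # server cannot route the reply back into the tunnel
    return accept_inbound(client, SERVER_KEY, dst)  # client checks the reply's source


if __name__ == "__main__":
    for label, cfg in (("posted", CLIENT_POSTED), ("suggested", CLIENT_SUGGESTED),
                       ("full tunnel", CLIENT_FULL_TUNNEL)):
        for dst in ("192.168.1.63", SERVER_ADDR, "1.1.1.1"):
            print(f"{label:12} -> {dst:14}: {'works' if round_trip(cfg, SERVER, dst) else 'blocked'}")
```

In this model the posted config already lets LAN round trips through (a packet to 192.168.1.63 matches the server peer, and the reply's source is inside 192.168.1.0/24), which agrees with the follow-up that changing AllowedIPs did not change the behaviour. What the posted config does block is anything addressed to the server's own tunnel address 192.168.100.1 and anything outside the LAN, which is what XRP's two suggestions fix. On a real host, wg show lists each peer's allowed ips and latest handshake, so it tells you whether the handshake itself completed before you start looking at cryptokey routing.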