Can't connect to WireGuard when router is connected to a VPN service

Arpit Gupta g.arpit at gmail.com
Thu Mar 7 20:18:26 CET 2019


Man, this was a PEBKAC issue :).

The way I was using WireGuard before was I would always leave it on even
when I was at home. However, now when I am home my wireless is connected to
Mullvad VPN. So when I tried to connect to WireGuard using the VPN IP it
did not work. When I switched my phone's wifi off and then used the VPN IP
to connect to WireGuard it worked just fine.

Now I will do some research on how I can make this work at home and
outside :).

Sorry for all the noise.

Thanks
--
Arpit


On Thu, Mar 7, 2019 at 9:54 AM Arpit Gupta <g.arpit at gmail.com> wrote:

> I am a noob in networking commands so looking for any pointers :). I think
> the issue is packets are getting directed somewhere else because of a
> default route.
>
> Here is info on my setup.
>
> WireGuard running on host: 192.168.1.63
>
> Router: 192.168.1.1 is also running a VPN client and is connected to
> Mullvad VPN service. This sets up a tunnel on my router. I have a policy
> rule set up on my router that sends all traffic from 192.168.1.0/24
> through the VPN tunnel.
>
> I set up port forwarding according to Mullvad guides on my router. I have
> confirmed port forwarding in Mullvad is working as I am forwarding ports to
> other services without any issues.
>
> iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930
> iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930
>
> However, even with these rules I am not able to connect to WireGuard when
> using my VPN IP.
>
>
> Now if I add a route to my VPN client that states all traffic from
> 192.168.1.63 goes through the WAN then I can connect to WireGuard, but using
> my ISP's IP address. With this setup I only have access to the LAN. My ideal
> setup, so that I don't need to switch to a different WireGuard tunnel when I
> leave my home network, is that I be able to access my LAN as well as route all
> traffic via Mullvad.
>
>
> So I think the issue I need to solve is how come I am not able to reach
> WireGuard even with port forwarding set up in Mullvad when using my VPN IP.
>
> --
> Arpit
>
>
> On Thu, Mar 7, 2019 at 12:04 AM David Kerr <david at kerr.net> wrote:
>
>> I'm a little confused as to the network architecture. Are you running a
>> WireGuard VPN inside of your OpenVPN? Or do you have two VPNs connecting
>> into your host independently? Either way, the first thing I would look at
>> is your ip route tables. You need to make sure that packets that arrive on
>> one interface (e.g. wg0) are replied to over that same interface and are
>> not directed out somewhere else by virtue of the default route pointing
>> elsewhere.
>>
>> David
>>
>> On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta <g.arpit at gmail.com> wrote:
>>
>>> Actually false alarm :(.
>>>
>>> Can only get it to work if I add a policy rule in my router VPN client
>>> to send all traffic from the host running WireGuard through the WAN and thus
>>> skipping the VPN, which is not ideal as when I am routing all traffic through
>>> WireGuard ideally I want it to use the VPN tunnel on my router.
>>>
>>>
>>> --
>>> Arpit
>>>
>>>
>>> On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit at gmail.com> wrote:
>>>
>>>> Got it working :).
>>>>
>>>> Did not need to change any client or server settings. However, I needed to
>>>> add another policy rule in my VPN client. The rule states:
>>>>
>>>> Source: WireGuard server
>>>> Destination: 192.168.100.0/24 (so any of my WireGuard clients)
>>>> Interface: WAN
>>>>
>>>> So this way WireGuard traffic does not go through the VPN.
>>>> --
>>>> Arpit
>>>>
>>>>
>>>> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit at gmail.com> wrote:
>>>>
>>>>> Tried changing the allowed IPs to what was suggested and it did not
>>>>> work. Same behavior as before. Also my configs were working as expected
>>>>> before I had my router connected to a VPN service.
>>>>>
>>>>> It required me to add the following route policy for my VPN client on
>>>>> my router:
>>>>>
>>>>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the
>>>>> VPN. So does it matter if I connected to WireGuard using the IP address of
>>>>> the ISP vs the IP address of the VPN?
>>>>>
>>>>>
>>>>> --
>>>>> Arpit
>>>>>
>>>>>
>>>>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp at airmail.cc> wrote:
>>>>>
>>>>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>>>>> > On my server my conf is
>>>>>> >
>>>>>> > [Interface]
>>>>>> > Address = 192.168.100.1/32
>>>>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>>>>> > ListenPort = 54930
>>>>>> > PrivateKey = xxxxx
>>>>>> >
>>>>>> > [Peer]
>>>>>> > PublicKey = xxxx
>>>>>> > AllowedIPs = 192.168.100.2/32
>>>>>> >
>>>>>> >
>>>>>> > On my client my config is
>>>>>> >
>>>>>> > [Interface]
>>>>>> > Address = 192.168.100.2
>>>>>> > PrivateKey = xxxxx
>>>>>> > ListenPort = 21841
>>>>>> > DNS = 192.168.1.63
>>>>>> >
>>>>>> > [Peer]
>>>>>> > PublicKey = xxxx
>>>>>> > Endpoint = ddns:xxx
>>>>>> > AllowedIPs = 192.168.1.0/24
>>>>>> >
>>>>>> > # This is for if you're behind a NAT and
>>>>>> > # want the connection to be kept alive.
>>>>>> > PersistentKeepalive = 25
>>>>>>
>>>>>> Try changing AllowedIPs in the client config to:
>>>>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>>>>
>>>>>> Also, if you want to masquerade the traffic to the internet you need to
>>>>>> add 0.0.0.0/0 to the client or change the destination IP to the server
>>>>>> node via a NAT rule, otherwise it's going to be rejected because the IP
>>>>>> packet doesn't have an AllowedIP address, I think. (The source needs to
>>>>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>>>>>> that's why you couldn't complete the handshake.
>>>>>>
>>>>>> _______________________________________________
>>> WireGuard mailing list
>>> WireGuard at lists.zx2c4.com
>>> https://lists.zx2c4.com/mailman/listinfo/wireguard
>>>
>>
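The AllowedIPs point XRP raises above is easy to get wrong because WireGuard's cryptokey routing is applied in both directions: a packet is sent to the peer whose AllowedIPs holds the longest prefix matching the destination, and a decrypted packet from a peer is only kept if its source address routes back to that same peer. The script below is an added example, not code from anyone in this thread. It parses the client config quoted above (keys and endpoint left as the same placeholders) and applies both rules to the config as posted, to XRP's suggested AllowedIPs, and to a full-tunnel variant. The function names `parse_config`, `peer_for_destination`, `accepts_inbound` and `check_client` are mine, and `203.0.113.10` is an RFC 5737 documentation address standing in for "some internet host".

```python
"""Cryptokey-routing check for the WireGuard client config quoted in this thread.

Added example, not code from the original posts. Outbound: the peer whose
AllowedIPs has the longest prefix containing the destination gets the packet.
Inbound: a decrypted packet from a peer is kept only if its source address
routes back to that same peer. Keys and endpoint are placeholders.
"""
import ipaddress


def parse_config(text):
    """Parse [Interface] and [Peer] sections of a wg-quick config; AllowedIPs become networks."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError("unknown section: " + line)
            continue
        if current is None:
            raise ValueError("key outside of a section: " + line)
        # base64 keys end in '=', so split on the first '=' only
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    for peer in peers:
        peer["allowedips"] = [
            ipaddress.ip_network(net.strip(), strict=False)
            for net in peer.get("allowedips", "").split(",")
            if net.strip()
        ]
    return {"interface": interface, "peers": peers}


def peer_for_destination(cfg, address):
    """Outbound lookup: index of the peer with the longest AllowedIPs prefix containing address, else None."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for index, peer in enumerate(cfg["peers"]):
        for net in peer["allowedips"]:
            if addr in net and net.prefixlen > best_len:
                best, best_len = index, net.prefixlen
    return best


def accepts_inbound(cfg, peer_index, source):
    """Inbound check: a decrypted packet from peer_index is kept only if its source routes back to that peer."""
    return peer_for_destination(cfg, source) == peer_index


# Client config as quoted in the thread (constructed copy; keys are placeholders).
CLIENT_ORIGINAL = """
[Interface]
Address = 192.168.100.2
PrivateKey = xxxxx
ListenPort = 21841
DNS = 192.168.1.63

[Peer]
PublicKey = xxxx
Endpoint = ddns:xxx
AllowedIPs = 192.168.1.0/24
PersistentKeepalive = 25
"""

# The same config with the AllowedIPs line XRP suggested.
CLIENT_FIXED = CLIENT_ORIGINAL.replace(
    "AllowedIPs = 192.168.1.0/24", "AllowedIPs = 192.168.100.1/32,192.168.1.0/24")

# Full-tunnel variant: additionally send internet-bound traffic to the server.
CLIENT_FULL_TUNNEL = CLIENT_ORIGINAL.replace(
    "AllowedIPs = 192.168.1.0/24", "AllowedIPs = 192.168.100.1/32,192.168.1.0/24,0.0.0.0/0")


def check_client(config_text):
    """Answer the three questions the thread raises for a single-peer client config."""
    cfg = parse_config(config_text)
    server = 0  # the only [Peer] in the client config is the server
    return {
        # can a packet sourced from the server's tunnel address be received?
        "server_tunnel_addr_accepted": accepts_inbound(cfg, server, "192.168.100.1"),
        # can the LAN DNS server named under [Interface] reply through the tunnel?
        "lan_dns_accepted": accepts_inbound(cfg, server, cfg["interface"]["dns"]),
        # is internet-bound traffic sent to the server at all? (203.0.113.10 is a documentation address)
        "internet_via_tunnel": peer_for_destination(cfg, "203.0.113.10") is not None,
    }


if __name__ == "__main__":
    for name, text in [("as posted", CLIENT_ORIGINAL), ("XRP's AllowedIPs", CLIENT_FIXED),
                       ("full tunnel", CLIENT_FULL_TUNNEL)]:
        print(name, check_client(text))
```

With the config as posted, anything sourced from the server's own tunnel address 192.168.100.1 is dropped on the client even though the handshake itself is unaffected, while replies from the LAN DNS server 192.168.1.63 are fine because they fall inside 192.168.1.0/24; adding 192.168.100.1/32 fixes the first case and 0.0.0.0/0 is what makes internet traffic use the tunnel at all. Note that this check only models WireGuard's own routing decision; it says nothing about the router-side DNAT and policy routing that the thread goes on to discuss, and it cannot reproduce the final cause (connecting to the VPN's public IP from inside the same LAN), which is a NAT hairpin question on the router rather than a WireGuard one.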