VPN - excluding local IPs

Dmitrii Tcvetkov demfloro at demfloro.ru
Thu Mar 21 19:50:09 CET 2019


On Thu, 21 Feb 2019 16:08:50 +0100
Andreas Hatzl <andreas at hatzl.org> wrote:

> Hi,
> 
> I have successfully set up a wireguard VPN between my notebook
> (Manjaro behind NAT) and my virtual server (ubuntu 18.04). The only
> "issue" left is that I can't connect to local devices on the client
> while using wireguard. Is there a way to exclude an IP range from
> using wireguard? 
> 
> my client config:
> [Interface]
> Address = 10.x.y.z/32
> PrivateKey = xyz
> 
> [Peer]
> PublicKey =xyz
> Endpoint = xyz:51820
> AllowedIPs = 0.0.0.0/0
> PersistentKeepalive = 21
> 
> I am aware that the solution for this has most likely been posted a
> lot of times but I can't find anything on the WireGuard page or
> Google.
> 
> It would be great if somebody could help me with this.
> 
> Thanks
> 
> Andreas

That's odd. If I understood correctly, your setup looks kind of like this;
if not, please correct me:

|----------|
| notebook |
|----------|
172.16.0.2/24 private
10.0.0.2/24 inside tunnel

|--------------------|
| Example LAN device |
|--------------------|
172.16.0.3/24 private

        private 172.16.0.1/24
     |--------------------|
-----|   router with NAT  |-------------
     |--------------------|
          2.3.4.5 public

1.2.3.4 public
10.0.0.1/24 inside tunnel
|------------------|
| WireGuard server |
|------------------|

So in this example, before connecting to the VPN, the notebook would have:
direct route to 172.16.0.0/24
default route via 172.16.0.1

After connecting to the VPN, assuming that the VPN setup overrides the
default route:
direct route to 172.16.0.0/24
direct route to 10.0.0.0/24
static route to 1.2.3.4 via 172.16.0.1 (for encrypted WG traffic)
default route via 10.0.0.1

In that case there would not be any problem for the notebook to communicate
with the "example LAN device" unless a firewall on the notebook or the "LAN
device" interferes.

As far as I know there is no straightforward way to exclude networks
from AllowedIPs, but you can enumerate all public IPv4 prefixes, like
the Android WireGuard client does:

200.0.0.0/5,172.64.0.0/10,172.128.0.0/9,12.0.0.0/6,16.0.0.0/4,11.0.0.0/8,
32.0.0.0/3,128.0.0.0/3,196.0.0.0/6,64.0.0.0/2,172.0.0.0/12,194.0.0.0/7,
192.160.0.0/13,192.0.0.0/9,192.170.0.0/15,160.0.0.0/5,192.128.0.0/11,
193.0.0.0/8,208.0.0.0/4,192.172.0.0/14,176.0.0.0/4,192.169.0.0/16,
0.0.0.0/5,174.0.0.0/7,192.176.0.0/12,192.192.0.0/10,8.0.0.0/7,
172.32.0.0/11,173.0.0.0/8,168.0.0.0/6

But if you just replace 0.0.0.0/0 with this in the AllowedIPs line without
fixing routing, WireGuard will just reject packets which don't
belong to these prefixes. The network stack of the notebook should route
packets to the LAN; AllowedIPs is more of a precaution in this case.
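The prefix enumeration described in the reply above can be computed rather than typed by hand. The following is an added example, not code from the thread or from the WireGuard project: it carves a set of excluded networks out of 0.0.0.0/0 with Python's standard `ipaddress` module, reproduces the 30-entry list quoted above (that list is exactly 0.0.0.0/0 minus 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 224.0.0.0/3), and mimics WireGuard's cryptokey-routing check, which is the reason a destination outside AllowedIPs is dropped rather than forwarded. The LAN prefix 172.16.0.0/24 and server address 1.2.3.4 are taken from the reply's example topology; the function names are this example's own.

```python
import ipaddress

# The 30 prefixes the Android WireGuard client uses in place of 0.0.0.0/0,
# copied from the mailing-list reply above.
ANDROID_ALLOWED_IPS = (
    "200.0.0.0/5,172.64.0.0/10,172.128.0.0/9,12.0.0.0/6,16.0.0.0/4,11.0.0.0/8,"
    "32.0.0.0/3,128.0.0.0/3,196.0.0.0/6,64.0.0.0/2,172.0.0.0/12,194.0.0.0/7,"
    "192.160.0.0/13,192.0.0.0/9,192.170.0.0/15,160.0.0.0/5,192.128.0.0/11,"
    "193.0.0.0/8,208.0.0.0/4,192.172.0.0/14,176.0.0.0/4,192.169.0.0/16,"
    "0.0.0.0/5,174.0.0.0/7,192.176.0.0/12,192.192.0.0/10,8.0.0.0/7,"
    "172.32.0.0/11,173.0.0.0/8,168.0.0.0/6"
).split(",")


def exclude_prefixes(base, excluded):
    """Return the smallest list of CIDR blocks that covers `base` with every
    block in `excluded` carved out.  Two CIDR blocks either nest or are
    disjoint, so each exclusion either removes a block, splits it around the
    hole, or leaves it untouched.  All networks must be the same IP version."""
    remaining = [ipaddress.ip_network(base)]
    for hole in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                                  # swallowed by the hole
            if hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))    # split around the hole
            else:
                kept.append(net)                          # disjoint, keep as-is
        remaining = kept
    # collapse_addresses merges adjacent blocks back into one where possible
    return sorted(ipaddress.collapse_addresses(remaining))


def is_cryptokey_routable(dst, allowed):
    """Mimic WireGuard's cryptokey routing check: a packet to or from `dst` is
    accepted for the peer only if some AllowedIPs entry contains the address."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed)


def allowed_ips_line(nets):
    """Render the prefixes as the AllowedIPs line of a [Peer] section."""
    return "AllowedIPs = " + ",".join(str(n) for n in nets)


def reproduces_android_list():
    """True if excluding RFC 1918 space and 224.0.0.0/3 yields the quoted list."""
    nets = exclude_prefixes("0.0.0.0/0", ["10.0.0.0/8", "172.16.0.0/12",
                                          "192.168.0.0/16", "224.0.0.0/3"])
    return set(map(str, nets)) == set(ANDROID_ALLOWED_IPS)


if __name__ == "__main__":
    # The thread's topology: notebook LAN 172.16.0.0/24, server at 1.2.3.4.
    allowed = exclude_prefixes("0.0.0.0/0", ["172.16.0.0/24"])
    print(allowed_ips_line(allowed))
    for dst in ("172.16.0.3", "1.2.3.4"):
        verdict = "sent via peer" if is_cryptokey_routable(dst, allowed) \
            else "not in AllowedIPs, kernel LAN route applies"
        print(f"{dst}: {verdict}")
    print("reproduces Android list:", reproduces_android_list())
```

With wg-quick, each AllowedIPs prefix also becomes a route on the wg interface, so a list built this way leaves the LAN's connected route untouched and the cryptokey check agrees with the routing table; with a bare `wg set` and no route changes, the list on its own only filters, which is the caveat the reply makes.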
