Windows Wireguard with Multiple Endpoints in Different Subnets
cyberurchin at gmail.com
Fri Jan 24 13:55:17 CET 2020
Hi Folks,
Here are two questions that I have concerning the Windows version of WireGuard.
My setup is as follows: A Windows machine with two Ethernet ports connects to two Linux clients, one on each end. There are two subnets defined for the two ports, 192.168.0.0/24 and 192.168.6.0/24. I need a secure tunnel from the Windows machine to each of the two Linux clients but the two Linux clients do not need to talk to each other.
a) Under Linux, I can define several WireGuard tunnels that work independently, but this doesn't seem to be the case in Windows. In fact, when I activate one tunnel, the other one is automatically deactivated. Why is that?
My work-around looks a little bit like a hack but works, in principle. I've defined only one tunnel that includes the two Linux clients as peers, even though they are in two different subnets:
[Interface]
PrivateKey = +OdjntqCs/OcJGsdGXXXXXMShNsdUW9EQW33HhvOVlQ=
ListenPort = 51820
Address = 192.168.8.6/24
[Peer]
PublicKey = ujRh46KyQrA0OlJZ77dXXXXXhUd4TaqKkoBhFj6ZlBk=
AllowedIPs = 192.168.8.3/32
Endpoint = 192.168.6.2:51820
[Peer]
PublicKey = 32VGe+PnVCtDio12GcrhKXXXXXlOWqy4ncD6G0U1Mhc=
AllowedIPs = 192.168.8.4/32
Endpoint = 192.168.0.201:51820
So far, so good.
b) The configuration described above breaks when I define a default gateway, e.g. 192.168.0.1. In this case, WireGuard messes up the packets that should go to 192.168.6.2 (the Linux client on the network where the gateway is not) and sends them to 192.168.0.1 (the default gateway). Ping commands to 192.168.6.2, however, work, in the sense that the routing table itself is still OK. It looks like this:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.202     281
        127.0.0.0        255.0.0.0          On-link        127.0.0.1     331
        127.0.0.1  255.255.255.255          On-link        127.0.0.1     331
  127.255.255.255  255.255.255.255          On-link        127.0.0.1     331
      192.168.0.0    255.255.255.0          On-link    192.168.0.202     281
    192.168.0.202  255.255.255.255          On-link    192.168.0.202     281
    192.168.0.255  255.255.255.255          On-link    192.168.0.202     281
      192.168.6.0    255.255.255.0          On-link      192.168.6.3     311
      192.168.6.3  255.255.255.255          On-link      192.168.6.3     311
    192.168.6.255  255.255.255.255          On-link      192.168.6.3     311
      192.168.8.0    255.255.255.0          On-link      192.168.8.6     261
      192.168.8.3  255.255.255.255          On-link      192.168.8.6       5
      192.168.8.4  255.255.255.255          On-link      192.168.8.6       5
      192.168.8.6  255.255.255.255          On-link      192.168.8.6     261
    192.168.8.255  255.255.255.255          On-link      192.168.8.6     261
        224.0.0.0        240.0.0.0          On-link        127.0.0.1     331
        224.0.0.0        240.0.0.0          On-link    192.168.0.202     281
        224.0.0.0        240.0.0.0          On-link      192.168.6.3     311
  255.255.255.255  255.255.255.255          On-link        127.0.0.1     331
  255.255.255.255  255.255.255.255          On-link    192.168.0.202     281
  255.255.255.255  255.255.255.255          On-link      192.168.6.3     311
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.0.1  Default
===========================================================================
Any ideas?
There is no IPv6. If I remove the default gateway, the two tunnels work again.
Ah, yes, and a final note - there is a related issue here:
https://lists.zx2c4.com/pipermail/wireguard/2019-September/004493.html
The answer to that post also seems to answer my question, but I'd like to get confirmation, and maybe the world has moved on in the meantime.
Cheers,
Ingo
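The following script is an added example, not part of Ingo's post and not WireGuard code. It replays the route table posted above through a longest-prefix-match lookup (ties broken by lowest metric, which is assumed to be how Windows selects among equal-length prefixes) to confirm what the post observes: going by the table alone, 192.168.6.2 is delivered on-link via 192.168.6.3, not via the default gateway, so the misrouting has to come from somewhere other than the visible table. It also checks each peer Endpoint against the tunnel's own interface address, since an endpoint that resolves to the tunnel interface would loop the UDP transport back into the tunnel. The route rows and the two endpoint addresses are copied from the post; the parsing and lookup functions are the example's own.

```python
import ipaddress

# "Active Routes" rows from the route table posted above, used as sample input.
ACTIVE_ROUTES = """
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.202 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.0.0 255.255.255.0 On-link 192.168.0.202 281
192.168.0.202 255.255.255.255 On-link 192.168.0.202 281
192.168.0.255 255.255.255.255 On-link 192.168.0.202 281
192.168.6.0 255.255.255.0 On-link 192.168.6.3 311
192.168.6.3 255.255.255.255 On-link 192.168.6.3 311
192.168.6.255 255.255.255.255 On-link 192.168.6.3 311
192.168.8.0 255.255.255.0 On-link 192.168.8.6 261
192.168.8.3 255.255.255.255 On-link 192.168.8.6 5
192.168.8.4 255.255.255.255 On-link 192.168.8.6 5
192.168.8.6 255.255.255.255 On-link 192.168.8.6 261
192.168.8.255 255.255.255.255 On-link 192.168.8.6 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.0.202 281
224.0.0.0 240.0.0.0 On-link 192.168.6.3 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.0.202 281
255.255.255.255 255.255.255.255 On-link 192.168.6.3 311
"""

# Peer Endpoint addresses from the posted config and the tunnel's Address.
PEER_ENDPOINTS = ["192.168.6.2", "192.168.0.201"]
TUNNEL_IFACE = "192.168.8.6"


def parse_routes(text):
    """Parse 'route print' rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # tolerate headers/separators if a raw dump is pasted in
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def select_route(routes, dst):
    """Longest-prefix match; equal prefixes resolved by lowest metric (assumption)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def next_hop(routes, dst):
    """Return (next_hop_ip, source_interface_ip) for dst, or None if unroutable."""
    route = select_route(routes, dst)
    if route is None:
        return None
    _, gateway, iface, _ = route
    hop = dst if gateway == "On-link" else gateway
    return (hop, iface)


def check_endpoints(routes, endpoints, tunnel_iface):
    """Resolve each peer endpoint and flag ones that would re-enter the tunnel
    (a loop) or that would leave through the default route."""
    report = {}
    for ep in endpoints:
        route = select_route(routes, ep)
        hop, iface = next_hop(routes, ep)
        report[ep] = {
            "next_hop": hop,
            "interface": iface,
            "via_tunnel": iface == tunnel_iface,
            "via_default_gateway": route[0].prefixlen == 0,
        }
    return report


ROUTES = parse_routes(ACTIVE_ROUTES)

if __name__ == "__main__":
    for ep, info in check_endpoints(ROUTES, PEER_ENDPOINTS, TUNNEL_IFACE).items():
        print(ep, info)
```

Both endpoints resolve to an on-link next hop out of the matching physical interface, and neither goes through the default route or the tunnel interface, which matches the post's claim that the table itself is fine; the default-gateway symptom must therefore be investigated at the layer where WireGuard chooses the source socket, not in the table.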