No more internal connection (e.g. SSH) when Wireguard is active

Hi everyone,

I am trying to set up a Wireguard connection between a VPS and one of my homelab servers. The connection works fine (and speed is much better than setting WG up through pfSense), but when I “activate” the WG connection, all internal connections to that internal homelab server do not work anymore, e.g. SSH. My internal IP “structure” is 10.23... Please find the configs below:

Server (VPS with this guide: https://github.com/notthebee/ansible-easy-vpn):

[Interface]

PrivateKey = ...

Address = 10.8.0.1/24

ListenPort = 51820

PreUp =

PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;

PreDown =

PostDown =

# Client: srvr (...)

[Peer]

PublicKey = ...

PresharedKey = ...

AllowedIPs = 10.8.0.4/32

Client (Ubuntu):

[Interface]

PrivateKey = ...

Address = 10.8.0.4/24

[Peer]

PublicKey = ...

PresharedKey = ...

AllowedIPs = 0.0.0.0/0

PersistentKeepalive = 25

Endpoint = wg.url:51820

Based on some googling I played around with the AllowedIPs on the client side, but I either have the correct VPN connection with routing traffic through the VPS OR local traffic working to the homelab server, not both.

I found this list online to cover all non-local IPs

AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4`

This should cover all non-local IP ranges. Unfortunately, no luck. The wireguard connection goes through, but no traffic is going through.

Thanks so much for some guidance!

I don’t know about Wireguard, but many VPNs force all traffic to go through the tunnel by default. This is independent from allowed IP addresses. So I would search in that direction.

I would keep AllowedIPs = 0.0.0.0/0 and then add another route to the local network(s) at the client machine.

Can you show us your client routing table?

Probably a stupid question, but how do I do that?

It sounds like you want a direct tunnel between two machines. I imagine you’d need to set the allowed IP’s to only be the IP ranges you want to be used over the tunnel. I always doubt myself on wireguard confgs but I’d expect that by you setting the Ubuntu config to allowedIPs = everything that it’s trying to route inter-lan traffic through the VPS

I usually only set it to 0.0.0.0/0 if I’m setting up a privacy based VPN solution where I can force all my traffic over the tunnel when using public wifi, such as at a hotel.

What is your goal in terms of connectivity? Which machines/networks should be able to talk to which other machines/networkt?

the client should route all traffic that leaves my network (10.23..) towards the internet through WG and all the rest is internal and should not go through WG.

Looks like it’s time to create a diagram. It’s unclear if this is a point to point VPN as you say you want all traffic to route through the VPN, but you also want other 10.23.x.y clients to be able to talk to the Ubuntu client? If that’s the case I’d expect your non-wireguard clients to have a route to the Ubuntu server, but the responses from the Ubuntu server wouldn’t go back to the sender, they’d end up being routed to the VPS and then would be dropped.

https://www.diagrams.net/ is a handy web app that doesn’t need an account and has a desktop client if you prefer that.

1 Like

I see this wasn’t answered. Simply type route:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 enp37s0
default _gateway 0.0.0.0 UG 600 0 0 wlp38s0
10.10.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp37s0
10.10.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp37s0
10.10.10.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp38s0
10.100.100.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0

This is my device when my wireguard tunnel is up.

Maybe this is of any help:
https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/

…and maybe it’s also worth scrolling down and reading this:
https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/#a-better-alternative

2 Likes

Thanks! Will try those out!

You can try using this:

AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1

This is less restrictive when trying to access your internal network. I got that when I disabled the killswitch in the WG Client on Windows.

Thanks! This brought the solution. I had to add the routes to the gateway of the VLAN to the wg config on the client side.

1 Like