Got it working :). Did not need to change any client or server settings. However, I needed to add another policy rule in my VPN client. The rule states:

Source: wireguard server
Destination: 192.168.100.0/24 (so any of my wireguard clients)
Interface: WAN

This way wireguard traffic does not go through the VPN.

--
Arpit

On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta wrote:

> Tried changing the allowed IPs to what was suggested and it did not work.
> Same behavior as before. Also my configs were working as expected before I
> had my router connected to a VPN service.
>
> It required me to add the following route policy for my VPN client on my
> router:
>
> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the VPN.
> So does it matter if I connected to wireguard using the IP address of the
> ISP vs the IP address of the VPN?
>
>
> --
> Arpit
>
>
> On Wed, Mar 6, 2019 at 1:18 AM XRP wrote:
>
>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>> > On my server my conf is
>> >
>> > [Interface]
>> > Address = 192.168.100.1/32
>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>> > ListenPort = 54930
>> > PrivateKey = xxxxx
>> >
>> > [Peer]
>> > PublicKey = xxxx
>> > AllowedIPs = 192.168.100.2/32
>> >
>> >
>> > on my client my config is
>> >
>> > [Interface]
>> > Address = 192.168.100.2
>> > PrivateKey = xxxxx
>> > ListenPort = 21841
>> > DNS = 192.168.1.63
>> >
>> > [Peer]
>> > PublicKey = xxxx
>> > Endpoint = ddns:xxx
>> > AllowedIPs = 192.168.1.0/24
>> >
>> > # This is for if you're behind a NAT and
>> > # want the connection to be kept alive.
>> > PersistentKeepalive = 25
>>
>> Try changing AllowedIPs in the client config to:
>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>
>> Also, if you want to masquerade the traffic to the internet you need to
>> add 0.0.0.0/0 to the client or change the destination IP to the server
>> node via a NAT rule, otherwise it's going to be rejected because the IP
>> packet doesn't have an AllowedIP address, I think. (The source needs to
>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>> that's why you couldn't complete the handshake.
>>
>>
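The AllowedIPs behaviour discussed in this thread is WireGuard's cryptokey routing: on the way out, the interface picks the peer whose AllowedIPs entry is the longest prefix covering the destination (no match means the packet is never tunnelled); on the way in, a decrypted packet from a peer is delivered only if its source address falls inside that peer's AllowedIPs, otherwise it is silently dropped. That second rule is what makes AllowedIPs an ingress access-control list and not only a route table, and it is why the client's posted table (192.168.1.0/24 alone) can reach LAN hosts yet cannot exchange packets with the server's own tunnel address 192.168.100.1. The following simulation is an added example, not code from the thread or from the WireGuard project; the address ranges are the ones posted above, the packets are constructed for the example, and 203.0.113.10 is a documentation-range placeholder for "some internet host".

```python
"""Simulation of WireGuard cryptokey routing (AllowedIPs) over the tables
posted in the thread. Added example; packet samples are constructed here."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed_ips: list  # list of ipaddress.IPv4Network


def make_peer(name, *cidrs):
    return Peer(name, [ipaddress.ip_network(c, strict=False) for c in cidrs])


def peer_for_destination(peers, dst):
    """Outbound selection: longest-prefix match of dst over every peer's
    AllowedIPs. Returns the peer name, or None if no entry covers dst
    (the interface then has no route for the packet)."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best.name if best else None


def accept_inbound(peers, from_peer, src):
    """Inbound filter: a decrypted packet received from `from_peer` is
    delivered only if its source address lies inside that peer's AllowedIPs.
    Anything else is dropped, so a peer cannot inject traffic claiming a
    source it was not granted."""
    src = ipaddress.ip_address(src)
    for peer in peers:
        if peer.name == from_peer:
            return any(src in net for net in peer.allowed_ips)
    return False  # unknown peer: nothing is delivered


# Client table as posted in the thread: only the LAN range.
CLIENT_AS_POSTED = [make_peer("server", "192.168.1.0/24")]
# Client table with the server's tunnel address added, as XRP suggested.
CLIENT_SUGGESTED = [make_peer("server", "192.168.100.1/32", "192.168.1.0/24")]
# Client table with a default route, the case where the server's
# MASQUERADE rule actually sees internet-bound traffic.
CLIENT_FULL_TUNNEL = [make_peer("server", "0.0.0.0/0")]
# Server table as posted: the one client may only source its tunnel address.
SERVER_AS_POSTED = [make_peer("client", "192.168.100.2/32")]


def run_cases():
    """Evaluate constructed packets against the tables above. Returns a dict
    so the outcomes can be checked rather than only printed."""
    return {
        # LAN host is reachable through the tunnel with the posted table ...
        "posted_to_lan_host": peer_for_destination(CLIENT_AS_POSTED, "192.168.1.63"),
        # ... but the server's own tunnel address has no route ...
        "posted_to_server_wg_addr": peer_for_destination(CLIENT_AS_POSTED, "192.168.100.1"),
        # ... and a packet the server sends from 192.168.100.1 is dropped on arrival.
        "posted_reply_from_server_wg_addr": accept_inbound(CLIENT_AS_POSTED, "server", "192.168.100.1"),
        # With 192.168.100.1/32 added, both directions work for that address.
        "suggested_to_server_wg_addr": peer_for_destination(CLIENT_SUGGESTED, "192.168.100.1"),
        "suggested_reply_from_server_wg_addr": accept_inbound(CLIENT_SUGGESTED, "server", "192.168.100.1"),
        # Internet traffic is only tunnelled once 0.0.0.0/0 is an AllowedIPs entry.
        "suggested_to_internet": peer_for_destination(CLIENT_SUGGESTED, "203.0.113.10"),
        "full_tunnel_to_internet": peer_for_destination(CLIENT_FULL_TUNNEL, "203.0.113.10"),
        # Server side: the client may source 192.168.100.2 but not a LAN address.
        "server_accepts_client_addr": accept_inbound(SERVER_AS_POSTED, "client", "192.168.100.2"),
        "server_rejects_spoofed_lan_src": accept_inbound(SERVER_AS_POSTED, "client", "192.168.1.50"),
    }


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

The model covers only the decision the WireGuard interface makes on decrypted data packets; the router-level policy rule Arpit added (steering the encrypted UDP to the WAN instead of the commercial VPN) is ordinary policy routing of the outer packets and sits outside this check.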