Man this was a PEBKAC issue :). The way I was using wireguard before was I would always leave it on even when I was at home. However now when I am home my wireless is connected to mullvad vpn. So when I tried to connect to wireguard using the vpn ip it did not work. When I switched my phone's wifi off and then used the vpn ip to connect to wireguard it worked just fine. Now I will do some research on how I can make this work at home and outside :). Sorry for all the noise.

Thanks
--
Arpit

On Thu, Mar 7, 2019 at 9:54 AM Arpit Gupta wrote:
> I am a noob in networking commands so looking for any pointers :). I think the issue is packets are getting directed somewhere else because of a default route.
>
> Here is info on my setup.
>
> Wireguard running on host: 192.168.1.63
>
> Router: 192.168.1.1 is also running a VPN Client and is connected to mullvad vpn service. This sets up a tunnel on my router. I have a policy rule setup on my router that sends all traffic from 192.168.1.0/24 through the vpn tunnel.
>
> I setup port forwarding according to mullvad guides on my router. I have confirmed port forwarding in mullvad is working as I am forwarding ports to other services without any issues.
>
> iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930
> iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930
>
> However even with these rules I am not able to connect to wireguard when using my vpn ip.
>
> Now if I add a route to my vpn client that states all traffic from 192.168.1.63 goes through the wan then I can connect to wireguard but using my isp's ip address. With this setup I only have access to lan. My ideal setup, so that I don't need to switch to a different wireguard tunnel when I leave my home network, is that I be able to access my lan as well as route all traffic via mullvad.
>
> So I think the issue I need to solve is how come I am not able to reach wireguard even with port forwarding setup in mullvad when using my vpn ip.
>
> --
> Arpit
>
> On Thu, Mar 7, 2019 at 12:04 AM David Kerr wrote:
>> I'm a little confused as to the network architecture. Are you running a wireguard VPN inside of your OpenVPN? Or do you have two VPNs connecting into your host independently? Either way, the first thing I would look at is your ip route tables. You need to make sure that packets that arrive on one interface (e.g. wg0) are replied to over that same interface and are not directed out somewhere else by virtue of the default route pointing elsewhere.
>>
>> David
>>
>> On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta wrote:
>>> Actually false alarm :(.
>>>
>>> Can only get it to work if I add a policy rule in my router vpn client to send all traffic from the host running wireguard through the WAN and thus skipping the VPN, which is not ideal as when I am routing all traffic through wireguard ideally I want it to use the vpn tunnel on my router.
>>>
>>> --
>>> Arpit
>>>
>>> On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta wrote:
>>>> Got it working :).
>>>>
>>>> Did not need to change any client or server settings. However needed to add another policy rule in my vpn client. Rule states:
>>>>
>>>> Source: wireguard server
>>>> Destination: 192.168.100.0/24 (so any of my wireguard clients)
>>>> Interface: WAN
>>>>
>>>> So this way wireguard traffic does not go through the VPN.
>>>> --
>>>> Arpit
>>>>
>>>> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta wrote:
>>>>> Tried changing the allowed ip's to what was suggested and it did not work. Same behavior as before. Also my configs were working as expected before I had my router connected to a vpn service.
>>>>>
>>>>> It required me to add the following route policy for my vpn client on my router:
>>>>>
>>>>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the VPN. So does it matter if I connected to wireguard using the ip address of the ISP vs the IP address of the VPN?
>>>>>
>>>>> --
>>>>> Arpit
>>>>>
>>>>> On Wed, Mar 6, 2019 at 1:18 AM XRP wrote:
>>>>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>>>>> > On my server my conf is
>>>>>> >
>>>>>> > [Interface]
>>>>>> > Address = 192.168.100.1/32
>>>>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>>>>> > ListenPort = 54930
>>>>>> > PrivateKey = xxxxx
>>>>>> >
>>>>>> > [Peer]
>>>>>> > PublicKey = xxxx
>>>>>> > AllowedIPs = 192.168.100.2/32
>>>>>> >
>>>>>> > on my client my config is
>>>>>> >
>>>>>> > [Interface]
>>>>>> > Address = 192.168.100.2
>>>>>> > PrivateKey = xxxxx
>>>>>> > ListenPort = 21841
>>>>>> > DNS = 192.168.1.63
>>>>>> >
>>>>>> > [Peer]
>>>>>> > PublicKey = xxxx
>>>>>> > Endpoint = ddns:xxx
>>>>>> > AllowedIPs = 192.168.1.0/24
>>>>>> >
>>>>>> > # This is for if you're behind a NAT and
>>>>>> > # want the connection to be kept alive.
>>>>>> > PersistentKeepalive = 25
>>>>>>
>>>>>> Try changing AllowedIPs in the client config to:
>>>>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>>>>
>>>>>> Also, if you want to masquerade the traffic to the internet you need to add 0.0.0.0/0 to the client or change the destination IP to the server node via a NAT rule, otherwise it's going to be rejected because the IP packet doesn't have an AllowedIP address, I think. (The source needs to match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is that's why you couldn't complete the handshake.
>>>>>>
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
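The AllowedIPs point XRP raises (the server's tunnel address must be covered by the client's [Peer] AllowedIPs, or WireGuard's cryptokey routing silently drops the packets), as an added Python example that is not part of the thread: it parses a wg-quick style client config constructed to mirror the posted one and reports which needed addresses fall outside AllowedIPs. The helper names parse_wg_conf and allowed_ip_gaps are my own, not a WireGuard API.

```python
# Added example, not code from the thread. Checks a client's [Peer] AllowedIPs
# against the server's tunnel address and the subnets the client should reach.
# WireGuard drops an inbound packet whose source is outside the sending peer's
# AllowedIPs and an outbound packet whose destination matches no peer.
import ipaddress
import re

# Constructed client config, mirroring the one posted in the thread.
CLIENT_CONF = """\
[Interface]
Address = 192.168.100.2
PrivateKey = xxxxx
ListenPort = 21841
DNS = 192.168.1.63

[Peer]
PublicKey = xxxx
Endpoint = ddns:xxx
AllowedIPs = 192.168.1.0/24
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse an INI-style wg-quick config into a list of (section, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
            continue
        key, _, value = line.partition("=")
        sections[-1][1][key.strip()] = value.strip()
    return sections


def allowed_ip_gaps(conf_text, server_tunnel_ip, wanted_subnets):
    """Return the needed addresses/subnets that no peer's AllowedIPs covers."""
    allowed = []
    for name, kv in parse_wg_conf(conf_text):
        if name == "Peer" and "AllowedIPs" in kv:
            allowed += [ipaddress.ip_network(a.strip()) for a in kv["AllowedIPs"].split(",")]
    needed = [ipaddress.ip_network(server_tunnel_ip)]
    needed += [ipaddress.ip_network(s) for s in wanted_subnets]
    return [str(n) for n in needed
            if not any(a.version == n.version and n.subnet_of(a) for a in allowed)]
```

Run against the posted config the gap list names 192.168.100.1/32, which is exactly the entry XRP's suggested AllowedIPs line adds; asking for 0.0.0.0/0 as well reproduces the second gap he mentions.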