I am a noob in networking commands so looking for any pointers :). I think the issue is packets are getting directed somewhere else because of a default route. Here is info on my setup.

WireGuard running on host: 192.168.1.63
Router: 192.168.1.1 is also running a VPN client and is connected to the Mullvad VPN service. This sets up a tunnel on my router. I have a policy rule set up on my router that sends all traffic from 192.168.1.0/24 through the VPN tunnel.

I set up port forwarding according to Mullvad guides on my router. I have confirmed port forwarding in Mullvad is working as I am forwarding ports to other services without any issues.

iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930
iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930

However, even with these rules I am not able to connect to WireGuard when using my VPN IP. Now if I add a route to my VPN client that states all traffic from 192.168.1.63 goes through the WAN, then I can connect to WireGuard, but using my ISP's IP address. With this setup I only have access to the LAN.

My ideal setup, so that I don't need to switch to a different WireGuard tunnel when I leave my home network, is that I be able to access my LAN as well as route all traffic via Mullvad. So I think the issue I need to solve is why I am not able to reach WireGuard, even with port forwarding set up in Mullvad, when using my VPN IP.

-- 
Arpit

On Thu, Mar 7, 2019 at 12:04 AM David Kerr wrote:
> I'm a little confused as to the network architecture. Are you running a
> WireGuard VPN inside of your OpenVPN? Or do you have two VPNs connecting
> into your host independently? Either way, the first thing I would look at
> is your ip route tables. You need to make sure that packets that arrive on
> one interface (e.g. wg0) are replied to over that same interface and are
> not directed out somewhere else by virtue of the default route pointing
> elsewhere.
>
> David
>
> On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta wrote:
>> Actually false alarm :(.
>>
>> Can only get it to work if I add a policy rule in my router VPN client to
>> send all traffic from the host running WireGuard through the WAN and thus
>> skipping the VPN, which is not ideal, as when I am routing all traffic through
>> WireGuard ideally I want it to use the VPN tunnel on my router.
>>
>> -- 
>> Arpit
>>
>> On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta wrote:
>>> Got it working :).
>>>
>>> Did not need to change any client or server settings. However, needed to
>>> add another policy rule in my VPN client. Rule states
>>>
>>> Source: wireguard server
>>> destination: 192.168.100.0/24 (so any of my wireguard clients)
>>> interface: WAN
>>>
>>> So this way WireGuard traffic does not go through the VPN.
>>> -- 
>>> Arpit
>>>
>>> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta wrote:
>>>> Tried changing the allowed IPs to what was suggested and it did not
>>>> work. Same behavior as before. Also my configs were working as expected
>>>> before I had my router connected to a VPN service.
>>>>
>>>> It required me to add the following route policy for my VPN client on
>>>> my router:
>>>>
>>>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the
>>>> VPN. So does it matter if I connect to WireGuard using the IP address of
>>>> the ISP vs the IP address of the VPN?
>>>>
>>>> -- 
>>>> Arpit
>>>>
>>>> On Wed, Mar 6, 2019 at 1:18 AM XRP wrote:
>>>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>>>> > On my server my conf is
>>>>> >
>>>>> > [Interface]
>>>>> > Address = 192.168.100.1/32
>>>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>>>> > ListenPort = 54930
>>>>> > PrivateKey = xxxxx
>>>>> >
>>>>> > [Peer]
>>>>> > PublicKey = xxxx
>>>>> > AllowedIPs = 192.168.100.2/32
>>>>> >
>>>>> > on my client my config is
>>>>> >
>>>>> > [Interface]
>>>>> > Address = 192.168.100.2
>>>>> > PrivateKey = xxxxx
>>>>> > ListenPort = 21841
>>>>> > DNS = 192.168.1.63
>>>>> >
>>>>> > [Peer]
>>>>> > PublicKey = xxxx
>>>>> > Endpoint = ddns:xxx
>>>>> > AllowedIPs = 192.168.1.0/24
>>>>> >
>>>>> > # This is for if you're behind a NAT and
>>>>> > # want the connection to be kept alive.
>>>>> > PersistentKeepalive = 25
>>>>>
>>>>> Try changing AllowedIPs in the client config to:
>>>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>>>
>>>>> Also, if you want to masquerade the traffic to the internet you need to
>>>>> add 0.0.0.0/0 to the client or change the destination IP to the server
>>>>> node via a NAT rule, otherwise it's going to be rejected because the IP
>>>>> packet doesn't have an AllowedIP address, I think. (The source needs to
>>>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>>>>> that's why you couldn't complete the handshake.

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
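David's advice above is to make sure replies leave over the interface the request arrived on rather than following the main table's default route. The script below is an added example of the standard Linux way to do that on a router (conntrack marks plus a policy-routing table); it is not from the thread or from any of the posters. It assumes a Linux router with iptables and iproute2 and that the Mullvad tunnel interface is tun0; the mark value 0x1 and table number 100 are arbitrary placeholders. With the default DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: route replies back out the interface the connection came in on.
# Assumptions (not from the thread): Linux router, iptables + iproute2,
# tunnel interface tun0, fwmark 0x1 and routing table 100 as placeholders.
# DRY_RUN=1 (default) prints the plan; DRY_RUN=0 applies it (requires root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: reply_via_ingress <tunnel-iface> <fwmark> <table-id>
reply_via_ingress() {
    tun="$1"; mark="$2"; table="$3"
    # 1. Tag every *new* connection that enters through the tunnel, before the
    #    nat PREROUTING DNAT hands it to the LAN host.
    run iptables -t mangle -A PREROUTING -i "$tun" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark"
    # 2. Copy the connection mark onto every reply packet, whether it is
    #    forwarded from the LAN host or generated by the router itself.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    # 3. Marked packets consult a table whose only route is the tunnel, so the
    #    main table's default route (WAN) is never used for them.
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route add default dev "$tun" table "$table"
}

# Print (or apply) the plan for the setup discussed in the thread.
reply_via_ingress tun0 0x1 100
```

Run it once with DRY_RUN=1 to review the five commands, then with DRY_RUN=0 on the router; the marks are per-connection, so LAN-originated traffic is unaffected.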