Actually false alarm :(. Can only get it to work if I add a policy rule in my router VPN client to send all traffic from the host running WireGuard through the WAN and thus skipping the VPN, which is not ideal, as when I am routing all traffic through WireGuard ideally I want it to use the VPN tunnel on my router.
--
Arpit

On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta wrote:
> Got it working :).
>
> Did not need to change any client or server settings. However, I needed to
> add another policy rule in my VPN client. Rule states
>
> Source: WireGuard server
> Destination: 192.168.100.0/24 (so any of my WireGuard clients)
> Interface: WAN
>
> So this way WireGuard traffic does not go through the VPN.
> --
> Arpit
>
>
> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta wrote:
>
>> Tried changing the allowed IPs to what was suggested and it did not
>> work. Same behavior as before. Also my configs were working as expected
>> before I had my router connected to a VPN service.
>>
>> It required me to add the following route policy for my VPN client on my
>> router
>>
>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the VPN.
>> So does it matter if I connected to WireGuard using the IP address of the
>> ISP vs the IP address of the VPN?
>>
>> --
>> Arpit
>>
>>
>> On Wed, Mar 6, 2019 at 1:18 AM XRP wrote:
>>
>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>> > On my server my conf is
>>> >
>>> > [Interface]
>>> > Address = 192.168.100.1/32
>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>> > ListenPort = 54930
>>> > PrivateKey = xxxxx
>>> >
>>> > [Peer]
>>> > PublicKey = xxxx
>>> > AllowedIPs = 192.168.100.2/32
>>> >
>>> >
>>> > On my client my config is
>>> >
>>> > [Interface]
>>> > Address = 192.168.100.2
>>> > PrivateKey = xxxxx
>>> > ListenPort = 21841
>>> > DNS = 192.168.1.63
>>> >
>>> > [Peer]
>>> > PublicKey = xxxx
>>> > Endpoint = ddns:xxx
>>> > AllowedIPs = 192.168.1.0/24
>>> >
>>> > # This is for if you're behind a NAT and
>>> > # want the connection to be kept alive.
>>> > PersistentKeepalive = 25
>>>
>>> Try changing AllowedIPs in the client config to:
>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>
>>> Also, if you want to masquerade the traffic to the internet you need to
>>> add 0.0.0.0/0 to the client or change the destination IP to the server
>>> node via a NAT rule, otherwise it's going to be rejected because the IP
>>> packet doesn't have an AllowedIP address, I think. (The source needs to
>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>>> that's why you couldn't complete the handshake.
>>>
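The AllowedIPs behaviour XRP describes is WireGuard's cryptokey routing: on the way out, a packet is only encrypted for a peer whose AllowedIPs cover its destination (longest prefix wins), and on the way in, a decrypted packet is dropped unless its source address falls inside the AllowedIPs of the peer it came from. The following is an added example, not code from the thread or from the WireGuard project: a small Python model of those two checks, run against the three client configurations discussed above (as posted, as suggested, and with 0.0.0.0/0 for full-tunnel masquerading) and against the server config. The peer names "server" and "client" and the internet host 203.0.113.10 are constructed for the example.

```python
"""Toy model of WireGuard cryptokey routing (the AllowedIPs checks).

Added example, not WireGuard's own code. Models the two per-packet checks:
  outbound: the destination must fall inside some peer's AllowedIPs; the
            packet is encrypted for the peer with the longest matching prefix,
            otherwise it is dropped before it is ever sent;
  inbound:  after decryption, the source must fall inside the AllowedIPs of
            the peer the packet arrived from, otherwise it is dropped.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str                                   # stand-in for the public key
    allowed_ips: list = field(default_factory=list)  # ip_network objects

    def covers(self, addr):
        """Return the longest AllowedIPs prefix containing addr, or None."""
        matches = [n for n in self.allowed_ips if addr in n]
        return max(matches, key=lambda n: n.prefixlen) if matches else None


class WgInterface:
    """One wg interface: its peers and their AllowedIPs."""

    def __init__(self, name, peers):
        self.name = name
        self.peers = peers

    def outbound_peer(self, dst):
        """Name of the peer an outgoing packet to dst is encrypted for,
        or None when no peer owns that destination (packet dropped)."""
        dst = ipaddress.ip_address(dst)
        best = None
        for p in self.peers:
            net = p.covers(dst)
            if net is not None and (best is None or net.prefixlen > best[1].prefixlen):
                best = (p, net)
        return best[0].name if best else None

    def accept_inbound(self, from_peer, src):
        """True if a decrypted packet from from_peer with source src is
        passed up the stack; False if cryptokey routing drops it."""
        src = ipaddress.ip_address(src)
        for p in self.peers:
            if p.name == from_peer:
                return p.covers(src) is not None
        raise KeyError(from_peer)


def peer(name, *cidrs):
    return Peer(name, [ipaddress.ip_network(c) for c in cidrs])


# Client configs from the thread, with the server as the single peer.
CLIENT_AS_POSTED = WgInterface("wg0", [peer("server", "192.168.1.0/24")])
CLIENT_SUGGESTED = WgInterface("wg0", [peer("server", "192.168.100.1/32", "192.168.1.0/24")])
CLIENT_FULL_TUNNEL = WgInterface("wg0", [peer("server", "0.0.0.0/0")])
# Server config from the thread: one client peer limited to its /32.
SERVER = WgInterface("wg0", [peer("client", "192.168.100.2/32")])

INTERNET_HOST = "203.0.113.10"  # constructed; TEST-NET-3 documentation range


def walk_through():
    """The cases that matter for the thread, keyed by a short description."""
    return {
        # Posted client: nothing owns 192.168.100.1, so a ping to the server's
        # tunnel address is dropped before encryption. The suggested config fixes it.
        "posted: to 192.168.100.1": CLIENT_AS_POSTED.outbound_peer("192.168.100.1"),
        "suggested: to 192.168.100.1": CLIENT_SUGGESTED.outbound_peer("192.168.100.1"),
        # A reply sourced from 192.168.100.1 is only accepted if that source is
        # inside the server peer's AllowedIPs.
        "posted: from 192.168.100.1": CLIENT_AS_POSTED.accept_inbound("server", "192.168.100.1"),
        "suggested: from 192.168.100.1": CLIENT_SUGGESTED.accept_inbound("server", "192.168.100.1"),
        # Internet via the server's MASQUERADE: the reply comes back with the
        # internet host as source, which only 0.0.0.0/0 covers.
        "suggested: to internet": CLIENT_SUGGESTED.outbound_peer(INTERNET_HOST),
        "full: to internet": CLIENT_FULL_TUNNEL.outbound_peer(INTERNET_HOST),
        "full: from internet": CLIENT_FULL_TUNNEL.accept_inbound("server", INTERNET_HOST),
        # Server side: the client may only source packets from its assigned /32.
        "server: from 192.168.100.2": SERVER.accept_inbound("client", "192.168.100.2"),
        "server: from 192.168.100.3": SERVER.accept_inbound("client", "192.168.100.3"),
    }


if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case:32} -> {result}")
```

Note that this models only the cryptokey routing table inside WireGuard. It does not model the router-level policy route Arpit describes, which sits outside the tunnel and decides whether the encrypted UDP packets leave via the WAN or via the router's own VPN; both layers have to agree before the handshake can complete.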