* cant connect to wireguard when router connected to a vpn service @ 2019-03-06 8:40 Arpit Gupta 2019-03-06 9:18 ` XRP 0 siblings, 1 reply; 8+ messages in thread From: Arpit Gupta @ 2019-03-06 8:40 UTC (permalink / raw) To: wireguard [-- Attachment #1.1: Type: text/plain, Size: 3569 bytes --] Hi All A novice user here and looking for some pointers on how i could fix this issue. I had been successfully using wireguard to get access to my local network. Recently i started looking into a VPN service that i could connect to my router. So i started playing with mullvad vpn and setup my router to have a vpn client so all my network traffic goes via vpn. I followed the following guide https://mullvad.net/en/guides/asus-merlin-and-mullvad-vpn/ Ever since i enabled this i am not able to connect to wireguard from outside my home network. What is interesting is that when i check the status of the connections on the server the endpoint entry has the correct ip but the latest handshake time does not get updated and i no longer have access to my internal network. peer: xxxx endpoint: 73.xx.xx.xx:1543 allowed ips: 192.168.100.x/32 latest handshake: 21 minutes, 24 seconds ago transfer: 1.24 MiB received, 5.46 MiB sent Logs from the wireguard client on my android phone have the following: 03-06 00:23:51.800 28912 17051 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Starting... 03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: sequential receiver - started 03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: nonce worker - started 03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: sequential sender - started 03-06 00:23:51.800 28912 17051 I WireGuard/GoBackend/wg0: Device started 03-06 00:23:52.551 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation 03-06 00:23:52.567 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Awaiting keypair 03-06 00:23:57.557 28912 15089 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation 03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Handshake did not complete after 5 seconds, retrying (try 2) 03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation I can connect to my network using ISP or VPN IP. The above issue is what i am running into when i use the isp ip address to talk to wireguard. I tried using VPN IP to talk to wireguard but i could not get port forwarding to work. I have confirmed port forwarding via mullvad is working as i am using it for other services. As per the mullvad guide i had added the following rule to forward the port to wireguard. #iptables -t nat -A PREROUTING -i tun+ -p udp --dport 9934 -j DNAT --to-destination 192.168.1.63:54930 So i am not sure if there are additional forwarding rules required and/or policy rules for the vpn client to get this setup working. On my server my conf is [Interface] Address = 192.168.100.1/32 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE ListenPort = 54930 PrivateKey = xxxxx [Peer] PublicKey = xxxx AllowedIPs = 192.168.100.2/32 on my client my config is [Interface] Address = 192.168.100.2 PrivateKey = xxxxx ListenPort = 21841 DNS = 192.168.1.63 [Peer] PublicKey = xxxx Endpoint = ddns:xxx AllowedIPs = 192.168.1.0/24 # This is for if you're behind a NAT and # want the connection to be kept alive. PersistentKeepalive = 25 -- Arpit [-- Attachment #1.2: Type: text/html, Size: 4497 bytes --] [-- Attachment #2: Type: text/plain, Size: 148 bytes --] _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cant connect to wireguard when router connected to a vpn service 2019-03-06 8:40 cant connect to wireguard when router connected to a vpn service Arpit Gupta @ 2019-03-06 9:18 ` XRP 2019-03-06 15:59 ` Arpit Gupta 0 siblings, 1 reply; 8+ messages in thread From: XRP @ 2019-03-06 9:18 UTC (permalink / raw) To: Arpit Gupta, wireguard On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote: > On my server my conf is > > [Interface] > Address = 192.168.100.1/32 > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o > %i -j > ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD > -o %i > -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE > ListenPort = 54930 > PrivateKey = xxxxx > > [Peer] > PublicKey = xxxx > AllowedIPs = 192.168.100.2/32 > > > on my client my config is > > [Interface] > Address = 192.168.100.2 > PrivateKey = xxxxx > ListenPort = 21841 > DNS = 192.168.1.63 > > [Peer] > PublicKey = xxxx > Endpoint = ddns:xxx > AllowedIPs = 192.168.1.0/24 > > # This is for if you're behind a NAT and > # want the connection to be kept alive. > PersistentKeepalive = 25 Try changing AllowedIPs in the client config to: AllowedIPs = 192.168.100.1/32,192.168.1.0/24 Also, if you want to masquerade the traffic to the internet you need to add 0.0.0.0./0 to the client or change the destination IP to the server node via a NAT rule, otherwise it's going to be rejected because the IP packet doesn't have an AllowedIP address, I think. (The source needs to match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is that's why you couldn't complete the handshake. _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cant connect to wireguard when router connected to a vpn service 2019-03-06 9:18 ` XRP @ 2019-03-06 15:59 ` Arpit Gupta 2019-03-06 16:20 ` Arpit Gupta 0 siblings, 1 reply; 8+ messages in thread From: Arpit Gupta @ 2019-03-06 15:59 UTC (permalink / raw) To: XRP; +Cc: wireguard [-- Attachment #1.1: Type: text/plain, Size: 1964 bytes --] Tried changing the allowed ip's to what was suggested and it did not work. Same behavior as before. Also my configs were working as expected before i had my router connected to a vpn service. It required me to add the following route policy for my vpn client on my router Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go throuh the VPN. So if it matters if i connected to wireguard using the ip address of the ISP vs the IP address of the VPN? -- Arpit On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote: > On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote: > > On my server my conf is > > > > [Interface] > > Address = 192.168.100.1/32 > > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o > > %i -j > > ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE > > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD > > -o %i > > -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE > > ListenPort = 54930 > > PrivateKey = xxxxx > > > > [Peer] > > PublicKey = xxxx > > AllowedIPs = 192.168.100.2/32 > > > > > > on my client my config is > > > > [Interface] > > Address = 192.168.100.2 > > PrivateKey = xxxxx > > ListenPort = 21841 > > DNS = 192.168.1.63 > > > > [Peer] > > PublicKey = xxxx > > Endpoint = ddns:xxx > > AllowedIPs = 192.168.1.0/24 > > > > # This is for if you're behind a NAT and > > # want the connection to be kept alive. > > PersistentKeepalive = 25 > > Try changing AllowedIPs in the client config to: > AllowedIPs = 192.168.100.1/32,192.168.1.0/24 > > Also, if you want to masquerade the traffic to the internet you need to > add 0.0.0.0./0 to the client or change the destination IP to the server > node via a NAT rule, otherwise it's going to be rejected because the IP > packet doesn't have an AllowedIP address, I think. (The source needs to > match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is > that's why you couldn't complete the handshake. > > [-- Attachment #1.2: Type: text/html, Size: 3157 bytes --] [-- Attachment #2: Type: text/plain, Size: 148 bytes --] _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cant connect to wireguard when router connected to a vpn service 2019-03-06 15:59 ` Arpit Gupta @ 2019-03-06 16:20 ` Arpit Gupta 2019-03-06 18:22 ` Arpit Gupta 0 siblings, 1 reply; 8+ messages in thread From: Arpit Gupta @ 2019-03-06 16:20 UTC (permalink / raw) To: XRP; +Cc: wireguard [-- Attachment #1.1: Type: text/plain, Size: 2432 bytes --] Got it working :). Did not need to change any client or server settings. However needed to add another policy rule in my vpn client. Rule states Source: wireguard server destination: 192.168.100.0/24 (so any of my wireguard clients) interface: WAN So this way wireguard traffic does not go through the VPN. -- Arpit On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit@gmail.com> wrote: > Tried changing the allowed ip's to what was suggested and it did not work. > Same behavior as before. Also my configs were working as expected before i > had my router connected to a vpn service. > > It required me to add the following route policy for my vpn client on my > router > > Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go throuh the VPN. > So if it matters if i connected to wireguard using the ip address of the > ISP vs the IP address of the VPN? > > > -- > Arpit > > > On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote: > >> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote: >> > On my server my conf is >> > >> > [Interface] >> > Address = 192.168.100.1/32 >> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o >> > %i -j >> > ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE >> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD >> > -o %i >> > -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE >> > ListenPort = 54930 >> > PrivateKey = xxxxx >> > >> > [Peer] >> > PublicKey = xxxx >> > AllowedIPs = 192.168.100.2/32 >> > >> > >> > on my client my config is >> > >> > [Interface] >> > Address = 192.168.100.2 >> > PrivateKey = xxxxx >> > ListenPort = 21841 >> > DNS = 192.168.1.63 >> > >> > [Peer] >> > PublicKey = xxxx >> > Endpoint = ddns:xxx >> > AllowedIPs = 192.168.1.0/24 >> > >> > # This is for if you're behind a NAT and >> > # want the connection to be kept alive. >> > PersistentKeepalive = 25 >> >> Try changing AllowedIPs in the client config to: >> AllowedIPs = 192.168.100.1/32,192.168.1.0/24 >> >> Also, if you want to masquerade the traffic to the internet you need to >> add 0.0.0.0./0 to the client or change the destination IP to the server >> node via a NAT rule, otherwise it's going to be rejected because the IP >> packet doesn't have an AllowedIP address, I think. (The source needs to >> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is >> that's why you couldn't complete the handshake. >> >> [-- Attachment #1.2: Type: text/html, Size: 4106 bytes --] [-- Attachment #2: Type: text/plain, Size: 148 bytes --] _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cant connect to wireguard when router connected to a vpn service 2019-03-06 16:20 ` Arpit Gupta @ 2019-03-06 18:22 ` Arpit Gupta 2019-03-07 8:04 ` David Kerr 0 siblings, 1 reply; 8+ messages in thread From: Arpit Gupta @ 2019-03-06 18:22 UTC (permalink / raw) To: XRP; +Cc: wireguard [-- Attachment #1.1: Type: text/plain, Size: 2914 bytes --] Actually false alarm :(. Can only get it to work if i add a policy rule in my router vpn client to send all traffic from host running wireguard through the WAN and thus skipping VPN which is not ideal as when i am routing all traffic through wireguard ideally i want it to use the vpn tunnel on my router. -- Arpit On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit@gmail.com> wrote: > Got it working :). > > Did not need to change any client or server settings. However needed to > add another policy rule in my vpn client. Rule states > > Source: wireguard server > destination: 192.168.100.0/24 (so any of my wireguard clients) > interface: WAN > > So this way wireguard traffic does not go through the VPN. > -- > Arpit > > > On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit@gmail.com> wrote: > >> Tried changing the allowed ip's to what was suggested and it did not >> work. Same behavior as before. Also my configs were working as expected >> before i had my router connected to a vpn service. >> >> It required me to add the following route policy for my vpn client on my >> router >> >> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go throuh the VPN. >> So if it matters if i connected to wireguard using the ip address of the >> ISP vs the IP address of the VPN? >> >> >> -- >> Arpit >> >> >> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote: >> >>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote: >>> > On my server my conf is >>> > >>> > [Interface] >>> > Address = 192.168.100.1/32 >>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o >>> > %i -j >>> > ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE >>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD >>> > -o %i >>> > -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE >>> > ListenPort = 54930 >>> > PrivateKey = xxxxx >>> > >>> > [Peer] >>> > PublicKey = xxxx >>> > AllowedIPs = 192.168.100.2/32 >>> > >>> > >>> > on my client my config is >>> > >>> > [Interface] >>> > Address = 192.168.100.2 >>> > PrivateKey = xxxxx >>> > ListenPort = 21841 >>> > DNS = 192.168.1.63 >>> > >>> > [Peer] >>> > PublicKey = xxxx >>> > Endpoint = ddns:xxx >>> > AllowedIPs = 192.168.1.0/24 >>> > >>> > # This is for if you're behind a NAT and >>> > # want the connection to be kept alive. >>> > PersistentKeepalive = 25 >>> >>> Try changing AllowedIPs in the client config to: >>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24 >>> >>> Also, if you want to masquerade the traffic to the internet you need to >>> add 0.0.0.0./0 to the client or change the destination IP to the server >>> node via a NAT rule, otherwise it's going to be rejected because the IP >>> packet doesn't have an AllowedIP address, I think. (The source needs to >>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is >>> that's why you couldn't complete the handshake. >>> >>> [-- Attachment #1.2: Type: text/html, Size: 5013 bytes --] [-- Attachment #2: Type: text/plain, Size: 148 bytes --] _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cant connect to wireguard when router connected to a vpn service 2019-03-06 18:22 ` Arpit Gupta @ 2019-03-07 8:04 ` David Kerr 2019-03-07 17:54 ` Arpit Gupta 0 siblings, 1 reply; 8+ messages in thread From: David Kerr @ 2019-03-07 8:04 UTC (permalink / raw) To: Arpit Gupta; +Cc: wireguard [-- Attachment #1.1: Type: text/plain, Size: 3708 bytes --] I'm a little confused as to the network architecture. Are your running a wireguard VPN inside of your OpenVPN? Or do you have two VPN's connecting into your host independently? Either way, the first thing I would look at is your ip route tables. You need to make sure that packets that arrive on one interface (e.g. wg0) are replied to over that same interface and are not directed out somewhere else by virtue of the default route pointing elsewhere. David On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta <g.arpit@gmail.com> wrote: > Actually false alarm :(. > > Can only get it to work if i add a policy rule in my router vpn client to > send all traffic from host running wireguard through the WAN and thus > skipping VPN which is not ideal as when i am routing all traffic through > wireguard ideally i want it to use the vpn tunnel on my router. > > > -- > Arpit > > > On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit@gmail.com> wrote: > >> Got it working :). >> >> Did not need to change any client or server settings. However needed to >> add another policy rule in my vpn client. Rule states >> >> Source: wireguard server >> destination: 192.168.100.0/24 (so any of my wireguard clients) >> interface: WAN >> >> So this way wireguard traffic does not go through the VPN. >> -- >> Arpit >> >> >> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit@gmail.com> wrote: >> >>> Tried changing the allowed ip's to what was suggested and it did not >>> work. Same behavior as before. Also my configs were working as expected >>> before i had my router connected to a vpn service. >>> >>> It required me to add the following route policy for my vpn client on my >>> router >>> >>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go throuh the VPN. >>> So if it matters if i connected to wireguard using the ip address of the >>> ISP vs the IP address of the VPN? >>> >>> >>> -- >>> Arpit >>> >>> >>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote: >>> >>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote: >>>> > On my server my conf is >>>> > >>>> > [Interface] >>>> > Address = 192.168.100.1/32 >>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o >>>> > %i -j >>>> > ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE >>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD >>>> > -o %i >>>> > -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE >>>> > ListenPort = 54930 >>>> > PrivateKey = xxxxx >>>> > >>>> > [Peer] >>>> > PublicKey = xxxx >>>> > AllowedIPs = 192.168.100.2/32 >>>> > >>>> > >>>> > on my client my config is >>>> > >>>> > [Interface] >>>> > Address = 192.168.100.2 >>>> > PrivateKey = xxxxx >>>> > ListenPort = 21841 >>>> > DNS = 192.168.1.63 >>>> > >>>> > [Peer] >>>> > PublicKey = xxxx >>>> > Endpoint = ddns:xxx >>>> > AllowedIPs = 192.168.1.0/24 >>>> > >>>> > # This is for if you're behind a NAT and >>>> > # want the connection to be kept alive. >>>> > PersistentKeepalive = 25 >>>> >>>> Try changing AllowedIPs in the client config to: >>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24 >>>> >>>> Also, if you want to masquerade the traffic to the internet you need to >>>> add 0.0.0.0./0 to the client or change the destination IP to the server >>>> node via a NAT rule, otherwise it's going to be rejected because the IP >>>> packet doesn't have an AllowedIP address, I think. (The source needs to >>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is >>>> that's why you couldn't complete the handshake. >>>> >>>> _______________________________________________ > WireGuard mailing list > WireGuard@lists.zx2c4.com > https://lists.zx2c4.com/mailman/listinfo/wireguard > [-- Attachment #1.2: Type: text/html, Size: 6451 bytes --] [-- Attachment #2: Type: text/plain, Size: 148 bytes --] _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cant connect to wireguard when router connected to a vpn service 2019-03-07 8:04 ` David Kerr @ 2019-03-07 17:54 ` Arpit Gupta 2019-03-07 19:18 ` Arpit Gupta 0 siblings, 1 reply; 8+ messages in thread From: Arpit Gupta @ 2019-03-07 17:54 UTC (permalink / raw) To: David Kerr; +Cc: wireguard [-- Attachment #1.1: Type: text/plain, Size: 5388 bytes --] I am noob in networking commands so looking for any pointers :). I think the issue is packets are getting directed some where else because of a default route. Here is info on my setup. Wireguard running on host: 192.168.1.63 Router: 192.168.1.1 is also running a VPN Client and is connected to mullvad vpn service. This sets up a tunnel on my router. I have a policy rule setup on my router that sends all traffic from 192.168.1.0/24 through the vpn tunnel. I setup port forwarding according to mullvad guides on my router. I have confirmed port forwarding in mullvad is working as i am forwarding ports to other services without any issues. iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930 iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930 However even with these rules i am not able to connect to wireguard when using my vpn ip. Now if i add a route to my vpn client that states all traffic from 192.168.1.63 goes through the wan then i can connect to wireguard but using my isp's ip address. With this setup i only have access to lan. My ideal setup so that i dont need to switch to different wireguard tunnel when i leave my home network is that i be able access my lan as well as route all traffic via mullvad. So i think the issue i need to solve is how come i am not able to reach wireguard even with port forwarding setup in mullvad when using my vpn ip. -- Arpit On Thu, Mar 7, 2019 at 12:04 AM David Kerr <david@kerr.net> wrote: > I'm a little confused as to the network architecture. Are your running a > wireguard VPN inside of your OpenVPN? Or do you have two VPN's connecting > into your host independently? Either way, the first thing I would look at > is your ip route tables. You need to make sure that packets that arrive on > one interface (e.g. wg0) are replied to over that same interface and are > not directed out somewhere else by virtue of the default route pointing > elsewhere. > > David > > On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta <g.arpit@gmail.com> wrote: > >> Actually false alarm :(. >> >> Can only get it to work if i add a policy rule in my router vpn client to >> send all traffic from host running wireguard through the WAN and thus >> skipping VPN which is not ideal as when i am routing all traffic through >> wireguard ideally i want it to use the vpn tunnel on my router. >> >> >> -- >> Arpit >> >> >> On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit@gmail.com> wrote: >> >>> Got it working :). >>> >>> Did not need to change any client or server settings. However needed to >>> add another policy rule in my vpn client. Rule states >>> >>> Source: wireguard server >>> destination: 192.168.100.0/24 (so any of my wireguard clients) >>> interface: WAN >>> >>> So this way wireguard traffic does not go through the VPN. >>> -- >>> Arpit >>> >>> >>> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit@gmail.com> wrote: >>> >>>> Tried changing the allowed ip's to what was suggested and it did not >>>> work. Same behavior as before. Also my configs were working as expected >>>> before i had my router connected to a vpn service. >>>> >>>> It required me to add the following route policy for my vpn client on >>>> my router >>>> >>>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go throuh the >>>> VPN. So if it matters if i connected to wireguard using the ip address of >>>> the ISP vs the IP address of the VPN? >>>> >>>> >>>> -- >>>> Arpit >>>> >>>> >>>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote: >>>> >>>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote: >>>>> > On my server my conf is >>>>> > >>>>> > [Interface] >>>>> > Address = 192.168.100.1/32 >>>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o >>>>> > %i -j >>>>> > ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE >>>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD >>>>> > -o %i >>>>> > -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE >>>>> > ListenPort = 54930 >>>>> > PrivateKey = xxxxx >>>>> > >>>>> > [Peer] >>>>> > PublicKey = xxxx >>>>> > AllowedIPs = 192.168.100.2/32 >>>>> > >>>>> > >>>>> > on my client my config is >>>>> > >>>>> > [Interface] >>>>> > Address = 192.168.100.2 >>>>> > PrivateKey = xxxxx >>>>> > ListenPort = 21841 >>>>> > DNS = 192.168.1.63 >>>>> > >>>>> > [Peer] >>>>> > PublicKey = xxxx >>>>> > Endpoint = ddns:xxx >>>>> > AllowedIPs = 192.168.1.0/24 >>>>> > >>>>> > # This is for if you're behind a NAT and >>>>> > # want the connection to be kept alive. >>>>> > PersistentKeepalive = 25 >>>>> >>>>> Try changing AllowedIPs in the client config to: >>>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24 >>>>> >>>>> Also, if you want to masquerade the traffic to the internet you need to >>>>> add 0.0.0.0./0 to the client or change the destination IP to the server >>>>> node via a NAT rule, otherwise it's going to be rejected because the IP >>>>> packet doesn't have an AllowedIP address, I think. (The source needs to >>>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is >>>>> that's why you couldn't complete the handshake. >>>>> >>>>> _______________________________________________ >> WireGuard mailing list >> WireGuard@lists.zx2c4.com >> https://lists.zx2c4.com/mailman/listinfo/wireguard >> > [-- Attachment #1.2: Type: text/html, Size: 8895 bytes --] [-- Attachment #2: Type: text/plain, Size: 148 bytes --] _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cant connect to wireguard when router connected to a vpn service 2019-03-07 17:54 ` Arpit Gupta @ 2019-03-07 19:18 ` Arpit Gupta 0 siblings, 0 replies; 8+ messages in thread From: Arpit Gupta @ 2019-03-07 19:18 UTC (permalink / raw) To: David Kerr; +Cc: wireguard [-- Attachment #1.1: Type: text/plain, Size: 6172 bytes --] Man this was a pebkac issue :). The way i was using wireguard before was i would always leave it on even when i was at home. However now when i am home my wireless is connected to mullvad vpn. So when i tried to connect to wireguard using the vpn ip it did not work. When i switched my phone's wifi off and then used the vpn ip to connect to wireguard it worked just fine. Now i willl do some research on how can i make this work at home and outside :). Sorry for all the noise. Thanks -- Arpit On Thu, Mar 7, 2019 at 9:54 AM Arpit Gupta <g.arpit@gmail.com> wrote: > I am noob in networking commands so looking for any pointers :). I think > the issue is packets are getting directed some where else because of a > default route. > > Here is info on my setup. > > Wireguard running on host: 192.168.1.63 > > Router: 192.168.1.1 is also running a VPN Client and is connected to > mullvad vpn service. This sets up a tunnel on my router. I have a policy > rule setup on my router that sends all traffic from 192.168.1.0/24 > through the vpn tunnel. > > I setup port forwarding according to mullvad guides on my router. I have > confirmed port forwarding in mullvad is working as i am forwarding ports to > other services without any issues. > > iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT > --to-destination 192.168.1.63:54930 > iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT > --to-destination 192.168.1.63:54930 > > However even with these rules i am not able to connect to wireguard when > using my vpn ip. > > > Now if i add a route to my vpn client that states all traffic from > 192.168.1.63 goes through the wan then i can connect to wireguard but using > my isp's ip address. With this setup i only have access to lan. My ideal > setup so that i dont need to switch to different wireguard tunnel when i > leave my home network is that i be able access my lan as well as route all > traffic via mullvad. > > > So i think the issue i need to solve is how come i am not able to reach > wireguard even with port forwarding setup in mullvad when using my vpn ip. > > -- > Arpit > > > On Thu, Mar 7, 2019 at 12:04 AM David Kerr <david@kerr.net> wrote: > >> I'm a little confused as to the network architecture. Are your running a >> wireguard VPN inside of your OpenVPN? Or do you have two VPN's connecting >> into your host independently? Either way, the first thing I would look at >> is your ip route tables. You need to make sure that packets that arrive on >> one interface (e.g. wg0) are replied to over that same interface and are >> not directed out somewhere else by virtue of the default route pointing >> elsewhere. >> >> David >> >> On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta <g.arpit@gmail.com> wrote: >> >>> Actually false alarm :(. >>> >>> Can only get it to work if i add a policy rule in my router vpn client >>> to send all traffic from host running wireguard through the WAN and thus >>> skipping VPN which is not ideal as when i am routing all traffic through >>> wireguard ideally i want it to use the vpn tunnel on my router. >>> >>> >>> -- >>> Arpit >>> >>> >>> On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit@gmail.com> wrote: >>> >>>> Got it working :). >>>> >>>> Did not need to change any client or server settings. However needed to >>>> add another policy rule in my vpn client. Rule states >>>> >>>> Source: wireguard server >>>> destination: 192.168.100.0/24 (so any of my wireguard clients) >>>> interface: WAN >>>> >>>> So this way wireguard traffic does not go through the VPN. >>>> -- >>>> Arpit >>>> >>>> >>>> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit@gmail.com> wrote: >>>> >>>>> Tried changing the allowed ip's to what was suggested and it did not >>>>> work. Same behavior as before. Also my configs were working as expected >>>>> before i had my router connected to a vpn service. >>>>> >>>>> It required me to add the following route policy for my vpn client on >>>>> my router >>>>> >>>>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go throuh the >>>>> VPN. So if it matters if i connected to wireguard using the ip address of >>>>> the ISP vs the IP address of the VPN? >>>>> >>>>> >>>>> -- >>>>> Arpit >>>>> >>>>> >>>>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote: >>>>> >>>>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote: >>>>>> > On my server my conf is >>>>>> > >>>>>> > [Interface] >>>>>> > Address = 192.168.100.1/32 >>>>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o >>>>>> > %i -j >>>>>> > ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE >>>>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD >>>>>> > -o %i >>>>>> > -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE >>>>>> > ListenPort = 54930 >>>>>> > PrivateKey = xxxxx >>>>>> > >>>>>> > [Peer] >>>>>> > PublicKey = xxxx >>>>>> > AllowedIPs = 192.168.100.2/32 >>>>>> > >>>>>> > >>>>>> > on my client my config is >>>>>> > >>>>>> > [Interface] >>>>>> > Address = 192.168.100.2 >>>>>> > PrivateKey = xxxxx >>>>>> > ListenPort = 21841 >>>>>> > DNS = 192.168.1.63 >>>>>> > >>>>>> > [Peer] >>>>>> > PublicKey = xxxx >>>>>> > Endpoint = ddns:xxx >>>>>> > AllowedIPs = 192.168.1.0/24 >>>>>> > >>>>>> > # This is for if you're behind a NAT and >>>>>> > # want the connection to be kept alive. >>>>>> > PersistentKeepalive = 25 >>>>>> >>>>>> Try changing AllowedIPs in the client config to: >>>>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24 >>>>>> >>>>>> Also, if you want to masquerade the traffic to the internet you need >>>>>> to >>>>>> add 0.0.0.0./0 to the client or change the destination IP to the >>>>>> server >>>>>> node via a NAT rule, otherwise it's going to be rejected because the >>>>>> IP >>>>>> packet doesn't have an AllowedIP address, I think. (The source needs >>>>>> to >>>>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is >>>>>> that's why you couldn't complete the handshake. >>>>>> >>>>>> _______________________________________________ >>> WireGuard mailing list >>> WireGuard@lists.zx2c4.com >>> https://lists.zx2c4.com/mailman/listinfo/wireguard >>> >> [-- Attachment #1.2: Type: text/html, Size: 10150 bytes --] [-- Attachment #2: Type: text/plain, Size: 148 bytes --] _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-03-20 22:37 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-03-06 8:40 cant connect to wireguard when router connected to a vpn service Arpit Gupta 2019-03-06 9:18 ` XRP 2019-03-06 15:59 ` Arpit Gupta 2019-03-06 16:20 ` Arpit Gupta 2019-03-06 18:22 ` Arpit Gupta 2019-03-07 8:04 ` David Kerr 2019-03-07 17:54 ` Arpit Gupta 2019-03-07 19:18 ` Arpit Gupta
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.