* VPN - excluding local IPs
From: Andreas Hatzl @ 2019-02-21 15:08 UTC (permalink / raw)
  To: wireguard

Hi,

I have successfully set up a wireguard VPN between my notebook (Manjaro behind 
NAT) and my virtual server (ubuntu 18.04). The only "issue" left is that I 
can't connect to local devices on the client while using wireguard. Is there a 
way to exclude an IP range from using wireguard? 

my client config:
[Interface]
Address = 10.x.y.z/32
PrivateKey = xyz

[Peer]
PublicKey = xyz
Endpoint = xyz:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21

I am aware that the solution for this has most likely been posted a lot of 
times but I can't find anything on the Wireguard page or Google.

It would be great if somebody could help me with this.

Thanks

Andreas


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: VPN - excluding local IPs
From: Anatoli @ 2019-03-21  6:07 UTC (permalink / raw)
  To: wireguard

Andreas,

Check the Table option here: 
https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8.

wg-quick adds some routes and rules; you can see them with: ip rule show 
(check the line containing fwmark; it ends with the routing table 
number) and then check the routes in the corresponding table with: ip 
route show table xxx. Basically, if you omit the Table option, wg-quick 
will add the necessary routes to send all traffic via the tunnel when 
you specify AllowedIPs = 0.0.0.0/0. You can add routes to your local 
networks/devices, so that connections to them go outside the tunnel, in 
the PostUp option of the wg-quick config.

Regards,
Anatoli


* Re: VPN - excluding local IPs
From: Dmitrii Tcvetkov @ 2019-03-21 18:50 UTC (permalink / raw)
  To: Andreas Hatzl; +Cc: wireguard

On Thu, 21 Feb 2019 16:08:50 +0100
Andreas Hatzl <andreas@hatzl.org> wrote:

> Hi,
> 
> I have successfully set up a wireguard VPN between my notebook
> (Manjaro behind NAT) and my virtual server (ubuntu 18.04). The only
> "issue" left is that I can't connect to local devices on the client
> while using wireguard. Is there a way to exclude an IP range from
> using wireguard? 
> 
> my client config:
> [Interface]
> Address = 10.x.y.z/32
> PrivateKey = xyz
> 
> [Peer]
> PublicKey =xyz
> Endpoint = xyz:51820
> AllowedIPs = 0.0.0.0/0
> PersistentKeepalive = 21
> 
> I am aware that the solution for this has most likely been posted a
> lot of times but I can't find anything on the Wireguard page or
> Google.
> 
> It would be great if somebody could help me with this.
> 
> Thanks
> 
> Andreas

That's odd. If I understood correctly, your setup looks something like this; if
not, please correct me:

|--------------------|
|      notebook      |
|--------------------|
 172.16.0.2/24 private
 10.0.0.2/24 inside tunnel


|--------------------|
| Example LAN device |
|--------------------|
 172.16.0.3/24 private


        private 172.16.0.1/24
     |--------------------|
-----|   router with NAT  |-------------
     |--------------------|
          2.3.4.5 public


 1.2.3.4 public
 10.0.0.1/24 inside tunnel
|--------------------|
|  WireGuard server  |
|--------------------|

So in this example, before connecting to the VPN, the notebook would have:
direct route to 172.16.0.0/24
default route via 172.16.0.1

After connecting to the VPN, assuming that the VPN setup overrides the default
route:
direct route to 172.16.0.0/24
direct route to 10.0.0.0/24
static route to 1.2.3.4 via 172.16.0.1 (for encrypted WG traffic)
default route via 10.0.0.1

In that case there would not be any problem for the notebook to communicate
with the "example LAN device" unless a firewall on the notebook or the "LAN
device" interferes.

As far as I know there is no straightforward way to exclude networks
from AllowedIPs, but you can enumerate all public IPv4 prefixes, like
the Android WireGuard client does:

200.0.0.0/5,172.64.0.0/10,172.128.0.0/9,12.0.0.0/6,16.0.0.0/4,11.0.0.0/8,
32.0.0.0/3,128.0.0.0/3,196.0.0.0/6,64.0.0.0/2,172.0.0.0/12,194.0.0.0/7,
192.160.0.0/13,192.0.0.0/9,192.170.0.0/15,160.0.0.0/5,192.128.0.0/11,
193.0.0.0/8,208.0.0.0/4,192.172.0.0/14,176.0.0.0/4,192.169.0.0/16,
0.0.0.0/5,174.0.0.0/7,192.176.0.0/12,192.192.0.0/10,8.0.0.0/7,
172.32.0.0/11,173.0.0.0/8,168.0.0.0/6

But if you just replace 0.0.0.0/0 with this in the AllowedIPs line without
fixing routing, then WireGuard will just reject packets which don't
belong to these prefixes. The network stack of the notebook should route
packets to the LAN; AllowedIPs is more of a precaution in this case.
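The prefix list Dmitrii quotes is the complement of the RFC 1918 ranges (and 224.0.0.0/3) within 0.0.0.0/0. The following Python script, added here and not part of the thread, computes such an AllowedIPs list for any set of excluded networks and checks the result against the quoted list; the exclusion set and the helper names are assumptions.

```python
import ipaddress

# The prefix list from the message above (copied from the thread), used as the expected result.
ANDROID_PUBLIC_V4 = (
    "200.0.0.0/5,172.64.0.0/10,172.128.0.0/9,12.0.0.0/6,16.0.0.0/4,11.0.0.0/8,"
    "32.0.0.0/3,128.0.0.0/3,196.0.0.0/6,64.0.0.0/2,172.0.0.0/12,194.0.0.0/7,"
    "192.160.0.0/13,192.0.0.0/9,192.170.0.0/15,160.0.0.0/5,192.128.0.0/11,"
    "193.0.0.0/8,208.0.0.0/4,192.172.0.0/14,176.0.0.0/4,192.169.0.0/16,"
    "0.0.0.0/5,174.0.0.0/7,192.176.0.0/12,192.192.0.0/10,8.0.0.0/7,"
    "172.32.0.0/11,173.0.0.0/8,168.0.0.0/6"
)

# Assumed exclusions: RFC 1918 space plus multicast/reserved (224.0.0.0/3).
DEFAULT_EXCLUDES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")


def exclude_prefixes(base, excludes):
    """Return the minimal sorted list of networks covering `base` minus `excludes`."""
    remaining = [ipaddress.ip_network(base)]
    for ex in map(ipaddress.ip_network, excludes):
        carved = []
        for net in remaining:
            if net.subnet_of(ex):        # net lies entirely inside the exclusion: drop it
                continue
            if ex.subnet_of(net):        # exclusion lies inside net: split net around it
                carved.extend(net.address_exclude(ex))
            else:                        # disjoint: keep untouched
                carved.append(net)
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def allowed_ips_line(excludes=DEFAULT_EXCLUDES):
    """Render the computed cover as a wg-quick 'AllowedIPs = ...' line."""
    return "AllowedIPs = " + ", ".join(map(str, exclude_prefixes("0.0.0.0/0", excludes)))


def is_allowed(ip, excludes=DEFAULT_EXCLUDES):
    """Would a packet to this destination be accepted/sent through the tunnel?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in exclude_prefixes("0.0.0.0/0", excludes))


def matches_android_list(excludes=DEFAULT_EXCLUDES):
    """Check that the computed cover equals the list quoted in the thread."""
    computed = {str(n) for n in exclude_prefixes("0.0.0.0/0", excludes)}
    return computed == set(ANDROID_PUBLIC_V4.split(","))


if __name__ == "__main__":
    print(allowed_ips_line())
    print("matches Android list:", matches_android_list())
```

As Dmitrii notes, such a list only makes WireGuard drop LAN-bound packets that reach the interface; the kernel routing table still decides where they go first.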
