wireguard.lists.zx2c4.com archive mirror
* Can't connect to WireGuard when router connected to a VPN service
@ 2019-03-06  8:40 Arpit Gupta
From: Arpit Gupta @ 2019-03-06  8:40 UTC (permalink / raw)
  To: wireguard



Hi All

A novice user here, looking for some pointers on how I could fix this
issue.

I had been successfully using WireGuard to get access to my local network.
Recently I started looking into a VPN service that I could connect to my
router. So I started playing with Mullvad VPN and set up my router to have a
VPN client so all my network traffic goes via the VPN. I followed the following
guide: https://mullvad.net/en/guides/asus-merlin-and-mullvad-vpn/

Ever since I enabled this I am not able to connect to WireGuard from
outside my home network. What is interesting is that when I check the
status of the connections on the server, the endpoint entry has the correct
IP but the latest handshake time does not get updated and I no longer have
access to my internal network.

peer: xxxx
  endpoint: 73.xx.xx.xx:1543
  allowed ips: 192.168.100.x/32
  latest handshake: 21 minutes, 24 seconds ago
  transfer: 1.24 MiB received, 5.46 MiB sent

Logs from the wireguard client on my android phone have the following:

03-06 00:23:51.800 28912 17051 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Starting...
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Routine: sequential receiver - started
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Routine: nonce worker - started
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Routine: sequential sender - started
03-06 00:23:51.800 28912 17051 I WireGuard/GoBackend/wg0: Device started
03-06 00:23:52.551 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Sending handshake initiation
03-06 00:23:52.567 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Awaiting keypair
03-06 00:23:57.557 28912 15089 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Sending handshake initiation
03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Handshake did not complete after 5 seconds, retrying (try 2)
03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) -
Sending handshake initiation


I can connect to my network using the ISP or VPN IP. The above issue is what I
am running into when I use the ISP IP address to talk to WireGuard.

I tried using the VPN IP to talk to WireGuard but I could not get port
forwarding to work. I have confirmed port forwarding via Mullvad is
working as I am using it for other services. As per the Mullvad guide I had
added the following rule to forward the port to WireGuard.

# iptables -t nat -A PREROUTING -i tun+ -p udp --dport 9934 -j DNAT --to-destination 192.168.1.63:54930


So I am not sure if there are additional forwarding rules and/or policy
rules for the VPN client required to get this setup working.

On my server my conf is

[Interface]
Address = 192.168.100.1/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 54930
PrivateKey = xxxxx

[Peer]
PublicKey = xxxx
AllowedIPs = 192.168.100.2/32


On my client my config is

[Interface]
Address = 192.168.100.2
PrivateKey = xxxxx
ListenPort = 21841
DNS = 192.168.1.63

[Peer]
PublicKey = xxxx
Endpoint = ddns:xxx
AllowedIPs = 192.168.1.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

--
Arpit


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Can't connect to WireGuard when router connected to a VPN service
@ 2019-03-06  9:18 ` XRP
From: XRP @ 2019-03-06  9:18 UTC (permalink / raw)
  To: Arpit Gupta, wireguard

On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
> On my server my conf is
> 
> [Interface]
> Address = 192.168.100.1/32
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> ListenPort = 54930
> PrivateKey = xxxxx
> 
> [Peer]
> PublicKey = xxxx
> AllowedIPs = 192.168.100.2/32
> 
> 
> on my client my config is
> 
> [Interface]
> Address = 192.168.100.2
> PrivateKey = xxxxx
> ListenPort = 21841
> DNS = 192.168.1.63
> 
> [Peer]
> PublicKey = xxxx
> Endpoint = ddns:xxx
> AllowedIPs = 192.168.1.0/24
> 
> # This is for if you're behind a NAT and
> # want the connection to be kept alive.
> PersistentKeepalive = 25

Try changing AllowedIPs in the client config to:
AllowedIPs = 192.168.100.1/32,192.168.1.0/24

Also, if you want to masquerade the traffic to the internet you need to
add 0.0.0.0/0 to the client or change the destination IP to the server
node via a NAT rule, otherwise it's going to be rejected because the IP
packet doesn't have an AllowedIP address, I think. (The source needs to
match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
that's why you couldn't complete the handshake.

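As an added example (not code from the thread and not WireGuard's own implementation), here is a small Python model of the rule XRP's suggestion is about: WireGuard's cryptokey routing, where a peer's AllowedIPs list is both the outbound routing table and the inbound source filter. Peer names stand in for public keys; the prefixes are the ones from the client configs quoted above. One caveat worth knowing: AllowedIPs is consulted for data packets, not for the handshake itself, so an AllowedIPs mismatch shows up as a completed handshake with traffic silently dropped, not as the missing handshake in the first message's log.

```python
"""Model of WireGuard's cryptokey routing: each peer's AllowedIPs list is
both the outbound routing table (which peer gets a packet for this
destination) and the inbound source filter (which decrypted source
addresses are accepted from that peer).

Added example; it is not WireGuard's code and not from the thread. Peer
names are placeholders for public keys; the prefixes are the ones from
the client configs quoted above.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

Peers = Dict[str, List[str]]

# Original client config from the first message: only the LAN is routed.
ORIGINAL_CLIENT_PEERS: Peers = {"server": ["192.168.1.0/24"]}
# XRP's suggestion: add the server's own tunnel address.
SUGGESTED_CLIENT_PEERS: Peers = {"server": ["192.168.100.1/32", "192.168.1.0/24"]}
# Full-tunnel variant XRP mentions (everything through the peer).
FULL_TUNNEL_CLIENT_PEERS: Peers = {"server": ["0.0.0.0/0"]}


def _owner_of(peers: Peers, addr: str) -> Optional[str]:
    """Peer whose AllowedIPs contain addr; the longest prefix wins, exactly
    as in a routing table."""
    ip = ip_address(addr)
    best_peer, best_len = None, -1
    for peer, prefixes in peers.items():
        for cidr in prefixes:
            net = ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_len:
                best_peer, best_len = peer, net.prefixlen
    return best_peer


def outbound_peer(peers: Peers, dst: str) -> Optional[str]:
    """Peer a packet to dst is encrypted for. None means no peer owns it:
    wg-quick only adds routes for AllowedIPs, so such traffic stays off the
    tunnel, and a packet that reaches the interface anyway is dropped."""
    return _owner_of(peers, dst)


def inbound_allowed(peers: Peers, from_peer: str, src: str) -> bool:
    """After decryption a packet is kept only if its source address belongs
    to the peer it came from; anything else is silently dropped."""
    return _owner_of(peers, src) == from_peer


def can_exchange(peers: Peers, peer: str, remote: str) -> bool:
    """Both directions of a request/reply with remote (e.g. a ping) work."""
    return outbound_peer(peers, remote) == peer and inbound_allowed(peers, peer, remote)


if __name__ == "__main__":
    for label, peers in (("original", ORIGINAL_CLIENT_PEERS),
                         ("suggested", SUGGESTED_CLIENT_PEERS)):
        for target in ("192.168.1.63", "192.168.100.1", "1.1.1.1"):
            print(f"{label:9} -> {target:14} exchange ok: {can_exchange(peers, 'server', target)}")
```

With the original client config, reaching LAN hosts such as 192.168.1.63 works in both directions, but a ping to the server's tunnel address 192.168.100.1 fails twice over: the destination is not routed into the tunnel, and the reply's source would be rejected on the way back. XRP's /32 addition fixes both; 0.0.0.0/0 would additionally pull internet traffic into the tunnel, which is the full-tunnel case he describes.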

* Re: Can't connect to WireGuard when router connected to a VPN service
@ 2019-03-06 15:59   ` Arpit Gupta
From: Arpit Gupta @ 2019-03-06 15:59 UTC (permalink / raw)
  To: XRP; +Cc: wireguard



Tried changing the allowed IPs to what was suggested and it did not work.
Same behavior as before. Also my configs were working as expected before I
had my router connected to a VPN service.

It required me to add the following route policy for my VPN client on my
router:

Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the VPN. So
does it matter if I connect to WireGuard using the IP address of the ISP
vs the IP address of the VPN?


--
Arpit




* Re: Can't connect to WireGuard when router connected to a VPN service
@ 2019-03-06 16:20     ` Arpit Gupta
From: Arpit Gupta @ 2019-03-06 16:20 UTC (permalink / raw)
  To: XRP; +Cc: wireguard



Got it working :).

Did not need to change any client or server settings. However, I needed to
add another policy rule in my VPN client. The rule states:

Source: WireGuard server
Destination: 192.168.100.0/24 (so any of my WireGuard clients)
Interface: WAN

This way WireGuard traffic does not go through the VPN.
--
Arpit




* Re: Can't connect to WireGuard when router connected to a VPN service
@ 2019-03-06 18:22       ` Arpit Gupta
From: Arpit Gupta @ 2019-03-06 18:22 UTC (permalink / raw)
  To: XRP; +Cc: wireguard



Actually false alarm :(.

I can only get it to work if I add a policy rule in my router's VPN client to
send all traffic from the host running WireGuard through the WAN, thus
skipping the VPN. That is not ideal: when I am routing all traffic through
WireGuard, I ideally want it to use the VPN tunnel on my router.


--
Arpit




* Re: Can't connect to WireGuard when router connected to a VPN service
@ 2019-03-07  8:04         ` David Kerr
From: David Kerr @ 2019-03-07  8:04 UTC (permalink / raw)
  To: Arpit Gupta; +Cc: wireguard



I'm a little confused as to the network architecture.  Are you running a
WireGuard VPN inside of your OpenVPN?  Or do you have two VPNs connecting
into your host independently?  Either way, the first thing I would look at
is your ip route tables.  You need to make sure that packets that arrive on
one interface (e.g. wg0) are replied to over that same interface and are
not directed out somewhere else by virtue of the default route pointing
elsewhere.

David



* Re: Can't connect to WireGuard when router connected to a VPN service
@ 2019-03-07 17:54           ` Arpit Gupta
From: Arpit Gupta @ 2019-03-07 17:54 UTC (permalink / raw)
  To: David Kerr; +Cc: wireguard



I am a noob in networking commands so I'm looking for any pointers :). I think
the issue is packets are getting directed somewhere else because of a
default route.

Here is info on my setup.

WireGuard running on host: 192.168.1.63

Router: 192.168.1.1 is also running a VPN client and is connected to the
Mullvad VPN service. This sets up a tunnel on my router. I have a policy
rule set up on my router that sends all traffic from 192.168.1.0/24 through
the VPN tunnel.

I set up port forwarding according to Mullvad guides on my router. I have
confirmed port forwarding in Mullvad is working as I am forwarding ports to
other services without any issues.

iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930
iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930

However, even with these rules I am not able to connect to WireGuard when
using my VPN IP.


Now if I add a route to my VPN client that states all traffic from
192.168.1.63 goes through the WAN, then I can connect to WireGuard, but using
my ISP's IP address. With this setup I only have access to the LAN. My ideal
setup, so that I don't need to switch to a different WireGuard tunnel when I
leave my home network, is that I be able to access my LAN as well as route all
traffic via Mullvad.


So I think the issue I need to solve is why I am not able to reach
WireGuard even with port forwarding set up in Mullvad when using my VPN IP.

--
Arpit



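The check David suggests (does the reply leave on the interface the request arrived on?) and the two policy rules Arpit describes can be reproduced with a small model of Linux policy routing (ip rule plus routing tables). This is an added example, not code from the thread or from any router firmware. The addresses come from the thread (LAN 192.168.1.0/24, WireGuard host 192.168.1.63); the interface names br0, eth0 and tun0, the table names, the rule priorities and the phone's public address 203.0.113.10 are constructed.

```python
"""Model of Linux policy routing (ip rule + routing tables) on a home router
whose default route points into a VPN tunnel.

Added example, not code from the thread or from any router firmware.
Addresses come from the thread (LAN 192.168.1.0/24, WireGuard host
192.168.1.63); interface names (br0, eth0, tun0), table names, rule
priorities and the client's public IP 203.0.113.10 are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dst: str  # destination prefix in CIDR form
    dev: str  # egress interface


@dataclass(frozen=True)
class Rule:
    priority: int              # lower number is evaluated first, like ip rule
    table: str                 # routing table consulted when the rule matches
    src: Optional[str] = None  # "from <prefix>" selector; None matches any
    iif: Optional[str] = None  # "iif <dev>" selector; None matches any


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match of dst inside one routing table."""
    ip = ip_address(dst)
    best_dev, best_len = None, -1
    for route in table:
        net = ip_network(route.dst, strict=False)
        if ip in net and net.prefixlen > best_len:
            best_dev, best_len = route.dev, net.prefixlen
    return best_dev


def egress_for(rules: List[Rule], tables: Dict[str, List[Route]],
               src: str, dst: str, iif: Optional[str] = None) -> Optional[str]:
    """Walk the rules in priority order; the first table that has a route
    for dst decides the egress interface (the kernel's behaviour for rules
    without suppressors)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and ip_address(src) not in ip_network(rule.src, strict=False):
            continue
        if rule.iif is not None and rule.iif != iif:
            continue
        dev = lookup(tables[rule.table], dst)
        if dev is not None:
            return dev
    return None


def reply_is_symmetric(rules: List[Rule], tables: Dict[str, List[Route]],
                       arrived_on: str, reply_src: str, reply_dst: str) -> bool:
    """David's check: does the reply leave on the interface the request arrived on?"""
    return egress_for(rules, tables, reply_src, reply_dst) == arrived_on


LAN = "192.168.1.0/24"
WG_HOST = "192.168.1.63"
CLIENT_PUBLIC_IP = "203.0.113.10"  # constructed: the phone's address when away

TABLES = {
    # plain router: LAN on the bridge, everything else out the WAN uplink
    "main": [Route(LAN, "br0"), Route("0.0.0.0/0", "eth0")],
    # same LAN route, but the default route goes into the Mullvad tunnel
    "vpn": [Route(LAN, "br0"), Route("0.0.0.0/0", "tun0")],
}

# Arpit's first policy: every LAN source goes through the tunnel.
RULES_ALL_LAN_VIA_VPN = [Rule(100, "vpn", src=LAN), Rule(32766, "main")]

# The exception he added later: the WireGuard host alone uses the WAN.
RULES_WG_HOST_VIA_WAN = [Rule(50, "main", src=WG_HOST + "/32")] + RULES_ALL_LAN_VIA_VPN


if __name__ == "__main__":
    for name, rules in (("all LAN via VPN", RULES_ALL_LAN_VIA_VPN),
                        ("WG host via WAN", RULES_WG_HOST_VIA_WAN)):
        out = egress_for(rules, TABLES, WG_HOST, CLIENT_PUBLIC_IP)
        ok = reply_is_symmetric(rules, TABLES, "eth0", WG_HOST, CLIENT_PUBLIC_IP)
        print(f"{name}: handshake reply leaves via {out}; symmetric with eth0: {ok}")
```

With the first rule set, a handshake initiation that arrived through the ISP address on eth0 and was forwarded to 192.168.1.63 gets its response routed into tun0. The response then leaves Mullvad's exit with a different source address, and the NAT in front of the phone typically has no mapping for it, so it is dropped before the client ever sees it; the first message's log (initiations sent, no reply, retry) is what that looks like from the client side. The /32 exception restores symmetry, but because the server's PostUp MASQUERADE also rewrites the remote clients' forwarded traffic to 192.168.1.63, it sends that traffic out the WAN too, which is the trade-off Arpit describes. Arriving via the VPN address (iif tun0, table vpn) is symmetric without any exception, which matches his final finding once the phone was no longer on the home Wi-Fi. Keying the rule on the interface the connection arrived on (a conntrack mark set on ingress) rather than on the source address is the finer-grained version of what David describes; the source-based rule modelled here is the one the thread actually used.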

* Re: Can't connect to WireGuard when router connected to a VPN service
@ 2019-03-07 19:18             ` Arpit Gupta
From: Arpit Gupta @ 2019-03-07 19:18 UTC (permalink / raw)
  To: David Kerr; +Cc: wireguard



Man, this was a PEBKAC issue :).

The way I was using WireGuard before was I would always leave it on even
when I was at home. However, now when I am home my wireless is connected to
the Mullvad VPN. So when I tried to connect to WireGuard using the VPN IP it
did not work. When I switched my phone's Wi-Fi off and then used the VPN IP
to connect to WireGuard, it worked just fine.

Now I will do some research on how I can make this work at home and
outside :).

Sorry for all the noise.

Thanks
--
Arpit


