wireguard.lists.zx2c4.com archive mirror
* Issues with excluding private IPs
@ 2019-08-15  1:36 Oliver Benning
  2019-08-25 19:18 ` Derrick Lyndon Pallas
  0 siblings, 1 reply; 2+ messages in thread
From: Oliver Benning @ 2019-08-15  1:36 UTC (permalink / raw)
  To: wireguard



My setup (may be unrelated):

I have a public endpoint hosted on Digital Ocean, which I connect to simply through its external IP address as the endpoint. It was set up using Streisand.

The endpoint itself acts as a DNS resolver within the tunnel for ad blocking purposes, so the WireGuard profile uses the endpoint's internal IP address in the DNS field. This setup has been documented online.

The issue (on both Mac and iPhone clients):
I would like to exclude private IPs from the tunnel to connect to internal resources. Connection works fine with AllowedIPs=0.0.0.0/0; it does not work when using the "Exclude private IPs" option.

Log just shows:
[NET] peer(5m6B…jmno) - Sending handshake initiation
[NET] peer(5m6B…jmno) - Failed to send handshake initiation write udp4 0.0.0.0:63865->[EXTERNAL-IP]:51820: sendto: network is unreachable

I also have tried using a set of CIDR blocks such that the droplet's external IP is excluded from the range, and that did not work either. If I have a misconception about the configuration or there is something I should try, please let me know.

Recommendation
This may have been recommended below, but I would highly suggest a list of IPs to subtract from the tunnel. My ideal scenario would be:

AllowedIPs = 0.0.0.0/0
ExceptedIPs = 192.168.1.0/24

Cheers,
Oliver



_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
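As an added illustration, not code from the thread or from the WireGuard apps: the subtraction Oliver proposes (AllowedIPs = 0.0.0.0/0 minus an ExceptedIPs list) computed with Python's ipaddress module, followed by a check of which addresses the profile depends on are no longer routed into the tunnel. The three RFC 1918 ranges as the exception list and the resolver address 10.192.122.1 are constructed sample values; that the endpoint's tunnel-internal DNS address falls inside an excepted range is an assumption of the sample.

```python
import ipaddress

# Sample values constructed for this example: the three RFC 1918 ranges as
# an ExceptedIPs list, and a tunnel-internal resolver address of the kind
# the profile's DNS field might point at (hypothetical value).
PRIVATE_IPV4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
DNS_INTERNAL = "10.192.122.1"


def subtract_cidrs(allowed, excepted):
    """Return AllowedIPs covering every `allowed` prefix minus `excepted`.

    Each excepted prefix is carved out of the prefixes that contain it,
    prefixes lying entirely inside an exception are dropped, and the
    result is collapsed into the smallest equivalent CIDR list.
    """
    result = [ipaddress.ip_network(n, strict=False) for n in allowed]
    for exc in (ipaddress.ip_network(n, strict=False) for n in excepted):
        carved = []
        for net in result:
            if exc.version != net.version:
                carved.append(net)             # mixed families never overlap
            elif net.subnet_of(exc):
                continue                       # fully excluded (or equal)
            elif exc.subnet_of(net):
                carved.extend(net.address_exclude(exc))
            else:
                carved.append(net)             # disjoint, keep as is
        result = carved
    out = []
    for version in (4, 6):                     # collapse per address family
        same = [n for n in result if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def not_routed(allowed_ips, addresses):
    """Addresses that no AllowedIPs prefix sends into the tunnel."""
    nets = [ipaddress.ip_network(n) for n in allowed_ips]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    routes = subtract_cidrs(["0.0.0.0/0"], PRIVATE_IPV4)
    print("AllowedIPs =", ", ".join(routes))
    # A resolver on a private tunnel address is no longer reachable via
    # the tunnel once private ranges are excepted; a public one still is.
    print("not routed:", not_routed(routes, [DNS_INTERNAL, "1.1.1.1"]))
```

Any address reported by not_routed is one the host's ordinary routing table will handle instead of the tunnel, which is the first thing to check for the DNS field and the endpoint after changing AllowedIPs.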


* Re: Issues with excluding private IPs
  2019-08-15  1:36 Issues with excluding private IPs Oliver Benning
@ 2019-08-25 19:18 ` Derrick Lyndon Pallas
  0 siblings, 0 replies; 2+ messages in thread
From: Derrick Lyndon Pallas @ 2019-08-25 19:18 UTC (permalink / raw)
  To: Oliver Benning; +Cc: wireguard



Doesn't a routing rule solve this issue?

~Derrick • iPhone

> On Aug 14, 2019, at 6:36 PM, Oliver Benning <obenning@fieldeffect.com> wrote:


