Development discussion of WireGuard
From: Arpit Gupta <g.arpit@gmail.com>
To: David Kerr <david@kerr.net>
Cc: wireguard@lists.zx2c4.com
Subject: Re: cant connect to wireguard when router connected to a vpn service
Date: Thu, 7 Mar 2019 11:18:26 -0800	[thread overview]
Message-ID: <CAGCGytJgXWOjk2YuTau9TB6QCqD_W9r5CkuaN1tcBnJuHEcjnw@mail.gmail.com> (raw)
In-Reply-To: <CAGCGytL6SoA4pJRE1wJ2r9V80WMeyXKMyVatTm+N0Ox4-a-d0w@mail.gmail.com>



Man this was a pebkac issue :).

The way I was using wireguard before was I would always leave it on even
when I was at home. However, now when I am home my wireless is connected to
mullvad vpn. So when I tried to connect to wireguard using the vpn ip it
did not work. When I switched my phone's wifi off and then used the vpn ip
to connect to wireguard it worked just fine.

Now I will do some research on how I can make this work at home and
outside :).

Sorry for all the noise.

Thanks
--
Arpit


On Thu, Mar 7, 2019 at 9:54 AM Arpit Gupta <g.arpit@gmail.com> wrote:

> I am a noob in networking commands so looking for any pointers :). I think
> the issue is packets are getting directed somewhere else because of a
> default route.
>
> Here is info on my setup.
>
> Wireguard running on host: 192.168.1.63
>
> Router: 192.168.1.1 is also running a VPN Client and is connected to
> mullvad vpn service. This sets up a tunnel on my router. I have a policy
> rule setup on my router that sends all traffic from 192.168.1.0/24
> through the vpn tunnel.
>
> I set up port forwarding according to mullvad guides on my router. I have
> confirmed port forwarding in mullvad is working as I am forwarding ports to
> other services without any issues.
>
> iptables -t nat -A PREROUTING -i tun+ -p tcp --dport xxxx -j DNAT
> --to-destination 192.168.1.63:54930
> iptables -t nat -A PREROUTING -i tun+ -p udp --dport xxxx -j DNAT
> --to-destination 192.168.1.63:54930
>
> However, even with these rules I am not able to connect to wireguard when
> using my vpn ip.
>
>
> Now if I add a route to my vpn client that states all traffic from
> 192.168.1.63 goes through the wan then I can connect to wireguard but using
> my isp's ip address. With this setup I only have access to lan. My ideal
> setup so that I don't need to switch to a different wireguard tunnel when I
> leave my home network is that I be able to access my lan as well as route all
> traffic via mullvad.
>
>
> So I think the issue I need to solve is how come I am not able to reach
> wireguard even with port forwarding set up in mullvad when using my vpn ip.
>
> --
> Arpit
>
>
> On Thu, Mar 7, 2019 at 12:04 AM David Kerr <david@kerr.net> wrote:
>
>> I'm a little confused as to the network architecture.  Are you running a
>> wireguard VPN inside of your OpenVPN?  Or do you have two VPNs connecting
>> into your host independently?  Either way, the first thing I would look at
>> is your ip route tables.  You need to make sure that packets that arrive on
>> one interface (e.g. wg0) are replied to over that same interface and are
>> not directed out somewhere else by virtue of the default route pointing
>> elsewhere.
>>
>> David
>>
>> On Wed, Mar 6, 2019 at 1:23 PM Arpit Gupta <g.arpit@gmail.com> wrote:
>>
>>> Actually false alarm :(.
>>>
>>> Can only get it to work if I add a policy rule in my router vpn client
>>> to send all traffic from the host running wireguard through the WAN and thus
>>> skipping the VPN, which is not ideal as when I am routing all traffic through
>>> wireguard ideally I want it to use the vpn tunnel on my router.
>>>
>>>
>>> --
>>> Arpit
>>>
>>>
>>> On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit@gmail.com> wrote:
>>>
>>>> Got it working :).
>>>>
>>>> Did not need to change any client or server settings. However, I needed to
>>>> add another policy rule in my vpn client. The rule states:
>>>>
>>>> Source: wireguard server
>>>> destination: 192.168.100.0/24 (so any of my wireguard clients)
>>>> interface: WAN
>>>>
>>>> So this way wireguard traffic does not go through the VPN.
>>>> --
>>>> Arpit
>>>>
>>>>
>>>> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit@gmail.com> wrote:
>>>>
>>>>> Tried changing the allowed IPs to what was suggested and it did not
>>>>> work. Same behavior as before. Also my configs were working as expected
>>>>> before I had my router connected to a vpn service.
>>>>>
>>>>> It required me to add the following route policy for my vpn client on
>>>>> my router
>>>>>
>>>>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the
>>>>> VPN. So does it matter if I connected to wireguard using the ip address of
>>>>> the ISP vs the IP address of the VPN?
>>>>>
>>>>>
>>>>> --
>>>>> Arpit
>>>>>
>>>>>
>>>>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote:
>>>>>
>>>>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>>>>> > On my server my conf is
>>>>>> >
>>>>>> > [Interface]
>>>>>> > Address = 192.168.100.1/32
>>>>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>>>>> > ListenPort = 54930
>>>>>> > PrivateKey = xxxxx
>>>>>> >
>>>>>> > [Peer]
>>>>>> > PublicKey = xxxx
>>>>>> > AllowedIPs = 192.168.100.2/32
>>>>>> >
>>>>>> >
>>>>>> > on my client my config is
>>>>>> >
>>>>>> > [Interface]
>>>>>> > Address = 192.168.100.2
>>>>>> > PrivateKey = xxxxx
>>>>>> > ListenPort = 21841
>>>>>> > DNS = 192.168.1.63
>>>>>> >
>>>>>> > [Peer]
>>>>>> > PublicKey = xxxx
>>>>>> > Endpoint = ddns:xxx
>>>>>> > AllowedIPs = 192.168.1.0/24
>>>>>> >
>>>>>> > # This is for if you're behind a NAT and
>>>>>> > # want the connection to be kept alive.
>>>>>> > PersistentKeepalive = 25
>>>>>>
>>>>>> Try changing AllowedIPs in the client config to:
>>>>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>>>>
>>>>>> Also, if you want to masquerade the traffic to the internet you need to
>>>>>> add 0.0.0.0/0 to the client or change the destination IP to the server
>>>>>> node via a NAT rule, otherwise it's going to be rejected because the IP
>>>>>> packet doesn't have an AllowedIP address, I think. (The source needs to
>>>>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>>>>>> that's why you couldn't complete the handshake.
>>>>>>
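The AllowedIPs advice in the thread is about WireGuard's cryptokey routing, which uses the same list in both directions: a destination is sent to the peer whose AllowedIPs covers it most specifically, and a decrypted packet is dropped unless its source lies in that peer's AllowedIPs. The following is an added Python model of that rule (not code from the list or from WireGuard itself), applied to the client configurations discussed above; the peer tables and test addresses are constructed for illustration.

```python
import ipaddress

# Constructed peer tables modelled on the client [Peer] blocks in the thread.
# Cryptokey routing, as WireGuard applies it:
#   outbound: destination must match some peer's AllowedIPs (longest prefix wins)
#   inbound : packet from a peer is dropped unless its source is in that peer's AllowedIPs


def parse_allowed(allowed_ips: str):
    """Turn a comma-separated AllowedIPs value into a list of networks."""
    return [ipaddress.ip_network(p.strip()) for p in allowed_ips.split(",") if p.strip()]


def select_peer(peers: dict, dst: str):
    """Return the peer whose AllowedIPs most specifically covers dst, or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers: dict, peer: str, src: str) -> bool:
    """True only if src falls inside the sending peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peers[peer])


# Original client config: AllowedIPs = 192.168.1.0/24 (LAN only)
ORIGINAL = {"server": parse_allowed("192.168.1.0/24")}
# XRP's suggestion: also cover the server's own tunnel address
SUGGESTED = {"server": parse_allowed("192.168.100.1/32,192.168.1.0/24")}
# Full-tunnel variant: 0.0.0.0/0 so internet traffic is routed via the server
FULL = {"server": parse_allowed("0.0.0.0/0")}


def demo():
    return {
        # a LAN host behind the server is routable with the original config
        "lan_out": select_peer(ORIGINAL, "192.168.1.63"),
        # a reply sourced from the server's tunnel IP is dropped by the original config
        "server_reply_original": accept_inbound(ORIGINAL, "server", "192.168.100.1"),
        "server_reply_suggested": accept_inbound(SUGGESTED, "server", "192.168.100.1"),
        # an internet destination has no matching peer without 0.0.0.0/0
        "internet_original": select_peer(ORIGINAL, "1.1.1.1"),
        "internet_full": select_peer(FULL, "1.1.1.1"),
        # the masqueraded reply arrives with an internet source, accepted only by 0.0.0.0/0
        "internet_reply_full": accept_inbound(FULL, "server", "1.1.1.1"),
    }
```

With the original config the server's own tunnel address 192.168.100.1 is neither routable nor an acceptable packet source, which is the symptom XRP's suggestion addresses; the full-tunnel table shows why 0.0.0.0/0 is needed once MASQUERADE is used for internet traffic.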
