Actually false alarm :(.

Can only get it to work if I add a policy rule in my router's VPN client to send all traffic from the host running WireGuard through the WAN, thus skipping the VPN, which is not ideal: when I am routing all traffic through WireGuard I ideally want it to use the VPN tunnel on my router.


On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <> wrote:
Got it working :).

Did not need to change any client or server settings. However, I needed to add another policy rule in my VPN client. The rule states:

Source: WireGuard server
Destination: (so any of my WireGuard clients)
Interface: WAN

So this way WireGuard traffic does not go through the VPN.

On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <> wrote:
Tried changing the AllowedIPs to what was suggested and it did not work. Same behavior as before. Also, my configs were working as expected before I had my router connected to a VPN service.

It required me to add the following route policy for my VPN client on my router:

Source IP:, Destination: will go through the VPN. So does it matter if I connected to WireGuard using the IP address of the ISP vs the IP address of the VPN?


On Wed, Mar 6, 2019 at 1:18 AM XRP <> wrote:
On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
> On my server my conf is
> [Interface]
> Address =
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> ListenPort = 54930
> PrivateKey = xxxxx
> [Peer]
> PublicKey = xxxx
> AllowedIPs =
> on my client my config is
> [Interface]
> Address =
> PrivateKey = xxxxx
> ListenPort = 21841
> DNS =
> [Peer]
> PublicKey = xxxx
> Endpoint = ddns:xxx
> AllowedIPs =
> # This is for if you're behind a NAT and
> # want the connection to be kept alive.
> PersistentKeepalive = 25

Try changing AllowedIPs in the client config to:
AllowedIPs =,

Also, if you want to masquerade the traffic to the internet you need to
add to the client or change the destination IP to the server
node via a NAT rule, otherwise it's going to be rejected because the IP
packet doesn't have an AllowedIP address, I think. (The source needs to
match, so either or My guess is
that's why you couldn't complete the handshake.
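The AllowedIPs behaviour XRP describes (a decrypted packet is dropped unless its source address falls inside the sending peer's AllowedIPs, and an outbound packet is only encrypted to a peer whose AllowedIPs cover the destination) modelled as a small cryptokey-routing table. This is an added example, not code or configuration from the thread; the tunnel addresses, the internet host and the `0.0.0.0/0` default route are constructed assumptions standing in for the values that were stripped from the quoted configs.

```python
import ipaddress

# Constructed sample addresses (the real ones were stripped from the thread);
# everything below is an assumption used for illustration only.
SERVER_TUNNEL_IP = "10.0.0.1"
CLIENT_TUNNEL_IP = "10.0.0.2"
INTERNET_HOST = "93.184.216.34"


def build_table(peers):
    """peers: {peer_name: [cidr, ...]} -> list of (network, peer),
    most specific prefix first, mirroring WireGuard's cryptokey routing."""
    table = [(ipaddress.ip_network(cidr, strict=False), name)
             for name, cidrs in peers.items() for cidr in cidrs]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, ip):
    """Longest-prefix match: the peer whose AllowedIPs cover ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, name in table:
        if addr in net:
            return name
    return None


def route_outbound(table, dst_ip):
    """Plaintext packet leaving the host: encrypted to the peer whose
    AllowedIPs cover the destination; with no match WireGuard drops it."""
    return lookup(table, dst_ip)


def accept_inbound(table, from_peer, src_ip):
    """Decrypted packet from from_peer is kept only if its source address
    is inside that peer's AllowedIPs; otherwise it is silently dropped."""
    return lookup(table, src_ip) == from_peer


def demo():
    # Client config as quoted in the thread: only the server's tunnel IP allowed.
    before = build_table({"server": [SERVER_TUNNEL_IP + "/32"]})
    # Client config with an assumed default route added to AllowedIPs.
    after = build_table({"server": [SERVER_TUNNEL_IP + "/32", "0.0.0.0/0"]})
    return {
        "before_can_reach_internet": route_outbound(before, INTERNET_HOST) is not None,
        "before_accepts_reply": accept_inbound(before, "server", INTERNET_HOST),
        "after_can_reach_internet": route_outbound(after, INTERNET_HOST) is not None,
        "after_accepts_reply": accept_inbound(after, "server", INTERNET_HOST),
    }
```

With the server masquerading on eth0, replies arrive at the client decrypted with the internet host as source address, so the client needs that address covered by the server peer's AllowedIPs or the reply never leaves the tunnel.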