Development discussion of WireGuard
From: Oliver Benning <obenning@fieldeffect.com>
To: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: Issues with excluding private IPs
Date: Thu, 15 Aug 2019 01:36:49 +0000	[thread overview]
Message-ID: <CH2PR12MB42307DB3AAC719186C705171C8AC0@CH2PR12MB4230.namprd12.prod.outlook.com> (raw)



My setup (may be unrelated):

I have a public endpoint hosted on Digital Ocean, which I connect to simply through its external IP address as the endpoint. It was set up using Streisand.

The endpoint itself acts as a DNS resolver within the tunnel for ad blocking purposes, so the WireGuard profile uses the endpoint's internal IP address in the DNS field. This setup has been documented online.

The issue (on both Mac and iPhone clients):
I would like to exclude private IPs from the tunnel to connect to internal resources. Connection works fine with AllowedIPs=0.0.0.0/0; it does not work when using the "Exclude private IPs" option.

Log just shows:
[NET] peer(5m6B…jmno) - Sending handshake initiation
[NET] peer(5m6B…jmno) - Failed to send handshake initiation write udp4 0.0.0.0:63865->[EXTERNAL-IP]:51820: sendto: network is unreachable

I also have tried using a set of CIDR blocks such that the droplet's external IP is excluded from the range, and that did not work either. If I have a misconception about the configuration or there is something I should try, please let me know.

Recommendation
This may have been recommended below, but I would highly suggest a list of IPs to subtract from the tunnel. My ideal scenario would be:

AllowedIPs = 0.0.0.0/0
ExceptedIPs = 192.168.1.0/24

Cheers,
Oliver



_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
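What the "Exclude private IPs" toggle and the proposed ExceptedIPs setting both come down to is prefix subtraction: take the AllowedIPs set, remove the excepted prefixes, and emit the minimal list of CIDR blocks that remains, since WireGuard's AllowedIPs can only express unions of prefixes, not holes. The script below is an added worked example, not code from the post or from the WireGuard project. It assumes the RFC 1918 ranges as the exclusion list (the actual list the client apps use may differ), and it uses constructed placeholder addresses: 203.0.113.10 for the droplet's external IP and 10.192.122.1 for the in-tunnel resolver. The report at the end is the check worth running on any such profile: whether the endpoint address and the DNS address still fall inside the computed AllowedIPs. Any exclusion list that removes 10.0.0.0/8 also removes a resolver that lives in that range, so the DNS field would then point at an address the tunnel no longer carries.

```python
"""
Prefix subtraction for WireGuard AllowedIPs (added example, not project code).

Computes AllowedIPs minus ExceptedIPs as a minimal list of CIDR blocks and
reports whether addresses a profile depends on are still routed via the tunnel.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed stand-in for what an "exclude private IPs" toggle removes.
# The real client list may differ; this is an illustrative assumption.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _collapse(nets: Iterable[Net]) -> List[Net]:
    """Merge adjacent/nested prefixes, per address family, and sort."""
    nets = list(nets)
    out: List[Net] = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))
    return sorted(out, key=lambda n: (n.version, n))


def subtract_prefixes(allowed: Iterable[str], excepted: Iterable[str]) -> List[Net]:
    """Return (union of allowed) minus (union of excepted) as minimal CIDR blocks."""
    result: List[Net] = [ipaddress.ip_network(a, strict=False) for a in allowed]
    for ex_str in excepted:
        ex = ipaddress.ip_network(ex_str, strict=False)
        next_result: List[Net] = []
        for net in result:
            if net.version != ex.version or not net.overlaps(ex):
                next_result.append(net)           # disjoint: keep as is
            elif ex.supernet_of(net):
                continue                          # net lies inside ex: drop it
            else:
                # ex is a strict subnet of net: keep everything around the hole.
                next_result.extend(net.address_exclude(ex))
        result = next_result
    return _collapse(result)


def covered_by(addr: str, nets: Iterable[Net]) -> bool:
    """True if addr falls inside any of nets (i.e. would be routed into the tunnel)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def render_allowed_ips(nets: Iterable[Net]) -> str:
    """Format the list the way it appears in a [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def profile_report(allowed: Iterable[str], excepted: Iterable[str],
                   endpoint_ip: str, dns_ip: str) -> Dict[str, object]:
    """Compute the effective AllowedIPs and flag which profile addresses it still covers."""
    nets = subtract_prefixes(allowed, excepted)
    return {
        "allowed_ips": [str(n) for n in nets],
        # Endpoint inside AllowedIPs: handshake packets themselves would match the
        # tunnel route unless the platform pins a host route for the endpoint.
        "endpoint_in_tunnel": covered_by(endpoint_ip, nets),
        # Resolver outside AllowedIPs: DNS queries leave via the local interface.
        "dns_in_tunnel": covered_by(dns_ip, nets),
    }


if __name__ == "__main__":
    # Constructed placeholders: TEST-NET-3 endpoint, hypothetical in-tunnel resolver.
    report = profile_report(["0.0.0.0/0"], [str(n) for n in RFC1918],
                            endpoint_ip="203.0.113.10", dns_ip="10.192.122.1")
    print(render_allowed_ips(subtract_prefixes(["0.0.0.0/0"], [str(n) for n in RFC1918])))
    print("endpoint routed via tunnel:", report["endpoint_in_tunnel"])
    print("DNS resolver routed via tunnel:", report["dns_in_tunnel"])
    # The ExceptedIPs scenario from the post, rendered as a plain AllowedIPs line:
    print(render_allowed_ips(subtract_prefixes(["0.0.0.0/0"], ["192.168.1.0/24"])))
```

Subtracting the three RFC 1918 ranges from 0.0.0.0/0 yields 31 blocks, and subtracting a single /24 yields 24, which is why a hand-maintained exclusion list is error-prone and why the post's ExceptedIPs shorthand is attractive: the client can expand it on the fly. The same function handles IPv6 (`::/0` minus `fd00::/8`) because `ipaddress` treats both families uniformly.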

Thread overview: 2+ messages
2019-08-15  1:36 Oliver Benning [this message]
2019-08-25 19:18 ` Derrick Lyndon Pallas
