Thank you to all who answered. This is working as expected now and I have a better understanding of how the AllowedIPs config works as well.

-jeremy

On 2023-01-04 06:47, Contact@nagel-mail.com wrote:
> Hello,
> As I understand your question, you are trying to accomplish, that only
> your WireGuard network (extracted from your config some 10.0.0.0/8
> network. The 192.168.128.0/17 would be a home network?)
> Will be routed from your client to your WireGuard server. The rest
> should just leave your client network card and routed from your local
> network. For that you simply have to set: AllowedIPs = 10.10.10.1/32
> Or the whole 10.x/x Network you are using.
> Hope I understood your question correctly.
>
> Best regards
>
> J. Nagel
> IT Specialist for System Integration
>
> Contact@Nagel-Mail.com
>
>> On 04.01.2023 at 14:47, Jeremy Hansen wrote:
>>
>> I have a remote network that I've tied in to my WG server. I'm
>> noticing that all traffic from this remote network that goes outbound
>> to the internet is getting routed through my wireguard server.
>>
>> Client config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.10/32
>> ListenPort = 51821
>>
>> [Peer]
>> PublicKey = XXXX
>> Endpoint = 11.11.11.11:51821 <- IP of the WG server.
>> AllowedIPs = 0.0.0.0/0, ::/0
>> PersistentKeepAlive=25
>>
>>
>> Server config:
>> [Interface]
>> PrivateKey = XXXX
>> Address = 10.10.10.1/32
>> ListenPort = 51821
>>
>> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
>>
>> # IP forwarding
>> PreUp = sysctl -w net.ipv4.ip_forward=1
>>
>> [Peer]
>> PublicKey = XXXX
>> AllowedIPs = 10.10.10.10/32, 192.168.128.0/17 <- Client's internal network.
>>
>>
>> My goal is that regular outbound traffic just goes out the client
>> node's outside routable interface and traffic between the internal
>> networks goes through wireguard.
>>
>> For example, I'm seeing email being sent through the MTA I have
>> configured on the "client" is showing up as originating from the
>> outbound IP of the "server".
>>
>> Thanks!
>> <0x1BF1B863.asc>
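
Added example (not part of the thread, and not code from the WireGuard project): a small Python check of which destinations a client's AllowedIPs covers, run on constructed configs modelled on the one quoted above, first with 0.0.0.0/0, ::/0 and then with the suggested 10.10.10.1/32. It models only AllowedIPs coverage, not the rest of the kernel routing table; the function names and the 203.0.113.25 destination are assumptions.

```python
import ipaddress

# Constructed client config modelled on the thread (keys omitted).
ORIGINAL = """
[Interface]
Address = 10.10.10.10/32

[Peer]
Endpoint = 11.11.11.11:51821
AllowedIPs = 0.0.0.0/0, ::/0
"""
# Same config with the AllowedIPs value suggested in the reply.
SUGGESTED = ORIGINAL.replace("0.0.0.0/0, ::/0", "10.10.10.1/32")


def peer_allowed_ips(conf_text):
    """Return one list of ip_network objects per [Peer] section."""
    peers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([])
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            peers[-1] += [ipaddress.ip_network(v.strip(), strict=False)
                          for v in value.split(",") if v.strip()]
    return peers


def via_tunnel(conf_text, dest):
    """Most specific AllowedIPs prefix covering dest, or None if no peer covers it."""
    addr = ipaddress.ip_address(dest)
    matches = [net for nets in peer_allowed_ips(conf_text) for net in nets
               if net.version == addr.version and addr in net]
    return max(matches, key=lambda net: net.prefixlen, default=None)


if __name__ == "__main__":
    # 203.0.113.25 stands in for an external mail server (constructed value).
    for name, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for dest in ("10.10.10.1", "203.0.113.25", "2001:db8::1"):
            print(f"{name:9} {dest:13} -> {via_tunnel(conf, dest) or 'not tunneled'}")
```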