I installed WireGuard on my host and set this configuration /etc/wireguard/wg0.conf
:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [REDACTED]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.4/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.5/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.6/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.7/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.8/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.9/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.10/32
[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.11/32
Nmap scan when wg0 is down:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:26 CDT
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
179/tcp filtered bgp
Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
Nmap scan when wg0 is up:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:27 CDT
All 1000 scanned ports are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 201.43 seconds
I also cannot connect to host via ssh. How to fix this issue?
Upd. Fixed my changing server WireGuard IP to 10.0.1.1. 10.0.0.1 was already taken
AllowdIPs defines the traffic to be routed. These are single IPs, not subnets.
Edit: discussion talking about this same problem to illustrate: https://forum.gl-inet.com/t/split-tunnel-via-vpn-policy-or-via-wireguard-allowedips-config/31318
I don’t think that’s what the setting does. Anyway, I have them set to a /32 IP in my server config and it works nonetheless. I get full access to the /24 behind the server from the client.
That’s exactly what it does. Easy to see if OP new how to read their route tables.
Here’s another: https://serverfault.com/questions/1102455/wireguard-policy-based-routing
What are you trying to say? That reply also shows AllowedIPs set to a /32 on the server side.
For Peers. There’s no other route in OPs post. Like they said, when wg0 goes up, he can’t reach anything else. All that happens is this interface comes out, changes the routing tables and forwarding, but doesn’t go anywhere. It needs to be routed to the existing default gateway of the host. All this does is blackhole to the wg0 interface.
Like I said in another thread on this post, I’m pretty sure that’s because they are forwarding input but not output in the PostUp rules. Setting a /32 in AllowedIPs works fine for me.
Thanks for help. Everything is fixed, read post update
Oh yeah, can’t use the same IP range as your LAN, that will lead to problems. :D Glad it’s fixed.
Out of curiosity, does forwarding work now without the output (-o) command in PostUp?
I left PostUp as is and didn’t try removing -o))
What “other route” are you expecting to see? My configuration looks very similar to OPs though I have an extra iptables entry in PostUp:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
Is that what you mean?
Thanks for help. Everything is fixed, read post update