
I have created a WireGuard VPN server, but the clients cannot access some networks behind the server.

wireguard-server
eno1: 10.10.10.2/24 (GW)
eno2: 10.10.11.2/24
wg0: 10.66.66.1/24

I want the WireGuard VPN client to be able to access the network 10.10.11.0/24 (it works with 10.10.10.2/24).

route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 eno1
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eno1
10.10.11.0      0.0.0.0         255.255.255.0   U     0      0        0 eno2
10.66.66.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0

iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 44021 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i eno1 -o wg0 -j ACCEPT

I tried with ip route and an iptables masquerade rule, but it didn't work. Please help.

Solved!

Solved by adding these lines in wg0.conf:

     PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno2 -j MASQUERADE
     PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno2 -j MASQUERADE
  • Does this solution work for you?
    – harrymc
    Commented May 26, 2023 at 19:08
  • It works! Thank you very much, Harry!
    – Arthurency
    Commented May 27, 2023 at 0:29
  • @Arthurency hello, answers should be posted below questions, not in them.
    – Destroy666
    Commented May 27, 2023 at 1:17

1 Answer

The post Can't reach networks behind Wireguard VPN server. Split-tunneligt config on client has this answer:

Solution was quite simple.

There is no need for any scripts to get split-tunneling.

1. Add these lines in wg0.conf:

  PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

2. Modify the clients' WG config in this way:

  [Peer]
  AllowedIPs = 192.168.99.0/24, 192.168.30.0/24

3. Enable net.ipv4.ip_forward = 1 on WG server.

So, I get no routes to the internet through the WG server, only to those specified networks.

Here are more details: https://iliasa.eu/wireguard-how-to-access-a-peers-local-network/

Item 1 was enough to solve the poster's problem.
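The answer lists three conditions that all have to hold before a VPN client can reach a network behind the server: the server forwards and masquerades out of the right interface (item 1), the client's AllowedIPs covers the destination so WireGuard's cryptokey routing puts the packet into the tunnel at all (item 2), and ip_forward is on (item 3). The following Python is an added example, not code from the question, the answer or the WireGuard project: it renders the PostUp/PostDown hooks for any number of egress interfaces (a generalisation of the single-interface lines above) and models the client-side and server-side lookups so you can check which destinations will be reachable before touching the real config. The interface names and networks come from the question's route -n output; the peer name and the client AllowedIPs in the usage are made up.

```python
"""Added example: model the three conditions from the answer above.

Interfaces and networks are copied from the question's `route -n` output; the
peer names and client AllowedIPs used below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Server routing table, constructed from the question's `route -n` output
# (network, outgoing interface). 0.0.0.0/0 is the default route via eno1.
SERVER_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "eno1"),
    ("10.10.10.0/24", "eno1"),
    ("10.10.11.0/24", "eno2"),
    ("10.66.66.0/24", "wg0"),
]


def render_wg_hooks(wg_iface: str, egress_ifaces: List[str]) -> Dict[str, str]:
    """Build the PostUp/PostDown lines for wg0.conf (item 1 of the answer).

    Generalises the answer's single MASQUERADE rule to one rule per egress
    interface the VPN should reach through. PostDown repeats each rule with -D
    and identical arguments so the rules are removed cleanly on shutdown.
    """
    up = [f"iptables -A FORWARD -i {wg_iface} -j ACCEPT"]
    down = [f"iptables -D FORWARD -i {wg_iface} -j ACCEPT"]
    for iface in egress_ifaces:
        up.append(f"iptables -t nat -A POSTROUTING -o {iface} -j MASQUERADE")
        down.append(f"iptables -t nat -D POSTROUTING -o {iface} -j MASQUERADE")
    return {"PostUp": "; ".join(up), "PostDown": "; ".join(down)}


def select_peer(dst: str, peers: Dict[str, List[str]]) -> Optional[str]:
    """Cryptokey routing as the client applies it (item 2 of the answer).

    A packet goes to the peer whose AllowedIPs holds the most specific prefix
    matching dst; if no peer matches, the packet never enters the tunnel.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[str] = None
    best_len = -1
    for name, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def egress_iface(dst: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Server-side longest-prefix lookup: the interface that forwards dst."""
    addr = ipaddress.ip_address(dst)
    best: Optional[str] = None
    best_len = -1
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def reachable(dst: str, client_peers: Dict[str, List[str]],
              masq_ifaces: List[str], ip_forward: bool) -> bool:
    """True only when all three conditions from the answer hold for dst.

    MASQUERADE on the egress interface is treated as required, as in the
    answer; the alternative is a return route for the wg0 subnet on every
    host of the destination LAN, which this model does not consider.
    """
    if select_peer(dst, client_peers) is None:
        return False  # item 2: client keeps the packet out of the tunnel
    if not ip_forward:
        return False  # item 3: kernel drops forwarded packets
    iface = egress_iface(dst, SERVER_ROUTES)
    return iface is not None and iface in masq_ifaces  # item 1


if __name__ == "__main__":
    hooks = render_wg_hooks("wg0", ["eno2"])
    print(f"PostUp = {hooks['PostUp']}")
    print(f"PostDown = {hooks['PostDown']}")
    # Constructed split-tunnel client config: server address plus both LANs.
    client = {"server": ["10.66.66.1/32", "10.10.10.0/24", "10.10.11.0/24"]}
    for dst in ("10.10.11.50", "10.10.10.50", "8.8.8.8"):
        print(dst, "reachable:", reachable(dst, client, ["eno2"], True))
```

In the question's setup the FORWARD chain policy is ACCEPT, so reply packets from 10.10.11.0/24 back towards wg0 pass without an explicit rule; on a server whose FORWARD policy is DROP, the `-i wg0 -j ACCEPT` rule alone would let requests out but not replies back, and a `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule is needed as well. Note also that `-i wg0 -j ACCEPT` lets VPN clients reach every network the server can route to, not just 10.10.11.0/24; restricting the rule with `-d 10.10.11.0/24` keeps the tunnel to the networks it is meant for.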
