2

I have a Wireguard server in my corporate network.

I can successfully connect to it from internet (using port publication).

Wireguard server has two interfaces:

1: eth0: 192.168.30.100/24 
2: wg0: 192.168.99.1/24 

Here is the ip route output:

default via 192.168.30.1 dev eth0 proto static
192.168.30.0/24 dev eth0 proto kernel scope link src 192.168.30.100
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.1

Here is the Wireguard server's netplan:

network:
 version: 2
 renderer: networkd
 ethernets:
    eth0:
      addresses:
      - 192.168.30.100/24
      gateway4: 192.168.30.1

The Wireguard client (Windows) has a split-tunneling setup, designed to reach corporate networks via the Wireguard server, and everything else via the regular gateway. Here is the Wireguard client setup:

[Interface]
PrivateKey = ***
Address = 192.168.99.201/32
PostUp = powershell -command "$wgInterface = Get-NetAdapter -Name WG-server; route add 0.0.0.0 mask 0.0.0.0 0.0.0.0 if $wgInterface.ifIndex metric 9999; Set-NetIPInterface -InterfaceIndex $wgInterface.ifIndex -InterfaceMetric 9999; route add 192.168.99.0/24 0.0.0.0 if $wgInterface.ifIndex; route add 192.168.30.0/24 192.168.99.1 if $wgInterface.ifIndex;"
PreDown = powershell -command "$wgInterface = Get-NetAdapter -Name WG-server; route delete 0.0.0.0 mask 0.0.0.0 0.0.0.0 if $wgInterface.ifIndex metric 9999; Set-NetIPInterface -InterfaceIndex $wgInterface.ifIndex -InterfaceMetric 9999; route delete 192.168.99.0/24 0.0.0.0 if $wgInterface.ifIndex; route delete 192.168.30.0/24 192.168.99.1 if $wgInterface.ifIndex;"
Table = off

[Peer]
PublicKey = ***
AllowedIPs = 0.0.0.0/0
Endpoint = 37.228.89.163:4226

So, after that I get the following routing table on my Wireguard client (Windows):

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.124     55
          0.0.0.0          0.0.0.0         On-link    192.168.99.201  19998
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link     192.168.0.124    311
    192.168.0.124  255.255.255.255         On-link     192.168.0.124    311
    192.168.0.255  255.255.255.255         On-link     192.168.0.124    311
     192.168.30.0    255.255.255.0     192.168.99.1   192.168.99.201  10000
     192.168.99.0    255.255.255.0         On-link    192.168.99.201  10000
   192.168.99.201  255.255.255.255         On-link    192.168.99.201  10255
   192.168.99.255  255.255.255.255         On-link    192.168.99.201  10255
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.0.124    311
        224.0.0.0        240.0.0.0         On-link    192.168.99.201  10255
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.0.124    311
  255.255.255.255  255.255.255.255         On-link    192.168.99.201  10255

By the way, here is the interface config on the client:

PS C:\Windows\system32> netsh interface ip show address

Configuration for interface "Wi-Fi"
    DHCP enabled:                         Yes
    IP Address:                           192.168.0.124
    Subnet Prefix:                        192.168.0.0/24 (mask 255.255.255.0)
    Default Gateway:                      192.168.0.1
    Gateway Metric:                       0
    InterfaceMetric:                      55

Configuration for interface "WG-server"
    DHCP enabled:                         No
    IP Address:                           192.168.99.201
    Subnet Prefix:                        192.168.99.201/32 (mask 255.255.255.255)
    Default Gateway:                      0.0.0.0
    Gateway Metric:                       9999
    InterfaceMetric:                      9999

So... from the Wireguard server I can ping:

192.168.30.1 - internal corporate gateway
192.168.30.99 - some internal corporate host
192.168.99.201 - wireguard client

From corporate gateway (ip = 192.168.30.1) I can ping (with static route to 192.168.99.0/24):

192.168.30.100 - wireguard eth0 interface (amazing, right? =))
192.168.99.1 - wireguard wg0 interface

But I CAN'T ping 192.168.99.201 - the Wireguard client.

Also, I can ping from the Wireguard client:

192.168.99.1 - wg server
192.168.30.100 - wg eth0 interface

But I CAN'T ping 192.168.30.1 or any other hosts in the corporate network.

It seems the Wireguard server does not route traffic correctly, or I made a mistake somewhere.

Here is a pic for you: [image: net setup]

Any ideas?

Nil

2 Answers

4

The solution was quite simple.

There is no need for any scripts to get split-tunneling.

1. Add these lines to wg0.conf:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

2. Modify the client's WG config in this way:

[Peer]
AllowedIPs = 192.168.99.0/24, 192.168.30.0/24

3. Enable net.ipv4.ip_forward = 1 on WG server.

So, I get no routes to the internet through the WG server, only to those specified networks.

Here are more details: https://iliasa.eu/wireguard-how-to-access-a-peers-local-network/

Nil
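The three steps above only work together: step 2 decides which destinations the client pushes into the tunnel, and steps 1 and 3 decide which of those the server will actually forward. The checker below, an added example that is not part of the answer or of WireGuard itself, parses a client config and classifies every AllowedIPs entry against what the server is set up to do; the tunnel subnet (192.168.99.0/24) and the forwarded network list (192.168.30.0/24) are taken from this thread and passed in as parameters, and the embedded config is a constructed sample with placeholders instead of real keys.

```python
import ipaddress

# Constructed sample: the client config the accepted answer arrives at
# (placeholders instead of the real keys and endpoint).
SPLIT_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 192.168.99.201/32

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 192.168.99.0/24, 192.168.30.0/24
Endpoint = <server-endpoint-placeholder>
"""

def parse_wg_conf(text):
    """Minimal parser for WireGuard's INI-like config. Returns a list of
    (section name, {key: value}); '#' comments and blank lines are skipped,
    and a key repeated inside a section (e.g. several AllowedIPs lines) is
    joined with ', ' so it can be split exactly like a single line."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = f"{current[key]}, {value}" if key in current else value
    return sections

def peer_allowed_ips(text):
    """All AllowedIPs networks across every [Peer] section, as ip_network objects."""
    nets = []
    for name, keys in parse_wg_conf(text):
        if name == "Peer":
            nets += [ipaddress.ip_network(c.strip(), strict=False)
                     for c in keys.get("AllowedIPs", "").split(",") if c.strip()]
    return nets

def split_tunnel_report(text, tunnel_net="192.168.99.0/24",
                        forwarded=("192.168.30.0/24",)):
    """Classify each AllowedIPs entry: 'default' (0.0.0.0/0 or ::/0, i.e. a full
    tunnel, not split tunneling), 'tunnel' (inside the wg0 subnet, reachable
    on-link), 'forwarded' (inside a network covered by the server's FORWARD and
    MASQUERADE rules) or 'unreachable' (routed into the tunnel, but nothing on
    the server forwards it: the symptom in the question, routes present, pings fail)."""
    tunnel = ipaddress.ip_network(tunnel_net)
    fwd = [ipaddress.ip_network(n) for n in forwarded]
    report = {}
    for net in peer_allowed_ips(text):
        if net.prefixlen == 0:
            kind = "default"
        elif net.version == tunnel.version and net.subnet_of(tunnel):
            kind = "tunnel"
        elif any(net.version == f.version and net.subnet_of(f) for f in fwd):
            kind = "forwarded"
        else:
            kind = "unreachable"
        report[str(net)] = kind
    return report
```

Running it with an empty forwarded list reproduces the state before step 1 and step 3 were applied on the server (192.168.30.0/24 comes back as unreachable), and feeding it the question's original AllowedIPs = 0.0.0.0/0 flags the full tunnel the client was running.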
0

I don't know about wireguard at all, but common VPN setups allow split tunneling using Add-VPNConnectionRoute. Could you please check it? Thanks in advance. =)