
TCB13 (@TCB13@lemmy.world), edited

Wireguard will definitely not work first try.

And… why not? OpenVPN is 10 times worse because of the mess they’ve made with push route and other options.

your clients should have AllowedIPs set to 0.0.0.0/0, ::/0 in their respective configuration file. I found this pretty counterintuitive, b

Why would you? Those are the IPs that the client is able to access through the VPN tunnel and 0.0.0.0/0, ::/0 means all IP addresses, totally NOT counterintuitive.

You need to tell sysctl to forward IP traffic,

Yes, maybe… but not permanently at least. You can set it up in the server conf file via PostUp and PostDown:


```ini
[Interface]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```

If required, prepend `sysctl -w net.ipv4.ip_forward=1; sysctl -w net.ipv6.conf.all.forwarding=1;` to PostUp and remove with `=0` on PostDown.

The downside of what you described is that you’re enabling IP forwarding permanently and even if the WG tunnel is down. This may pose a few security concerns in some situations.
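Added example, not part of the original comment: a shell check for the condition described above, where IP forwarding is on although the WireGuard interface is down, or is enabled persistently through sysctl configuration. The function name, the `wg0` interface name and the optional root-directory argument (used to point the check at a constructed tree) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report IP forwarding that outlives the WireGuard tunnel.
# Usage on a live host: audit_forwarding wg0
# The optional second argument is a hypothetical root prefix for testing.
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_forwarding() {
    iface=$1
    root=${2:-}
    findings=0

    # wg-quick creates the interface on "up" and deletes it on "down",
    # so its presence under /sys/class/net is used as the tunnel state.
    if [ -e "$root/sys/class/net/$iface" ]; then tunnel=up; else tunnel=down; fi

    # Runtime state: forwarding enabled while the tunnel is down.
    for key in net/ipv4/ip_forward net/ipv6/conf/all/forwarding; do
        f="$root/proc/sys/$key"
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" = "1" ] && [ "$tunnel" = "down" ]; then
            echo "RUNTIME: $key=1 while $iface is down"
            findings=$((findings + 1))
        fi
    done

    # Persistent state: forwarding switched on at boot, regardless of the tunnel.
    # Only the dotted key spelling is matched; commented-out lines are skipped.
    for conf in "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/*.conf; do
        [ -r "$conf" ] || continue
        if grep -Eq '^[[:space:]]*net\.(ipv4\.ip_forward|ipv6\.conf\.all\.forwarding)[[:space:]]*=[[:space:]]*1' "$conf"; then
            echo "PERSISTENT: forwarding enabled in ${conf#"$root"}"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Container runtimes and hypervisor networking also enable forwarding, so a finding is a prompt to review which component set it, not proof of a misconfiguration.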
