Can't connect to host after enabling WireGuard tunnel

atzanteol , 2 hours ago

What does your client config look like? What IP are you connecting to for nmap/ssh?

user_naa OP , 2 hours ago

I didn’t connect any client yet.

Muehe , 2 hours ago

I think the problem might be your PostUp/PostDown lines have an in-interface (-i) but are missing an out-interface (-o) for the forwarding. Try this:

<span style="color:#323232;">PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
</span><span style="color:#323232;">PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
</span>

just_another_person , 5 hours ago

Because the default route is changing. You have ALL traffic being routed over Wireguard here. How would you expect that to allow the interface routing to work for the local network if you’re telling this to punt all traffic to this specific connection?

user_naa OP , 4 hours ago

What is correct config?

user_naa OP , 3 hours ago

I removed all PostUp rules and cleared iptables but still the same problem

just_another_person , 2 hours ago

Well, I mean…I can’t give you an entire tutorial on how Wireguard works here, but you have it way wrong.

If you’re not sure of the concepts and what you’re trying to do, I don’t know how to answer any questions for you. If you’re not familiar with what split-tunneling, subnet routing, and routing tables…you need to get way familiar before you start messing with this.

Your rules aren’t the problem. You’re only allowing a single IP at a time across many connections here. Learn to read your routing tables and debug from there.

Muehe , 2 hours ago

You have ALL traffic being routed over Wireguard here.

Please correct me if I’m wrong, but isn’t it the other way around? All Wireguard traffic is forwarded to the local interface.

just_another_person , 2 hours ago

AllowdIPs defines the traffic to be routed. These are single IPs, not subnets.

Edit: discussion talking about this same problem to illustrate: forum.gl-inet.com/t/…/31318

Muehe , 2 hours ago

I don’t think that’s what the setting does. Anyway, I have them set to a /32 IP in my server config and it works nonetheless. I get full access to the /24 behind the server from the client.

just_another_person , 2 hours ago

That’s exactly what it does. Easy to see if OP new how to read their route tables.

Here’s another: serverfault.com/…/wireguard-policy-based-routing

Muehe , 2 hours ago

What are you trying to say? That reply also shows AllowedIPs set to a /32 on the server side.

just_another_person , 2 hours ago

For Peers. There’s no other route in OPs post. Like they said, when wg0 goes up, he can’t reach anything else. All that happens is this interface comes out, changes the routing tables and forwarding, but doesn’t go anywhere. It needs to be routed to the existing default gateway of the host. All this does is blackhole to the wg0 interface.

Muehe , 2 hours ago

Like I said in another thread on this post, I’m pretty sure that’s because they are forwarding input but not output in the PostUp rules. Setting a /32 in AllowedIPs works fine for me.