WireGuard Tunnel: Difference between revisions

Jump to navigation Jump to search
no edit summary
No edit summary
No edit summary
}
</nowiki>}}
 
=== Excluding subnets ===
 
If your client is on a LAN, you will probably want to configure your client in a way that it can still access other devices on the LAN directly and not through the tunnel. This can be done by further configuring the AllowedIPs setting.
 
For this, we will be using this very nice [https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/ AllowedIPs calculator tool].
 
For example, let's say your client is on a LAN that uses a subnet of <code>192.168.1.0/24</code>, and you want to route its internet connection to the tunnel, but still be able to access devices on the LAN. To do this, open the tool linked above, and put <code>0.0.0.0/0</code> in the Allowed IPs field. Then, put <code>192.168.1.0/24</code> in the Disallowed IPs field. This will give you a value like this:
 
{{code|lang=ini|<nowiki>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.0.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3
</nowiki>}}
 
Use it in your client's wg0.conf like so:
 
{{code|lang=ini|<nowiki>
[Interface]
PrivateKey = /ExampleClientPrivateKey1=
Address = 10.0.32.2/24
 
[Peer]
PublicKey = /ExampleServerPublicKey=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.0.0/24, 192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, 192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3
Endpoint = server ip:51820
</nowiki>}}
 
Restart the tunnel:
 
{{code|lang=bash|
sudo systemctl restart wg-quick@wg0
}}
 
If all went well, connections to public IPs should now be routed through the tunnel while the LAN subnet is still accessible.
 
== Port Forwarding ==

Navigation menu