Wireguard - Only route peer traffic through VPN, keep Internet traffic un-tunneled?

I have a working Wireguard setup, however on the clients, I only want them using the VPN for resources on its network, but Internet traffic to go through the ISP without being tunneled through the VPN.

My wireguard peer network is currently using 10.66.66.x as the network. From everything I’ve read, the recommendation is to change the entry:

AllowedIPs = 0.0.0.0/0

To only the VPN network:

AllowedIPs = 10.66.66.0/24

After making this change and restarting the wireguard service I can still access the wireguard peers on the 10.66.66.x network but can no longer access the Internet at all…

If I set it back to 0.0.0.0/0, then everything works but if I do something like:

traceroute google.com

Then it shows it going through the vpn gateway and not the default ISP gateway…


Is the vpn tunnel used to access only machines in the 10.66.66.0/24 network or are there also machines behind that with different IPs that need access via the vpn?

If you only need to access a specific subnet via the vpn then a script to remove the default route that is automatically created by the vpn and to add a route to that specific subnet when started should be all that is needed.

For example, if your machine gets 10.66.66.2 as its IP and the vpn creates a default route via the other end of that vpn at 10.66.66.1 then you would need to remove the default route via 10.66.66.1 and add a route to the subnet 10.66.66.0/24 via 10.66.66.1. The subnet may be different than the 10.66.66.0/24 so use the appropriate subnet for that route via that interface and IP.

When that is done only the traffic specifically addressed via the vpn route will go that way and the original default route will send all other traffic via the internet.

You can see the actual routing with the vpn down using ip a and post it here, then do the same ip a with the vpn up and post that. We can then look at the changes in the routing and make suggestions based on what is actually happening.

Check the DNS IP you are using while wireguard is connected.

If you are using DNS on the WG side, but not in the subnet of 10.66.66.0/24, with the new AllowedIPs, you cannot reach the DNS.

Here is the relevant information from the ip a command for the wireless and wg0 interfaces.

VPN Down:

3: wlp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c8:58:c0:a4:f5:8d brd ff:ff:ff:ff:ff:ff
    inet 192.168.184.183/24 brd 192.168.184.255 scope global dynamic noprefixroute wlp6s0
       valid_lft 23623sec preferred_lft 23623sec

VPN Up:

3: wlp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c8:58:c0:a4:f5:8d brd ff:ff:ff:ff:ff:ff
    inet 192.168.184.183/24 brd 192.168.184.255 scope global dynamic noprefixroute wlp6s0
       valid_lft 23680sec preferred_lft 23680sec
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.66.66.8/32 scope global wg0
       valid_lft forever preferred_lft forever

Oops,
I also intended to ask for the ip r output in both conditions. I missed that so please post those outputs as well.

The ip a command shows the interface config and the ip r command shows the routing.


Edit: Oops, I said ip a when I meant ip r… corrected now…

ip r without VPN

default via 192.168.184.1 dev wlp6s0 proto dhcp metric 600 
192.168.184.0/24 dev wlp6s0 proto kernel scope link src 192.168.184.183 metric 600 

ip r with VPN

default via 192.168.184.1 dev wlp6s0 proto dhcp metric 600 
10.66.66.0/24 dev wg0 scope link 
192.168.184.0/24 dev wlp6s0 proto kernel scope link src 192.168.184.183 metric 600

Were you able to find anything on the ip r info I posted?

@Rodney, you need to add PostUp and PostDown rules to your interface configuration.

Run:
ip route list table main default to find the IP address that the system uses as its default gateway, and
ip -brief address show eth0 to find the public IP for the system.

Then in your configuration add these two lines below the address:
PostUp = ip rule add table 200 from {public ip}; ip route add table 200 default via {gateway}
PreDown = ip rule delete table 200 from {public ip}; ip route delete table 200 default via {gateway}