Need help with wireguard

And what is the wireguard connection for?

The problem is that both VPNs have rules to route everything over their own tunnel; you would need to modify your iptables / routing to declare what you wanna route to which destination.

Yes, I understood this …

Can you help me with creating the tunnels? I am not really familiar with IP routing

Me neither, but @trendy can maybe help.

Searching the forum should help sometimes. We have quite a lot of similar requests where a split tunnel is set up.

Hello Joulinar, I searched but haven't found anything. Maybe you can direct me to the post?

e.g. Wireguard server + OpenVPN client, again

Yes, when you fire up a vpn client connection, all outgoing traffic will use that uplink, so you need to exclude the vpn server traffic by using a policy routing rule, with ip rule add ... in the postup scripts of the vpn client. There are some other threads mentioned with the same problem, so if you cannot work it out, let us know to help you here.

I have the problem that I read all these guides, but my situation is a little bit different because I am using IPv6 and all posts are about IPv4, and the dyndns is then via the router, but my client directly has a dyndns address…

I was born and studied in an IPv4 world so I have no clue about the IPv6 stuff…

I know what to do… so I need to reroute the traffic from wireguard via my IPv6 address, is my understanding correct?

Hello all.

This is what I tried, this solution:


In short: The solution
Create a new routing table:

ip route add default via 192.168.178.43 dev eth0 table 7
ip rule add fwmark 0x55 priority 1000 table 7
ip route flush cache
Where v is the IP of your external interface (eth0). Now add this to your wg0.conf:

FwMark = 0x55
Now you will be able to connect to your home-server via WireGuard even when its OpenVPN tunnel is open.

and also this solution

FwMark = 51820

# forwarding
PostUp  = iptables -A FORWARD -o eth0 ! -d 192.168.178.0/24 -j REJECT
PostUp  = iptables -A FORWARD -i %i -j ACCEPT
PostUp  = iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp  = iptables -A FORWARD -j REJECT
PreDown = iptables -D FORWARD -o eth0 ! -d 192.168.178.0/24 -j REJECT
PreDown = iptables -D FORWARD -i %i -j ACCEPT
PreDown = iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -D FORWARD -j REJECT

# NAT
PostUp  = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp  = iptables -t nat -A POSTROUTING -o vpn-client -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o vpn-client -j MASQUERADE

but no solution worked so far…

I guess because I am using a DS-Lite and IPv6 connection I need sth. in my IPv6 tables?

Is this right? But I have absolutely no clue what, because I never worked with iptables or routing.

Therefore your help is really appreciated @trendy

I guess I need sth. similar but in IPv6 language

means this in describing language

ip -6 route add default via [myipv6address] dev eth0 table 7
ip -6 rule add fwmark 0x55 priority 1000 table 7
ip -6 route flush cache

but how do I write this correctly?

Let’s take a step back and a deep breath.
Does the wireguard work fine if there is no vpn client enabled?
Does the ddns resolve into an IPv6 or IPv4 (or both)?
Lan hosts use the dietpi or some ISP router as gateway?

Does the wireguard work fine if there is no vpn client enabled? Yes
Does the ddns resolve into an IPv6 or IPv4 (or both)? IPv6
Lan hosts use the dietpi or some ISP router as gateway?
I didn’t understand it completely, but the nano r5c is connected with a Fritzbox and the Fritzbox is connected with an ISP DS Lite tunnel. And yes, I run pihole on it, therefore other devices connect to the nano r5c.

You can check the gateway on a lan host. route print in windows, look for destination 0.0.0.0 Netmask 0.0.0.0, or ip -4 route show | grep default

default via 192.168.178.1 dev eth1

Is this .178.1 the dietpi or the ISP router?
Do lan hosts have also IPv6 configured or only IPv4?
Does the VPN tunnel client offer IPv6 as well or only IPv4?

Is this .178.1 the dietpi or the ISP router?

ISP router

Do lan hosts have also IPv6 configured or only IPv4?

Both ipv4 and ipv6

Does the VPN tunnel client offer IPv6 as well or only IPv4?

Only IPv4, it’s Private Internet Access with their VPN files

Alright, one last thing, the myddns endpoint is IPv4 or IPv6?

It’s on the dietpi, ddclient is running and it’s an IPv6 address

Try this and if it works we can make it permanent.

echo '10 isp' >> /etc/iproute2/rt_tables 
ip -6 route add to default via "$(ip -6 route list match ::/0 | cut -f3 -d ' ')" dev eth1 table isp
ip -6 rule add iif lo sport 51820 to default lookup isp prio 15
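
An added example, not part of the original posts: a dry-run check to use before making the rule above permanent. It picks the IPv6 next hop by interface name instead of by field position and prints the commands rather than running them. The function names and the sample route list are constructed for illustration; the interface eth1, port 51820 and table isp are taken from the thread, and `route replace` is used in place of `route add` so the command can be re-run.

```shell
#!/bin/sh
# Added example: dry-run generator for the policy-routing commands in the
# post above. Assumes uplink eth1, WireGuard port 51820, table "isp".

# Constructed sample of `ip -6 route list match ::/0` output. The second
# default route (no "via") shows why counting fields with cut is fragile:
# cut -f3 -d ' ' would return two lines here, "fe80::1" and "tun0".
SAMPLE_ROUTES='default via fe80::1 dev eth1 proto ra metric 1024 expires 1700sec pref medium
default dev tun0 metric 2048 pref medium'

# Print the next hop of the first default route on interface $1.
# The route list is read from stdin.
default_gw_for_dev() {
    awk -v dev="$1" '
        $1 == "default" {
            gw = ""; d = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") d = $(i + 1)
            }
            if (d == dev && gw != "") { print gw; exit }
        }'
}

# Print (do not execute) the two commands. $1 = uplink interface,
# $2 = WireGuard listen port, route list on stdin.
# Returns 1 when the interface has no IPv6 default gateway.
emit_isp_rules() {
    gw=$(default_gw_for_dev "$1")
    [ -n "$gw" ] || { echo "no IPv6 default gateway on $1" >&2; return 1; }
    # "replace" instead of "add" so a second run does not fail with "File exists"
    echo "ip -6 route replace default via $gw dev $1 table isp"
    echo "ip -6 rule add iif lo sport $2 to default lookup isp prio 15"
}

# Demo on the constructed sample; on a real host, pipe in
# `ip -6 route list match ::/0` instead.
printf '%s\n' "$SAMPLE_ROUTES" | emit_isp_rules eth1 51820
```

After applying the printed commands, `ip -6 rule show` and `ip -6 route show table isp` confirm what was installed.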

amazing 🙂 perfect runs smooth 🙂

But I can’t connect to the internal network

even if I have

AllowedIPs = 192.168.178.0/24

in my client conf

Why not use 0.0.0.0/0 within your client configuration?