Pivpn allowed IPs wireguard

jonyskids · November 16, 2024, 1:14am

Does dietpi allow for split tunnel with wireguard. Can one change allowed ips to the host’s local network and only pass that traffic?

Joulinar · November 16, 2024, 6:27am

This has basically nothing to do with DietPi. You can configure Wireguard as you wish. I guess you are looking for the client configuration?

jonyskids · November 16, 2024, 6:37am

Apologize, not trying to be disrespectful of anyone’s time. I have been trying to set up a split tunnel with little success and just trying to eliminate possibilities. The few tutorials I have found make it seem pretty simple. Change the allowed IPs to include the host local network and the vpn’s network and should be good to go…Not the case for me. Thanks for eliminating an dietpi from the mix of possibilities.

Joulinar · November 16, 2024, 7:00am

Can you share your configuration for allowedIPs?

I’m running a lot of split tunnels on my clients

Jappe · November 16, 2024, 12:12pm

I run a split tunnel with wireguard on DietPi, to filter my DNS requests with PiHole.
What have you tried so far and what are you experiencing?

jonyskids · November 16, 2024, 12:46pm

What I have tried is to go into /etc/wireguard/wg0:

[Interface]
PrivateKey = My Private Key
Address = 10.219.14.1/24
MTU = 1420
ListenPort = My Listen Port

### begin SkidsMac ###
[Peer]
PublicKey = My Public Key
PresharedKey = My Preshared Key
AllowedIPs = 10.219.14.4/32, 192.168.3.0/24
### end SkidsMac ###

And on the client I edit my tunnel:

[Interface]
PrivateKey = My Private Key
Address = 10.219.14.4/32

[Peer]
PublicKey = My Public Key
PresharedKey = My Preshared Key
AllowedIPs = 192.168.3.0/24
Endpoint =My domain:51829

Is this the incorrect approach?

Joulinar · November 16, 2024, 4:21pm

On server side

should be set to AllowedIPs = 10.219.14.4/32 only. No need to add 192.168.3.0/24 there

On client side.

There is no DNS server set? Is this correct? Usually I would expect it within [Interface] section

Should be 10.219.14.4/24

Jappe · November 16, 2024, 4:22pm

No, you need to specify the AllowedIPs on the node which is making the requests, not the node which receives the requets. So you send only the IP ranges you want through the VPN tunnel and every other IP range through your default interface.

So for example I have 3 nodes: 10.6.0.1 to 10.6.0.3.
Node 0.1 is the device which runs my pihole instance. So I want nodes 0.2 and 0.3 only send the DNS requests to it (make a split tunnel).
So on the nodes 0.2 and 0.3 I set DNS to 10.6.0.1 and in their configs I set AllowedIPs to 10.6.0.0/24 (and also to my LAN IP range so I can access my LAN from the outside if I want).

Joulinar · November 16, 2024, 4:25pm

Theoretically you can use local network IP address as well. Doesn’t need to be the VPN server IP address.

jonyskids · November 16, 2024, 5:04pm

Why is often so obvious when you the solution is revealed. Thanks for the insight! (To both of you.)

system · February 14, 2025, 5:04pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.