Wireguard: skip VPN for private networks?

Kassem Member

So I have Wireguard running as a VPN (all traffic going through the remote server); how can I skip it just for private networks like 192.168.0.0 and 10.0.0.0 so that only connections to the Internet go through the VPN?

This is on Windows 10 connecting to remote server using official Wireguard client with Allowed IPs: 0.0.0.0/0.

TIA!

Comments

  • yoursunny Member, IPv6 Advocate

    Write your AllowedIPs such that the private networks are excluded.

  • Neoon Community Contributor, Veteran

    AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.16.0.0/24, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32

    Thanked by 2: Kassem, wpyoga
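    Writing a list like the one above by hand is easy to get wrong (one mistyped prefix either leaks a LAN into the tunnel or drops part of the Internet out of it). The script below is an added example, not code from this thread: it carves a chosen set of ranges out of 0.0.0.0/0 with Python's standard-library ipaddress module and prints the resulting AllowedIPs line, which is the only form in which WireGuard accepts a "disallowed" list. The exclusion set (RFC 1918 plus link-local) is a constructed assumption; edit it to match the LANs you actually use. covers() lets you check any address against the result before you paste it into the config.

```python
import ipaddress

# Constructed exclusion list (an assumption, not from the thread): the RFC 1918
# private ranges plus IPv4 link-local. Edit to match the LANs you actually use.
LOCAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]


def allowed_ips(excluded=LOCAL_RANGES, everything="0.0.0.0/0"):
    """Return CIDR blocks that together cover `everything` minus `excluded`.

    Each excluded network is carved out of whichever remaining block contains
    it, so the result is a "DisallowedIPs" list expressed the only way
    WireGuard accepts it: as a positive AllowedIPs list.
    """
    remaining = [ipaddress.ip_network(everything)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        carved = []
        for net in remaining:
            if net.subnet_of(ex):
                continue  # block lies wholly inside an excluded range: drop it
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # split around the hole
            else:
                carved.append(net)  # disjoint from this exclusion: keep as is
        remaining = carved
    # collapse_addresses sorts the blocks and merges any mergeable neighbours
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def allowed_ips_line(excluded=LOCAL_RANGES):
    """Format the carved-out list as a WireGuard [Peer] config line."""
    return "AllowedIPs = " + ", ".join(allowed_ips(excluded))


def covers(nets, addr):
    """True if `addr` falls inside one of `nets`, i.e. would be sent into the tunnel."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def total_addresses(nets):
    """Number of IPv4 addresses the list covers; a sanity check on the carve-out."""
    return sum(ipaddress.ip_network(n).num_addresses for n in nets)


if __name__ == "__main__":
    nets = allowed_ips()
    print(allowed_ips_line())
    print("8.8.8.8 via tunnel:", covers(nets, "8.8.8.8"))          # True
    print("192.168.1.10 via tunnel:", covers(nets, "192.168.1.10"))  # False
```

    On the official Windows client and under wg-quick, AllowedIPs also decides which routes get installed for the tunnel, so anything carved out here simply keeps following the normal routing table and reaches the local network directly.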
  • Kassem Member

    Thanks @Neoon

    So I have to specifically add the ranges that are allowed. Wish there was a DisallowedIPs option though.

    Thanked by 1: yoursunny
  • rm_ IPv6 Advocate, Veteran
    edited July 2021

    @Kassem said: So I have to specifically add the ranges that are allowed. Wish there was a DisallowedIPs option though.

    If you mean wg-quick, it supports a PostUp option, where you can run any route command or script.

    I believe wg-quick sets up an additional non-default routing table, so:

    PostUp = ip rule add to 192.168.0.0/16 lookup main might do it.

    I'm not actually sure, because I never used wg-quick, just the wg command itself. Which is what I'd recommend everyone to do. It doesn't add any weird routes or ip rules by itself, it only sets up the tunnel. From then on you can route exactly what you want through it, and however you want it.

  • @Kassem said: Wish there was a DisallowedIPs option though.

    Request it on their mailing list and maybe they'll add it?

  • AllowedIPs = 0.0.0.0/1, 128.0.0.0/1

  • This is what I have for my iptables and it works perfectly

    -A FORWARD -i wg0 -o wg0 -j REJECT
    -A FORWARD -i wg0 -d 192.168.0.0/16 -j REJECT
    First line disables client to client communication and second one blocks local access.
