
I have a WireGuard server on Rocky 8.7; when I connect to the server I route all client traffic through WireGuard.

These are quotes from the setup script; of course all variables are set (and everything works fine).

Config for the WireGuard server:

cat << EOF | sudo tee -a /etc/wireguard/${WG_INTERFACE}.conf
[Interface]
PostUp = wg set %i private-key /etc/wireguard/${WG_INTERFACE}.pk
Address = 10.0.0.1/32
ListenPort = ${WG_PORT}
[Peer]
PublicKey = ${WG_CLIENT_PUBLIC_KEY}
AllowedIPs = 10.0.0.2/32
EOF

Config for the WireGuard client:

cat << EOF >> ~/wg_client.conf
[Interface]
PrivateKey = ${WG_CLIENT_PRIVATE_KEY}
Address = 10.0.0.2/32
DNS = 8.8.8.8
[Peer]
PublicKey = ${WG_SERVER_PUBLIC_KEY}
Endpoint = ${SERVER_IP}:${WG_PORT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF

Server settings for traffic redirection and the firewall:

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf 1>/dev/null
sudo firewall-cmd --zone=public --add-port=${WG_PORT}/udp --permanent
sudo firewall-cmd --zone=internal --add-interface=${WG_INTERFACE} --permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade' --permanent

The question is: how do I SSH to the WireGuard server from a Windows client while the VPN connection is active?

it_buddha

1 Answer


Currently I have one working solution, which seems not optimal.

In the client config, instead of AllowedIPs = 0.0.0.0/0, I put another line where I subtract the IP address of the WireGuard server from 0.0.0.0/0.

Why does the solution seem not optimal? Because after the IP subtraction I get a very long line that is inconvenient to read.

For example, my server IP address is 100.100.200.200.

For the IP subtraction I must use a special subnet calculator (for example: https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/) to get a result looking like this:

AllowedIPs = 0.0.0.0/2, 64.0.0.0/3, 96.0.0.0/6, 100.0.0.0/10, 100.64.0.0/11, 100.96.0.0/14, 100.100.0.0/17, 100.100.128.0/18, 100.100.192.0/21, 100.100.200.0/25, 100.100.200.128/26, 100.100.200.192/29, 100.100.200.201/32, 100.100.200.202/31, 100.100.200.204/30, 100.100.200.208/28, 100.100.200.224/27, 100.100.201.0/24, 100.100.202.0/23, 100.100.204.0/22, 100.100.208.0/20, 100.100.224.0/19, 100.101.0.0/16, 100.102.0.0/15, 100.104.0.0/13, 100.112.0.0/12, 100.128.0.0/9, 101.0.0.0/8, 102.0.0.0/7, 104.0.0.0/5, 112.0.0.0/4, 128.0.0.0/1

Do you know another, simpler solution?

it_buddha
  • That line may actually be wrong. You're getting that because the calculator can't guess what your real netmask is. Pick from that line the one that corresponds to your actual netmask. – user10489 Feb 12 '23 at 13:28
  • With netmask /32 (100.100.200.200/32) the line is the same. – it_buddha Feb 12 '23 at 14:10
  • For 100.100.200.0/24 the line is also long. – it_buddha Feb 12 '23 at 14:10
  • You probably only need 100.100.200.0/24 and not the rest of what is on that line, assuming that's your actual netmask. It sounds like you need to study what netmask does to understand how to set this correctly. Feeding random stuff to ipcalc isn't going to help. – user10489 Feb 12 '23 at 14:29
  • I need to access the whole Internet through the VPN and also, with the VPN connection active, access the server via SSH. – it_buddha Feb 12 '23 at 14:51
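The subtraction described in the answer above, as an added example that is not part of the original post: a Python script (standard library only) that carves one or more networks out of 0.0.0.0/0 and emits the resulting AllowedIPs line, so the client keeps full-tunnel routing while the server's own address stays on the normal route. It uses the server address 100.100.200.200 quoted in the answer; the function and helper names are my own, and it also handles more than one exclusion (for example the server /32 plus a local LAN), which the calculator output above does not show.

```python
import ipaddress
from typing import Iterable, List

def allowed_ips_excluding(exclusions: Iterable[str], base: str = "0.0.0.0/0") -> List[str]:
    """Return the shortest list of CIDR blocks covering `base` minus every
    network in `exclusions`, sorted by address.  This is the 'subtract the
    server IP from 0.0.0.0/0' step done with the standard library instead of
    a web calculator; host bits in an exclusion (e.g. '100.100.200.200')
    are treated as a /32."""
    remaining = [ipaddress.ip_network(base, strict=False)]
    for excl in exclusions:
        excl_net = ipaddress.ip_network(excl, strict=False)
        carved = []
        for net in remaining:
            if excl_net.subnet_of(net):
                # Split `net` down to the exclusion and keep every sibling block.
                carved.extend(net.address_exclude(excl_net))
            elif net.subnet_of(excl_net):
                continue  # `net` lies entirely inside the exclusion: drop it
            else:
                carved.append(net)  # disjoint from the exclusion: keep as-is
        remaining = carved
    # Merge neighbouring blocks that can be written as one larger prefix.
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def allowed_ips_line(exclusions: Iterable[str]) -> str:
    """Render the block list as the AllowedIPs line for the client [Peer] section."""
    return "AllowedIPs = " + ", ".join(allowed_ips_excluding(exclusions))

def is_routed(cidrs: Iterable[str], address: str) -> bool:
    """True if `address` falls inside any block, i.e. would be sent into the tunnel."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

if __name__ == "__main__":
    # Constructed example value: the server address quoted in the answer above.
    server = "100.100.200.200/32"
    blocks = allowed_ips_excluding([server])
    print(allowed_ips_line([server]))
    print(len(blocks), "blocks;",
          "server tunnelled:", is_routed(blocks, "100.100.200.200"),
          "| 8.8.8.8 tunnelled:", is_routed(blocks, "8.8.8.8"))
```

Excluding a single /32 always yields 32 blocks (one per prefix length), so the long line is inherent to the approach; generating it from the script rather than by hand removes the transcription risk.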