I have a WireGuard server configured like this:
[Interface]
PrivateKey = <server_private_key>
Address = 10.2.3.1/24
ListenPort = 51820
MTU = 1420
PostUp = iptables -A FORWARD -s 10.2.3.0/24 -d 10.2.3.0/24 -j DROP; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -s 10.2.3.0/24 -d 10.2.3.0/24 -j DROP; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# OpenWRT wg client
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.2.3.4/32
# OpenWRT wg client
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.2.3.5/32
# OpenWRT wg client
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.2.3.6/32
And below is the configuration on one of my OpenWRT routers acting as a VPN client:
config interface 'wg_1'
option disabled '0'
option proto 'wireguard'
option private_key '<peer_private_key>'
list addresses '10.2.3.6/24'
option mtu '1420'
option nohostroute '1'
config wireguard_wg_1 'wgserver_1'
option public_key '<server_public_key>'
option endpoint_host '<somehost>'
option endpoint_port '<some_port>'
option route_allowed_ips '0'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
For WireGuard, masquerading is disabled in the firewall:
config zone 'wg_1'
option name 'wg_1'
option network 'wg_1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '0'
option mtu_fix '1'
I also have a LAN (192.168.168.0/24) created on the OpenWRT router and a client (192.168.168.208) connected to it.
When I ping 10.2.3.1 from the client (192.168.168.208) it doesn't work (the wg server might be discarding the traffic, as the source will be 192.168.168.208, which is not added under AllowedIPs).
If I add SNAT (option masq '1') then it works.
I cannot add '0.0.0.0/0' in the server AllowedIPs for all the clients.
So, how can I reach the wg server (10.2.3.1) from the client (192.168.168.208) without masquerading?
Any help will be greatly appreciated.
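The behaviour described in the question is WireGuard's cryptokey routing: when the server decrypts a packet from a peer, it checks the inner source address against that peer's AllowedIPs and silently drops the packet if there is no match. That is why a packet from 192.168.168.208 is lost while a masqueraded one (source rewritten to 10.2.3.6) gets through. The fix that avoids SNAT is to list the LAN behind each router in that router's AllowedIPs on the server; wg-quick then also installs a route for that prefix via the tunnel, so replies from 10.2.3.1 to 192.168.168.208 go back through the right peer. The corrected server-side peer stanza below is an added example, not part of the original post; it assumes the interface is called wg0, that only the 10.2.3.6 router fronts 192.168.168.0/24, and that every router's LAN uses a distinct prefix (AllowedIPs must not overlap between peers, since WireGuard picks the peer by longest-prefix match and a duplicate prefix is moved to whichever peer was configured last).

```ini
# Server-side peer entry for the OpenWRT router at 10.2.3.6.
#
# Before (from the question): only the tunnel address is allowed, so any
# packet arriving from this peer with a LAN source address is dropped on
# decryption. The router can only work around this with masquerading.
#
#   [Peer]
#   PublicKey = <peer_public_key>
#   AllowedIPs = 10.2.3.6/32
#
# After: the LAN behind this router is added to AllowedIPs. Incoming packets
# from 192.168.168.0/24 are accepted, and wg-quick adds
# "192.168.168.0/24 dev wg0" so return traffic is sent to this peer.
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.2.3.6/32, 192.168.168.0/24

# Other routers keep their own tunnel address plus their own (non-overlapping)
# LAN prefix, e.g. a second router at 10.2.3.5 fronting a hypothetical
# 192.168.167.0/24 would get:
#   AllowedIPs = 10.2.3.5/32, 192.168.167.0/24
```

The same change can be applied without restarting the tunnel with `wg set wg0 peer <peer_public_key> allowed-ips 10.2.3.6/32,192.168.168.0/24` (the running kernel state replaces the peer's AllowedIPs set), but it must also go into the config file or it is lost on the next `wg-quick down`/`up`. Nothing on the OpenWRT side needs to change: the router's own `list allowed_ips '0.0.0.0/0'` already accepts any source from the server, and the wg_1 zone already forwards from the LAN. The FORWARD DROP rule on the server still only affects 10.2.3.0/24-to-10.2.3.0/24 traffic, so it does not block this path; if LAN hosts later need to reach other peers' LANs rather than just 10.2.3.1, that rule and the INPUT/FORWARD policies are the next thing to review.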