Wireguard VPN without snat

I have a WireGuard server configured like this:

[Interface]
PrivateKey = <server_private_key>
Address = 10.2.3.1/24
ListenPort = 51820
MTU = 1420
PostUp = iptables -A FORWARD -s 10.2.3.0/24 -d 10.2.3.0/24 -j DROP; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -s 10.2.3.0/24 -d 10.2.3.0/24 -j DROP; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# OpenWRT wg client
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.2.3.4/32

# OpenWRT wg client
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.2.3.5/32

# OpenWRT wg client
[Peer]
PublicKey = <peer_public_key>
AllowedIPs = 10.2.3.6/32

And below is the configuration in one of my OpenWRT routers as a VPN client:

config interface 'wg_1'
    option  disabled  '0'
    option  proto  'wireguard'
    option  private_key  '<peer_private_key>'
    list  addresses  '10.2.3.6/24'
    option  mtu  '1420'
    option  nohostroute  '1'

config wireguard_wg_1 'wgserver_1'
    option  public_key  '<server_public_key>'
    option  endpoint_host  '<somehost>'
    option  endpoint_port  '<some_port>'
    option  route_allowed_ips  '0'
    option  persistent_keepalive  '25'
    list  allowed_ips  '0.0.0.0/0'

For WireGuard, masquerading is disabled in the firewall.

config zone 'wg_1'
    option  name  'wg_1'
    option  network  'wg_1'
    option  input  'ACCEPT'
    option  output  'ACCEPT'
    option  forward  'ACCEPT'
    option  masq  '0'
    option  mtu_fix  '1'

and I have a LAN (192.168.168.0/24) created in the OpenWRT router and a client (192.168.168.208) connected to it.

When I ping 10.2.3.1 from the client (192.168.168.208) it doesn't work (the wg server might be discarding the traffic, as the source will be 192.168.168.208, which is not added under allowed IPs).

If I add SNAT (option masq '1') then it works.

I cannot add '0.0.0.0/0' in the server allowed IPs for all the clients.

So, how can I reach wg_server (10.2.3.1) from the client (192.168.168.208) without masquerading?

Any help will be greatly appreciated.

AllowedIPs = 10.2.3.6/32, 192.168.168.208/32

Yes, I can do that. But as can be seen, wg_server is connected to multiple client OpenWRT routers, and each client might have the same network (192.168.168.0/24).
So multiple wg clients with the same network (e.g. 192.168.168.0/24) want to reach wg_server without SNAT; therefore I cannot add 192.168.168.208/32 for all clients.

Then you'll have to use masquerade/SNAT. Or use different subnets on the other clients connected to the server.

1 Like

Yes, I need to do masquerading, but is there any option other than masquerading?

You can't just add static routes, because the AllowedIPs list behaves like an access control list and it won't work. As @trendy said, the other option is to use different IP subnets.

1 Like

You have 2 options. Either the WG server will have a static route to the subnet behind a client, or the client will masquerade the packets of its lan subnet. Unfortunately no other solution. Weigh your options and proceed accordingly.

1 Like
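To make the two answers above concrete, here is an added Python model of WireGuard's AllowedIPs table (cryptokey routing). It is not code from this thread, from OpenWrt or from WireGuard; it only reproduces the two rules the replies rely on: an inbound decrypted packet is accepted only if its source address lies within the sending peer's AllowedIPs, and each prefix can belong to exactly one peer (wg(8) moves a prefix to the peer that last claimed it). The peer names and the 192.168.4.0/24 and 192.168.6.0/24 subnets in the third scenario are constructed for the example; the 10.2.3.x and 192.168.168.0/24 addresses come from the thread.

```python
import ipaddress

class CryptokeyRouter:
    """Toy model of WireGuard's AllowedIPs table (added example, not WireGuard code).

    Inbound:  a packet decrypted from `peer` is accepted only if its source IP
              falls inside that peer's AllowedIPs (AllowedIPs acts as an ACL).
    Outbound: the destination IP selects the peer by longest-prefix match.
    Uniqueness: a prefix maps to exactly one peer; assigning it to another peer
              removes it from the previous owner, as wg(8) does.
    """

    def __init__(self):
        self.peers = {}   # peer name -> list of ip_network
        self.table = {}   # ip_network -> owning peer name

    def add_peer(self, name, allowed):
        nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
        self.peers[name] = nets
        for net in nets:
            previous = self.table.get(net)
            if previous is not None and previous != name:
                # The prefix moves to the new peer; the old peer loses it.
                self.peers[previous] = [n for n in self.peers[previous] if n != net]
            self.table[net] = name

    def inbound_allowed(self, peer, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.peers.get(peer, []))

    def outbound_peer(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, owner) for net, owner in self.table.items() if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def demo():
    results = {}

    # Scenario 1: the server exactly as posted, one /32 per OpenWrt router.
    r = CryptokeyRouter()
    r.add_peer("client4", ["10.2.3.4/32"])
    r.add_peer("client5", ["10.2.3.5/32"])
    r.add_peer("client6", ["10.2.3.6/32"])
    # LAN host 192.168.168.208 behind client6, no masquerade: source not in AllowedIPs.
    results["lan_src_without_masq"] = r.inbound_allowed("client6", "192.168.168.208")
    # With masq '1' the router rewrites the source to its tunnel address 10.2.3.6.
    results["lan_src_with_masq"] = r.inbound_allowed("client6", "10.2.3.6")

    # Scenario 2: the same LAN subnet added behind two routers (what the OP wants).
    r.add_peer("client4", ["10.2.3.4/32", "192.168.168.0/24"])
    r.add_peer("client6", ["10.2.3.6/32", "192.168.168.0/24"])
    # Only the last peer owns the prefix, so replies can reach just one router...
    results["overlap_owner"] = r.outbound_peer("192.168.168.208")
    # ...and client4's LAN packets are rejected again.
    results["client4_keeps_overlap"] = r.inbound_allowed("client4", "192.168.168.208")

    # Scenario 3: distinct LAN subnets per router (constructed), as the replies suggest.
    r2 = CryptokeyRouter()
    r2.add_peer("client4", ["10.2.3.4/32", "192.168.4.0/24"])
    r2.add_peer("client6", ["10.2.3.6/32", "192.168.6.0/24"])
    results["distinct_reply_4"] = r2.outbound_peer("192.168.4.208")
    results["distinct_reply_6"] = r2.outbound_peer("192.168.6.208")
    results["distinct_inbound_6"] = r2.inbound_allowed("client6", "192.168.6.208")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first scenario is the failure in the question: the server drops the packet because 192.168.168.208 is outside client6's AllowedIPs, and masquerading fixes it only because the source becomes 10.2.3.6. The second shows why listing 192.168.168.0/24 under every peer cannot work: the prefix ends up on a single peer. The third is the "different subnets" option; on a wg-quick server like the one posted, adding each LAN prefix to the matching peer's AllowedIPs also installs the route to it, which is the static route the last reply describes.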