Wireguard won't tunnel all traffic to server

Matthew Leeson

6/23/23, 8:21 PM

I'm having a heck of a time getting WG to tunnel all my traffic back to the server. I thought it would be a simple one line process, but it isn't. I've installed the latest version, removed, reinstalled, done just about everything. iptables changes are made in the server, too, but it isn't even getting that far. It's just not routing to wg0. If I try to manually add the route, it says it's already there. What am I missing?

wg0.conf
[Interface]
Address = 172.20.3.9/32
PrivateKey = 

[Peer]
PublicKey = 
Endpoint = 18.x.x.x:51820
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 25

Route tables on the client:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1

ip route show table main
default via 192.168.1.1 dev eno1 proto static 
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.62

wg show on the client:
interface: wg0
  public key: 
  private key: (hidden)
  listening port: 39804
  fwmark: 0xca6c

peer: 
  endpoint: 18.x.x.x:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 38 seconds ago
  transfer: 20.05 KiB received, 33.70 KiB sent
  persistent keepalive: every 25 seconds

Console output when it starts:
wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.20.3.9/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

443

0 + 0

tunnel

wireguard

Score:0

Server

Justin Ludwig

7/1/23, 7:44 PM

When you set AllowedIPs to a /0, wg-quick uses policy routing to avoid overriding routes from your main table other than the default route. Run ip rule to see the policy rules wg-quick sets up, and ip route show table 51820 to see the route you're looking for. The effect of wg-quick's policy rules in your case is to keep routing 192.168.1.0/24 (and WireGuard's own traffic to 18.x.x.x) through eno1, while routing everything else through wg0.

If you really want to route everything through wg0, first add a route for your remote endpoint in a custom routing table:

ip route add 18.x.x.x via 192.168.1.1 dev eno1 table 123

Then add a policy rule to prefer that table over your other tables:

ip rule add table 123 priority 456

Then configure wg-quick to add its routes to that table (like the default route in your case) when it starts up the interface:

[Interface]
...
Table = 123

[Peer]
...

See https://www.wireguard.com/netns/#routing-all-your-traffic for further discussion and alternate approaches.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Wireguard won't tunnel all traffic to server

TH: Wireguard จะไม่รับส่งข้อมูลทั้งหมดไปยังเซิร์ฟเวอร์

RO: Wireguard nu va tunel tot traficul către server

RU: Wireguard не будет туннелировать весь трафик на сервер

VI: Wireguard sẽ không tạo đường hầm tất cả lưu lượng truy cập đến máy chủ

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.