Score:0

how to SSH to Wireguard server from Windows client with active VPN connection?

ba flag

I have a WireGuard server on Rocky 8.7; when I connect to the server I route all client traffic through WireGuard.

These are quotes from the setup script; of course all variables are set (and everything works fine).

Config for the WireGuard server:

cat << EOF | sudo tee -a /etc/wireguard/${WG_INTERFACE}.conf
[Interface]
PostUp = wg set %i private-key /etc/wireguard/${WG_INTERFACE}.pk
Address = 10.0.0.1/32
ListenPort = ${WG_PORT}
[Peer]
PublicKey = ${WG_CLIENT_PUBLIC_KEY}
AllowedIPs = 10.0.0.2/32
EOF

Config for the WireGuard client:

cat << EOF >> ~/wg_client.conf
[Interface]
PrivateKey = ${WG_CLIENT_PRIVATE_KEY}
Address = 10.0.0.2/32
DNS = 8.8.8.8
[Peer]
PublicKey = ${WG_SERVER_PUBLIC_KEY}
Endpoint = ${SERVER_IP}:${WG_PORT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF

Server settings for traffic redirection and firewall:

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf 1>/dev/null
sudo firewall-cmd --zone=public --add-port=${WG_PORT}/udp --permanent
sudo firewall-cmd --zone=internal --add-interface=${WG_INTERFACE} --permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade' --permanent

The question is: how do I SSH to the WireGuard server from the Windows client with an active VPN connection?

Score:0
ba flag

Currently I have one working solution, which seems not optimal.

In the client config, instead of AllowedIPs = 0.0.0.0/0 I put a different line, where I subtract the IP address of the WireGuard server from 0.0.0.0/0.

Why does the solution seem not optimal? Because after the IP subtraction I get a very long line that is inconvenient to read.

For example, my server IP address is 100.100.200.200.

For the IP subtraction I must use a special subnet calculator (for example: https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/) to get a result looking like this:

AllowedIPs = 0.0.0.0/2, 64.0.0.0/3, 96.0.0.0/6, 100.0.0.0/10, 100.64.0.0/11, 100.96.0.0/14, 100.100.0.0/17, 100.100.128.0/18, 100.100.192.0/21, 100.100.200.0/25, 100.100.200.128/26, 100.100.200.192/29, 100.100.200.201/32, 100.100.200.202/31, 100.100.200.204/30, 100.100.200.208/28, 100.100.200.224/27, 100.100.201.0/24, 100.100.202.0/23, 100.100.204.0/22, 100.100.208.0/20, 100.100.224.0/19, 100.101.0.0/16, 100.102.0.0/15, 100.104.0.0/13, 100.112.0.0/12, 100.128.0.0/9, 101.0.0.0/8, 102.0.0.0/7, 104.0.0.0/5, 112.0.0.0/4, 128.0.0.0/1

Do you know another, simpler solution?

user10489 avatar
nc flag
That line may actually be wrong. You're getting that because the calculator can't guess what your real netmask is. Pick from that line the one that corresponds to your actual netmask.
it_buddha avatar
ba flag
With netmask /32 (100.100.200.200/32) the line is the same.
it_buddha avatar
ba flag
For 100.100.200.0/24 the line is also long.
user10489 avatar
nc flag
You probably only need 100.100.200.0/24 and not the rest of what is on that line, assuming that's your actual netmask. It sounds like you need to study what netmask does to understand how to set this correctly. Feeding random stuff to ipcalc isn't going to help.
it_buddha avatar
ba flag
I need to access the whole Internet via the VPN, and also, with an active VPN connection, access the server via SSH.
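The AllowedIPs "subtraction" discussed in the answer and the comments above, as an added example that is not from the original thread: it replaces the online calculator with Python's standard ipaddress module, generalizes to more than one excluded network, and checks which addresses actually end up routed through the tunnel. The server address 100.100.200.200 is the one from the answer; the 192.168.1.0/24 LAN in the second call is a constructed example.

```python
import ipaddress
from typing import Iterable, List


def exclude_from_allowed_ips(allowed: Iterable[str], excluded: Iterable[str]) -> List[str]:
    """Return the minimal CIDR list covering `allowed` minus `excluded`.

    WireGuard has no "negative" AllowedIPs entry, so to send everything except
    the server's own public address through the tunnel, 0.0.0.0/0 has to be
    split into the prefixes surrounding that address (one per bit for a /32).
    All entries must be one address family (collapse_addresses requires it).
    """
    remaining = [ipaddress.ip_network(a, strict=False) for a in allowed]
    for ex in (ipaddress.ip_network(e, strict=False) for e in excluded):
        carved = []
        for net in remaining:
            if ex.version != net.version or not ex.overlaps(net):
                carved.append(net)            # untouched by this exclusion
            elif net.subnet_of(ex):
                continue                      # swallowed whole by the exclusion
            else:
                carved.extend(net.address_exclude(ex))  # ex lies inside net
        remaining = carved
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def is_routed_via_tunnel(allowed_ips: Iterable[str], address: str) -> bool:
    """True if `address` matches any prefix in the AllowedIPs list."""
    ip = ipaddress.ip_address(address)
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def wg_allowed_ips_line(allowed_ips: Iterable[str]) -> str:
    """Format the list the way it appears in a client [Peer] section."""
    return "AllowedIPs = " + ", ".join(allowed_ips)


if __name__ == "__main__":
    # Exactly the case from the answer: full tunnel minus the server's public IP.
    full_minus_server = exclude_from_allowed_ips(["0.0.0.0/0"], ["100.100.200.200/32"])
    print(wg_allowed_ips_line(full_minus_server))
    # Constructed extension: also keep the local LAN (192.168.1.0/24) off the tunnel.
    print(wg_allowed_ips_line(
        exclude_from_allowed_ips(["0.0.0.0/0"], ["100.100.200.200/32", "192.168.1.0/24"])))
```

The first call reproduces the 32-entry line quoted in the answer; is_routed_via_tunnel lets you confirm that 100.100.200.200 is the only address left outside the tunnel before loading the config.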