Are you able to use the Internet without VPN/WG being online? The remote network’s LAN (subnet) shouldn’t have any impact on your LAN (subnet). The WG-based VPN sets up a virtual private network which runs atop the ‘real’ networks/IPs to bridge across them.
Eg: your LAN is 192.168.8.0/24 but the IP for the WG Client’s interface is 10.0.0.2/32 (a VPN subnet of max. one IP). The corresponding remote interface on the WG Server would be something like 10.0.0.1/24 (a VPN subnet of max. 255 minus self = possible 254 IPs for Clients).
Can you post a screenshot of your WG Client configuration? Redact your Public Key & Private Key beforehand.
Is there anything I can do to force all traffic (even local traffic) through the WG tunnel?
You can specify any connected device’s MAC (eg: a laptop) to always use the VPN Client (WG, in this case) via a VPN Policy.
I managed to figure it out.
I was always able to reach the internet through the tunnel and out the server end, but when trying to access machines in the 192.168.1.0/24 network where the wg server is (my home) it was not able to.
This was because where I am currently (not my home), has the same 192.168.1.0/24 common subnet so traffic was staying within this network and not going through the tunnel.
I ssh’d to the GL-AR300M16 and saw that there was a route that was keeping this traffic in the local network:
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
I deleted this route from the table, and now I’m able to access machines 192.168.1.X on my network as the requests get routed through the tunnel and into my home.
You could have just changed your local subnet of 192.168.1.0/24 to 192.168.10.0/24 & have kept that stock firewall rule. Oh well, as long as it works as you expect.
(GL GUI → More Settings → Lan IP for firmware 3.x.)
Using 192.168.0.xx, 192.168.1.xx or 192.168.100.xx in any subnet should be at all costs avoided, because you don’t know what subnets you will traverse along the way. I haven’t experienced difficulty with 8.0, 9.0, 10.0, 20.0 and 50.0, but I think that is just luck. And the subnets on either side of a tunnel should be unique. Any other architecture will result at best in unpredictable behavior.
Fooling with the route this way means, I guess, that you can’t reach anything else on your side of the tunnel, and you can’t do site to site. I don’t understand how any traffic from the server side comes back to you, frankly, or even how you get to the default gateway. Change the subnet as @bring.fringe18 suggests.
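The two behaviours discussed in this thread (the overlapping 192.168.1.0/24 on both ends of the tunnel, and why renumbering the local LAN is the cleaner fix than deleting the connected route) come down to longest-prefix route selection. The following is an added example, not code from the thread or from GL.iNet: it models the travel router's routing table with Python's standard `ipaddress` module and shows which interface a destination is sent out of before the fix, after the OP's route deletion, and after renumbering the local LAN to 192.168.10.0/24 as suggested. It also includes a small overlap check for the three subnets involved. All addresses are constructed from the values quoted above; the tunnel subnet 10.0.0.0/24 and the `wg0`/`eth0` interface names are assumptions, and the model ignores metrics and the policy-routing WireGuard clients use for their own endpoint traffic.

```python
"""Added example (not from the thread): longest-prefix route lookup and a
subnet-overlap check modelling the WireGuard subnet collision discussed above.

Constructed values: home LAN behind the WG server = 192.168.1.0/24, the LAN the
traveller is on = 192.168.1.0/24 (the collision), assumed tunnel = 10.0.0.0/24.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (destination network, outgoing interface). Metrics are ignored:
# the kernel picks the most specific matching prefix, which is what matters here.
Route = Tuple[ipaddress.IPv4Network, str]


def route(cidr: str, iface: str) -> Route:
    return (ipaddress.IPv4Network(cidr), iface)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Return the interface chosen for dst: the longest matching prefix wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Travel router before any change. AllowedIPs = 0.0.0.0/0 on the WG client
# yields the default route via wg0; the connected eth0 route for the local
# LAN is more specific, so 192.168.1.x never enters the tunnel.
BEFORE: List[Route] = [
    route("192.168.1.0/24", "eth0"),   # local (remote-site) LAN, same as home
    route("10.0.0.0/24", "wg0"),       # assumed tunnel subnet
    route("0.0.0.0/0", "wg0"),         # everything else through the tunnel
]

# The OP's workaround: the connected route is simply deleted. 192.168.1.x now
# goes through the tunnel, but the router has no route at all to its own LAN.
DELETED: List[Route] = [r for r in BEFORE if r[1] != "eth0"]

# The suggested fix: renumber the local LAN so the two sides no longer overlap.
RENUMBERED: List[Route] = [
    route("192.168.10.0/24", "eth0"),
    route("10.0.0.0/24", "wg0"),
    route("0.0.0.0/0", "wg0"),
]


def overlapping_subnets(named: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named subnets that overlap (any overlap is a problem
    for a tunnel: the subnets on either side and the tunnel itself must be unique)."""
    nets = [(name, ipaddress.IPv4Network(cidr)) for name, cidr in named.items()]
    hits = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                hits.append((nets[i][0], nets[j][0]))
    return hits


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("route deleted", DELETED),
                         ("renumbered", RENUMBERED)):
        print(f"{label:14s} 192.168.1.50 -> {lookup(table, '192.168.1.50')}, "
              f"local LAN host 192.168.10.5 -> {lookup(table, '192.168.10.5')}")
    print(overlapping_subnets({"home_lan": "192.168.1.0/24",
                               "remote_lan": "192.168.1.0/24",
                               "tunnel": "10.0.0.0/24"}))
```

Running it shows that 192.168.1.50 leaves via `eth0` before the change and via `wg0` in the other two tables, and that the overlap check flags only the `home_lan`/`remote_lan` pair; with the renumbered LAN, hosts on the local side stay reachable through `eth0` while 192.168.1.x goes home through the tunnel.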