Hello, I'm using a WireGuard server on a Linux container and I want to be able to see which devices are connecting to my local home network through WireGuard. To do this, I disabled the masquerading rule in wg0.conf. However, when I now connect to WireGuard, there's no internet access anymore. I suspect it has something to do with the devices not being routed through the WireGuard container's IP address anymore, but their actual WireGuard IP address (10.x.x.x). I believe I have to give this subnet access to internet but I am not sure how to do that. I know for a fact that they can reach the DNS server because it's hosted on the same machine as the WireGuard server and I can see DNS queries on my Pi-hole coming from devices in the WireGuard subnet.
So now all that's left is allowing the WireGuard subnet to access the internet. I've tried creating a new interface with "static IP address" and entering the WG subnet under IPv4, and then allowing that zone access to wan and wgclient, but unfortunately that didn't work. I also tried creating a new traffic rule with incoming IPv4 and IPv6 from any to wan but that also didn't do the trick.
I hope someone can point me in the right direction to solve this.
I have no idea about network configuration of the WireGuard server on a Linux container you mentioned.
Probably the traffic is blocked by the Linux firewall.
If the container network is NAT, not bridge, you probably have to create a firewall rule (iptables) on the WireGuard server to allow the WireGuard client IP traffic in, or try disabling the server's system firewall temporarily to test. Or switch the container's network to bridge mode; it is easy to configure the firewall.
Some people have also installed the WireGuard server in a container on a Linux machine behind the main router, in bridge mode, and VPN + Internet work well.
The only rule I had was -A POSTROUTING -s WIREGUARD_IP -o eth0 -j MASQUERADE which I now deleted because I don't want the masquerade. I can see the hostnames that are coming in via WireGuard on my Pi-hole but I can't get them to have internet access. So they can access the DNS server, which is on the same subnet as the WG Server, but they can't reach the internet.
I don't think it's the WG server's firewall that's blocking the internet connection (at least I hope), but rather the router because it doesn't know or recognize the subnet.
No, it can't access anything. Only when I re-add the masquerade rule.
Without the masquerade rule, I can’t access or ping local domains like 192.168.x.x or public domains like google.com. I can only ping the subnet gateway (the Linux server that runs WG Server) on 10.x.x.1. The odd thing is, Pi-hole is logging all queries from the WG client even though it can’t access any devices. But this might be because I specified the Pi-hole address in the DNS= field under [Interface].
I saw some posts online that I have to somehow do static routing back to the WG Server if I disable masquerade, and I have tried doing this but I think I'm doing it wrong.
I tried the following rule:
Interface: homelab (linked to the VLAN that the WG Server runs on)
Type: unicast
Target: 10.x.x.0/24
Destination: IP address of the WG Server (192.x.x.x)
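The return-path problem discussed in this thread, as an added example that is not part of any post. It is a small Python model of the two hops a peer's packet crosses once the WireGuard server stops masquerading (WG server, then the home router) and of what happens to the reply. All addresses are constructed and assumed: tunnel subnet 10.8.0.0/24, peer 10.8.0.2, the WG container at 192.168.1.50 on the home VLAN, and 8.8.8.8 standing in for any Internet host. The `Hop` class is a toy, not a real network stack; it only models the pieces that decide whether a reply finds its way back into the tunnel: a route table with longest-prefix match, `net.ipv4.ip_forward`, a FORWARD-chain source check, and MASQUERADE with a conntrack-like table.

```python
import ipaddress

# Constructed addresses for this example (assumed, not taken from the thread):
WG_SUBNET = "10.8.0.0/24"        # tunnel subnet the WireGuard peers use
CLIENT = "10.8.0.2"              # one WireGuard peer
WG_SERVER_LAN = "192.168.1.50"   # the WG container's address on the home VLAN
LAN = "192.168.1.0/24"
PUBLIC_DST = "8.8.8.8"           # any Internet host; only the reply path matters


class Dropped(Exception):
    """Raised when a hop cannot forward the packet."""


class Hop:
    """A forwarding device: route table (prefix -> next-hop label), an
    ip_forward switch, an optional FORWARD-chain source whitelist and an
    optional MASQUERADE address. A toy, not a real stack."""

    def __init__(self, name, routes, forward_from=None, masquerade_to=None, ip_forward=True):
        self.name = name
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        # None = FORWARD policy ACCEPT; a list = only these source prefixes are accepted
        self.forward_from = None if forward_from is None else [ipaddress.ip_network(p) for p in forward_from]
        self.masquerade_to = masquerade_to
        self.ip_forward = ip_forward
        self.nat = {}  # translated source -> original source (a stand-in for conntrack)

    def route(self, dst):
        """Longest-prefix match; None when nothing in the table matches."""
        addr = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, nh) for net, nh in self.routes.items() if addr in net]
        return max(matches)[1] if matches else None

    def forward(self, src, dst, replying=False):
        """Return (src, dst, next_hop) after filtering/NAT, or raise Dropped."""
        if not self.ip_forward:
            raise Dropped(f"{self.name}: net.ipv4.ip_forward=0")
        if replying:
            dst = self.nat.pop(dst, dst)          # un-NAT if we masqueraded the request
        else:
            if self.forward_from is not None and not any(
                    ipaddress.ip_address(src) in n for n in self.forward_from):
                raise Dropped(f"{self.name}: FORWARD chain has no ACCEPT for {src}")
            if self.masquerade_to:                # SNAT: the reply will be addressed to us
                self.nat[self.masquerade_to] = src
                src = self.masquerade_to
        nh = self.route(dst)
        if nh is None:
            raise Dropped(f"{self.name}: no route to {dst}")
        return src, dst, nh


def simulate(masquerade, static_route, forward_rule=True, ip_forward=True):
    """Trace one client packet to the Internet and its reply back.
    Returns 'delivered' or the reason the packet was lost."""
    wg = Hop("wgserver", {WG_SUBNET: "wg0", LAN: "eth0", "0.0.0.0/0": "router"},
             forward_from=[WG_SUBNET] if forward_rule else [],
             masquerade_to=WG_SERVER_LAN if masquerade else None,
             ip_forward=ip_forward)
    router_routes = {LAN: "lan", "0.0.0.0/0": "wan"}
    if static_route:  # equivalent of: ip route add 10.8.0.0/24 via 192.168.1.50
        router_routes[WG_SUBNET] = "wgserver"
    router = Hop("router", router_routes)
    try:
        src, dst, _ = wg.forward(CLIENT, PUBLIC_DST)        # tunnel -> LAN, via default route
        src, dst, nh = router.forward(src, dst)              # LAN -> WAN (router's own WAN NAT not modelled)
        assert nh == "wan"
        # The Internet host answers to whatever source address it saw.
        rsrc, rdst, nh = router.forward(dst, src, replying=True)
        if nh == "wan":
            return f"lost: router has no specific route for {rdst}; reply followed the default route to wan"
        _, rdst, nh = wg.forward(rsrc, rdst, replying=True)  # "lan" and "wgserver" both reach the WG box
        return "delivered" if (nh, rdst) == ("wg0", CLIENT) else f"lost: wgserver routed reply to {nh}"
    except Dropped as why:
        return f"dropped: {why}"


if __name__ == "__main__":
    for args in [dict(masquerade=True, static_route=False),
                 dict(masquerade=False, static_route=False),
                 dict(masquerade=False, static_route=True),
                 dict(masquerade=False, static_route=True, forward_rule=False)]:
        print(args, "->", simulate(**args))
```

The three interesting runs: with MASQUERADE the reply is addressed to 192.168.1.50, which the router already knows, so it works without any route; with MASQUERADE removed and no static route, the reply to 10.8.0.2 matches only the router's default route and leaves via the WAN, which is the "no internet" symptom; with a static route for 10.8.0.0/24 pointing at the WG server's LAN address (the shape of the rule quoted above: target the tunnel subnet, gateway the WG server's IP, on the interface of the VLAN the server sits on) the reply comes back through the WG server and into the tunnel. The fourth run shows that on the WG server itself `net.ipv4.ip_forward=1` and a FORWARD rule accepting traffic from wg0 (plus the usual `ESTABLISHED,RELATED` rule for replies) are still needed even when nothing is masqueraded. The model also matches the Pi-hole observation: DNS queries to a service on the WG host itself never cross the router, so they keep working while everything beyond the host fails.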
I'm not using wgserver from the built-in WireGuard application on the router. I have an extra computer that runs WireGuard server and is on a VLAN connected to the Flint 2. So I don't know how to create this wgserver interface.
I see. This rule is for reference, to add it on the Linux WG server, which automatically adds the 'wgserver' network interface if you enable the WG server, and you probably need to add this firewall rule to accept the traffic from wgserver to your Linux gateway IP.