Stupid WireGuard Mistakes: 1 of N

A New WireGuard Server

I’ve been using WireGuard for a few years now to access my home network. My first WireGuard server was an Ubuntu 18.04 VM that I ran for about 2 years. It worked well and didn’t really need to be updated but I was interested in running the WireGuard server on dedicated hardware instead of a VM.

About 7 months ago (~Jan 2021), I bought a PCEngines apu2e4 and set that up as my dedicated WireGuard server. About that time, OpenBSD 6.8 had been released, which included a kernel driver for WireGuard. I decided I’d migrate to that instead of using Ubuntu again. I’ve always liked the relative stability of OpenBSD and the low maintenance overhead. I got it set up; it seemed to work as expected and I didn’t think too hard about it.

The Trouble

I mentioned I set up the WireGuard server in January of 2021. That was still in the middle of the COVID-19 pandemic and I wasn’t traveling anywhere. I had no need to actually use the WireGuard server regularly, so I hadn’t verified it had all the features set up correctly.

Fast-forward to today, when I was going to be spending some time with family. I’ve been playing with a Kubernetes server on my home network and wanted to continue that while away from home. I went to connect to my VPN and encountered an issue: I couldn’t access the LAN. It was routing to the internet correctly, but I couldn’t access any LAN resources.

The Solution

I started digging around and it seemed like everything was set up correctly. After some more digging, I started wondering about the AllowedIPs line in my client config:

[Interface]
PrivateKey = <REDACTED>
Address = 192.168.3.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 0.0.0.0/0
Endpoint = home.zacbrown.org:43210
PersistentKeepalive = 25

Note that AllowedIPs is set to 0.0.0.0/0. I had thought that this meant to enable accessing all possible IP addresses. In practice, it actually means to send all connections through the WireGuard connection. However, that doesn’t include RFC 1918 addresses unless they’re explicitly specified. So I updated the client config to:

[Interface]
PrivateKey = <REDACTED>
Address = 192.168.3.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 0.0.0.0/0, 192.168.1.0/24
Endpoint = home.zacbrown.org:43210
PersistentKeepalive = 25

With this change, everything started magically working as expected. I must have had this in my old configs and noticed when I migrated to OpenBSD, which doesn’t use wg-quick by default.
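As an added example (not the post's own code), the following Python linter turns this check into something mechanical: it parses a wg-quick style client config and reports LAN prefixes that are covered only by the 0.0.0.0/0 catch-all rather than by an explicit AllowedIPs entry, which is the gap this post closed by hand. The sample config and the 192.168.1.0/24 home LAN are taken from the post; the function names are my own.

```python
import ipaddress

# Constructed sample input: the client config from the post, keys redacted as in the post.
CLIENT_CONF = """\
[Interface]
PrivateKey = <REDACTED>
Address = 192.168.3.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 0.0.0.0/0
Endpoint = home.zacbrown.org:43210
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Parse a wg-quick style INI file into a list of (section_name, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def allowed_networks(sections):
    """Collect every AllowedIPs prefix across all [Peer] sections."""
    nets = []
    for name, keys in sections:
        if name == "Peer" and "AllowedIPs" in keys:
            nets += [ipaddress.ip_network(c.strip(), strict=False)
                     for c in keys["AllowedIPs"].split(",")]
    return nets

def missing_lan_routes(text, lan_networks=("192.168.1.0/24",)):
    """Return LAN prefixes not listed explicitly, i.e. covered only by a /0 catch-all."""
    nets = allowed_networks(parse_wg_conf(text))
    missing = []
    for lan in map(ipaddress.ip_network, lan_networks):
        explicit = any(n.version == lan.version and n.prefixlen > 0
                       and lan.subnet_of(n) for n in nets)
        if not explicit:
            missing.append(str(lan))
    return missing
```

Running missing_lan_routes(CLIENT_CONF) on the original config reports ['192.168.1.0/24']; with the corrected AllowedIPs line it reports nothing.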

Posted on 2021-07-24