
I'd like to set up WireGuard in Windows 10 using IP forwarding.

I've got a Windows 10 node ("server") which is connected to two LANs (by two interfaces).

  • LAN 1: 10.0.0.0/24 (public, routable, but stated here as RFC1918 for privacy reasons)
  • LAN 2: 172.16.0.0/23

I'd like to allow other nodes from LAN 1 to access LAN 2. To this end, I've set up WireGuard like so:

# Server config
[Interface]
PrivateKey = ...
ListenPort = 55357
Address = 192.168.35.1/24

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 192.168.35.7/32

My (Windows 10) testing client's config file is:

# Testing client config
[Interface]
PrivateKey = ...
ListenPort = 55357
Address = 192.168.35.7/24

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 192.168.35.1/32, 172.16.0.0/23
Endpoint = server.example.com:55357

When I start both tunnel ends, they connect successfully. I can ping the tunnel-internal IP addresses from both ends.

On the client, AFAICS, route print yields the needed route:

[...]
Network Destination     Netmask      Gateway         Interface Metric
[...]
172.16.0.0        255.255.254.0      On-link      192.168.35.7      5
172.16.1.255    255.255.255.255      On-link      192.168.35.7    261
192.168.35.0      255.255.255.0      On-link      192.168.35.7    261
192.168.35.1    255.255.255.255      On-link      192.168.35.7      5
192.168.35.7    255.255.255.255      On-link      192.168.35.7    261
192.168.35.255  255.255.255.255      On-link      192.168.35.7    261
[...]

On the server, I enabled forwarding as per this ServerFault question so that my interface list looks like this:

Get-NetIPInterface|select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding | Sort-Object -Property IfIndex | Format-Table

    ifIndex InterfaceAlias              AddressFamily ConnectionState Forwarding
------- --------------              ------------- --------------- ----------
      1 Loopback Pseudo-Interface 1          IPv6       Connected   Disabled
      1 Loopback Pseudo-Interface 1          IPv4       Connected   Disabled
      4 LAN 2                                IPv4       Connected    Enabled
     15 LAN 1                                IPv4       Connected   Disabled
     21 VPN_Adapter                          IPv6       Connected    Enabled
     21 VPN_Adapter                          IPv4       Connected    Enabled

With forwarding set up, I can also ping the server's own address in LAN 2 from the client successfully, but I cannot reach any of the other nodes in LAN 2.

On the server, Windows Firewall is enabled on LAN 2 but disabled on LAN 1 (administrative decision outside of my competence).

What else do I need to configure so that nodes in LAN 1 can reach LAN 2 through the tunnel?

chr0n0ss

1 Answer


As it turns out, enabling forwarding on both interfaces using

Set-NetIPInterface -ifindex <interface index> -Forwarding Enabled

from the above-mentioned article suffices, as I could find out using the excellent Wireshark. I had messed up the AllowedIPs setting, which led to packets in one direction being discarded by WireGuard (subnet 172.16.0.0/20 instead of /23).

chr0n0ss
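To make the direction-dependent drop described in the answer concrete, here is an added Python model of WireGuard's cryptokey routing (not code from the post or from WireGuard itself): the peer tables mirror the two configs in the question, while the LAN 2 host 172.16.0.5 and the extra LAN 1 host 10.0.0.5 are constructed values.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed peer tables mirroring the two configs in the question:
# peer name -> that peer's AllowedIPs, as seen from the local side.
SERVER_PEERS: Dict[str, List[str]] = {"client": ["192.168.35.7/32"]}
CLIENT_PEERS: Dict[str, List[str]] = {"server": ["192.168.35.1/32", "172.16.0.0/23"]}


def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound cryptokey routing: the peer whose AllowedIPs contain dst by
    longest prefix. None means no peer matches and the packet never enters
    the tunnel at all."""
    addr = ipaddress.ip_address(dst)
    best: Optional[tuple] = None
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Inbound cryptokey routing: a decrypted packet from `peer` is kept only if
    its source address lies inside that peer's AllowedIPs; otherwise it is
    dropped silently, which is the one-directional loss visible in Wireshark."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in peers[peer])


def round_trip(client_src: str, lan2_dst: str) -> Dict[str, object]:
    """Trace one request from the client side and the reply from LAN 2 through
    both peer tables, reporting where (if anywhere) the packet is discarded."""
    out = select_peer(CLIENT_PEERS, lan2_dst)
    req_ok = out == "server" and accept_inbound(SERVER_PEERS, "client", client_src)
    back = select_peer(SERVER_PEERS, client_src)
    rep_ok = back == "client" and accept_inbound(CLIENT_PEERS, "server", lan2_dst)
    return {"request_peer": out, "request_accepted": req_ok,
            "reply_peer": back, "reply_accepted": rep_ok}


if __name__ == "__main__":
    # Tunnel-sourced traffic to a constructed LAN 2 host passes in both directions.
    print(round_trip("192.168.35.7", "172.16.0.5"))
    # Traffic the client forwards for another (constructed) LAN 1 host is
    # encrypted and sent, but the server drops it: 10.0.0.5 is not inside the
    # server's AllowedIPs for the client peer, so the reply leg never happens.
    print(round_trip("10.0.0.5", "172.16.0.5"))
    # A destination outside 172.16.0.0/23 never enters the tunnel at all.
    print(round_trip("192.168.35.7", "172.16.2.1"))
```

Whenever Wireshark shows encrypted packets leaving one end and nothing emerging at the other, comparing the source address against the receiving side's AllowedIPs, as this model does, is the first check to make.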