I'd like to set up WireGuard in Windows 10 using IP forwarding.
I've got a Windows 10 node ("server") which is connected to two LANs (by two interfaces).
- LAN 1: 10.0.0.0/24 (public, routable, but stated here as RFC1918 for privacy reasons)
- LAN 2: 172.16.0.0/23
I'd like to allow other nodes from LAN 1 to access LAN 2. To these ends, I've set up WireGuard like so:
# Server config
[Interface]
PrivateKey = ...
ListenPort = 55357
Address = 192.168.35.1/24
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 192.168.35.7/32
My (Windows 10) testing client's config file is:
# Testing client config
[Interface]
PrivateKey = ...
ListenPort = 55357
Address = 192.168.35.7/24
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 192.168.35.1/32, 172.16.0.0/23
Endpoint = server.example.com:55357
When I start both tunnel ends, they connect successfully. I can ping the tunnel-internal IP addresses from both ends.
On the client, AFAICS, route print yields the needed route:
[...]
Network Destination        Netmask          Gateway       Interface  Metric
[...]
         172.16.0.0    255.255.254.0          On-link   192.168.35.7       5
       172.16.1.255  255.255.255.255          On-link   192.168.35.7     261
       192.168.35.0    255.255.255.0          On-link   192.168.35.7     261
       192.168.35.1  255.255.255.255          On-link   192.168.35.7       5
       192.168.35.7  255.255.255.255          On-link   192.168.35.7     261
     192.168.35.255  255.255.255.255          On-link   192.168.35.7     261
[...]
On the server, I enabled forwarding as per this ServerFault question so that my interface list looks like this:
Get-NetIPInterface|select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding | Sort-Object -Property IfIndex | Format-Table
ifIndex InterfaceAlias               AddressFamily ConnectionState Forwarding
------- --------------               ------------- --------------- ----------
      1 Loopback Pseudo-Interface 1  IPv6          Connected       Disabled
      1 Loopback Pseudo-Interface 1  IPv4          Connected       Disabled
      4 LAN 2                        IPv4          Connected       Enabled
     15 LAN 1                        IPv4          Connected       Disabled
     21 VPN_Adapter                  IPv6          Connected       Enabled
     21 VPN_Adapter                  IPv4          Connected       Enabled
With forwarding set up, I can also ping the server's own address in LAN 2 from the client successfully, but I cannot reach any of the other nodes in LAN 2.
On the server, Windows Firewall is enabled on LAN 2 but disabled on LAN 1 (administrative decision outside of my competence).
What else do I need to configure so that nodes in LAN 1 can reach LAN 2 through the tunnel?
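As an added illustration (not part of the question above), the following model walks a packet through the three decisions this setup relies on: the client's AllowedIPs (which destinations get encapsulated), the server's AllowedIPs (which decrypted sources are accepted), and the server's per-interface forwarding state. The configs and forwarding table are taken from the question; the server's own LAN 2 address (172.16.0.1) is an assumption, since it is not given.

```python
from ipaddress import ip_address, ip_network

# Constructed from the configs and tables in the question above.
CLIENT_ALLOWED_IPS = ["192.168.35.1/32", "172.16.0.0/23"]  # client's [Peer] AllowedIPs
SERVER_ALLOWED_IPS = ["192.168.35.7/32"]                    # server's [Peer] AllowedIPs
SERVER_LAN2 = ip_network("172.16.0.0/23")
SERVER_LAN2_ADDR = ip_address("172.16.0.1")  # assumed: the server's LAN 2 address is not given
# Forwarding column of Get-NetIPInterface (IPv4 rows)
SERVER_FORWARDING = {"LAN 1": False, "LAN 2": True, "VPN_Adapter": True}


def longest_match(prefixes, addr):
    """Cryptokey routing: the most specific AllowedIPs prefix containing addr, or None."""
    a = ip_address(addr)
    hits = [ip_network(p) for p in prefixes if a in ip_network(p)]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def trace_client_to_lan2(src, dst):
    """Follow a packet from the client toward LAN 2; returns (delivered, reason)."""
    # Client: only destinations inside the peer's AllowedIPs are encapsulated.
    if longest_match(CLIENT_ALLOWED_IPS, dst) is None:
        return False, "client: dst not in AllowedIPs, never enters the tunnel"
    # Server: a decrypted packet is dropped unless its source is inside that peer's AllowedIPs.
    if longest_match(SERVER_ALLOWED_IPS, src) is None:
        return False, "server: src not in peer AllowedIPs, dropped"
    if ip_address(dst) == SERVER_LAN2_ADDR:
        return True, "server: delivered locally, no forwarding involved"
    if ip_address(dst) in SERVER_LAN2:
        # Forwarding must be enabled on both the ingress (tunnel) and egress (LAN 2) interface.
        if not (SERVER_FORWARDING["VPN_Adapter"] and SERVER_FORWARDING["LAN 2"]):
            return False, "server: forwarding disabled on ingress or egress interface"
        return True, "server: forwarded out LAN 2"
    return False, "server: no route for dst"


def reply_enters_tunnel(dst):
    """Return path at the server: a reply is encapsulated only if dst matches the peer's
    AllowedIPs. It must reach the server first, which requires LAN 2 hosts to have a route
    for 192.168.35.0/24 via the server; the question does not show that part."""
    return longest_match(SERVER_ALLOWED_IPS, dst) is not None


if __name__ == "__main__":
    for dst in ("172.16.0.1", "172.16.1.200", "10.0.0.5"):
        print(dst, trace_client_to_lan2("192.168.35.7", dst))
    print("reply to client tunneled:", reply_enters_tunnel("192.168.35.7"))
```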