
I have set up a WireGuard server and client.

Server - Ubuntu 18.04

Client - Windows 11 (x64)

WireGuard Interface Subnet - 10.200.1.0/24

WireGuard Server IP - 10.200.1.27/24

server.conf

```
[Interface]
Address = 10.200.1.27/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820
PrivateKey = WHnFUoljugAbX3XkmHg2TmZH4k2ptbX0N1xB7cruN2g=

[Peer]
PublicKey = *********
AllowedIPs = 10.200.1.72/32, 192.168.1.0/24
Endpoint = ********:63587

[Peer]
PublicKey = ********
AllowedIPs = 10.200.1.71/32
Endpoint = ********:10295
```

The WireGuard client is in the home network 192.168.1.0/24, and the Windows 11 machine has the IP address 192.168.1.25.

Windows 11 WireGuard client config

```
[Interface]
Address = 10.200.1.72/24
ListenPort = 63587
PrivateKey = *******

[Peer]
PublicKey = ********
AllowedIPs = 10.200.1.0/24
Endpoint = *******:51820
PersistentKeepalive = 30
```

Problem

From another peer I am able to ping 192.168.1.25, but I also have a macOS machine running on IP 192.168.1.6, and I am unable to ping the MacBook.

I even tried adding a route on Windows:

```
route add -p 192.168.1.0 mask 255.255.255.0 10.200.1.72
```

From the other peer, if I ping after adding the above route, the ICMP response is:

```
FROM 10.200.1.72: icmp_seq=1 Redirect Network(New nexthop: 192.168.1.6)
```

Can someone please guide me on what to do, as I have run out of thoughts.

Matrix
  • Is the MacBook allowing ICMP to its interface? Can you scan the ports open on the MacBook IP from the Windows client when connected to the VPN? Can they ping each other when disconnected from the VPN on the same subnet? – Pimp Juice IT Sep 04 '22 at 03:31
  • Yes, they can ping each other when disconnected from the VPN. Also, I tried doing a tcpdump on the MacBook; I am receiving ICMP on the MacBook as shown below.

    ```
    00:57:56.886714 IP 10.200.1.71 > 192.168.1.6: ICMP echo request, id 22137, seq 1, length 64
    00:57:56.886773 IP 192.168.1.6 > 10.200.1.71: ICMP echo reply, id 22137, seq 1, length 64
    ```

    – Matrix Sep 05 '22 at 07:10
  • I believe the MacBook is trying to send the packet back to 10.200.1.71, which means that for the MacBook this IP address is unknown, because the WG gateway is running on the Windows machine. I feel that when the packet is sent from 192.168.1.25 (the Windows machine) it needs to be NATed; I am not sure how to do this. – Matrix Sep 05 '22 at 07:13
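The comments above narrow the problem to the return path: the tcpdump shows the echo request reaching the MacBook and the reply leaving toward 10.200.1.71, an address the home LAN knows nothing about. The following script is an added example, not code from the question or from the WireGuard project. It parses a copy of the posted server.conf (keys replaced by labels, since routing decisions never need key material) and models WireGuard's cryptokey routing: outbound, a packet is encrypted to the peer whose AllowedIPs hold the longest matching prefix; inbound, a decrypted packet is delivered only if its source lies in the sending peer's AllowedIPs, so AllowedIPs is also an anti-spoofing ACL. It then applies the same longest-prefix lookup to a constructed routing table for the MacBook to show where the reply goes without and with a route for the tunnel subnet. The MacBook's default gateway address 192.168.1.1 and the `with_wg_route` fix are assumptions for illustration; the question does not state them.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed copy of the server.conf from the question with the keys replaced
# by labels; routing decisions never need the key material.
SERVER_CONF = """\
[Interface]
Address = 10.200.1.27/24
ListenPort = 51820

[Peer]
PublicKey = PEER_WINDOWS
AllowedIPs = 10.200.1.72/32, 192.168.1.0/24

[Peer]
PublicKey = PEER_OTHER
AllowedIPs = 10.200.1.71/32
"""


@dataclass
class Peer:
    public_key: str = ""
    allowed_ips: list = field(default_factory=list)


def parse_wg_conf(text):
    """Minimal parser for WireGuard's INI-style config.

    Returns (interface_settings, peers). '#' comments and blank lines are
    skipped; values split on the first '=' only, so base64 keys that end in
    '=' survive intact.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(Peer())
            current = peers[-1]
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if isinstance(current, Peer):
                if key == "PublicKey":
                    current.public_key = value
                elif key == "AllowedIPs":
                    current.allowed_ips += [ipaddress.ip_network(v.strip(), strict=False)
                                            for v in value.split(",")]
            else:
                interface[key] = value
    return interface, peers


def longest_prefix_match(entries, addr):
    """Target of the most specific (network, target) entry containing addr, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, target in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def egress_peer(peers, dst):
    """Outbound cryptokey routing: encrypt to the peer whose AllowedIPs hold the
    longest prefix for dst; no match means WireGuard drops the packet."""
    entries = [(net, peer) for peer in peers for net in peer.allowed_ips]
    return longest_prefix_match(entries, dst)


def ingress_allowed(peer, src):
    """Inbound cryptokey routing: a decrypted packet from peer is delivered only
    if its source address is inside that peer's AllowedIPs (the ACL side of
    AllowedIPs: a peer cannot inject traffic with source addresses it does not own)."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peer.allowed_ips)


# Constructed routing table for the MacBook (192.168.1.6): a connected route for
# the LAN and a default route. The gateway 192.168.1.1 is an assumption.
MACBOOK_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "on-link"),
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1"),
]


def reply_next_hop(routes, dst):
    """Where the LAN host forwards its echo reply addressed to dst."""
    return longest_prefix_match(routes, dst)


def with_wg_route(routes, wg_subnet="10.200.1.0/24", via="192.168.1.25"):
    """Assumed fix for comparison: the MacBook's table after a static route for the
    tunnel subnet via the Windows client (the alternative is NAT on the Windows
    client, so the MacBook only ever sees 192.168.1.25 as the source)."""
    return routes + [(ipaddress.ip_network(wg_subnet), via)]


if __name__ == "__main__":
    _, peers = parse_wg_conf(SERVER_CONF)
    print("server sends 192.168.1.6 via peer", egress_peer(peers, "192.168.1.6").public_key)
    print("MacBook reply to 10.200.1.71 goes to", reply_next_hop(MACBOOK_ROUTES, "10.200.1.71"))
    print("...after adding a tunnel route:", reply_next_hop(with_wg_route(MACBOOK_ROUTES), "10.200.1.71"))
```

Running it shows the asymmetry behind the tcpdump in the comments: the server correctly picks the Windows peer for 192.168.1.6 (its AllowedIPs carry the /24), but the MacBook's reply to 10.200.1.71 matches only the default route and is handed to the home router, which has no path into the tunnel. Either a route for 10.200.1.0/24 via 192.168.1.25 on the LAN side or source NAT on the Windows client closes the loop; the ingress check also shows why the `192.168.1.0/24` entry belongs only on the Windows peer, since any peer listed with that prefix could emit packets sourced from the LAN.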

0 Answers