Wireguard Allowed IPs problem
Wireguard server setup, with client profiles created and installed on Windows laptops. Office with Firewalla/Wireguard server is location A with IP range of 192.168.101.x, and home test environment is location B with IP range of 192.168.111.x.
When client profile is installed, the Peer Allowed IPs defaults to 0.0.0.0/0 and the laptop cannot access any local or remote resources (network drives, printers, etc.) when Wireguard connection is active. I have a very basic understanding of this from googling around, and I then put in Allowed IPs of:
192.168.101.0/24, 192.168.111.0/24
This allows the laptop to connect to both local/remote resources with the Wireguard profile enabled. The problem is when the laptop is taken to another outside location, maybe somewhere with an IP range of 192.168.0.x or 192.168.100.x, etc. Employees need to be able to use their laptops in the main office and at home/in the field, and have no admin access to turn the Wireguard profile on/off.
Is there a way to allow for this with Allowed IPs or another method? Like some sort of "catch-all" allowed IP range?
-
So you have WireGuard server at two locations with unique subnets at both? Each server will be a separate profile for each device.
The 0.0.0.0/0 should put all traffic through the VPN. If you want to limit only the traffic for the subnet to the VPN, put the IP range. No need to combine subnets for both networks in the profile as the profile will only work for one site or the other.
The subnet must be unique and as far as I know, there’s no way to avoid a conflict when a client is connecting from a network with the same IP range.
-
Michael,
Only have a Wireguard server running on Firewalla Gold Plus at location A. The only thing I've been able to do to get it working so far is the:
Allowed IPs: 192.168.111.0/24, 192.168.101.0/24
The 192.168.111.0/24 covers my home network when I'm there, but I'm trying to allow local resources if I'm somewhere else. I've tried things like:
0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
But then I lose internet access for some reason when within the Firewalla network when Wireguard is enabled.
-
Basically, the problem I'm having is Wireguard is always on, so when employees are in the local office, the same office that the Firewalla/Wireguard server is on, they cannot access either local resources or the internet. I've tried different combinations in Allowed IPs, and things work fine outside of the Firewalla LAN, but within there are issues. Most of this comes down to the Windows laptops having domain users without admin access, so they cannot get to/turn off the Wireguard connection.
-
I couldn't find a working solution to this. I followed some guides to allow the OG Wireguard client to work with non-admin accounts, but it's not working in my instance. I ended up downloading WireSock and WireSockUI and am using that. It allows non-admin users to start/stop the Wireguard VPN service, so employees in the office can shut it off and still access resources. If somebody else has a better solution, let me know, thanks.
-
When client profile is installed, the Peer Allowed IPs defaults to 0.0.0.0/0 and the laptop cannot access any local or remote resources (network drives, printers, etc.) when Wireguard connection is active.
So on your device, you should have two WireGuard Profiles.
Office: 192.168.101.x
Home: 192.168.111.x.
Inside each Profile will be an Endpoint which is your firewalla DDNS address by default.
I have a very basic understanding of this from googling around, and I then put in Allowed IPs of:
192.168.101.0/24, 192.168.111.0/24
In Allowed IPs, it will default to this:
AllowedIPs=0.0.0.0/0
Meaning all traffic should go through the VPN Server.
If you use
AllowedIPs=192.168.111.0/24
Only traffic to that network will go through the VPN. All other traffic will use your network connection directly.
AllowedIPs=192.168.111.0/24,192.168.101.x
Would not make sense unless both of those networks were on one firewalla.
Employees need to be able to use their laptops in the main office and at home/in the field, and have no admin access to turn the Wireguard profile on/off.
I would not advise this. If they are on a network that happens to use the same IP range it will cause all kinds of problems. Typically they can't control that, so they should be able to disable VPN.
The 192.168.111.0/24 covers my home network when I'm there, but I'm trying to allow local resources if I'm somewhere else. I've tried things like:
0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
AllowedIPs=0.0.0.0/0
Covers all (IPv4) internet traffic. If you need IPv6 there's an additional piece.
But then I lose internet access for some reason when within the Firewalla network when Wireguard is enabled.
It is really inefficient to run a VPN back to the network you are currently connected to. This is another reason you typically don't want to force VPN always.
Given the scenario you describe, you may want to try a different approach instead of VPN. There are a few vendors out there that do similar things, but I noticed this post recently https://help.firewalla.com/hc/en-us/community/posts/29259716598035-SSH-No-Ports?page=1#community_comment_29279101867795
In short, this allows a device to connect from anywhere securely back to a network without VPN and it works without opening any ports (and doesn't require a public or static IP).
-
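The routing behaviour described in the two replies above (a /24 entry sends only that subnet through the tunnel, 0.0.0.0/0 sends everything, and a network that reuses the same IP range clashes with the profile) can be modelled in a few lines. The script below is an added Python illustration, not code from this thread, from Firewalla or from WireGuard. It applies longest-prefix matching the way a host routing table does, treats a /0 entry as switching on the Windows client's "Block untunneled traffic (kill-switch)" behaviour (an assumption about that client, controlled by the `windows_kill_switch` flag), and uses constructed subnets and destinations that mirror the thread: office 192.168.101.0/24, home 192.168.111.0/24, and an arbitrary third-party LAN 192.168.0.0/24.

```python
"""Model the client-side routing decision WireGuard's AllowedIPs produce.

Added illustration only (not Firewalla or WireGuard code). All subnets and
destinations below are constructed to mirror the thread.
"""
import ipaddress


def parse_allowed_ips(allowed):
    """Split an AllowedIPs value ("a, b, c") into ip_network objects.
    A bare address without a prefix length is taken as a host route,
    which is how WireGuard itself reads it."""
    nets = []
    for item in allowed.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def has_default_route(nets):
    """True when AllowedIPs contains 0.0.0.0/0 or ::/0."""
    return any(n.prefixlen == 0 for n in nets)


def route_for(dest, allowed, lan_subnet, windows_kill_switch=True):
    """Where does a packet to `dest` go while the tunnel is up?

    Returns "tunnel", "local", "blocked" or "ambiguous". The model:
    - the client installs one route per AllowedIPs entry, pointing into the tunnel;
    - the OS already has a connected route for the LAN the laptop sits on;
    - longest prefix wins (a /24 beats 0.0.0.0/1, which beats 0.0.0.0/0);
    - equal prefix lengths (the same range on both sides) come back as
      "ambiguous", because the winner then depends on interface metrics,
      not on the config;
    - with windows_kill_switch=True (assumed Windows-client behaviour), a /0
      entry blocks every untunnelled packet, so a LAN destination that would
      win on prefix length is reported as "blocked" instead of "local".
    """
    dest = ipaddress.ip_address(dest)
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    nets = parse_allowed_ips(allowed)

    candidates = []  # (prefix length, where that route points)
    if dest.version == lan.version and dest in lan:
        candidates.append((lan.prefixlen, "local"))
    for net in nets:
        if dest.version == net.version and dest in net:
            candidates.append((net.prefixlen, "tunnel"))

    kill_switch = windows_kill_switch and has_default_route(nets)
    if not candidates:
        # Falls to the OS default route: plain internet via the current network.
        return "blocked" if kill_switch else "local"

    best = max(plen for plen, _ in candidates)
    winners = {where for plen, where in candidates if plen == best}
    if len(winners) > 1:
        return "ambiguous"
    winner = winners.pop()
    if winner == "local" and kill_switch:
        return "blocked"
    return winner


def lan_overlaps_allowed(allowed, lan_subnet):
    """List the AllowedIPs entries that overlap the network the laptop is on now.
    A non-empty result is the same-IP-range clash both replies warn about."""
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    return [str(n) for n in parse_allowed_ips(allowed)
            if n.version == lan.version and n.overlaps(lan)]


if __name__ == "__main__":
    # Constructed scenarios: office 192.168.101.0/24, home 192.168.111.0/24.
    split = "192.168.101.0/24, 192.168.111.0/24"
    cases = [
        ("192.168.101.5", split, "192.168.111.0/24"),                   # home -> office share
        ("1.1.1.1", split, "192.168.111.0/24"),                         # internet goes direct
        ("192.168.0.20", "0.0.0.0/0", "192.168.0.0/24"),                # full tunnel on a third-party LAN
        ("192.168.0.20", "0.0.0.0/1, 128.0.0.0/1", "192.168.0.0/24"),   # /1 split: LAN stays local
    ]
    for dest, allowed, lan in cases:
        print(f"{dest:15} AllowedIPs={allowed!r:40} on {lan}: {route_for(dest, allowed, lan)}")
    print("overlap if another site also uses 192.168.101.0/24:",
          lan_overlaps_allowed(split, "192.168.101.0/24"))
```

Two things the model makes visible: with 0.0.0.0/0 the only reason LAN printers and shares disappear on Windows is the untunnelled-traffic block, not the route itself (the connected /24 is still more specific), and the 0.0.0.0/1, 128.0.0.0/1 pair the poster tried still covers every IPv4 address while leaving the LAN route as the longest match. `lan_overlaps_allowed` is the check to run before handing out a profile that lists a site subnet: any overlap with the network the laptop joins is the clash neither AllowedIPs entry can resolve.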
Hi Aaron Garcia,
We have a setup guide for the WireGuard VPN Server that might help: https://help.firewalla.com/hc/en-us/articles/1500004087521-WireGuard-VPN-Server-Configuration
Are you running into any specific issues with the setup? We'd be happy to help.