Posted: Tue Jan 25, 2022 10:23 Post subject: How to exclude a single local ipv4 device from a WG tunnel
Hi all, I have a home server I use to host my nextcloud, and searx. I also followed the Idiot's Guide to Configuring Wireguard - Client Tunnel. Unfortunately the tunnel and my server don't get along nice because the server is then routed through Mullvad. In the webadmin GUI I enabled advanced settings, turned on Source Routing (PBR) and put the local ipv4 of the device in the source for PBR box. This slightly fixed the issue by allowing me to access the server, however searx is still broken (won't pull data from google servers), and nextcloud will load a few images on the webpage, and give up. Using a Netgear XR500 on firmware version DD-WRT v3.0-r47874 std (12/18/21) if this helps.
Also unrelated, but apparently I had an account I forgot to activate, username Jinux, and I'm not really sure what to do because it says I can't log in because the account is inactive, and I don't have the activation email anymore.
How to setup is described in the WireGuard Client setup guide links in my signature at the bottom.
Furthermore set KeepAlive to 25.
However unless you also added the killswitch that might not solve your problem.
Problem is I do not use Nextcloud nor searx, are they both running on a LAN client?
I assume at least Nextcloud is running on a LAN client and you have port forwarded to that client.
As traffic comes in via the WAN it also has to go out via the WAN and not via the VPN, so you have to use Policy Based Routing.
You can do it the way you are doing it now so only route one IP address (the Nextcloud server) via the WAN and that should work.
However all other traffic will use the VPN (including your router).
You can also reverse this and let only some clients use the VPN.
So you can try that, choose "Route selected sources via the VPN" and add only those clients which you want to use the VPN.
In reply to egc,
I followed your guide and it was way easier than the guide I followed originally lol. Unfortunately it still appears something is blocking the server from sending all the data it needs to.
Nextcloud and Searx are both running in a Yunohost container (a debian distro) on my Dell Optiplex. It's plugged into the ethernet on the router directly, and all the ports are forwarded. I'm new to home networking so I apologize if I sound ignorant when I'm describing things.
Joined: 18 Mar 2014 Posts: 9568 Location: Netherlands
Posted: Wed Jan 26, 2022 7:19 Post subject:
First of all I would not use IPv6 with WireGuard as that can have unwanted effects.
Just disable the WG tunnel (settings are retained) to see if it is actually working, there could be all kinds of leftovers from your earlier installation (so even a full reset and rebuild from scratch might be considered).
As the VM can have its own IP address using only the Dell's IP address might not be enough, also DNS might play a role.
So try reversing the PBR, re-enable the tunnel and choose
"Route selected sources via the VPN"
As source IP address add an IP address which is outside the DHCP range and not used e.g. 192.168.1.13, this is just for testing as anything besides this address is still routed via the WAN.
Also enable Split DNS.
If everything is still working add your IP addresses you want to use the VPN to the PBR box, use CIDR notation as outlined in the WireGuard Client setup guide.
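As an added illustration (not DD-WRT's own scripts, nor code from egc's guide), the script below emits the plain Linux policy-routing and conntrack-marking commands that the two PBR modes discussed in the posts above map to: "route selected sources via the VPN" (everything else, including the router, stays on the WAN) and its reverse, "route selected sources via the WAN" (everything else goes through the tunnel). It also shows the piece egc points at for port-forwarded services: a connection that arrives on the WAN is marked so its replies leave on the WAN even when the LAN host would otherwise be tunnelled. It prints the commands instead of applying them, so it runs without root; the interface names (wg0, eth0), table numbers 200/201, the LAN prefix 192.168.1.0/24, the placeholder WAN gateway 203.0.113.1 and the mark value 0x10 are all assumptions, and the CIDR check mirrors the guide's requirement that single hosts be written as /32.

```shell
#!/bin/sh
# Illustration only: print the policy-routing commands for WireGuard PBR.
# Assumed names/values (override via environment): wg0, eth0, tables 200/201,
# LAN 192.168.1.0/24, WAN gateway 203.0.113.1 (TEST-NET-3 placeholder), mark 0x10.
WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-203.0.113.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_TABLE=200   # table whose default route is the tunnel
WAN_TABLE=201   # table whose default route is the WAN
WAN_MARK=0x10   # conntrack/packet mark for connections that arrived on the WAN

# is_cidr: accept a.b.c.d/nn only (a bare address without /32 is rejected,
# matching the "use CIDR notation" advice for the PBR box).
is_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# pbr_commands MODE SOURCE...
#   vpn : route the listed sources via the VPN, everything else via the WAN
#   wan : route everything via the VPN except the listed sources
# Prints the commands on success; prints nothing and returns 1 on bad input.
pbr_commands() {
    mode="$1"; shift
    case "$mode" in
        vpn|wan) ;;
        *) echo "mode must be vpn or wan" >&2; return 1 ;;
    esac
    for src in "$@"; do
        is_cidr "$src" || { echo "bad CIDR (expected a.b.c.d/nn): $src" >&2; return 1; }
    done

    # Two extra tables: one defaults to the tunnel, one to the WAN.
    echo "ip route replace default dev $WG_IF table $VPN_TABLE"
    echo "ip route replace default via $WAN_GW dev $WAN_IF table $WAN_TABLE"

    # Rule 100: anything destined for the LAN uses the main table's connected
    # route, so inbound forwarded packets are never thrown at a default route.
    echo "ip rule add to $LAN_NET lookup main prio 100"

    # Rule 900: replies belonging to a connection that entered on the WAN go
    # back out the WAN, whatever the LAN host's PBR placement. The mark is set
    # on the connection when it is NEW on the WAN and restored onto every
    # later packet of that connection (the LAN host's replies included).
    echo "iptables -t mangle -A PREROUTING -i $WAN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $WAN_MARK"
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    echo "ip rule add fwmark $WAN_MARK lookup $WAN_TABLE prio 900"

    case "$mode" in
        vpn)
            # Main table keeps the WAN default; only listed sources consult the VPN table.
            echo "ip route replace default via $WAN_GW dev $WAN_IF"
            for src in "$@"; do
                echo "ip rule add from $src lookup $VPN_TABLE prio 1000"
            done ;;
        wan)
            # Main table default is the tunnel; listed sources are diverted to
            # the WAN table before the main table is consulted.
            echo "ip route replace default dev $WG_IF"
            for src in "$@"; do
                echo "ip rule add from $src lookup $WAN_TABLE prio 1000"
            done ;;
    esac
}

# Demo when run directly: the test setup from the post above (an unused
# 192.168.1.13 as the only source routed via the VPN).
if [ -n "${PBR_DEMO:-}" ]; then
    pbr_commands vpn 192.168.1.13/32
fi
```

Run with `PBR_DEMO=1 sh pbr.sh` to see the command list for the "one test address via the VPN" experiment; the output is meant to be read, or piped into `sh` on a router where the assumed names match. Rule priorities matter: the LAN and fwmark rules sit above the per-source rules so that a port-forwarded connection to a tunnelled host still answers on the WAN, which is the symptom egc describes when a server sits behind a full-tunnel default route.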
Routing my personal laptop through VPN works, and allows the server to work. Disabling the tunnel also works. However when I only exclude the PC from the VPN it doesn't work. It's not in a virtual machine or anything, it's running on bare metal. At this point I'm not really sure what to do other than suffer by having to manually input every device on the network but the server.