Wireguard Networking Help

My company is setting up a frontend for an HVAC network. We have been given our own VLAN for our equipment, but the client does not want the web server on their network and will not allow any incoming connections. My boss has been working with their IT for a while trying to come up with a solution. I figured I would try to come up with my own solution to help out, and if I got something working I would show him. So I started messing with wireguard. I set up a test network that mimics how the network will be set up.

I have wireguard set up on both the windows server and the wireguard server and I can ping both ways. I can also ping anything on network 1 from the windows server, but I can’t ping the windows server from any device on network 1. I need devices 1-3 to be able to talk to the windows server and vice versa. Wireguard configs below; any help would be appreciated.

Wireguard Server Config:
[Interface]
Address = 192.168.1.5/32
SaveConfig = true
PrivateKey = WG_SERVER_PRIVATE_KEY_GOES_HERE

[Peer]
PublicKey = WINDOWS_SERVER_PUBLIC_KEY_GOES_HERE
AllowedIPs = 192.168.1.4/32
Endpoint = 10.0.1.70:51820
PersistentKeepalive = 25

I also ran the following iptables commands on the wireguard server:
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Windows Server Config:
[Interface]
PrivateKey = WINDOWS_SERVER_PRIVATE_KEY_GOES_HERE
ListenPort = 51820
Address = 192.168.1.4/32
DNS = 1.1.1.1

[Peer]
PublicKey = WG_SERVER_PUBLIC_KEY_GOES_HERE
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1

Don’t give the wireguard tunnels the same IP as your LAN.

Give them separate IPs, then set up routing rules on your router so devices know it exists in your network.

Also, interface addresses need to be in /24 (or a different number if you want more or fewer tunnels).

Wireguard interface:

[Interface]
Address = 10.20.1.1/24
SaveConfig = true
PrivateKey = WG_SERVER_PRIVATE_KEY_GOES_HERE

[Peer]
PublicKey = WINDOWS_SERVER_PUBLIC_KEY_GOES_HERE
AllowedIPs = 10.20.1.2/32
Endpoint = [WINDOWS_SERVER_WAN_IP]:51820
PersistentKeepalive = 25

Windows Server interface:

[Interface]
PrivateKey = WINDOWS_SERVER_PRIVATE_KEY_GOES_HERE
ListenPort = 51820
Address = 10.20.1.2/24

[Peer]
PublicKey = WG_SERVER_PUBLIC_KEY_GOES_HERE
AllowedIPs = 0.0.0.0/0

Thank you for the response. Is there a way to set this up without changing settings in the router? We will not have access to the router, nor will they change any settings for us. They are just giving us a list of IP addresses and telling us what ethernet jacks we can use. We have to work around that.

Set up a reverse proxy on the internal wireguard client to forward web traffic so it is accessible without rerouting.

No web traffic will be sent through this connection; all of our devices use BACnet/IP, which is why I am trying to make the windows server appear as if it is on the client’s network.

At this point, what I say is outside of my area of knowledge and needs testing.

So this might work, I am not sure how it will work with data routing

Wireguard interface:

[Interface]
Address = 192.168.1.4/24
SaveConfig = true
PrivateKey = WG_SERVER_PRIVATE_KEY_GOES_HERE

[Peer]
PublicKey = WINDOWS_SERVER_PUBLIC_KEY_GOES_HERE
AllowedIPs = 192.168.1.5/32
Endpoint = [WINDOWS_SERVER_WAN_IP]:51820
PersistentKeepalive = 25

Windows Server interface:

[Interface]
PrivateKey = WINDOWS_SERVER_PRIVATE_KEY_GOES_HERE
ListenPort = 51820
Address = 192.168.1.5/24

[Peer]
PublicKey = WG_SERVER_PUBLIC_KEY_GOES_HERE
AllowedIPs = 0.0.0.0/0

Thank you for your help, will try it out.

I’m looking around and it seems like you’re going to need proxy ARP as well.

Edit /etc/sysctl.conf:

net.ipv4.conf.all.proxy_arp = 1

Then apply:

sudo sysctl -p

I tried the second config you sent. That made it so I couldn’t ping devices 1-3 from the windows server anymore. I reverted that and enabled proxy ARP. Now I can ping the wg0 192.168.1.5 on the wireguard server from the internal network but still can’t ping the windows server.

Pinging may be blocked by firewall, I’m not sure, but are devices 1~3 able to communicate with the Windows server at all?

Devices 1~3 don’t seem to be able to initiate communication, but I can ping them from the windows server

I can access device 1’s web configuration interface from the windows server too.

IP forwarding is already set on the wireguard client, right?

Yes. When I disable that I can’t ping any devices on the internal network from the windows server.

At this point, I don’t have any more ideas on how to help with this.

Thank you for your help. I may try setting up OpenWrt on the wireguard server instead of Ubuntu and set that as the default gateway on all the devices.

Just making sure, but I hope the Windows Server and Network 1 have different subnets for their physical NICs, as in 192.168.1.0/24 for Network 1 and 192.168.2.0/24 for the Windows Server’s subnet. Following that, you need a different IP in the configuration of the Wireguard tunnel. After that, you have to finish by setting all devices’ default gateway on Network 1 to the WireGuard Server. That way, Wireguard will redirect the traffic needed to the Windows Server and everything else to the main router (192.168.1.1). Your configs should look like:

Windows Server interface:

[Interface]
PrivateKey = WINDOWS_SERVER_PRIVATE_KEY_GOES_HERE
ListenPort = 51820
Address = 10.20.1.2/24

[Peer]
PublicKey = WG_SERVER_PUBLIC_KEY_GOES_HERE
AllowedIPs = 10.20.1.0/24, 192.168.1.0/24
## and any other subnet that you want to access the Windows Server from the other side, but I don't think that's needed ##

In this case, you most likely don’t need to set either NAT or DNS for wireguard; leave it as-is.
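The advice in this thread boils down to a few checkable conditions on the two config files: tunnel addresses must not sit inside the LAN subnet, interface addresses should carry a tunnel prefix rather than /32, the Windows side’s AllowedIPs must cover the LAN so return traffic goes back into the tunnel, and the server must accept the client’s tunnel address. The script below is an added example, not something posted in the thread; it parses the minimal config fields with Python’s configparser and reports which conditions the original post’s configs violate versus the recommended ones. The LAN is assumed to be 192.168.1.0/24 as in the drawing; keys and endpoints are left out of the constructed samples.

```python
import configparser
import ipaddress

# Constructed configs mirroring the thread (keys and endpoints omitted; not real files).
ORIGINAL_SERVER = "[Interface]\nAddress = 192.168.1.5/32\n[Peer]\nAllowedIPs = 192.168.1.4/32\n"
ORIGINAL_WINDOWS = "[Interface]\nAddress = 192.168.1.4/32\n[Peer]\nAllowedIPs = 0.0.0.0/1, 128.0.0.0/1\n"
FIXED_SERVER = "[Interface]\nAddress = 10.20.1.1/24\n[Peer]\nAllowedIPs = 10.20.1.2/32\n"
FIXED_WINDOWS = "[Interface]\nAddress = 10.20.1.2/24\n[Peer]\nAllowedIPs = 10.20.1.0/24, 192.168.1.0/24\n"


def parse(text):
    """Return (interface address with prefix, list of the peer's AllowedIPs networks)."""
    cp = configparser.ConfigParser(strict=False)  # strict=False tolerates repeated [Peer]
    cp.read_string(text)
    addr = ipaddress.ip_interface(cp["Interface"]["Address"].split(",")[0].strip())
    allowed = [ipaddress.ip_network(n.strip()) for n in cp["Peer"]["AllowedIPs"].split(",")]
    return addr, allowed


def check_pair(server_conf, client_conf, lan):
    """Return a list of findings; an empty list means none of the thread's pitfalls apply."""
    lan = ipaddress.ip_network(lan)
    s_addr, s_allowed = parse(server_conf)
    c_addr, c_allowed = parse(client_conf)
    findings = []
    # Pitfall 1 (first reply): tunnel addresses taken from the LAN subnet itself.
    for name, a in (("server", s_addr), ("client", c_addr)):
        if a.ip in lan:
            findings.append(f"{name} tunnel address {a.ip} lies inside LAN {lan}")
    # Pitfall 2 (first reply): /32 interface addresses give the peers no shared tunnel subnet.
    if s_addr.network.prefixlen == 32 or c_addr.network.prefixlen == 32:
        findings.append("interface addresses are /32; use a /24 tunnel subnet")
    # Pitfall 3 (later reply): the client must route LAN return traffic back into the tunnel.
    if not any(lan.subnet_of(n) for n in c_allowed):
        findings.append(f"client AllowedIPs do not cover LAN {lan}")
    # Pitfall 4: the server must accept packets from the client's tunnel address.
    if not any(c_addr.ip in n for n in s_allowed):
        findings.append(f"server AllowedIPs do not include client {c_addr.ip}")
    return findings


if __name__ == "__main__":
    for label, pair in (("original", (ORIGINAL_SERVER, ORIGINAL_WINDOWS)),
                        ("recommended", (FIXED_SERVER, FIXED_WINDOWS))):
        print(label, check_pair(*pair, "192.168.1.0/24") or ["no findings"])
```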

Oh, you can’t set the default gateway of the devices to be wireguard? Ouch, that’s gonna be rough. I never used it myself, but you may want to look into L2TP (Layer 2 Tunneling Protocol) and instead of IPSec, encapsulate the L2TP packet inside Wireguard (L2TP over Wireguard, instead of L2TP over IPSec).

Oh, so you can set the gateway on the devices. Well, that should probably solve the issue I think. The way I have a setup for home use, is that I got a DVR and a RPi 4 running Wireguard. I want the DVR to do off-site backup to a NFS server on the other end of the Wireguard tunnel, so I have set the default gateway of the DVR to RPi’s IP and set the DVR to connect to the IP Address of the Wireguard Interface (wg0) of the NFS Server, not the IP addresses of the physical NIC on the NFS server. That means, if you do set the default gateway on the devices in Network 1 to be the Wireguard server, instead of accessing Windows Server using 192.168.2.5 (as an example I gave above), you should instead access the WS from Device X using 10.20.1.2.

I suggest you just install isc-dhcp-server or any other dhcpd / dhcp-server and start from there. Just my $0.02.

Edit: You could get away with having the same subnet on both the Windows Server and the Network 1 if you enable NAT on Wireguard actually. Windows Server will just see traffic coming from 10.20.1.1 instead of 192.168.1.0/24, which is the same subnet as the one in your drawing. I hate NAT and I advise against it whenever possible, but given that you got the same subnet (192.168.1.0/24) on both ends, you need NAT in order to make Windows Server communicate with the devices from Network 1. And again, devices in network 1 need to access 10.20.1.2, not 192.168.1.5 (the IP of the Windows Server in your drawing).

NAT doesn’t forward arp broadcast which also doesn’t solve the problem. OP Double-NATing as is assumed in the most recent post is the best likely solution as much as it sucks.

I’m really somewhat embarrassed. I’ve had a wireguard server up and running for about two years now. Recently I wanted to add two more machines. I thought it’d be an hour or so exercise. The machines in question are running Raspbian 10 and Ubuntu 20.04 respectively.
I installed wireguard. I produced the public and private keys. I did the interface/peer config using another connecting machine as a format guide. I swapped the public keys between the two machines (checked it multiple times). Brought the service up on the new machine (no errors), and it won’t handshake.
Since I initially did this a couple of years ago when Wireguard wasn’t part of any kernel, I’m figuring I’m now missing something. I even checked dkms status and nothing is overlapping.
A little help here would be greatly appreciated.

Possibly firewall. Depending on what UDP port the firewall is running on, maybe you’d like to see if there’s anything flowing over tcpdump.

Another common issue is that Wireguard lets you specify allowed peer IPs, and if there are incoming packets outside of the allowed ranges, even if they decrypt correctly they’ll be dropped… but in your case I’m betting on the firewall above.