WireGuard VPN on Windows

I previously blogged about setting up a WireGuard VPN server using Algo VPN. There was relatively little to configure on the client side in Ubuntu 18.04. However, Windows 10 (and probably other versions) proved to be a different challenge. The default configuration sends ALL traffic via the VPN and adds firewall rules to drop all traffic that doesn’t arrive over the VPN. The default on Ubuntu is to route LAN traffic to bypass the VPN. The end result is that my Ubuntu computer can’t talk to my Windows one. In fact, the default settings won’t let my Windows PC talk to any device on my network.

There are two ways to solve this problem that are, effectively, doing the same thing. Both solutions require editing the VPN settings so that the firewall rules blocking all non-VPN traffic don’t get created. Open the settings for your connection in WireGuard and make sure that the “Block untunneled traffic (kill-switch)” option is not selected. This is the option that adds firewall rules to drop all traffic that doesn’t travel over the VPN.

The all-important option in WireGuard’s settings for a tunnel that controls whether additional firewall rules will be added to drop all traffic that is not travelling over the VPN.

Step two is to route traffic from the Windows PC to the LAN via the physical network device, not the VPN. There are two options:

  1. Change the AllowedIPs list in the VPN configuration to exclude the address range used by your LAN, 192.168.0.0/16 in my case. This method is the most challenging: you have to think up a list of over a dozen IP address ranges that excludes everything but the range used on your LAN. On the other hand, it can be done entirely inside WireGuard. Here’s the list of IP address ranges I used: 0.0.0.0/1, 128.0.0.0/2, 192.64.0.0/10, 192.128.0.0/11, 192.167.0.0/13, 192.169.0.0/16, 192.170.0.0/16, 192.171.0.0/16, 192.172.0.0/16, 192.173.0.0/16, 192.174.0.0/16, 192.175.0.0/16, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/8, 195.0.0.0/8, 196.0.0.0/8, 197.0.0.0/8, 198.0.0.0/8, 199.0.0.0/8, 200.0.0.0/8, 201.0.0.0/8, 202.0.0.0/8, 203.0.0.0/8, 204.0.0.0/8, 205.0.0.0/8, 206.0.0.0/8, 207.0.0.0/8, 208.0.0.0/4, 224.0.0.0/3. Replace the range 0.0.0.0/0 in AllowedIPs with the above list of ranges.
  2. Add a route that redirects LAN traffic from the VPN to the physical network connection. This is the easier route; it requires a lot less thinking. Start command prompt as admin and execute the following command (192.168.x.x is the IP address of your router): route -p add 192.168.0.0 MASK 255.255.0.0 192.168.x.x. This command tells Windows to send all traffic going to any address in the range 192.168.0.0/16 to your router instead of the tunnel. The flag -p tells route to make this a permanent (persistent) change.
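Option 1 above amounts to computing the complement of your LAN prefix within 0.0.0.0/0, which is tedious by hand. The Python script below is an added example (not from the original post or from the WireGuard project) that derives that list mechanically with the standard library’s ipaddress module, formats it as an AllowedIPs line, and checks that the result is disjoint from the LAN, non-overlapping and complete. It assumes the post’s 192.168.0.0/16 LAN; set LAN_PREFIX to your own range. Because WireGuard’s cryptokey routing uses AllowedIPs both for outbound routing and for which source addresses it accepts from the peer, an address outside the list will neither be sent to, nor accepted from, the VPN server.

```python
"""Build a WireGuard AllowedIPs list covering all of IPv4 except the local LAN.

Added example; not code from the original post or the WireGuard project.
Assumption: the LAN is 192.168.0.0/16 as in the post (edit LAN_PREFIX).
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List

EVERYTHING = ip_network("0.0.0.0/0")
LAN_PREFIX = ip_network("192.168.0.0/16")  # assumption: the post's LAN range


def allowed_ips_excluding(lan: IPv4Network,
                          universe: IPv4Network = EVERYTHING) -> List[IPv4Network]:
    """Return the minimal set of CIDR blocks equal to `universe` minus `lan`.

    address_exclude() walks the binary prefix tree from `universe` down to
    `lan`, yielding the sibling subnet at every level, so the result holds
    exactly one block per prefix length in between (16 blocks for /0 minus /16).
    """
    return sorted(universe.address_exclude(lan))


def allowed_ips_line(nets: Iterable[IPv4Network]) -> str:
    """Format the blocks as the AllowedIPs line of a [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def is_tunnelled(addr: str, nets: Iterable[IPv4Network]) -> bool:
    """True if `addr` is inside some AllowedIPs block, i.e. goes via the tunnel."""
    ip = ip_address(addr)
    return any(ip in n for n in nets)


def check_cover(nets: Iterable[IPv4Network], lan: IPv4Network,
                universe: IPv4Network = EVERYTHING) -> bool:
    """Sanity check: no block touches the LAN, blocks are pairwise disjoint,
    and blocks plus the LAN account for every address in `universe`."""
    nets = list(nets)
    if any(n.overlaps(lan) for n in nets):
        return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    total = sum(n.num_addresses for n in nets) + lan.num_addresses
    return total == universe.num_addresses


if __name__ == "__main__":
    blocks = allowed_ips_excluding(LAN_PREFIX)
    assert check_cover(blocks, LAN_PREFIX)
    print(allowed_ips_line(blocks))
    # Constructed probe addresses: one LAN host, one public host, one just outside the LAN.
    for probe in ("192.168.1.10", "8.8.8.8", "192.169.0.1"):
        where = "tunnel" if is_tunnelled(probe, blocks) else "physical interface"
        print(f"{probe}: {where}")
```

Paste the printed line into the [Peer] section of the tunnel configuration in place of AllowedIPs = 0.0.0.0/0. Running check_cover before applying the list is the useful part: a gap in a hand-written list silently sends some destinations outside the tunnel, and an overlap with the LAN prefix is exactly the problem this post is about.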

All of this came up in my Reddit post to try and solve my problem accessing my Windows 10 PC.

4 thoughts on “WireGuard VPN on Windows”

  1. Hi, if I want to remove this script in cmd, how to?
    "route -p add 192.168.0.0 MASK 255.255.0.0 192.168.x.x"


  2. A few observations. Just unchecking the kill switch allows LAN traffic. Neither of the other 2 options is necessary. However, I noticed a problem. Once I uncheck the kill switch I can access LAN devices, but noticed DNS is leaking. With the kill switch checked I run DNS leak test and see only the DNS in the tunnel. With it unchecked, I run DNS leak test and see 2 DNS servers. The first is the VPN DNS server and the second is the one on my LAN. How to fix this so the DNS doesn’t leak?
