I previously blogged about setting up a WireGuard VPN server using Algo VPN. There was relatively little to configure on the client side in Ubuntu 18.04. However, Windows 10 (and probably other versions) proved to be a different challenge. The default configuration sends ALL traffic via the VPN and adds firewall rules to drop all traffic that doesn’t arrive over the VPN. The default on Ubuntu is to route LAN traffic to bypass the VPN. The end result is that my Ubuntu computer can’t talk to my Windows one. In fact, the default settings won’t let my Windows PC talk to any device on my network.
There are two ways to solve this problem that are, effectively, doing the same thing. Both solutions require editing the VPN settings so that the firewall rules blocking all non-VPN traffic don’t get created. Open the settings for your connection in WireGuard and make sure that the “Block untunneled traffic (kill-switch)” option is not selected. This is the option that adds firewall rules to drop all traffic that doesn’t travel over the VPN.
Step two is to route traffic from the Windows PC to the LAN via the physical network adapter, not the VPN. There are two options:
- Change the AllowedIPs list in the VPN configuration to exclude the address range used by your LAN, 192.168.0.0/16 in my case. This method is the more challenging of the two: you have to think up a list of over a dozen IP address ranges that together cover everything except the range used on your LAN. On the other hand, it can be done entirely inside WireGuard. Here’s the list of IP address ranges I used:
0.0.0.0/1, 126.96.36.199/2, 188.8.131.52/10, 184.108.40.206/11, 220.127.116.11/13, 18.104.22.168/16, 22.214.171.124/16, 126.96.36.199/16, 188.8.131.52/16, 184.108.40.206/16, 220.127.116.11/16, 18.104.22.168/16, 22.214.171.124/12, 126.96.36.199/10, 188.8.131.52/8, 184.108.40.206/8, 220.127.116.11/8, 18.104.22.168/8, 22.214.171.124/8, 126.96.36.199/8, 188.8.131.52/8, 184.108.40.206/8, 220.127.116.11/8, 18.104.22.168/8, 22.214.171.124/8, 126.96.36.199/8, 188.8.131.52/8, 184.108.40.206/8, 220.127.116.11/8, 18.104.22.168/4, 22.214.171.124/3. Replace the range 0.0.0.0/0 in AllowedIPs with the above list of ranges.
- Add a route that redirects LAN traffic from the VPN to the physical network connection. This is the easier route; it requires a lot less thinking. Start a command prompt as admin and execute the following command, where 192.168.x.x is the IP address of your router:
route -p add 192.168.0.0 MASK 255.255.0.0 192.168.x.x
This command tells Windows to send all traffic going to any address in the range 192.168.0.0/16 to your router. The -p flag tells route to make this a permanent change.
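Working out the exclusion list for the first option by hand is the error-prone part. The following script is an added example (not from the original post or the WireGuard project) that derives the AllowedIPs ranges for any LAN prefix with Python's standard ipaddress module and then checks that the result covers everything except the LAN; the LAN prefix 192.168.0.0/16 is the one used above and is the only assumed value.

```python
import ipaddress

# Added example: derive a WireGuard AllowedIPs list that tunnels everything
# except the local LAN, instead of working the ranges out by hand.

def allowed_ips_excluding(lan, universe="0.0.0.0/0"):
    """Return the sorted CIDR blocks covering `universe` minus `lan`.

    Works for IPv6 too (e.g. universe="::/0"), as long as both prefixes
    belong to the same address family.
    """
    universe_net = ipaddress.ip_network(universe)
    lan_net = ipaddress.ip_network(lan)
    if not lan_net.subnet_of(universe_net):
        raise ValueError(f"{lan} is not inside {universe}")
    # address_exclude yields the minimal set of blocks: one per prefix bit
    return sorted(universe_net.address_exclude(lan_net))


def allowed_ips_line(ranges):
    """Format the blocks as the line that goes in the [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(n) for n in ranges)


def covers_everything_except(ranges, lan, universe="0.0.0.0/0"):
    """Sanity-check a hand-written or generated list before using it:
    every block lies inside the universe, none touches the LAN, the blocks
    are pairwise disjoint and their sizes add up to universe minus LAN."""
    universe_net = ipaddress.ip_network(universe)
    lan_net = ipaddress.ip_network(lan)
    nets = sorted(ipaddress.ip_network(str(r)) for r in ranges)
    for n in nets:
        if not n.subnet_of(universe_net) or n.overlaps(lan_net):
            return False
    # Sorted CIDR blocks can only overlap if a block contains its successor.
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):
            return False
    expected = universe_net.num_addresses - lan_net.num_addresses
    return sum(n.num_addresses for n in nets) == expected


if __name__ == "__main__":
    # 192.168.0.0/16 is the LAN range from the post; adjust to your own.
    blocks = allowed_ips_excluding("192.168.0.0/16")
    print(allowed_ips_line(blocks))
    print("covers everything except the LAN:",
          covers_everything_except(blocks, "192.168.0.0/16"))
```

Excluding a /16 from 0.0.0.0/0 yields exactly 16 blocks, one per prefix bit, so a much longer hand-written list is a sign that something is off and is worth running through the check above. Because the generated list no longer contains 0.0.0.0/0, the Windows client will not offer the kill-switch option for that tunnel, which matches the first step of turning it off.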
All of this came up in my Reddit post to try and solve my problem accessing my Windows 10 PC.