TLH_AIR

ANSWERED Wireguard / Access local network

Recommended Posts

Hi there,
I'm really new to this one, and not even sure if here's the right place to ask. Hope that someone can give me a helping hand on this one.
So here´s the situation:
- Windows 11, Wireguard 0.5.3 (working fine, no problems)
- My local net = 192.168.0.*
- Net from office = 192.168.1.* (connecting via ipsec with an extra router)
Problem: As soon as I connect to AirVPN via WireGuard, my connection to local devices (NAS, TV...) dies and also my box at work is not reachable anymore.

Is there any way to fix that?
Every help would be greatly appreciated.
(attached screenshot: ds.jpg)
@TLH_AIR

Hello!

The AllowedIPs directive in the conf file lists the set of IP addresses that the local host should route to the remote peer through the WireGuard tunnel.

In your case, you can see that you have included the whole IPv4 address space (0.0.0.0/0).

Therefore WireGuard tunnels all the traffic, including the local network traffic, which will be lost of course as the remote peer doesn't know what to do with your private addresses.

You need to exclude the IP addresses of the local network from the VPN routing. Here's an example taken from Eddie Android edition when you tell it that the local network must be reachable during a connection with WireGuard: the listed IP addresses include all of the IPv4 and IPv6 address space EXCEPT the ranges reserved for private subnets. It is necessary to express the list as CIDR prefixes to make it understandable by WireGuard, that's why it's so long. The address space which must be tunneled is built "around" every possible private IPv4 and IPv6 range, i.e. it is the complement of the union of all the private sets within the "universe set" made of all addresses.

If your system doesn't support IPv6, do not include the various IPv6 ranges. The addresses in the configuration file must be separated by a comma as usual.

Kind regards
 
AllowedIPs = 0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3,::/1,8000::/2,c000::/3,e000::/4,f000::/5,f800::/6,fc00::/8,fe00::/7

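The complement computation Staff describes above (and that the "DisallowedIPs calculator" posts further down perform online) is plain CIDR set subtraction, and it is worth being able to run it locally and to verify the result before pasting it into a tunnel config. The following is an added example, not code from AirVPN, Eddie or the WireGuard project. It uses only the Python standard library; the default exclusion lists are this example's own choice (RFC 1918 for IPv4; unique-local, link-local, the deprecated site-local range and multicast for IPv6), and the sample destinations are constructed from the subnets mentioned in this thread.

```python
"""
Build a WireGuard AllowedIPs line that tunnels everything *except* a set of
excluded prefixes, and check which destinations such a line actually sends
through the tunnel. Added example using only the standard library.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges a home user normally wants kept off the tunnel. Defaults chosen for
# this example, not a provider recommendation.
PRIVATE_V4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
PRIVATE_V6 = ["fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8"]


def exclude_prefixes(allowed: Iterable[str], disallowed: Iterable[str]) -> List[Net]:
    """Return (allowed minus disallowed) as a minimal, sorted list of CIDR blocks."""
    nets: List[Net] = [ipaddress.ip_network(a, strict=False) for a in allowed]
    for d in (ipaddress.ip_network(x, strict=False) for x in disallowed):
        remaining: List[Net] = []
        for n in nets:
            if n.version != d.version or not n.overlaps(d):
                remaining.append(n)                      # disjoint: keep as is
            elif n.subnet_of(d):
                continue                                 # swallowed by the exclusion: drop
            else:
                remaining.extend(n.address_exclude(d))   # carve the hole out of n
        nets = remaining
    # collapse_addresses refuses mixed address families, so merge v4 and v6 separately
    out: List[Net] = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return out


def allowed_ips_line(nets: Iterable[Net]) -> str:
    """Render the list in the comma-separated form the [Peer] section expects."""
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def is_tunneled(nets: Iterable[Net], ip: str) -> bool:
    """True if `ip` matches any AllowedIPs prefix, i.e. the host routes it to the peer."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


if __name__ == "__main__":
    # Original poster's situation: LAN 192.168.0.0/24 and an office site on
    # 192.168.1.0/24 must stay on the physical interface, everything else tunnels.
    nets = exclude_prefixes(["0.0.0.0/0", "::/0"], PRIVATE_V4 + PRIVATE_V6)
    print(allowed_ips_line(nets))
    for dst in ("192.168.0.10", "192.168.1.20", "1.1.1.1", "2606:4700::1111", "fe80::1"):
        print(f"{dst:>18}  ->  {'tunnel' if is_tunneled(nets, dst) else 'local'}")
```

Running the script with the default exclusions reproduces the 31 IPv4 prefixes in Staff's list exactly; feeding it only `192.168.50.0/24` reproduces the 24-entry list vpn3 got from the calculator later in this thread. `is_tunneled` is the check to run before trusting a pasted list: every IP it reports as "local" bypasses the VPN, including the DNS server on your physical interface if the resolver ends up using it, and the Windows client only offers its "Block untunneled traffic" kill-switch for catch-all (0.0.0.0/0 or ::/0) configurations, so a carved-out list like this gets no automatic protection against leaks.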

A big thank you for the detailed explanation. Understood it 🙂 That's exactly what I needed/was looking for!


I'm struggling with this... I understand the concept of what's going on, but when I input those IPs into allowed addresses the tunnel seems to connect but then dies within a minute or two??

Anything I'm missing?

I managed to get this working by creating a separate route within Linux, but I still don't understand why this didn't work for me.

On 1/22/2023 at 5:31 PM, Staff said:

0.0.0.0/5,8.0.0.0/7

On 1/22/2023 at 10:31 AM, Staff said:

[quotes Staff's reply above in full]


I'm running into the same issue. I'm attempting to use WireGuard and tunnel all traffic except my local subnet so I can access my printer and shared drives. I tried to use an IP calculator to remove my subnet but it doesn't seem to work.

My local network is 192.168.50.***

Would you mind assisting me? Thank you in advance.



To everyone wanting to "exclude" networks, use DisallowedIPs calculators like the one I linked and paste the result into the AllowedIPs directive. This one excludes all private v4 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16):

AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3



NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


Thanks. I tried copying and pasting what you provided and while it lets me access my network and printer while connected. It's leaking my real IP when I do a DNS leak test

15 hours ago, vpn3 said:

Thanks. I tried copying and pasting what you provided and while it lets me access my network and printer while connected. It's leaking my real IP when I do a DNS leak test


Please use the calculator yourself, for your particular network.


Thanks for your time - As per my previous comment, I have attempted to use the Calculator.

Allowed IPs = 0.0.0.0/0, ::/0
Disallowed IPs = 192.168.50.0/24

I receive this, 

AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.168.0.0/19, 192.168.32.0/20, 192.168.48.0/23, 192.168.51.0/24, 192.168.52.0/22, 192.168.56.0/21, 192.168.64.0/18, 192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3, ::/0

But I'm still unable to connect to my printer and local shares. Is there an IP in allowed or disallowed I'm missing? I also have "Block untunneled traffic" selected in WireGuard when I attempt this.

Thank you for your assistance. 

On 10/20/2023 at 4:42 PM, vpn3 said:

But I'm still unable to connect to my printer and local shares. Is there an IP in allowed or disallowed I'm missing? I also have "Block untunneled traffic" selected in WireGuard when I attempt this.


Just noticed that the calculator also supports IPv6 (::/0). In addition to the IPv4 private address space, some v6 spaces must be disallowed as well. The whole list should be: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7, fe80::/10, fec0::/10, ff00::/8. Try this.

AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3, ::/1, 8000::/2, c000::/3, e000::/4, f000::/5, f800::/6, fe00::/9


Thank you for the reply! 

That range of allowed IPs works! I can access my network shares as well as the printer. But it leaks my DNS IP address, though, instead of using the AirVPN DNS for some reason.

12 hours ago, vpn3 said:

But it leaks my DNS IP address though instead of using the AIRVPN DNS for some reason. 


Depends on your OS how to fix that.


Probably a Windows feature called Smart Multi-homed name resolution (aka Smart DNS) working its magic. Since you excluded your private network, Windows is free to use the DNS server on the physical interface, introducing a leak where DNS requests don't go through the VPN. Disable it and try again.



Thanks again for your help and time,

I tried that and no luck. The DNS leak test is still showing my ISP as the DNS server. When I use Eddie, no problems: it's split and I can access my network, and it uses the VPN DNS. WireGuard does the same when I have "block all untunneled traffic" on, but when I change the Allowed IPs it doesn't use the VPN's DNS and keeps using my ISP's.

It's odd because in WireGuard it has a DNS entry with the DNS server for WireGuard to use.

Are there some guides or resources I can use to further educate myself on this topic so I'm not taking up more of your time?

Thanks again for your help thus far. 


Hello there.
I suspect I might be in the right place to have this query answered, but am a bit flummoxed by the explanations above.
I am running Ubuntu, 22.04, fully patched and Eddie 2.21.8.
I am not able to see, and so cannot connect to, devices on my local area network. This includes my file server. 
Previously, I could see all the devices on my LAN and connect to them.
All I see now is a globe icon with the name: Windows Network. When I click on it I get an empty folder.
When I check the Eddie settings, the attached images show the configuration.
I would be grateful for any advice on what I can do to make my local area devices visible.
Thank you.

(attached screenshots: Air-2-2023-12-31.png, Air-1-2023-12-31.png)

This topic is now closed to further replies.