Crosspost from my question on Ask Different - thought I might get more relevant experience here.
I'm trying to set up Wireguard as a VPN to access my home LAN devices while on the road, and also to tunnel all traffic through when connecting to possibly hostile wireless networks.
I have the tunnel working from device to device at the moment, but cannot see anything on the home LAN except for the server. I can SSH to it at 192.168.2.1 from the MacBook Pro on an external network, etc.
Home Network
Router: Netgear D7000 (not using OpenVPN on this; it is an insecure implementation) 192.168.1.1 - port forward UDP 51820 to 192.168.1.150
Wireguard Server: Mac mini - Ethernet to D7000 192.168.1.150 - WG Server running as 192.168.2.1
Using Wireguard from App Store
Wireguard Config
[Interface]
PrivateKey = *redacted*
ListenPort = 51820
Address = 192.168.2.1/32
[Peer]
PublicKey = *redacted*
AllowedIPs = 192.168.2.2/24
External Network
Wireguard Config
[Interface]
PrivateKey = *redacted*
ListenPort = 21841
Address = 192.168.2.2/32
[Peer]
PublicKey = *redacted*
AllowedIPs = 192.168.2.1/24, 192.168.1.1/24
Endpoint = *home WAN IP*:51820
PersistentKeepalive = 25
I've been following this guide:
So I see I should be able to make two separate Wireguard configs, the one above for just accessing Server/home LAN, and another for tunnelling all traffic through the home network:
replace
AllowedIPs = 192.168.2.1/24, 192.168.1.1/24
with
AllowedIPs = 0.0.0.0/0, ::/0
To access the home LAN, the guide says to include the following IPTables config:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
But obviously, this is for Linux, not for macOS. The relevant ifconfig entries on the Mac mini (Wireguard server) are:
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
ether 38:c9:86:0b:ef:20
inet6 fe80::1c37:e5a3:ce0e:d42b%en0 prefixlen 64 secured scopeid 0x5
inet 192.168.1.150 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2403:5800:7101:a900:44eb:2d72:71f7:c94f prefixlen 128 dynamic
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
status: active
and
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420
inet 192.168.2.1 --> 192.168.2.1 netmask 0xffffffff
And routing tables:
Tunnel Down
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 78 0 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 3 136 lo0
169.254 link#5 UCS 0 0 en0 !
192.168.1 link#5 UCS 12 0 en0 !
192.168.1.1/32 link#5 UCS 1 0 en0 !
192.168.1.1 40:5d:82:d8:24:c8 UHLWIir 18 74 en0 1198
192.168.1.2 d0:73:d5:33:2f:52 UHLWIi 1 10 en0 1187
192.168.1.3 d0:73:d5:33:2f:ee UHLWIi 1 8 en0 1187
192.168.1.4 d0:73:d5:33:30:53 UHLWIi 1 8 en0 1187
192.168.1.6 8c:85:90:7a:72:f6 UHLWIi 1 8 en0 1190
192.168.1.7 ec:35:86:44:da:9a UHLWIi 4 320 en0 1180
192.168.1.8 ac:18:26:4a:93:19 UHLWI 0 0 en0 1193
192.168.1.9 0:5:cd:9d:f2:de UHLWIi 2 18 en0 1189
192.168.1.10 44:2c:5:9d:12:36 UHLWIi 1 11 en0 1192
192.168.1.11 10:1c:c:24:b7:6f UHLWI 0 2 en0 1191
192.168.1.50 0:8:9b:8d:40:c3 UHLWIi 1 36 en0 1186
192.168.1.120 d0:d2:b0:9c:5d:6b UHLWIi 2 14 en0 1184
192.168.1.150/32 link#5 UCS 0 0 en0 !
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 4 en0 !
224.0.0/4 link#5 UmCS 1 0 en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
255.255.255.255/32 link#5 UCS 0 0 en0 !
Tunnel Up
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 61 0 en0
default link#13 UCSI 0 0 utun1
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 1 144 lo0
169.254 link#5 UCS 0 0 en0 !
192.168.1 link#5 UCS 14 0 en0 !
192.168.1.1/32 link#5 UCS 1 0 en0 !
192.168.1.1 40:5d:82:d8:24:c8 UHLWIir 24 121 en0 1189
192.168.1.2 d0:73:d5:33:2f:52 UHLWIi 1 33 en0 1121
192.168.1.3 d0:73:d5:33:2f:ee UHLWIi 1 8 en0 1121
192.168.1.4 d0:73:d5:33:30:53 UHLWIi 1 8 en0 1121
192.168.1.5 54:33:cb:b0:fd:ca UHLWIi 1 16 en0 1120
192.168.1.6 8c:85:90:7a:72:f6 UHLWIi 1 10 en0 1089
192.168.1.7 ec:35:86:44:da:9a UHLWIi 4 1729 en0 1079
192.168.1.8 ac:18:26:4a:93:19 UHLWI 0 0 en0 1192
192.168.1.9 0:5:cd:9d:f2:de UHLWI 0 60 en0 1171
192.168.1.10 44:2c:5:9d:12:36 UHLWIi 1 47 en0 1091
192.168.1.11 10:1c:c:24:b7:6f UHLWIi 1 25 en0 1090
192.168.1.18 8c:a9:82:f5:8:39 UHLWIi 1 3 en0 1172
192.168.1.50 0:8:9b:8d:40:c3 UHLWIi 5 1490 en0 1085
192.168.1.120 d0:d2:b0:9c:5d:6b UHLWIi 3 65 en0 1164
192.168.1.150/32 link#5 UCS 1 0 en0 !
192.168.1.150 38:c9:86:b:ef:20 UHLWIi 3 516 lo0
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 6 en0 !
192.168.2 link#13 UCS 1 0 utun1
192.168.2.1 192.168.2.1 UH 1 7 utun1
192.168.2.2 link#13 UHWIi 1 11 utun1
224.0.0/4 link#5 UmCS 2 0 en0 !
224.0.0/4 link#13 UmCSI 0 0 utun1
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI 0 54 en0
255.255.255.255/32 link#5 UCS 0 0 en0 !
255.255.255.255/32 link#13 UCSI 0 0 utun1
So, what do I need to do on the Mac mini Wireguard server:
To be able to access my home LAN devices?
To tunnel all traffic through the home network?
Can I achieve this solely with Wireguard config? If not, how do I achieve it with static routes/config in macOS?
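The macOS counterpart of the guide's Linux PostUp/PostDown lines (IPv4 forwarding via sysctl, masquerading via pf), as an added example that is not from the original post or any posted answer. It assumes the names from the post (LAN interface en0, tunnel subnet 192.168.2.0/24), the stock /etc/pf.conf whose `nat-anchor "com.apple/*"` line evaluates child anchors, and an assumed sub-anchor name.

```shell
#!/bin/sh
# Added example, not from the original post or any posted answer.
# macOS counterpart of the guide's Linux PostUp/PostDown: turn on IPv4
# forwarding (sysctl) and masquerade the tunnel subnet out of the LAN
# interface (pf), so LAN hosts that have no route back to 192.168.2.0/24
# still answer. The same NAT rule also serves the full-tunnel (0.0.0.0/0)
# client config, since that traffic arrives from 192.168.2.0/24 as well.
# Assumed from the post: LAN interface en0, tunnel subnet 192.168.2.0/24.
# Assumed: the stock /etc/pf.conf, whose `nat-anchor "com.apple/*"` line
# evaluates child anchors, so a sub-anchor needs no edit to pf.conf.
# The sub-anchor name is an assumption. Needs root; no-op off macOS.
set -eu

WG_LAN_IF="${WG_LAN_IF:-en0}"
WG_SUBNET="${WG_SUBNET:-192.168.2.0/24}"
PF_ANCHOR="com.apple/wireguard"          # assumed sub-anchor name

# Render the single pf NAT rule, the analogue of
# `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`.
# (en0) in parentheses makes pf track the interface's current address.
wg_nat_rule() {
    printf 'nat on %s from %s to any -> (%s)\n' "$1" "$2" "$1"
}

# Forwarding sysctl, the analogue of Linux's net.ipv4.ip_forward;
# 1 enables routing between utun1 and en0, 0 disables it.
wg_forwarding_sysctl() {
    printf 'net.inet.ip.forwarding=%s\n' "$1"
}

wg_lan_up() {
    sysctl -w "$(wg_forwarding_sysctl 1)"
    # Load our rule into the sub-anchor; pf rejects anything it cannot parse.
    wg_nat_rule "$WG_LAN_IF" "$WG_SUBNET" | pfctl -a "$PF_ANCHOR" -f -
    pfctl -e 2>/dev/null || true     # exits non-zero if pf is already enabled
}

wg_lan_down() {
    pfctl -a "$PF_ANCHOR" -F nat     # flush only our anchor's NAT rules
    sysctl -w "$(wg_forwarding_sysctl 0)"
}

if [ "$(uname -s)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    case "${1:-up}" in
        up)   wg_lan_up ;;
        down) wg_lan_down ;;
    esac
fi
```

Run it as `sudo sh wg-lan.sh up` after the tunnel is up and `down` after it is torn down; the NAT rule only hides 192.168.2.0/24 behind en0, so nothing on the LAN has to learn a route to the tunnel subnet.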
User contributions licensed under CC BY-SA 3.0