
I have the WireGuard configuration below on the server side:

[Interface]
ListenPort = 51820
PrivateKey = oPernzzF+Kl499z2TMwemZLUN6/e630Q=

[Peer]
PublicKey = yyhY5Blx+PxCHu/wK7QgiL/veRrXHQ34RmTi//zynVA=
AllowedIPs = 10.0.8.2/32
PersistentKeepalive = 25

Since I didn't specify the Address in the interface section, the default IP address for the server after establishing the WireGuard connection is 10.0.8.1. However, the actual IP address of my server is 192.168.0.230 and it hosts an httpd webpage on port 80. The server is not in a production environment and is running on OpenBSD 7.3 stable. This WireGuard configuration is functioning perfectly.

To access the webpage after establishing the WireGuard connection, I need to enter 10.0.8.1:80 instead of 192.168.0.230:80. I have also tested this configuration on a DigitalOcean Ubuntu 23.04 server and obtained the same result. Therefore, since the server's IP address is changing, there may be a domain name conflict and I do not want my clients to directly use the IP address. Is there a solution to this issue so that I can resolve it with the server's domain name only?

Comments:

  • Did you add 192.168.0.230/32 (or 192.168.0.0/24) to AllowedIPs in the client config? hmmm, I may have misunderstood the question :p Commented Oct 16, 2023 at 23:23
  • I don't know WireGuard, but what you need is to tell your VPN server to push a route, telling your VPN client it must pass through 10.0.8.1 to reach 192.168.0.230 (even if 10.0.8.1 and 192.168.0.230 are the same machine). Commented Oct 16, 2023 at 23:46
  • Well ... that's how WireGuard (or other VPN solutions) work; they establish a virtual interface that can't have the same IP as the actual IP, as you put it. The easiest solution would be to let the webserver listen on both interfaces; failing that, set up a pf rule to forward any traffic on the WireGuard interface on ports 80 & 443 to your internal interface. How DNS should play into this I can't fathom; surely you don't have external DNS declarations for private networks. Commented Oct 17, 2023 at 0:39

1 Answer


In all likelihood, your client does not know that it should route requests to 192.168.0.230 via the WireGuard interface. So either you add that route manually or, as @Jaromanda X says in his comment, you need to add that IP (or some subnet that contains it, like 192.168.0.0/24) to the AllowedIPs list on the client.

However, note that 192.168.0.0/24 is a very widely used IP range for local networks. If, for instance, your client machine is a laptop, and if that laptop is connected to a network that uses that IP range (public access points, corporate networks, your friend's wifi, mobile hotspots, tethering to your phone or using it as a private hotspot, etc.), you might end up having two routes to the same subnetwork: one on the egress interface (the actual network you are connected to) and one on the WireGuard interface (the network in which your server resides). This will obviously not work properly, and is a very good reason to use a less common IP range for your server's network.
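The two points in this answer, that the client only routes a destination into the tunnel when some AllowedIPs entry covers it, and that an AllowedIPs entry overlapping the client's own LAN produces conflicting routes, can be checked mechanically before touching the real config. The following is an added example, not code from the question, the answer or the WireGuard project. The client configuration it contains is constructed for illustration: the client tunnel address 10.0.8.2/32 comes from the server config above, while the endpoint hostname, the placeholder keys and the "current LAN" subnets passed to `lan_conflicts` are assumptions.

```python
import ipaddress
from typing import List

# Constructed client-side config for the server in the question. The keys and
# the endpoint name are placeholders (assumed); 10.0.8.2/32 is the peer address
# the server config allows. Only the AllowedIPs line is analysed below.
CLIENT_CONFIG_BEFORE = """\
[Interface]
Address = 10.0.8.2/32
PrivateKey = <client-private-key-placeholder>

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 25
AllowedIPs = 10.0.8.1/32
"""

# The fix from the answer: add the server's LAN address (or its subnet) so the
# client routes it through the tunnel.
CLIENT_CONFIG_AFTER = CLIENT_CONFIG_BEFORE.replace(
    "AllowedIPs = 10.0.8.1/32",
    "AllowedIPs = 10.0.8.1/32, 192.168.0.230/32",
)


def parse_allowed_ips(config: str) -> List[ipaddress.IPv4Network]:
    """Collect every network listed on AllowedIPs lines of a wg config."""
    nets = []
    for line in config.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    # strict=False accepts host bits set, e.g. 192.168.0.230/24
                    nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def routed_via_tunnel(config: str, dest: str) -> bool:
    """True if the client would send traffic for `dest` into the tunnel.

    WireGuard only accepts/forwards a destination through a peer when an
    AllowedIPs entry of that peer covers it, so this mirrors the routing
    decision the answer describes.
    """
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in parse_allowed_ips(config))


def lan_conflicts(config: str, local_lan: str) -> List[str]:
    """Return AllowedIPs entries that overlap the client's current LAN.

    An overlap means two routes to the same addresses (one via the physical
    interface, one via the tunnel), the failure mode the answer warns about.
    """
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [str(n) for n in parse_allowed_ips(config) if n.overlaps(lan)]


if __name__ == "__main__":
    for label, cfg in (("before", CLIENT_CONFIG_BEFORE), ("after", CLIENT_CONFIG_AFTER)):
        print(label, "routes 192.168.0.230 via tunnel:",
              routed_via_tunnel(cfg, "192.168.0.230"))
    # Laptop sitting on a coffee-shop network that also uses 192.168.0.0/24
    print("conflicts on a 192.168.0.0/24 LAN:",
          lan_conflicts(CLIENT_CONFIG_AFTER, "192.168.0.0/24"))
```

On Linux, wg-quick installs a kernel route for each AllowedIPs entry when the interface comes up; on OpenBSD the route for 192.168.0.230 has to be added by hand (the "add that route manually" option in the answer), so `routed_via_tunnel` describes what the config permits, not necessarily what the routing table currently contains. A single /32 for the server, as in `CLIENT_CONFIG_AFTER`, still overlaps a client LAN that uses 192.168.0.0/24, which is why the answer recommends moving the server's network to a less common range rather than relying on a narrow entry.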
