/r/WireGuard
WireGuard - a fast, modern, secure VPN Tunnel
Hey all, I have a question regarding running WireGuard in Kubernetes; I have asked this in a few places but to no avail.
I'm using the linuxserver/wireguard image. I have set up a pod that includes an app container and a WireGuard container. The app container uses the WireGuard VPN perfectly fine.
However, now I need this app to connect to other pods, and I cannot reach them; this does not work:
kubectl exec -it -n <NAMESPACE> <POD> -- nslookup <SERVICE-NAME>.<NAMESPACE>.svc.cluster.local
The /etc/resolv.conf in the app container and in the WireGuard container looks like this:
# Generated by resolvconf
nameserver 10.2.0.1
whereas the /etc/resolv.conf file in the other containers (the correct one) looks like this:
search <NAMESPACE>.svc.cluster.local svc.cluster.local cluster.local <MYDOMAIN.COM>
nameserver 10.43.0.10
options ndots:5
I've tried an ugly fix by setting the DNS field in the WireGuard config to the CoreDNS service IP, but that didn't work. And I actually do need my DNS server to be 10.2.0.1, otherwise my DNS would leak.
Does anyone know how I can use both my VPN's DNS IP and CoreDNS for my internal cluster resolving? Thanks!
I’ve set up a WireGuard server on an Ubuntu machine at home, which allows my clients to access both my home network resources and the internet through the WireGuard server. However, since I don’t fully trust my ISP, I’m wondering if it’s possible to integrate Cloudflare Zero Trust to secure the traffic between my home server and the internet. Essentially, the network topology I’m considering would look like this:
WireGuard client → WireGuard server → Cloudflare Zero Trust → Internet
Would this setup work? If so, are there any specific configurations or things I should watch out for?
Hello, I have a Fios G3100 router that I have port forwarded my WireGuard server out of. I am able to connect on other Wi-Fi networks and hotspots. I have recently tried to connect from another out-of-home Wi-Fi that is also behind a Fios G3100 router; when I activate the WireGuard tunnel it connects, but I am unable to reach my server. Any advice?
I don't know if this is an IPv6 or a WireGuard question...
If my ISP assigns me an IPv6 address block like (just an example, no idea if it's valid or not):
2607:ffff:0:ffff:11:22:33:44/64
and I want to use IPv6 with my WireGuard tunnel: do I want to (can I even) use addresses from my /64 block for my WireGuard clients, or do I want to use a private block (does that exist?) for the IPv6 addresses?
Do I (can I) use IPv6 NAT through my firewall, or do I just use real IPv6 addresses and not do NAT?
Sorry, but IPv6 is new to me.
Thanks - jack
Hello,
I have tried to summarize my network with this scheme:
I have a box connected to the WWW with the WireGuard VPN installed. My issue is that I cannot connect to my PC with IP 172.168.9.151.
This is my configuration from Wireguard
[Interface]
PrivateKey = xxxxx
Address = 192.168.27.90/32
DNS = 212.27.38.253
MTU = 1360
[Peer]
PublicKey = yyyyyy
PresharedKey = zzzzzz
AllowedIPs = 0.0.0.0/0, ::/0, 192.168.27.64/27, 192.168.9.1/24, 192.168.1.19/24
Endpoint = nn.nnn.nnn.nn:62236
I don't see how to solve it, any idea ? proposal ?
Thanks for all your support,
Bala
Hi all,
I have a multi-hop setup which is effectively the "Internet Gateway as a Spoke" example in this great guide
https://www.procustodibus.com/blog/2022/06/multi-hop-wireguard/
The problem I'm having is that if site B goes down, site A's access to the internet is lost. Is there any way I can set up a failover where WireGuard on site C chooses itself as the exit for site A's internet access if B is unavailable?
Is this even possible?
Thanks.
I have an issue with my Android WireGuard client. I have set up my Ubuntu server at home using wireguard-easy. My Windows PC is also a WireGuard client and can connect perfectly fine. My Android client, however, has an issue: it never completes the handshake. Both rx and tx also remain at 0. If I set any value for the persistent keepalive on the Android client, it instantly works.
This is very confusing to me, since my PC does not need it. My PC can also use the phone profile without any issues. Is this a problem with the Android app?
Is there any way to connect to Cloudflare WARP on a phone using wgcf, by tweaking the details in the wgcf WireGuard profile? The Cloudflare mobile app does not work and gives the following errors, so I am using the WireGuard app on the phone.
I'm still learning so bear with me if I have something wrong here.
I would like to use WireGuard as my VPN to hide my internet traffic from my ISP, and as far as I understand it, I need a place to host my WireGuard server.
If I self-host a WireGuard server, the server itself still requires a public IP, which exposes me to identification of said internet traffic by my ISP. I don't own some remote location in the Netherlands where I can place a server. It would be quite literally at my house. So...
If I host on a cloud server, an account is often needed and that account and/or payment details could be easily linked back to me, once again exposing me. Even free tiers often require authenticated payment info to prevent abuse.
What then is the point of Wireguard?
Update: Thanks for the replies. I am already using NordVPN/Nordlynx but was looking for a self hosted solution that could save me the subscription fee. I now understand Wireguard isn't meant for my use case. Thanks!
Forewarning: this may be a bit of an ignorant question, but I am trying to understand something that I just am not getting from reading.
I understand at a high level what a VPN is and what WireGuard is/does. What I don't really have a warm and fuzzy on is the use case(s) for it.
So, I am going to use my current "I am playing around with making my own server and this is what I have done" setup and ask the title question.
Right now, I have an Ubuntu 24.04 Server set up. I have DDNS from No-IP and have my server configured in my router (by way of the MAC address) to have a consistent IP assigned to it (i.e. 192.168.0.123). Then I am forwarding a few ports, such as a few for Plex and Deluge and, of course, SSH.
This means that I can SSH into myserverhostname.ddns.net:22 and use my user credentials and generated SSH keys to remotely manage my server. I have also exposed other ports and run other services (such as Plex web and Deluge web, etc.).
I also have NordVPN installed and use it as a proxy for Deluge. This seems like a very different use case from what people seem to be talking about when they describe how they are using WireGuard (though I assume it can do the same thing?).
So where does WireGuard fit in? Is it essentially just an encrypted/more secure solution that routes traffic through the WireGuard tunnel?
I have a Mac and a Linux laptop at home that I use to access a client site with a WG server. Up till now I have used WG on the Linux box without any issues. Now that I want to use the Mac too, I need to configure a client on macOS. As a quickie, I took the client config from the Linux box and imported it as a config on the Mac. The server seems not to mind at all, but I can't have both WG clients active at the same time (for obvious reasons). One at a time works fine.
So what do I need to change in the client config in order to have both active?
The client config looks like this (sanitized) on both systems right now:
[Interface]
Address = 10.0.3.6/24
ListenPort = 58979
PrivateKey = QDwxxxxxxxRdt0j4LMxxxxxxxxxxxoeKknVWxxxgJB/Xg=
DNS = 10.0.2.64, fqdn-remote.se
[Peer]
PublicKey = KAPAXxxxxxxxxW+ZyUDC3QAhxxxxxxiL7+QwAFVGgY=
AllowedIPs = 10.0.3.0/24, 10.0.2.0/24
Endpoint = 199.11.44.166:5678
What I *think* are the relevant parts of the server config:
[Peer]
PublicKey = Yo+ZlcXTlxxxxxxoA5Hp6bobBHRxxxxxxzU3ZYTEkc=
AllowedIPs = 10.0.3.6/32
Status on the WG server right now (macOS connected) is:
root@hp-srv04:/etc/wireguard# wg show
interface: wg0
  public key: KAPAXxxxxxxx+ZyUDC3QAhxxxxxxx+QwAFVGgY=
  private key: (hidden)
  listening port: 58978

peer: Yo+ZlcXTlfxxxxxxx5Hp6bobBHRxxxxxxxzU3ZYTEkc=
  endpoint: 85.207.11.159:33167
  allowed ips: 10.0.3.6/32
  latest handshake: 43 seconds ago
  transfer: 202.71 KiB received, 107.70 KiB sent
Hi everyone,
I’m setting up a WireGuard server specifically for TikTok Live streaming. I want to know how many concurrent connections my server can handle and if there are any performance optimization tips for this use case.
Here are my server specs:
Questions:
Thanks for your help!
I have an Ubuntu server with Docker installed. I have WireGuard installed on the host and connect to the VPN via the host, therefore all my containers go through the VPN. I want to specifically exclude one container from the VPN. I have a bridge network set up for the containers (172.17), except for the one that I want to exclude, where I have a separate network (172.18.0.2).
Is this possible somehow?
In easy words, I want to know what exactly WireGuard is for, and how to use it easily on Android?
Thanks, friends.
I am using the WireGuard directly available on my TP-Link router.
Everything works on my Android (S22 and Tab S8) and Windows devices. However, it does not work on iOS/macOS devices. I tried using an iPhone 13, iPhone 16, MacBook and iPad.
Any way to fix this?
[Interface]
PrivateKey = <REDACTED>
Address = 10.5.5.2/32

[Peer]
PublicKey = <REDACTED>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = xx.xx.xx.xx:51820
PersistentKeepalive = 25
Hey, I'm looking at a new apartment building and trying to make sure I can still set up a VPN. I encountered a building using a fiber provider but with no in-unit ONT; the Ethernet ports are on the wall to connect Wi-Fi routers, your computer, anything you want, according to the ISP, once internet is activated.
All units also get their own IP address, and you can also pay for a static IP address. I tried reading up; would CGNAT/no dedicated IP be an issue?
I'm still not fully sure, though. But basically, doesn't this mean I don't need to port forward through a router/ISP-provided device first? I can just plug my Brume 2 directly into the wall and set up the VPN?
Or maybe switch it to a GL.iNet router with Wi-Fi capabilities and turn the Wi-Fi off when I'm away/don't need home internet, or plug in a repeater when I'm home, etc.
But I'm still like, where does the public IP originate with setups like this? It certainly can't be a public IP when you plug into the Ethernet, because that would mean every device could get the public IP, from my VPN server, work computer, router? It would have to be some gateway I can't see creating my apartment's NAT, but I should be entitled to it if I have my own public IP?
On mobile data everything works dandy, but as soon as I connect to my home Wi-Fi with WireGuard connected, I cannot access (even nslookup or dig) any site.
[Interface]
PrivateKey = <REDACTED>
Address = 10.8.0.3/24
DNS = 192.168.1.237 # AdGuard Home
[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = <REDACTED>.duckdns.org:51820
Hi,
I've thrown together a client-side "AllowedIPs" calculator. This can also be used as a generic tool to exclude a subset of CIDRs from a larger CIDR.
It is completely client-side and the state is stored in the URL, so you can bookmark and share specific results with others. It's also open source on GitHub.
Example: allow 0.0.0.0/0, disallow 1.1.1.1 & 8.8.8.8
It also has light and dark mode, which is auto-determined on first visit.
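The calculation behind such a tool, as an added example (this is not the poster's code and not the WireGuard project's): WireGuard has no "exclude" directive, so keeping a few addresses off a full-tunnel peer means listing every prefix that surrounds the holes. The standard-library ipaddress module already knows how to split a network around a sub-network (address_exclude) and merge adjacent blocks back together (collapse_addresses); the function names below are my own.

```python
"""Client-side AllowedIPs calculator (added example, not the poster's tool).

WireGuard has no "exclude" directive: the only way to keep a few addresses
out of a 0.0.0.0/0 tunnel is to list every prefix around the holes. This
carves each excluded CIDR out of the allowed ones with the standard-library
ipaddress module and merges whatever can be merged back together.
"""
import ipaddress
from typing import Iterable, List


def allowed_ips(allow: Iterable[str], disallow: Iterable[str]) -> List[str]:
    """Return the CIDR list covering `allow` minus `disallow` (IPv4 and IPv6)."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow]
    for ex in (ipaddress.ip_network(d, strict=False) for d in disallow):
        remaining = []
        for net in allowed:
            if net.version != ex.version or not net.overlaps(ex):
                remaining.append(net)                      # untouched
            elif ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))  # carve the hole
            # else: net lies entirely inside ex, so it is dropped
        allowed = remaining
    result = []
    for version in (4, 6):                                  # collapse_addresses needs one family
        same = [n for n in allowed if n.version == version]
        result.extend(ipaddress.collapse_addresses(same))   # merge sibling blocks
    result.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in result]


def covers(cidrs: Iterable[str], ip: str) -> bool:
    """True if `ip` falls inside any CIDR in the list (mixed families are fine)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def address_count(cidrs: Iterable[str], version: int = 4) -> int:
    """Number of addresses covered by the CIDRs of one IP family."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return sum(n.num_addresses for n in nets if n.version == version)


def wg_allowed_ips_line(allow: Iterable[str], disallow: Iterable[str]) -> str:
    """Render the result as a [Peer] config line."""
    return "AllowedIPs = " + ", ".join(allowed_ips(allow, disallow))


if __name__ == "__main__":
    # The poster's example: full tunnel, but 1.1.1.1 and 8.8.8.8 stay off-tunnel.
    print(wg_allowed_ips_line(["0.0.0.0/0", "::/0"], ["1.1.1.1", "8.8.8.8"]))
```

Excluding two /32s from 0.0.0.0/0 expands to 58 IPv4 prefixes (32 for the first hole, 27 more when the 8.0.0.0/5 block is split around the second); that is why a generated list gets long fast. One caveat when pasting the output into a client config: wg-quick treats a literal 0.0.0.0/0 or ::/0 in AllowedIPs as the signal to set up its fwmark-based default-route handling, so a list that no longer contains the bare default routes (including the 0.0.0.0/1, 128.0.0.0/1 form seen in another post on this page) is installed as ordinary routes instead.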
I want to connect my OpenWrt router to a VPS with WireGuard. Then I want to connect from the mobile network to the VPS, gain access to my home network and route all traffic into it. I also want to expose self-hosted services. Probably better explained in the picture below.
I used to use my data plan to work from a coffee shop because they limit their Wi-Fi connections through a captive portal and restrict speeds to 3 Mb/s. After reading that WireGuard can sometimes bypass captive portals, I tried it. Here's what worked for me on Mac/iPhone:
The process: connect to the captive-portal Wi-Fi, close the captive portal browser window without logging in, and then activate WireGuard. Now I get about 70 Mb/s.
I suspect it works because it doesn't need to make any DNS resolutions for my Wireguard server, and they are not blocking UDP connections. Is my assumption correct?
Hello, I've been trying to make ufw work with WireGuard, but so far, no success. My end goal is to allow peer2 (10.13.13.3) access only to port 5055 on my local network. I've been testing with the peer2 config from my other PC and I can access any port with it, which is not what I want.
Settings that I changed so far:
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
/etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
Current ufw rules:
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
192.168.64.126 ALLOW IN 172.18.0.0/16
32400/tcp ALLOW IN Anywhere
192.168.64.126 5055/tcp ALLOW IN 10.13.13.3
192.168.64.126 ALLOW IN 10.13.13.2
192.168.64.126 ALLOW IN 192.168.64.0/24
51820/udp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
32400/tcp (v6) ALLOW IN Anywhere (v6)
51820/udp (v6) ALLOW IN Anywhere (v6)
Current WireGuard configs:
wg0.conf
[Interface]
Address = 10.13.13.1/24
PrivateKey = ****
ListenPort = 51820
# peer1
[Peer]
PublicKey = *****
AllowedIPs = 10.13.13.2/32
# peer2
[Peer]
PublicKey = *****
AllowedIPs = 10.13.13.3/32
peer2.conf
[Interface]
PrivateKey = ****
Address = 10.13.13.3/32
[Peer]
PublicKey = ****
AllowedIPs = 192.168.64.126/32
Endpoint = ********:51820
PersistentKeepalive = 25
Hello, I would like to know if it's possible to set up a VPN tunnel through my router (FritzBox 7590) with WireGuard to access my Home Assistant (HASS) server/mini-PC, which runs on a different mini-PC.
I am currently using Duck DNS with port forwarding but would like something more secure to access it.
I am going to run WireGuard on a separate mini-PC, within a Proxmox container.
The way I assume it should work:
Mobile phone/approved device > Home Assistant app > WireGuard access URL: XXX,XXX,XXX,XXX > ??port forwarding router?? > WireGuard tunnel > local IP of HA server
Example of internal addresses:
HASS runs on 192.168.1.4
Proxmox would run on 192.168.1.5
WireGuard would get a virtual IP of 192.168.1.7
I hope my explanation is clear enough.
NOTE: I just got started with setting up Proxmox and WireGuard, so I am quite new to it.
I'd rather not run HASS in an LXC container and would like to keep it as its own separate system, as Proxmox and HASS have slight issues with Zigbee modules and a dedicated USB port getting removed from the HASS container.
If there is an easier way to do this, I would be fine with that as well.
Hi, people.
My NorrVPN project is evolving little by little. A client-server version is now available. With it, one can run the command line client without sudo.
So I had a friend set me up with WG on a Raspberry Pi a long time ago, but I forgot the credentials so I can't change any settings.. But I also have an old Intel NUC that I am not using. So, since I need to start over, which hardware should I use?
RPi3 (maybe it's a 4?) vs Intel NUC5 w/ Celeron N3050
Thanks!
Hey all,
I was wondering if there was a way for a computer at home, where my wg-easy Docker server is, to do a site-to-site with my GL-MT3000 at my parents'.
I'm able to access local machines on my home network from my GL-MT3000, so that works; I was hoping to go the other way as well.
Hey All -
Trying to wrap my head around why this guide shows a /24 configured as the tunnel IP on the instance and a /32 on the peer. I would have thought they would match in terms of subnet... but maybe it doesn't matter?
Specifics from the article:
Tunnel Address: 10.2.2.1/24
yet for the peer:
Allowed IPs: 10.2.2.1/32
Source:
WireGuard Site-to-Site Setup — OPNsense documentation
Thanks
Would it be possible to have an iPhone connected to a VPN server and at the same time have a laptop connected to the iPhone and have all the data run through the VPN? I tried that and all the data from my iPhone goes through the tunnel, but my laptop's traffic goes through the regular cellular channel. Would it be possible with an Android?
I have a WireGuard server running and working on my Proxmox server, and I am running the client on an Android phone. My goal is to enable a tunnel on the Android device and connect to my local network via my self-hosted WireGuard server, and have all other traffic pass through my paid VPN service. I currently have two separate tunnels set up in the Android client: one to remotely connect to my local network, and another to connect to my paid VPN service. Each of these works fine independently, but when I try to combine them into a single tunnel, I can access the local network but not the internet (can't even ping 1.1.1.1). Below is my config; any ideas what's wrong here?
[Interface]
PrivateKey = <my private key>
Address = 10.0.0.2/32
MTU = 1420
DNS = 192.168.1.11, 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = <my public key>
AllowedIPs = 192.168.60.0/24
Endpoint = <my home domain address>:58120
PersistentKeepalive = 21
[Peer]
PublicKey = <my public key>
AllowedIPs = 0.0.0.0/0
Endpoint = 91.148.238.11:51820
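The two prefixes that the OPNsense question (a /24 on the tunnel address, a /32 on the peer) and the two-peer Android config above rely on do different jobs, and a small simulation makes the difference concrete. This is an added example, not code from either post or from the WireGuard project: the [Interface] Address prefix is an ordinary kernel interface route that decides which destinations enter the tunnel at all, while each peer's AllowedIPs is WireGuard's own cryptokey routing table, used on egress as a longest-prefix lookup to pick the peer and on ingress as an ACL on the decrypted packet's source. Peer names such as "home", "vps" and "site-a" are hypothetical labels (real peers are identified by public key), and the example only models the interface's own prefix, not the extra routes wg-quick installs from AllowedIPs.

```python
"""Simulate WireGuard's cryptokey routing (added example, not code from
any of the posts above).

  * [Interface] Address prefix: a kernel route into the tunnel interface.
  * [Peer] AllowedIPs: WireGuard's routing/ACL table. Egress picks the peer
    with the longest matching prefix; ingress drops a decrypted packet whose
    source is not inside the sending peer's AllowedIPs.

A /24 on the interface and a /32 on a peer entry are therefore not a
mismatch: they are consulted by different layers.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Peer:
    name: str                    # hypothetical label; real peers are keyed by public key
    allowed_ips: Tuple[str, ...]

    def networks(self):
        return [ipaddress.ip_network(a, strict=False) for a in self.allowed_ips]


class WireGuardInterface:
    def __init__(self, address: str, peers: List[Peer]):
        self.address = ipaddress.ip_interface(address)   # e.g. 10.2.2.1/24
        self.peers = peers

    def kernel_route_into_tunnel(self, dst: str) -> bool:
        """Kernel side: does the interface's own prefix send dst into wg0?
        (Routes that wg-quick adds from AllowedIPs are not modelled.)"""
        addr = ipaddress.ip_address(dst)
        return addr.version == self.address.version and addr in self.address.network

    def peer_for(self, dst: str) -> Optional[str]:
        """Egress: longest-prefix match across every peer's AllowedIPs.
        WireGuard keeps each prefix on exactly one peer, so a prefix added
        to a later peer takes it away from an earlier one (hence >=)."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[int, str]] = None
        for peer in self.peers:
            for net in peer.networks():
                if net.version == addr.version and addr in net:
                    if best is None or net.prefixlen >= best[0]:
                        best = (net.prefixlen, peer.name)
        return best[1] if best else None

    def accept_inbound(self, peer_name: str, src: str) -> bool:
        """Ingress: after decryption, src must lie inside that peer's AllowedIPs."""
        addr = ipaddress.ip_address(src)
        for peer in self.peers:
            if peer.name == peer_name:
                return any(n.version == addr.version and addr in n for n in peer.networks())
        return False                                      # unknown peer


# Shape of the combined Android config above (labels are hypothetical):
# the home server owns 192.168.60.0/24, the paid VPN owns everything else.
COMBINED = WireGuardInterface("10.0.0.2/32", [
    Peer("home", ("192.168.60.0/24",)),
    Peer("vps", ("0.0.0.0/0",)),
])

# Shape of the OPNsense site-to-site example: /24 on this side's tunnel
# address, /32 for the remote side's tunnel address plus its LAN.
SITE_B = WireGuardInterface("10.2.2.2/24", [
    Peer("site-a", ("10.2.2.1/32", "192.168.1.0/24")),
])


if __name__ == "__main__":
    for dst in ("192.168.60.7", "1.1.1.1"):
        print(dst, "->", COMBINED.peer_for(dst))
    print("10.2.2.99 enters wg0:", SITE_B.kernel_route_into_tunnel("10.2.2.99"),
          "peer:", SITE_B.peer_for("10.2.2.99"))
```

Two things the simulation shows that the configs alone do not: 192.168.60.x goes to the more specific peer even though the other peer claims 0.0.0.0/0, and an address such as 10.2.2.99 is routed into the tunnel by the /24 interface route yet matches no peer, so WireGuard silently drops it. That second case is why the peer entry can be as narrow as a /32 without any conflict with the interface's /24.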