Wireguard VPN – Tunnel Multiple Clients to Server and Internet

iptables linux vpn wireguard

I recently set up WireGuard and had it working for one client (laptop); then I added my phone to the mix and my laptop stopped connecting. It works if I comment the other one out. I know it is due to AllowedIPs 0.0.0.0/0 in both cases. The thing is, I'm not sure what I need to put in instead to make it work. I've tried just the client's wg IP, e.g. 10.0.0.2/24 and also 10.0.0.2/32.

The ideal goal is to be able to access my server and tunnel traffic for both clients. I know I can do this by creating a separate wg interface for each client, but I was wondering if I can do it using just one (wg0) on the server. I have an AdGuard DNS container running on the server, and when connecting with a single device (the other commented out in the server config) the device hits the DNS and it's working as expected: it is rewriting my requests to my server and blocking ads, and I can see the client IP as the wg IP. I don't really care about LAN access for both devices; I just want to access my server IP and forward the rest out. Currently I can do that for one client with 0.0.0.0/0.

When changing the AllowedIPs to 10.0.0.2/32 on the client it doesn't work: I can't ping the DNS server. 10.0.0.1 works for each device, but not at the same time, because they overlap on 0.0.0.0/0.

My priorities are to forward all traffic for both devices, but failing that, I'd be happy if the laptop could access everything and the phone could at least access the server at 10.0.0.1.

Any help or thoughts on the AllowedIPs would be welcomed. Thanks for your time.

Server config

[Interface]
PrivateKey = xxxxxxxxxxx
Address = 10.0.0.1/24
ListenPort = 55555
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Laptop 
PublicKey = xxxxxxx
AllowedIPs = 10.0.0.2/32

# Phone
PublicKey = xxxxxxxx
AllowedIPs = 10.0.0.3/32

Laptop config

[Interface]
Address = 10.0.0.2/24
PrivateKey = xxxxxx
DNS= 10.0.0.1

[Peer]
PublicKey = xxxxxxxx
Endpoint =  my.dd.ip:55555
AllowedIPs = 0.0.0.0/0

Phone Config

[Interface]
Address = 10.0.0.3/24
PrivateKey = xxxxxx
DNS= 10.0.0.1

[Peer]
PublicKey = xxxxxxxx
Endpoint =  my.dd.ip:55555
AllowedIPs = 0.0.0.0/0

Also, I should add that I already allowed forwarding on the server:
net.ipv4.ip_forward = 1

Best Answer

On the server side config, you have to add a [Peer] block for each peer.

[Interface]
PrivateKey = SERVER%XXXXXXX # PUBLIC SERVER%PPPPPPP
Address = 10.0.0.1/24
ListenPort = 55555
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Laptop
[Peer] 
PublicKey = LAPTOP%PPPPPPP
AllowedIPs = 10.0.0.2/32

# Phone
[Peer]
PublicKey = PHONE%PPPPPPP
AllowedIPs = 10.0.0.3/32

Laptop Config

[Interface]
Address = 10.0.0.2/32
PrivateKey = LAPTOP%XXXXXXX 
DNS = 10.0.0.1

[Peer]
PublicKey = SERVER%PPPPPPP
Endpoint =  my.dd.ip:55555
AllowedIPs = 0.0.0.0/0

Phone Config

[Interface]
Address = 10.0.0.3/32
PrivateKey = PHONE%XXXXXXX 
DNS = 10.0.0.1

[Peer]
PublicKey = SERVER%PPPPPPP
Endpoint =  my.dd.ip:55555
AllowedIPs = 0.0.0.0/0
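The questioner's server config actually has only one `[Peer]` header, so the phone's `PublicKey` and `AllowedIPs` land in the laptop's section, which is exactly what the accepted answer fixes. A small linter, added here as an example (it is not part of the question, the answer, or WireGuard itself), that catches that mistake and the other one that breaks multi-peer servers: two peers whose `AllowedIPs` overlap, which matters because on the receiving side `AllowedIPs` is a routing table and each destination prefix can belong to only one peer. It uses only the Python standard library; the three configs embedded in it are constructed for the example and the key values are placeholders, not real keys.

```python
"""Lint a wg-quick style WireGuard config for two multi-peer mistakes:
a [Peer] section carrying more than one PublicKey (a forgotten [Peer]
header) and two peers whose AllowedIPs overlap.

The configs below are constructed for this example; keys are placeholders.
"""
import ipaddress
import re

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")

# Mirrors the questioner's server config: the second peer has no [Peer] header.
BROKEN_SERVER = """
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.1/24
ListenPort = 55555

[Peer]
# Laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

# Phone
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
"""

# Same config with the [Peer] header restored, as in the accepted answer.
FIXED_SERVER = BROKEN_SERVER.replace("# Phone\n", "# Phone\n[Peer]\n")

# Both peers claim the default route on the server side: they overlap, so
# only one of them can ever be routed to.
OVERLAP_SERVER = FIXED_SERVER.replace("10.0.0.2/32", "0.0.0.0/0").replace(
    "10.0.0.3/32", "0.0.0.0/0")


def parse_sections(text):
    """Return [(section_name, [(key, value), ...]), ...] in file order.
    '#' comments and blank lines are dropped; repeated keys are kept so the
    linter can see them."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), []))
            continue
        m = KV_RE.match(line)
        if m and sections:
            sections[-1][1].append((m.group(1), m.group(2)))
    return sections


def allowed_networks(items):
    """Collect every AllowedIPs entry of one section as ip_network objects."""
    nets = []
    for key, value in items:
        if key == "AllowedIPs":
            for cidr in value.split(","):
                if cidr.strip():
                    nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return nets


def lint(text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    peers = []  # (ordinal, [ip_network, ...])
    for name, items in parse_sections(text):
        if name != "Peer":
            continue
        ordinal = len(peers) + 1
        pubkeys = [v for k, v in items if k == "PublicKey"]
        if len(pubkeys) != 1:
            findings.append(
                f"peer {ordinal}: {len(pubkeys)} PublicKey lines in one [Peer] "
                "section (missing a [Peer] header before the next peer?)")
        peers.append((ordinal, allowed_networks(items)))

    # An overlap between two peers' AllowedIPs means one of the two peers
    # silently never receives traffic for those destinations.
    for i, (oa, nets_a) in enumerate(peers):
        for ob, nets_b in peers[i + 1:]:
            for na in nets_a:
                for nb in nets_b:
                    if na.version == nb.version and na.overlaps(nb):
                        findings.append(
                            f"peer {oa} and peer {ob}: AllowedIPs {na} and {nb} overlap")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_SERVER), ("fixed", FIXED_SERVER),
                       ("overlap", OVERLAP_SERVER)):
        print(label, lint(cfg) or "OK")
```

Run it against `/etc/wireguard/wg0.conf` by reading the file into `lint()`; it is meant for one server-side file at a time, so the clients' own `AllowedIPs = 0.0.0.0/0` lines (which live in separate files on separate devices) are not flagged, which is correct: that setting only conflicts when two peers carry it in the same server config.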