Routing site-to-site VPN from 10.0.0.1 network to 192.168.1.1/24 network does not work

Hello IT colleagues,

The situation

I have two locations:

  • At home
  • At a colocation

At home on my ESXi host I’ve created an Ubuntu Server VM with WireGuard that connects to the colocation, also an ESXi host with an Ubuntu Server and WireGuard that acts as a VPN server.

VPN server colocation, also acts as a DHCP server for the colocation:

ens34 has a public IP
ens35 has an internal IP, 10.0.0.1
wg0 is the WireGuard NIC

Settings wg0.conf file

[Interface]
PrivateKey = HIDED
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = HIDED
AllowedIPs = 10.0.0.2/24
PersistentKeepalive = 25

IP routes

default via PUBLIC IP HIDED dev ens34 proto static 
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1 
PUBLIC IP HIDED/29 dev ens34 proto kernel scope link src PUBLIC IP HIDED 
192.168.1.0/24 dev ens35 proto kernel scope link src 192.168.1.1 

VPN client at home:

ens34 has an internal IP, 10.0.0.2
wg0 is the WireGuard NIC

Settings wg0.conf file

[Interface]
PrivateKey = HIDED
Address = 10.0.0.2/24
[Peer]
PublicKey = HIDED
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = PUBLIC IP HIDED:51820
PersistentKeepalive = 25

The connection between the 2 works. Also when I change the gateway of another VPN at the ESXi host at home it still could connect to the internet; when I change the IP of the gateway to a non-existing one, as expected, it doesn’t work anymore, so I am quite convinced that routing really works.

Now I want to connect to a Windows server at the colocation’s ESXi host with the IP 192.168.1.100 but pinging back and forth does not work, not from the VPN client and also not from the VPN server. For this moment this seems to be the last piece of the puzzle that is missing. The wanted situation is that I can use my ESXi host at the colocation like it’s a server at home and so simulate different kinds of networks (for lab purposes). For example setting up a Windows domain and using it on home computers that are also part of the lab env.

I need to admit that this is the first time for me dealing with VPN so it’s also a lack of knowledge from my side. A lot of information was from YouTube and other sources on the internet.

Could someone help me out and advise me on how I can route the network so that 192.168.1.0/24 is also reachable? I’ve tried to add the range also to AllowedIPs = 10.0.0.2/24 but when I start WireGuard I get the error RTNETLINK answers: File exists. I am stuck at this moment. Any help would be highly appreciated!

If you’re starting to link stuff together, never use the common ranges such as 192.168.0.x, 192.168.1.x, 10.0.0.x etc. as they often clash with other networks.

Renumber your networks to use something less common, then try again.

Did you enable IP forwarding on the vpn host?

sysctl net.ipv4.ip_forward=1

Supposing you already enabled ip forward on sysctl and have no iptables/nftables/ufw rules that prevent the forwarding, you also must add a route on your Windows server so it knows how to reach your 10.0.0.2 network:

route add 10.0.0.0 MASK 255.255.255.0 192.168.1.x

Where X is the IP of your Wireguard server. If you don’t do this the Windows machine will try to look for the 10.0.0.0/24 network on the default gateway, that obviously will not route this address anywhere.

For example, I’ve the reverse of your situation: at home I’ve a computer that is not a WireGuard client, but my home server is the WireGuard client of my VPS. So I added this route to the Windows machine:

Tabela de rotas IPv4
===========================================================================
Rotas ativas:
Endereço de rede          Máscara   Ender. gateway       Interface   Custo
          0.0.0.0          0.0.0.0    192.168.100.1   192.168.100.38     25
       10.11.12.0    255.255.255.0    192.168.100.2   192.168.100.38     26
        127.0.0.0        255.0.0.0      No vínculo         127.0.0.1    331
        127.0.0.1  255.255.255.255      No vínculo         127.0.0.1    331

Also, for this to work I had to change, in the server, the AllowedIPs part of my wg0.conf to include the network 192.168.100.0/24. You should not need this because your client is already configured with 0.0.0.0/0.

Hope this is the solution for your problem
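To check a wg0.conf against the host's routing table before starting the tunnel (the "RTNETLINK answers: File exists" case from the question, and the AllowedIPs change from the reply above), here is an added Python example that is not from the thread or the WireGuard project; the server config, the route list and the 192.168.10.0/24 remote LAN in the corrected entry are constructed assumptions modelled on the thread.

```python
import ipaddress
import re

# Constructed inputs modelled on the server-side wg0.conf and `ip route`
# output in the thread (keys redacted as in the post); the second
# AllowedIPs entry is the remote LAN the poster tried to add.
SERVER_WG0_CONF = """\
[Interface]
PrivateKey = HIDED
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = HIDED
AllowedIPs = 10.0.0.2/24, 192.168.1.0/24
PersistentKeepalive = 25
"""

# (prefix, device) pairs as `ip route` showed them on the server.
SERVER_ROUTES = [
    ("10.0.0.0/24", "wg0"),
    ("192.168.1.0/24", "ens35"),
]

# Hypothetical corrected peer entry: /32 for the peer itself plus the
# renumbered home LAN (192.168.10.0/24, an assumption) as the remote network.
FIXED_WG0_CONF = SERVER_WG0_CONF.replace(
    "AllowedIPs = 10.0.0.2/24, 192.168.1.0/24",
    "AllowedIPs = 10.0.0.2/32, 192.168.10.0/24",
)

def parse_allowed_ips(conf):
    """Return every AllowedIPs prefix in conf as an ip_network object."""
    nets = []
    for line in conf.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line)
        if m:
            for item in m.group(1).split(","):
                # strict=False maps 10.0.0.2/24 to the route wg-quick adds.
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def find_route_conflicts(conf, routes, wg_dev="wg0"):
    """AllowedIPs prefixes that already exist as a route on another device.

    wg-quick runs `ip route add <prefix> dev wg0` for AllowedIPs entries not
    yet routed via wg0; if that exact prefix already exists on a different
    interface the kernel answers 'RTNETLINK answers: File exists'."""
    existing = {ipaddress.ip_network(p): dev for p, dev in routes}
    return [(str(n), existing[n]) for n in parse_allowed_ips(conf)
            if n in existing and existing[n] != wg_dev]
```

Running the check on the original config reports 192.168.1.0/24 already routed via ens35, while the renumbered entry reports nothing; IP forwarding and the Windows-side route from the replies are still needed for the traffic itself.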

Hi u/boli99 this seems to be an important part of the solution. I now created a subnet of 192.168.10.x and now it works! Many thanks.