GOAL:
I am trying to set up a split-tunnelled point-to-site WireGuard VPN connection so that I can connect from my local Windows PC client to my remote cloud resources as though I were on the same network with them.
NETWORK TOPOLOGY:
The remote network has 2 servers located in the 10.0.0.0/24 subnet. The firewall rule for these 2 servers allows all IPv4 TCP, UDP, and ICMP traffic through if it comes from the 10.0.0.0/24 and 10.0.1.0/24 subnets. Otherwise, it just allows outgoing traffic to the internet and blocks any other incoming traffic. Furthermore, incoming traffic from the internet to ports 80/tcp and 51820/udp of Server 1 is allowed.
Server 1 is the WireGuard VPN server located at 10.0.0.249/24 and Server 2 is a test server located at 10.0.0.248/24. I can confirm the 2 servers are connected to each other via both ping and netcat. Both servers are using Debian 12.
VPN SERVER SETTINGS:
Server 1 is set up using the following docker-compose:
https://github.com/ngoduykhanh/wireguard-ui/raw/master/examples/docker-compose/linuxserver.yml
I use an nginx reverse proxy to enable access to the dashboard over the internet using the VPN server's public IP.
Running docker exec -it wireguard /bin/bash and then cat /config/wg0.conf yields the following:
https://gist.github.com/sepsol/d26eae5da05e646769fb33bc1a9d0d8f
ISSUE:
I then load the generated config in my WireGuard client app and after the connection is successfully "activated", I check my PC's routing table and confirm that all connections to the 10.0.0.0/24 subnet are going to use the WireGuard Tunnel interface. But in the end, when I try to ping or netcat either Server 1 or Server 2, I get Request Timeout.
QUESTION:
Why can't I confirm my connection to the remote servers after my VPN connection is established and how can I fix that?
I fixed my issue.
For the record, looking at the wireguard docker-compose example, my issue with wireguard-ui was also fixed by including my WG server interface's IP in my allowed IPs. It was this part specifically that I was missing:
https://github.com/linuxserver/docker-wireguard?tab=readme-ov-file#:~:text=AND%20the%20ip%20of%20the%20server%27s%20WG%20ip%2C%20such%20as%2010.13.13.1.
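As an added example (not code from the question, the linked gist, or the wireguard-ui project), a small Python check that parses a WireGuard client config and reports which destinations are not covered by any peer's AllowedIPs, which is the split-tunnel mistake fixed above. The sample config, its keys and endpoint are constructed; the server's WG interface IP is assumed to be 10.13.13.1 as in the linked linuxserver readme.

```python
"""Check a WireGuard client config for split-tunnel route coverage."""
import ipaddress

# Constructed sample client config (placeholder keys, documentation-range endpoint).
# AllowedIPs lists only the remote LAN subnets; the server's own WG IP is missing.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.13.13.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.0/24, 10.0.1.0/24
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Return a list of (section_name, {key: value}); duplicate [Peer] blocks are kept."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # base64 keys may end in '=', so split once
            current[1][key.strip()] = value.strip()
    return sections


def allowed_networks(sections):
    """Collect every AllowedIPs network from every [Peer] section."""
    nets = []
    for name, kv in sections:
        if name == "Peer" and "AllowedIPs" in kv:
            nets.extend(ipaddress.ip_network(n.strip(), strict=False)
                        for n in kv["AllowedIPs"].split(","))
    return nets


def missing_routes(conf_text, required):
    """Return the required addresses/subnets that no AllowedIPs entry covers (tunnel won't route them)."""
    nets = allowed_networks(parse_wg_conf(conf_text))
    missing = []
    for item in required:
        want = ipaddress.ip_network(item, strict=False)
        if not any(want.subnet_of(n) for n in nets if n.version == want.version):
            missing.append(item)
    return missing
```

Run it with the server's WG IP and the remote subnets as the required list; anything it reports must be added to AllowedIPs (or the corresponding route will never enter the tunnel).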