r/WireGuard

▲ 15 r/WireGuard+3 crossposts

Age verification laws are basically turning everyone into VPN users now

Honestly I’m not even surprised anymore. The other day I clicked on a site and suddenly it wanted me to verify my age with personal info before letting me continue. Bro I’m sorry but there’s no way I’m handing over IDs or sensitive data to random websites that probably get breached every other month, so yeah, I downloaded a VPN too. Not even for anything shady. I literally just wanted to browse normally without feeling like I’m applying for a passport every time I open the internet lol. What’s funny is these laws were supposed to stop people from bypassing restrictions, but now everybody’s learning how VPNs work because of it. Massive backfire ngl. Lowkey feels like we’re entering that “show ID before entering every website” era and I hate it here. Anyone else suddenly using VPNs way more because of all this age check stuff?

u/Chance_Drink3100 — 14 hours ago

Wireguard endpoint over IPv6

Is there any way to make Wireguard connect over IPv6 to the VPN endpoint if A and AAAA records are available?

At the time, it will always connect to the v4 address, even if a v6 is available. Only way to make it connect to a v6 endpoint is an AAAA-only DNS record.

Any ideas, maybe custom Wireguard builds?

u/ninmuzz — 24 hours ago
▲ 23 r/WireGuard+4 crossposts

If VPNs start logging user activity, then what’s even the point anymore?

So I just read that Canada’s proposed surveillance bill is getting massive backlash from VPN companies, and apparently Windscribe even said they might straight up leave Canada if they’re forced to log user activity. Ngl this is kinda insane to me. Like bro the main reason I even pay for a VPN is so my activity isn’t being tracked everywhere. I work remotely and travel a lot, so I’m constantly connecting to hotel Wi-Fi, coffee shops, airports, all that sketchy public internet stuff. A VPN is basically my safety net. But if governments start forcing VPN companies to keep logs of what users are doing then wtf are we paying for at that point? Anyone else think this whole thing is getting way outta pocket?

u/Dry_Composer1386 — 1 day ago
▲ 11 r/WireGuard+4 crossposts

European Union really thinking about regulating VPNs now?

So apparently the EU launched this new age verification system to “protect minors online,” but people quickly figured out you can literally bypass it with a VPN. Now there’s talk about tighter VPN regulations and honestly this feels kinda wild. I travel a lot for work and public Wi-Fi is straight up sus sometimes. VPN is basically the only thing keeping my accounts from getting yoinked at airports and cafés. What’s annoying is that governments keep treating VPNs like they’re only used for bypassing restrictions, when a lot of normal people use them for privacy, security, streaming, remote work, etc. Imagine paying for a legit VPN subscription then suddenly needing ID verification just to use it. That kinda defeats the whole privacy point ngl. Anybody else think this is getting outta hand or am I trippin’?

u/Chance_Drink3100 — 1 day ago
▲ 20 r/WireGuard+1 crossposts

Privacy-friendly VPS host for self-hosted WireGuard relay? (real-world experiences wanted)

I'm setting up a WireGuard VPN as a relay between my devices and my home network (homelab access, not exit-node browsing). Trying to pick a host and would value real-world experience over marketing.

Why I'm not using a mainstream provider: Hetzner asked for ID + selfie at signup, which I'm not willing to provide for a €4/month VPS. Looking for hosts that don't require that.

Shortlist so far:

- Njalla — most-recommended for privacy, but expensive (~€15/mo) and I've read mixed things about their network reputation

- 1984 Hosting — Iceland, lighter KYC, seems like a balance

- BuyVM — cheap, accepts Monero, US-based

Questions for anyone with direct experience:

  1. Network reputation — how often do the IPs get blocklisted by services like Google, Cloudflare, streaming sites? Matters because a relay that gets captcha'd constantly is annoying
  2. Abuse handling — if someone else on the IP range does something, do they nuke your VM or work with you?
  3. Anyone left one of these for another? Why?

Not looking for "just use Mullvad" answers — I specifically want a server I control to terminate the tunnel at, not a commercial VPN.

Thanks for any input.

u/LinuxisnoOS — 2 days ago

Android: Skip VPN when already on local wifi network

Hi,

I set up wireguard on my home PC to allow my android phones to connect to the home network and access my local apps like immich and jellyfin.

The VPN itself works great when I'm outside the wifi network. But, if I have the VPN on while I'm connected to my local wifi, it basically kills internet access for my phone. Not sure exactly why this is, as I would expect requests to still be sent out to the internet and come back around. But every request just times out.

Is there any way to configure Wireguard to permit this? I want to keep my android VPN service on at all times, instead of having to toggle it off when I'm at home. Or perhaps is there a way to configure Android to toggle the VPN correctly when I'm in/out of network?

Thanks!

u/makotech222 — 2 days ago

digital ocean wireguard server split tunnel

I have a DigitalOcean server and set up WireGuard there to connect to the local network at the office

server configuration

```
[Interface]
Address = 10.7.0.1/24
ListenPort = 51820
PrivateKey = (hidden)

[Peer]
PublicKey = (hidden)
PresharedKey = (hidden)
AllowedIPs = 10.7.0.3/32, 192.168.70.0/24
Endpoint = client:24054
```

client configuration

```
[Interface]
Address = 10.7.0.3/32
PrivateKey = (hidden)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp3s0 -j MASQUERADE

[Peer]
PublicKey = (hidden)
PresharedKey = (hidden)
AllowedIPs = 0.0.0.0/0
Endpoint = server:51820
PersistentKeepalive = 25
```

If I change the client AllowedIPs to anything other than 0.0.0.0/0, the server cannot access the client's local network.

what is the issue here?

client is using zorin OS 18

server is ubuntu 20-04

u/anditsung — 2 days ago
▲ 140 r/WireGuard+1 crossposts

Nylon: I replaced Tailscale with my own mesh VPN

I built nylon because I wanted one unified VPN that connects across all my cloud servers, mobile devices and workstations, whether they are on the same LAN, or across the internet.

I also had latency-sensitive "work" ahem (game streaming). So if I were on the same physical network as my gaming pc, I want my VPN to route via the lowest latency LAN path, only falling back to other nodes when needed.

Note: I have considered Tailscale and Nebula. These work most of the time, but do not give me control over how data is routed. They generally establish direct links (or at most, 1-hop via a relay), and do not take the state of the underlying network into account.

With nylon, I can choose to add links with more premium networks like CN2 GIA or Akamai's (via two Linodes in diff regions). Nylon would take these links into account, and dynamically pick the best routing using Babel (RFC 8966).

If you're interested in the details, I wrote a blog post diving into the challenges of building this: https://jiaqi.dev/posts/nylon

Docs for getting started: https://nylon.jq.ax

Would love to hear thoughts & feedback! Thanks :)

github.com
u/SentenceHot5021 — 3 days ago
▲ 2 r/WireGuard+1 crossposts

UTR Wireguard Trouble

Hey everyone! I’m currently having an issue setting up a travel router. The travel router should be connected to my home network via Teleport / WireGuard and make a Raspberry Pi (connected to the travel router) available within the home network.
My home network runs a UCG Fiber.
When the travel router connects via Teleport to the UCG, the connection is established, but the Raspberry Pi’s IP is not reachable from within the home network. Setting up a connection via the WireGuard server using a QR code / config file works in terms of configuration, but the travel router stays stuck in “Connecting” status and never actually establishes a connection.
What am I missing? Firewall is all on default settings.
Thanks!

u/Significant-Bend6820 — 2 days ago

Multiple WG networks on one device

I'm very new to Wireguard so struggling to understand this, time to ask for help.

I want to access my home network (192.168.10.0/24) and my office network (192.168.100.0/24) from my phone (android) and my laptop (Linux Mint). I have servers at home and work running wireguard and I can connect to both networks separately with my phone and laptop, this is all working fine.

But I need to switch between the wg networks all the time. eg when I go to work I have to switch from the work to home wg profile, then back again when I go home.

Is there a way to configure this so I always have access to both networks? I just want to leave my phone/laptop permanently connected to wireguard and have access to both networks wherever I am. Note I don't want all traffic to go through wireguard, just need to enable the remote access.

u/1185dfrRvaxAJXPxs9 — 3 days ago

local network access on Asus XT8 wireguard

Thanks and apologies in advance, I expect this is answered here somewhere, but I've read a half-dozen different threads that sounded promising, and none made me smart enough to solve my issue (I'm starting to think maybe 'it's me'...)

I'm trying to set up access to my home router and LAN from a client laptop outside my home (say in a hotel), to do one of the following 3 actions/options:

  1. Relay internet traffic so it looks like "I am at home" (e.g. stream services that I am allowed to at home, but couldn't at the hotel)
  2. Relay internet traffic to look like I'm home, *and* access internal LAN devices (NAS, SiliconDust, etc.) at home -- Basically my laptop in the hotel acts as though it's inside my house
  3. Access home LAN, but use "hotel" ISP for all other internet traffic (in case I want to stream something that's allowed at the hotel).

Realistically, I don't know if I need #1 if I get #2 working, but I expect it'd help me understand how this is working to know the setup.

So far, all I can manage is #1...

What I have at home:

ASUS XT8 router set to act as a Wireguard Server
WAN = 70.A.B.C (passthrough from AT&T router)
LAN = 192.168.50.1
DHCP serving internal network on 192.168.50.0/24
Wireguard server at 10.6.0.1

When I set up the WG VPN on the ASUS, and I take the defaults, it generates a .conf file that contains:

```
[Interface]
PrivateKey = <...>
Address = 10.6.0.2/32
DNS = 10.6.0.1

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/0
Endpoint = 70.A.B.C:51820  # where 70.A.B.C is my AT&T WAN IP
PersistentKeepalive = 25
```

My interpretation here is the Client side "Allowed IPs = 0.0.0.0/0" routes all traffic from the client through the tunnel - including any "internet requests". This seems confirmed by a "whatismyip.com" on the laptop/client returning "70.A.B.C" when connected to the VPN.

I can also "ping 192.168.50.1" - the LAN face of the ASUS - successfully, but I get no response from "ping 192.168.50.25" (my NAS), or any other device in the LAN.

Given the tunnel appears to be set up, I'm wondering if the problem isn't the WG server at all, but some firewall aspect of the ASUS that's not letting "outside" traffic (from 10.6.0.2) get to the LAN. I'm investigating that, but figured I'd ask to see if I have the WG set up correctly.

Additionally, if it is a firewall issue, then to get #3 (above) to work, I think I need to swap out the client Allowed IP = 0.0.0.0/0 to be 192.168.50.0/24 (??) so only requests to the LAN get funneled through the VPN.

Am I on the right track here?

On the extremely off chance anyone reading this has familiarity with the XT8 and its interface - and my problem *is* firewall, I'd gladly take advice there too.

u/SolanaGuy19 — 3 days ago
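
AllowedIPs does two jobs, which is what both the DigitalOcean split-tunnel post and the ASUS XT8 post above run into: on send it selects which destinations enter the tunnel, and on receive it filters which source addresses are accepted from that peer. The sketch below is an added example, not code from either poster or from WireGuard; it models that lookup with the addresses from the two posts, and the peer names, the address 1.1.1.1 and the AllowedIPs values marked "constructed" are assumptions.

```python
import ipaddress

def parse_allowed(spec):
    """Turn an AllowedIPs value ("a/b, c/d") into a list of networks."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(",")]

def route_out(peers, dst):
    """Send side: name of the peer whose AllowedIPs entry is the longest
    prefix covering dst, or None when no entry matches (the packet then
    stays out of the tunnel and follows the normal routing table)."""
    addr = ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for name, spec in peers.items():
        for net in parse_allowed(spec):
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

def accept_in(peers, peer, src):
    """Receive side: a decrypted packet from `peer` is kept only when its
    source address falls inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(n.version == addr.version and addr in n
               for n in parse_allowed(peers[peer]))

# Peer tables as seen by the client in each post. Peer names are labels
# chosen for this example; 1.1.1.1 stands in for "some internet host".
DO_FULL = {"server": "0.0.0.0/0"}                  # from the post
DO_NARROW_BAD = {"server": "172.16.0.0/24"}        # constructed: omits 10.7.0.1
DO_NARROW_OK = {"server": "10.7.0.1/32"}           # constructed: server tunnel IP only
ASUS_FULL = {"router": "0.0.0.0/0"}                # from the post
ASUS_SPLIT = {"router": "192.168.50.0/24"}         # value proposed in the post
ASUS_SPLIT_DNS = {"router": "192.168.50.0/24, 10.6.0.1/32"}  # constructed variant

def report():
    """Evaluate each case and return the results keyed by description."""
    return {
        # DigitalOcean post: traffic from the server arrives with source 10.7.0.1.
        "do_full_accepts_server": accept_in(DO_FULL, "server", "10.7.0.1"),
        "do_bad_accepts_server": accept_in(DO_NARROW_BAD, "server", "10.7.0.1"),
        "do_bad_reply_peer": route_out(DO_NARROW_BAD, "10.7.0.1"),
        "do_ok_accepts_server": accept_in(DO_NARROW_OK, "server", "10.7.0.1"),
        "do_ok_internet_peer": route_out(DO_NARROW_OK, "1.1.1.1"),
        # ASUS post: option 3 (LAN through the tunnel, the rest direct).
        "asus_full_internet_peer": route_out(ASUS_FULL, "1.1.1.1"),
        "asus_split_nas_peer": route_out(ASUS_SPLIT, "192.168.50.25"),
        "asus_split_internet_peer": route_out(ASUS_SPLIT, "1.1.1.1"),
        # The generated config sets DNS = 10.6.0.1, outside 192.168.50.0/24.
        "asus_split_dns_peer": route_out(ASUS_SPLIT, "10.6.0.1"),
        "asus_split_dns_fixed_peer": route_out(ASUS_SPLIT_DNS, "10.6.0.1"),
    }

if __name__ == "__main__":
    for case, result in report().items():
        print(f"{case}: {result}")
```

The model covers only the AllowedIPs lookup; forwarding and firewall rules on the router or on LAN hosts are outside it.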

L2 VXLAN over WireGuard tunnel is UP, but zero traffic passing. What am I missing?

**EDIT-POST**

Quick update after a day of debugging my WireGuard relay setup.

Topology:

```
Kali VM
|
WireGuard
|
VPS relay (x.x.x.x)
|
Remote UniFi LAN (10.x.x.x/24)
```

Progress since yesterday:
- wg0 now comes UP correctly on both Kali and VPS
- VPS ↔ UniFi tunnel works with active handshakes
- Rebuilt all private/public keys and PSKs from scratch
- Fixed multiple config mismatches
- Added proper AllowedIPs/routes
- Enabled IP forwarding
- tcpdump confirms UDP packets from Kali ARE reaching the VPS on port 51820
- MASQUERADE/FORWARD rules added successfully

Current issue:
Kali still shows:

transfer: 0 B received

and VPS still never shows a handshake specifically for the Kali peer.

The last troubleshooting steps I tried before getting stuck were:

```
sudo iptables -t nat -A POSTROUTING -s 10.x.x.x/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wg0 -j ACCEPT
sudo systemctl restart wg-quick@wg0
```

Those commands applied successfully but the issue remains.

At this point I still feel like I’m missing some deeper understanding of the WireGuard handshake/routing flow itself.

Any ideas what I should inspect next?

Thanks!

*old post*
Hey guys,
I’ve been banging my head against the wall for the past few days trying to troubleshoot a Layer 2 VXLAN tunnel, and I'm officially stuck.
The goal is to bridge my home lab with a remote DigitalOcean VPS so end-devices on both sides can talk on the same L2 broadcast domain (10.100.102.x).

The Setup:
Home Side: Tossed my ISP router into stupid Bridge Mode, letting a UniFi Cloud Gateway Ultra handle the public IP. Behind it, I am running Kali Linux inside VMware Workstation, completely isolated so it only communicates within my specific lab environment.
Cloud Side: Ubuntu VPS on DigitalOcean.
The Underlay: Set up a stable WireGuard tunnel between the Kali VM and the DO VPS over UDP port 51820. The VPN itself is rock solid and I can route traffic between the host and VPS perfectly.
The Overlay: On top of WireGuard, I built a vxlan30 interface (VNI 30, UDP 4789) and enslaved it to a local bridge on both sides. The interface status is officially UP.

The Problem:
Even though the tunnel says it's active, I have zero data plane connectivity:
• The weird part: I can successfully ping the remote WireGuard IP address and the VPS itself from the host. The underlay network is 100% alive.
• However, pings between the actual end-devices (like trying to hit .1 over the VXLAN subnet) completely time out.
• Running arp -a or ip neigh just gives me Incomplete or Failed. It looks like ARP broadcasts are disappearing into the void and not traversing the tunnel.
• The Bridge FDB isn't learning any remote MAC addresses.

u/Ambitious_Group_593 — 3 days ago

How to create a remote setup for work?

I am currently running Meta ads on USA personal account and home Wifi.

I will be in Europe for 8 weeks, traveling many countries and changing cities very often. So now, I am looking into remote setup so that Meta sees a consistent behavior from the same IP, trust signals, etc. Money is not a concern as this would be a business expense for me.

Options:
Option #1: PiKvm + Tailscale for home Mac. Then use a travel device to remote into the home Mac.

The risk with this option is I will have a single point of failure i.e. the session on home Mac. If that session ends and FB asks me to verify on my iPhone during new login, I won't be able to because iPhone will have Europe IP address.

Option #2: Remote desktop with Anydesk / Chrome Remote Desktop

The risk with this option is if my home mac shuts down. These softwares (unlike PiKVM) do not work when the Mac is locked with password during reboot.

Option #3: Replacement router at home with VPN server function

The risk is VPN leak / location mismatch / timezone mismatch / maybe other things that I am not aware of because I have not fully researched this so would appreciate insights.

Option #4: Any suggestions?

u/Massive_Apricot9079 — 3 days ago

If BitLocker comes up on your screen company

I have a question: if the BitLocker recovery screen comes up on a company computer and you set up WireGuard and your travel router and you have your home router, does that mean that they know where your location is due to the software and that company computer?

u/chrisfrazierrank — 4 days ago

privpn — turn any 2€/month VPS into your own WireGuard VPN with one bash menu

Stopped trusting commercial VPNs' "no-logs" promises. Your VPS, your keys, your traffic:

- Under 5 minutes on any cheap Linux VPS (AlmaLinux, Ubuntu, Debian, Fedora — anything with apt or dnf, ~2€/month is plenty).
- One menu does everything: SSH key setup, WireGuard install, peer generation, connect/disconnect.
- Multi-device from day one: phones get a QR, Linux laptops auto-fetch config over SSH, Macs get a paste-ready file.
- All keys generated on the server — nothing secret lives in the repo or on your laptop until you connect.
- Just wg-quick under the hood — no daemons, no GUI, no telemetry, no Docker, no Python. Pure bash.
- Also CLI: privpn connect / privpn disconnect / privpn status. Apache-2.0.

Repo: github.com/hamr0/privpn — feedback welcome.

u/Tight_Heron1730 — 4 days ago
▲ 7 r/WireGuard+1 crossposts

TP-Link Archer AX55 Pro as WireGuard client for remote LAN access and Wake-on-LAN?

Hi everyone,

I’m considering buying the TP-Link Archer AX55 Pro and I have a question about using it as a WireGuard client.

Current setup:

  • I already have a WireGuard server running at my father’s house.
  • At my own house, I would install the AX55 Pro.
  • I want the AX55 Pro to connect as a WireGuard client to that remote server and keep the tunnel always connected.

My goal:
When I’m away from home (for example at my father’s house or on mobile data), I want to access my home LAN remotely through the WireGuard tunnel and send Wake-on-LAN (WoL) packets to wake up PCs inside my network.

Questions:

  1. Does the AX55 Pro work reliably as a WireGuard client in this scenario?
  2. Can devices from the remote side access the home LAN correctly through the tunnel?
  3. Has anyone successfully used Wake-on-LAN through this setup?
  4. Does the router properly forward WoL/broadcast packets to the LAN?

Thanks!

u/WomBOlUm — 4 days ago

Client "connects", but no data transfer.

Hello!

On the server: "wg show"

```
interface: wg0
- public key: <key here>
- private key: <hidden>
- listening port: 51820

peer: <key>
- preshared key: (hidden)
- allowed ips: 10.66.66.2/32, fd42:42:42::2/128
```

Client config imported into Wireguard client:

```
[Interface]
PrivateKey = <key here>
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = myISP_IP1, myISP_IP2

[Peer]
PublicKey = <key here>
PresharedKey = <key here>
Endpoint = mydomainname:51820
AllowedIPs = 0.0.0.0/0,::/0
```

----Domain name resolves to a correct public IP and port 51820 is forwarded (UDP).

I can connect, but on the client there is 0 bytes received and a few KB transmitted. There's no internet while I'm connected: I can't ping, nor can I resolve domain names.

Client: CachyOS (via 5G network to simulate external attempt at connecting)

Server: Debian 13

I've been at it for weeks now, and I'm at my wits' end. I've been through countless YouTube tutorials, Portainer Docker images and compose files. I ended up trying to set up a dedicated Debian VM with only WireGuard on it and that's where I am now. The issue is always the same: I can "connect", there is no data traffic and I lack the tools to troubleshoot it.

I appreciate all the help and patience.

u/namorblack — 5 days ago