WireGuardClient: Transport Encryption, API compatible with .Net UdpClient
https://github.com/proxylity/wg-client
WireGuard is two things:
A transport encryption standard based on Noise and ChaCha20
A VPN application
I find the first bullet the most compelling as a software developer. It's so much easier to implement and lighter on the hardware than TLS, and is stateless which opens the door to a wide variety of use cases.
So I created this little library (and it is little, around 800 lines of code so far with only a little work left), that is API compatible with the .Net UdpClient but wraps all traffic in WireGuard transport encryption.
It may be a little difficult to get your head around at first, but this allows writing software that sends *anything* over a secure connection -- not just tunneled IP. So you can use it like you'd use TLS to protect communications, but don't need to actually use a VPN to do so. Weird stuff like (hypothetical) HTTP over WireGuard.
Of course you can send encapsulated packets over it to be compatible with a `wg` app running on the backend, but that's not the limit...
https://redd.it/1rqz6ba
@r_wireguard
Standalone UdpClient-compatible WireGuard client for .NET. Implements the Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s handshake with ChaCha20-Poly1305 transport encryption. - proxylity/wg-client
After finishing using WireGuard VPN and then coming to the office, a remote user cannot access LAN resources
I have a number of users with WireGuard on Windows 11 Pro 24H2. They do not have administrative rights to their PCs, and we cannot give them those rights. The published work-around is to make these users members of the "Network Configuration Operators" and I've done this, allowing them to create and teardown the VPN connection.
What we are now seeing for some users is that teardown appears to work, except that when they come into the office and connect to the local network they cannot see any local devices or resources (i.e. network shares) other than the default gateway.
It seems that the Network Adapter remains active and claiming a route to the LAN, but of course it's not connected because the VPN is not running.
As a work-around, disabling the Network Adapter manually allows the user to access local resources once more - but this requires administrator privileges that the user does not have.
Any suggestions, please?
Thanks
C
https://redd.it/1rqs41i
@r_wireguard
Subnet conflict: LAN access fails on remote Wi-Fi with same IP range
Hello!
I'm requesting your help with a routing issue using WireGuard. My goal is to access my local network (192.168.1.0/24) from outside (iPhone/laptop) using a WireGuard server hosted in an LXC container (Debian) on Proxmox. I also have the WGDashboard interface.
The VPN works perfectly over 4G/5G. I can access the internet via my home IP address and ping my devices at 192.168.1.x.
The VPN only partially works over a remote Wi-Fi network (at a friend's house): the VPN connection is established, I can access the internet via my home IP address, but I have no access to the local network.
I suspect there's a subnet conflict when the remote Wi-Fi network also uses the 192.168.1.0/24 range (the same as my home network where the WireGuard server is hosted). This prevents traffic from knowing whether to stay on the local Wi-Fi or go through the tunnel.
Is there a way to force the VPN tunnel to prioritize the 192.168.1.0/24 network even if the local Wi-Fi network uses the same range?
I'd like to avoid changing my subnet at home, as that would be a real hassle.
Thx!
https://redd.it/1rqpcp3
@r_wireguard
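Why the friend's Wi-Fi wins, shown as a longest-prefix-match simulation. This is an added example, not code from the post above or from the WireGuard project; the interface names wlan0 and wg0 and the route entries are assumptions standing in for whatever the laptop or iPhone actually installs. It also shows the usual workaround that avoids renumbering the home LAN: two /25 routes through the tunnel are more specific than the remote Wi-Fi's /24, so they win.

```python
"""Longest-prefix-match simulation of the subnet clash described above.

Added example, not from the original post.  The host's routing table is
modelled as a list of (prefix, interface) pairs and a destination is
resolved the way every IP stack does it: the most specific matching prefix
wins, regardless of which interface came up first or which one is "the VPN".
"""
from ipaddress import ip_address, ip_network

# Constructed routing table for the poster's device at the friend's house:
# the Wi-Fi DHCP lease installs a connected route for 192.168.1.0/24 on
# wlan0, and a full-tunnel config (AllowedIPs = 0.0.0.0/0) supplies the
# default route via wg0.  Interface names are assumptions.
FRIENDS_WIFI = [
    ("192.168.1.0/24", "wlan0"),  # connected route from the remote Wi-Fi
    ("0.0.0.0/0", "wg0"),         # default route installed by the tunnel
]


def lookup(table, dst):
    """Return the interface the kernel would pick for dst (longest prefix match)."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def split_more_specific(prefix):
    """Split a prefix into its two halves, each one bit longer.

    Two /25 routes via the tunnel beat the Wi-Fi's /24 in longest-prefix
    matching.  It is the same trick many VPN clients use with 0.0.0.0/1 and
    128.0.0.0/1 to beat an existing default route without deleting it.
    """
    return [str(n) for n in ip_network(prefix).subnets(prefixlen_diff=1)]


def with_override(table, lan_prefix, tunnel_iface="wg0"):
    """Routing table after adding the two more-specific halves via the tunnel."""
    return [(half, tunnel_iface) for half in split_more_specific(lan_prefix)] + list(table)


if __name__ == "__main__":
    print("before:", lookup(FRIENDS_WIFI, "192.168.1.50"))  # wlan0: stays on the friend's LAN
    fixed = with_override(FRIENDS_WIFI, "192.168.1.0/24")
    print("after: ", lookup(fixed, "192.168.1.50"))         # wg0: goes through the tunnel
    print("but:   ", lookup(fixed, "192.168.1.1"))          # wg0: the friend's gateway too
```

The last line is the caveat: with the override in place, 192.168.1.1 (the friend's gateway and usually the DHCP server) is also pulled into the tunnel. Traffic to the WireGuard endpoint itself still works, because the default route's next hop is typically resolved on wlan0 directly rather than by another table lookup, but unicast DHCP renewals and anything else on the friend's LAN are unreachable while the tunnel is up. On the iOS app the only knob is AllowedIPs, so the two /25 entries would have to be listed there alongside 0.0.0.0/0; whether the app installs them as separate, more-specific routes is something to verify on the device rather than assume.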
iPhone: Route only ONE IP address via VPN, rest normally outside VPN?
I'm trying to use the iPhone Wireguard app to route only ONE internal IP address via VPN, rest normally outside VPN.
Default config from my Unifi Express 7 router is:

```ini
[Interface]
PrivateKey = DELETED
Address = 192.168.2.4/32
DNS = 192.168.2.1
[Peer]
PublicKey = DELETED
AllowedIPs = 0.0.0.0/0
Endpoint = DELETED.mynetgear.com:51820
```

I change to:

```ini
[Interface]
PrivateKey = DELETED
Address = 192.168.2.4/32
DNS = 192.168.2.1
[Peer]
PublicKey = DELETED
AllowedIPs = 192.168.1.25/32
Endpoint = DELETED.mynetgear.com:51820
```
However, what I see is that 192.168.1.25 is routed via Wireguard VPN, but rest of Internet traffic is blocked. I want rest of Internet to work.
What am I doing wrong and what do I need to change?
Thank you!!!
SOLUTION: remove the DNS = line completely and it works. Thanks, all!!!
https://redd.it/1rq76c6
@r_wireguard
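The poster's fix (dropping the DNS line) is consistent with the usual split-tunnel trap: DNS = 192.168.2.1 makes the client send every name lookup to 192.168.2.1, but AllowedIPs only routes 192.168.1.25/32 through the tunnel, so the resolver is unreachable and "the rest of the Internet" fails at name resolution. The check below is an added example, not code from the post or from the WireGuard project; it parses a wg-quick style config with a small INI reader written here and reports any DNS server that no peer's AllowedIPs covers. The two configs embedded in it are constructed copies of the ones posted, keys and endpoint redacted as in the post.

```python
"""Lint a wg-quick style config for a DNS server the tunnel cannot reach.

Added example, not from the original post.  Rule: every address in DNS=
must fall inside some AllowedIPs prefix of some peer, or it must not be
set at all (let the device keep its own resolver).
"""
from ipaddress import ip_address, ip_network


def parse_wg_conf(text):
    """Minimal parser for [Interface]/[Peer] sections (no quoting, no includes).

    Returns (interface_dict, [peer_dict, ...]) with lower-cased keys.
    Repeated keys are joined with commas, mirroring how wg-quick treats
    repeated AllowedIPs lines.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if current is None:
            raise ValueError(f"key outside of a section: {raw!r}")
        current[key] = f"{current[key]},{value}" if key in current else value
    return interface, peers


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def unreachable_dns(text):
    """Return the DNS servers not covered by any peer's AllowedIPs."""
    interface, peers = parse_wg_conf(text)
    allowed = [ip_network(p, strict=False)
               for peer in peers for p in _csv(peer.get("allowedips", ""))]
    problems = []
    for server in _csv(interface.get("dns", "")):
        try:
            addr = ip_address(server)
        except ValueError:
            continue  # a search domain, not a resolver address
        if not any(addr in net for net in allowed):
            problems.append(server)
    return problems


# Constructed copies of the poster's two configs (keys and endpoint redacted as posted).
FULL_TUNNEL = """
[Interface]
PrivateKey = DELETED
Address = 192.168.2.4/32
DNS = 192.168.2.1
[Peer]
PublicKey = DELETED
AllowedIPs = 0.0.0.0/0
Endpoint = DELETED.mynetgear.com:51820
"""
ONE_HOST = FULL_TUNNEL.replace("AllowedIPs = 0.0.0.0/0", "AllowedIPs = 192.168.1.25/32")

if __name__ == "__main__":
    for name, conf in (("full tunnel", FULL_TUNNEL), ("single host", ONE_HOST)):
        bad = unreachable_dns(conf)
        verdict = "ok" if not bad else (f"DNS {bad} is outside every AllowedIPs prefix: "
                                        "drop the DNS line or add the resolver to AllowedIPs")
        print(f"{name}: {verdict}")
```

The second option in the verdict is the alternative to the poster's fix: keeping DNS = 192.168.2.1 and adding 192.168.2.1/32 to AllowedIPs makes the home resolver reachable, at the cost of sending every lookup, including ones for public names, through the tunnel.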
Wireguard Windows Client
Hello r/wireguard,
Is there any option to connect with the WireGuard Windows client without admin rights?
https://redd.it/1rq41be
@r_wireguard
WireGuard Windows – How to deploy a tunnel automatically the same way the UI does (DPAPI + visibility and control in the client)?
Hello,
I am trying to deploy client configurations to workstations, but I am running into a problem:
The command wireguard /installtunnelservice does create a service, but that service uses the plaintext configuration file directly from its original location, instead of generating a DPAPI-encrypted version in the Data/Configurations folder. Moreover, the configuration does not appear in the WireGuard client interface, which prevents the user from managing its activation or deactivation.
How do I automatically deploy the configuration the same way as if the user had installed it through the WireGuard interface?
Thanks in advance
https://redd.it/1rq3u4z
@r_wireguard
can ping all but one device on the remote lan
On both WG server and client side, Allowed IPs is set to allow all traffic.
I have a Windows PC and a camera NVR on the remote site. From that Windows PC I can ping the IP of the NVR and access its web interface (port 80).
However, from a remote WG client (my laptop), while I can ping ALL remote device LAN IPs, the only device I cannot ping/reach is the NVR IP address... It doesn't make sense to me... I'm sure it's something simple I'm overlooking, but the WireGuard setup is very straightforward. Allow all traffic.
The NVR has no firewall or anything, otherwise I wouldn't be able to ping it from the remote Windows PC as well. Everything remote is hard wired to the router.
The connection path is: My laptop at home (WG client) > Remote router (GL.iNet Flint 2 running WG server) > Windows PC + NVR + all other devices, e.g. IP cameras etc.
EDIT: One thing I notice is that if I run an IP scanner on the remote Windows PC, it picks up the NVR's IP address. However, if I run the IP scanner on my laptop and let it scan over the WG network, it picks up other LAN devices but the NVR IP does not show up. I guess this is related to ARP/broadcast. But the ping issue is baffling me.
EDIT2: Well, there's a second NVR on the remote network. I have the same issue with that. I guess the NVRs may have some setting that prevents a reply to a ping packet from a non-LAN subnet?
https://redd.it/1rrqsk6
@r_wireguard
Help with site-to-site setup. WG seems to work, traffic is not flowing.
OK, I will try to keep the config deets as simple as possible below. The short version is I have two sites, one running OPNsense and the other running PFSense, both with WG. I need to access services (https of the router) on Site B from Site A, but not the other way around.
Currently the WG portion of things appears to be working - I have handshakes and traffic flow showing up in the status screens of both routers. I cannot communicate across the link though - no pings, no browsing to remote services (which is the main use-case). Everything just times out, and 100% packet loss. I think it's a firewall issue, or an AllowedIPs is, or both, but I am damned if I can figure it out.
Any and all help appreciated.
Config as follows:
Network Summary
Site A LAN: 192.168.1.0/24
Site B LAN: 192.168.10.0/24
WG Transit network: 192.168.40.0/24
Site A - PFSense
LAN: 192.168.1.0/24
WG Interface (end point on the transit network): 192.168.40.1
Peer setup Allowed IPs: 192.168.40.2/32, 192.168.10.0/24
Firewall rule in the WG group that allows any/any (wide open for initial setup testing)
Site B - OPNSense
LAN: 192.168.10.0/24
WG Interface (end point on the transit network): 192.168.40.2
Peer setup Allowed IPs: 192.168.40.1/32, 192.168.1.0/24
Firewall rule in the WG group that allows any/any (wide open for initial setup testing)
I think this should work, especially given the handshaking appears to be successful.
https://redd.it/1rruyqw
@r_wireguard
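A successful handshake says nothing about the data path, because AllowedIPs is applied twice per packet: on the way out, the destination must fall inside the peer's AllowedIPs or the packet is never encrypted and sent; on the way in, the inner source address must fall inside the sending peer's AllowedIPs or the decrypted packet is dropped silently. The example below is added here and is not code from the post or from either firewall project; it encodes the two sites from the "Config as follows" section and walks a ping and its reply through both checks. The LAN host 192.168.1.50 and the WAN address 203.0.113.5 are constructed for the example.

```python
"""Cryptokey-routing check for the site-to-site config above.

Added example, not from the original post.  For a request from src to dst
and its reply, the sending site's peer AllowedIPs must cover dst (request
sent, reply accepted) and the receiving site's peer AllowedIPs must cover
src (request accepted, reply sent).  Handshakes succeed regardless.
"""
from ipaddress import ip_address, ip_network

# Constructed from the "Config as follows" section of the post.
SITES = {
    "A (pfSense)": {"lan": "192.168.1.0/24", "wg_addr": "192.168.40.1",
                    "peer_allowed": ["192.168.40.2/32", "192.168.10.0/24"]},
    "B (OPNsense)": {"lan": "192.168.10.0/24", "wg_addr": "192.168.40.2",
                     "peer_allowed": ["192.168.40.1/32", "192.168.1.0/24"]},
}


def covered(addr, prefixes):
    """True if addr falls inside any of the AllowedIPs prefixes."""
    a = ip_address(addr)
    return any(a in ip_network(p, strict=False) for p in prefixes)


def trace(sites, src_site, dst_site, src, dst):
    """Return the AllowedIPs checks that a request src->dst and its reply would fail."""
    failures = []
    if not covered(dst, sites[src_site]["peer_allowed"]):
        failures.append(f"{src_site}: {dst} not in peer AllowedIPs "
                        "(request never sent, reply dropped after decrypt)")
    if not covered(src, sites[dst_site]["peer_allowed"]):
        failures.append(f"{dst_site}: {src} not in peer AllowedIPs "
                        "(request dropped after decrypt, reply never sent)")
    return failures


def site_to_site_ok(sites, a, b):
    """Whole-LAN check: each LAN must sit entirely inside the other side's peer AllowedIPs."""
    lan_a, lan_b = ip_network(sites[a]["lan"]), ip_network(sites[b]["lan"])
    allowed_a = [ip_network(p, strict=False) for p in sites[a]["peer_allowed"]]
    allowed_b = [ip_network(p, strict=False) for p in sites[b]["peer_allowed"]]
    return (any(lan_b.subnet_of(n) for n in allowed_a)
            and any(lan_a.subnet_of(n) for n in allowed_b))


if __name__ == "__main__":
    A, B = "A (pfSense)", "B (OPNsense)"
    print("LANs mutually covered:", site_to_site_ok(SITES, A, B))
    # A LAN host hitting the OPNsense LAN address, then the transit addresses themselves.
    for src, dst in (("192.168.1.50", "192.168.10.1"), ("192.168.40.1", "192.168.40.2")):
        f = trace(SITES, A, B, src, dst)
        print(f"{src} -> {dst}:", "AllowedIPs fine in both directions" if not f else f)
    # A ping issued from the pfSense box but sourced from its WAN address (constructed).
    print(trace(SITES, A, B, "203.0.113.5", "192.168.10.1"))
    # The common mistake: site B's peer entry lists only the transit address.
    broken = {**SITES, B: {**SITES[B], "peer_allowed": ["192.168.40.1/32"]}}
    print(trace(broken, A, B, "192.168.1.50", "192.168.10.1"))
```

With the posted AllowedIPs every check passes, so cryptokey routing is not what is eating the packets, and the two remaining suspects are the things AllowedIPs does not do on these firewalls. First, confirm the kernel actually has a route for the remote LAN via the WG interface on each box (netstat -rn; on pfSense and OPNsense that depends on interface assignment and route settings rather than following automatically from AllowedIPs). Second, the any/any rule must be on the WG interface's own tab, since that is where the decrypted packets enter. The 203.0.113.5 case in the block is the third classic: a test ping from the firewall GUI that is not explicitly sourced from 192.168.40.1 fails the far side's inner-source check even though everything is configured correctly.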
Linux: Per-app split-tunneling done right. An introduction to Flypaper.
Hello all. I'm looking for users to test my invention: Flypaper
I've been personally using it for months without issue, but people have a wide array of varying use cases, so I need more testers.
It's currently command-line only, but I'd work on a GUI if one is really wanted. But despite that, I think it's quite easy to use.
Unlike others, it doesn't require a complex netns setup, nor does it use cgroups v1 (deprecated, and patched out on some distros).
If you find the documentation to be confusing, do tell me about it. This is my first time publicly documenting a project, and I'm not sure if it's entirely concise to "mere mortals".
I really hope someone finds this to be immensely useful, as I have.
(btw, this works for any VPN or interface, not just WireGuard)
https://redd.it/1ryp6xi
@r_wireguard
Codeberg.org
flypaper
Bind GNU/Linux applications to network interfaces or mark them on-the-fly!
AmneziaWG Obfuscation Parameters Support
It would be nice if you support AmneziaWG Obfuscation Parameters.
https://redd.it/1rwy147
@r_wireguard
Wireguard Connectivity Issue
I have WireGuard working and configured for three devices (Phone 1, Phone 2, and a laptop). The WireGuard VPN works well with both phones when they are connected from an outside network.
Though for the laptop, the WireGuard tunnel only works within my local network. It establishes a handshake and shows that data is being transferred, but whenever I try connecting using mobile data or another external network, the connection shuts off completely. I’m not sure what is causing this issue on the laptop while the phones work without any problems.
https://redd.it/1rwuq4t
@r_wireguard
[Release] Defguard 2.0 Alpha 2: Static IPs, High Availability, and New Setup Wizard
We've just released Defguard 2.0 Alpha 2. While version 2.0 is still in alpha (not recommended for production yet), this release is now nearly feature-complete and ready for testing and PoCs.
If you are currently evaluating Defguard or running the 1.6.x series in a test environment, we recommend moving to 2.0 Alpha 2 to test the new architecture.
**You can find the full release notes and video previews on our [official blog post](https://defguard.net/blog/defguard-2-0-release-alpha-2/).**
# What's New in Alpha 2
* **Static IP Assignment** — A long-awaited community request. You can now manually assign specific internal IP addresses to both networks and individual user devices directly from the UI.
* **High Availability (HA)** — Support for multiple Gateways and Edge components. Deploy and manage multiple gateways for VPN redundancy, including a testing Docker Compose setup with Envoy for load balancing.
* **New Quick Setup Wizard & VM Images** — Streamlined onboarding path. If you deploy via the new OVA or the updated Docker Compose, the Core, Edge, and Gateway components are provisioned automatically.
* **Expanded Firewall Management** — Redesigned for the 2.0 architecture, allowing for more granular access control and easier rule management.
* **Improved Deployment Guidance** — Clearer step-by-step instructions within the UI when adding new Edge or Gateway nodes to your infrastructure.
# What This Means for WireGuard Users
If you are currently using "vanilla" WireGuard or other management tools, here is how this release changes the experience:
1. **Simplified Infrastructure Management** — You no longer need to manually manage peer configurations for high-availability setups. The Gateways and Edge components allow you to scale your VPN across multiple nodes with built-in redundancy, making it easier to maintain uptime for larger teams.
2. **Granular Network Control** — With the addition of Static IP Assignment, you have the precision of manual `AllowedIPs` configuration but managed through a central UI.
3. **Enterprise-Grade Security by Default** — For those struggling to implement 2FA/MFA on top of WireGuard, Defguard 2.0 streamlines the integration. The New Setup Wizard ensures that even complex security architectures (like MFA-gated tunnels) are provisioned correctly from the start.
4. **Automated Deployment** — If you've spent hours configuring individual `wg0.conf` files, the new VM images and Docker automation mean you can go from a clean slate to a functional, managed WireGuard network blazing fast.
# Getting Started & Feedback
You can find the full release notes and **video previews** on our [official blog post](https://defguard.net/blog/defguard-2-0-release-alpha-2/) or dive straight into the [GitHub repo](https://github.com/DefGuard/defguard).
We're looking for feedback specifically on the **HA setup** and the **new firewall management**. If you run into bugs, please [open an issue on GitHub](https://github.com/defguard/defguard/issues) or join our [community discussions](https://github.com/defguard/defguard/discussions).
>**Note:** If you want to receive release updates, consider [signing up for our newsletter](https://defguard.net).
https://redd.it/1rw5b2o
@r_wireguard
defguard
Defguard 2.0 Release Alpha 2: Feature-Complete Preview for Early Testing | Defguard Blog
Defguard 2.0 Alpha 2 is now nearly feature-complete. This release introduces faster setup, high-availability improvements, firewall management updates, and static IP assignment for users and devices.
Wireguard setup on Asus routers
I use an Asus Zen BQ16 Pro mesh at home and have just bought an Asus Zen BT10 for use in my cottage. I'd like to use WireGuard to have access to my home network and devices.
As the cottage is a couple of hundred miles away I'd like to set up the BT10/BQ16 as a client/server before heading there.
I'd be grateful if anyone with Asus experience could guide me through the setup or point me to a YT video.
https://redd.it/1rwd5qv
@r_wireguard
WG Client and Wifi Switcher
I wasn’t happy with the official Windows WireGuard client because it was missing a feature I really needed, so I built my own WireGuard client. It still relies on the official client and its profiles, but the official client itself does not need to be running.
The main feature I wanted was automatic tunnel activation and deactivation based on the WiFi network I’m connected to. For example, when I’m at home the tunnel is disabled because I’m on my trusted network. When I’m elsewhere, the tunnel is enabled so I can use things like my own AdGuard DNS for ad blocking.
If anyone is interested in this, the project and files can be found here:
https://github.com/masselink/WGClientWifiSwitcher
https://redd.it/1rwgnku
@r_wireguard
[WG-Easy] How does one SSH over A WireGuard connection?
Hello, I just want to know if I can use SSH over a WireGuard connection or/and how?
I've seen people talk about it both on the subreddit and from search surfing but I just can't seem to understand what is happening or if it applies to my situation. Do I follow normal WireGuard guides but inside the wg-easy container or is there a separate guide?
Sorry if the question is a bit dumb. I'm pretty new to WireGuard or just computer networking in general.
wg-easy `docker-compose.yml`:
```yml
volumes:
  etc_wireguard:

services:
  wg-easy:
    #environment:
      # Optional:
      # - PORT=51821
      # - HOST=0.0.0.0
      # - INSECURE=false
    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    networks:
      wg:
        ipv4_address: 10.42.42.42
        ipv6_address: fdcc:ad94:bacf:61a3::2a
    volumes:
      - etc_wireguard:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
      # - NET_RAW # ⚠ Uncomment if using Podman
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  wg:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 10.42.42.0/24
        - subnet: fdcc:ad94:bacf:61a3::/64
```
(It's basically the default configuration from the manual)
`sshd_config`:
```txt
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to "no" here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to "yes" to enable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
# Beware issues with some PAM modules and threads.
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 180
ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale and color environment variables
AcceptEnv LANG LC_* COLORTERM NO_COLOR
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
```
https://redd.it/1rvvjmw
@r_wireguard
Failover
How are you using WireGuard when the server has two redundant WAN links?
Is there a way to configure WireGuard so that it connects to the primary link and automatically switches to the backup link if the primary fails?
For example:
WAN1 → primary link
WAN2 → backup link
If WAN1 goes down, can the WireGuard tunnel automatically reconnect through WAN2?
I'm interested in best practices for this scenario when using pfSense.
https://redd.it/1rvvf8t
@r_wireguard
Looking for an architecture review: Should I scale my SOHO ZTNA project, or pivot to a new topic for employability?
https://github.com/alvin-alvo/safenet-soho-security-framework
https://redd.it/1rzoi6p
@r_wireguard
Can't connect on my new surface laptop
Apologies if this has been asked before - did some research and couldn't find anything of this sort, but maybe it's been asked in a different way.
Just purchased a new surface laptop 7 - and every time I try to run wireguard, specifically 'import new tunnel from file', the program crashes. I originally thought this was due to my machine running on an ARM architecture, but the problem still exists even when I downloaded the ARM version of wireguard.
Any thoughts?
UPDATE: Managed to get it working, but keeping the post up to hopefully help those who are in my predicament. My solution was as follows:
- Install wireguard as usual from their website (https://www.wireguard.com/install/#installation) - pressed 'download windows installer'.
- Opened an empty tunnel (the only option that didn't crash)
- Jumped over to chat gpt, gave it the .conf file, and told it to reformat it into a format I can paste into a wireguard empty tunnel.
- Pasted chat gpt's output into the empty tunnel.
- Activated my VPN and everything worked!
https://redd.it/1rzspap
@r_wireguard