Internet access through a WireGuard VPN tunnel (2024)


What should the settings be so that clients connected via the WireGuard VPN have access to the Internet?

Important

This configuration increases the load on the VPN channel and on the Internet channel of the Keenetic that acts as the VPN server.

  1. Allowed IPs 0.0.0.0/0 must be specified in the client peer settings. If the client is a Keenetic router, the 'Use for accessing the Internet' option should be enabled in the interface parameters.

  2. Also, the client side configuration must have a DNS server specified (e.g. Google's public DNS server address 8.8.8.8).

    Note

    The client of the WireGuard VPN server can be a Keenetic router, a mobile device based on Android or iOS, or a computer based on Windows, Linux, or macOS.

  3. On the server side, which should be used to access the Internet, the following settings are required.

    Note

    In the case of WireGuard, it does not matter who the server is in this scheme, i.e. which side accepts the connection and which initiates it. But usually, it's the server that's waiting for the connection.

    You must assign the private security level to the WireGuard interface. To do this, enter the following command in the command-line interface (CLI) of the router (in our example, for the Wireguard0 interface):

    interface Wireguard0 security-level private

    Also, the network address translation (NAT) option must be enabled for the interface. To do this, you will need to enter the command:

    ip nat Wireguard0

    These are necessary and sufficient conditions. The settings on the server should be saved with the command:

    system configuration save

  4. Keep in mind that changing the tunnel interface's security level from public to private changes the rules for traffic transfer to this interface from other local networks of the router and back. You can find the settings needed to resolve this situation in the note to the 'Network segments' article.

    For traffic from hosts connected to the tunnel to be sent to the local segment, you must add a permit rule on the tunnel interface in the incoming direction. In this rule, the range of addresses on the local network segment must be specified as the destination.

    The rule that allows all incoming traffic, which we set up on the tunnel interface in the 'Configuring a WireGuard VPN between two Keenetic routers' article, is suitable for this. After the interface security level is changed as described in this instruction, that firewall rule will remain and continue to perform another function.

    In addition to configuring static routing, you will also need to add permit firewall rules on each local segment. In these rules, the destination addresses must include host IP ranges on remote networks behind the tunnel that require access from this local segment.

Example

Consider an example where clients connected to a Keenetic router that acts as a VPN client will access the Internet through this VPN tunnel. In other words, from the VPN client, all traffic will be routed to the WireGuard tunnel, both to access the remote network and the Internet.

Take the scheme shown in the manual 'Configuring a WireGuard VPN between two Keenetic routers' as a basis.

  1. On the VPN server, change the security level of the Wireguard0 interface and enable the automatic address translation rule for it.

    interface Wireguard0 security-level private
    ip nat Wireguard0
    system configuration save

  2. In the web interface, add permit rules on the local network interfaces to allow traffic to pass through the network behind the remote router. The first rule gives permission to send traffic to the VPN client's local network.

    And on the VPN client side, add a permit rule for the Home network to allow traffic to the VPN server's LAN.

  3. On the VPN client, the configuration of the WireGuard interface must be corrected: add the address space 0.0.0.0/0 to the allowed networks, and in the configuration of the interface itself enable the 'Use for accessing the Internet' option and specify the DNS server(s). In our example, we specified a public Google DNS server (8.8.8.8), but you can also use local addresses available in the tunnel, such as the VPN server's address (172.16.82.1).

    Save the setting.

  4. The WireGuard interface will appear on the VPN client in the 'Internet' menu on the 'Connection priorities' page. Drag and drop it to the top of the list to make it the primary connection.

    After that, all clients connected directly to the Keenetic router will access the Internet through the VPN tunnel. If you need to configure access only for some devices, we recommend creating an individual profile and binding specific devices to it. How to do this is shown in the 'Connection priorities' instruction.

    The setup is complete.
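
The two client-side requirements above (0.0.0.0/0 in the allowed networks and a DNS server on the interface) can be checked before a configuration is deployed. The following is an added example, not part of the original article: it assumes the client is a Linux, Windows, macOS or mobile device using a standard wg-quick style configuration file rather than the Keenetic web interface, and the keys, the endpoint `vpn.example.net:51820` and the client address 172.16.82.2 are constructed placeholders.

```python
import ipaddress

# Constructed samples with placeholder keys; BAD is split-tunnel without DNS.
GOOD = """\
[Interface]
PrivateKey = <client-private-key>
Address = 172.16.82.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
"""
BAD = GOOD.replace("DNS = 8.8.8.8\n", "").replace("0.0.0.0/0", "172.16.82.0/24")

def parse_wg_conf(text):
    """Merge keys per section type; repeated [Peer] blocks accumulate values."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
    return conf

def audit_full_tunnel(text):
    """Return the client-side requirements from the article that are unmet."""
    conf, findings = parse_wg_conf(text), []
    allowed = [ipaddress.ip_network(n, strict=False)
               for n in conf.get("peer", {}).get("allowedips", [])]
    dns = conf.get("interface", {}).get("dns", [])
    if ipaddress.ip_network("0.0.0.0/0") not in allowed:
        findings.append("AllowedIPs lacks 0.0.0.0/0")
    if not dns:
        findings.append("no DNS server set")
    for entry in dns:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # non-IP entries (e.g. search domains) are skipped
        if not any(addr in n for n in allowed if n.version == addr.version):
            findings.append(f"DNS {entry} is outside AllowedIPs")
    return findings

if __name__ == "__main__":
    print(audit_full_tunnel(GOOD), audit_full_tunnel(BAD))
```

A DNS entry such as the VPN server's address 172.16.82.1 passes as long as some AllowedIPs prefix covers it; a DNS server outside every allowed prefix is flagged because queries to it are not sent through the tunnel.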

Note

To disable the configured feature, enter the following commands on the VPN server:

    interface Wireguard0 security-level public
    no ip nat Wireguard0

Then save the settings with the command:

    system configuration save

On the VPN client, for the WireGuard interface, you need to disable the 'Use for accessing the Internet' option and remove the 0.0.0.0/0 network from the allowed networks.

The firewall rules and the specified DNS servers will not interfere with the configuration from the article 'Configuring a WireGuard VPN between two Keenetic routers' either.


FAQs

How do I use WireGuard to access the Internet?

Obtain the VPN configuration file from your provider or set up your own WireGuard server. Import the configuration file into the WireGuard app. Connect to the VPN by tapping the "Connect" button. You can now access the internet securely and privately through the WireGuard VPN on your phone.

Does WireGuard tunnel all traffic?

Like most other VPN systems, WireGuard doesn't make any such decisions on its own – it will route exactly those prefixes that you've configured to be routed through the connection, which may be anywhere from "all traffic" (/0 route) to "a single IP address" (/32 route).

Can WireGuard VPN be detected?

Yes, WireGuard can be detected. It doesn't do VPN obfuscation, mostly because of the insistence on UDP transmission mode. Surfshark turned to a customized implementation of OpenVPN in TCP mode for an undetectable VPN.

Why is there no Internet access when connected to VPN?

The likely causes for these issues include: Poor connectivity at the chosen VPN server location. Interference by internet service providers for certain VPN protocols. Interference from your antivirus or online security application's outgoing packet transmission.

How do I access the internet through VPN?

  1. If you haven't already, add a VPN.
  2. Open your device's Settings app.
  3. Tap Network & internet. VPN. ...
  4. Next to the VPN you want to change, tap Settings.
  5. Turn Always-on VPN on or off. If you've set up a VPN through an app, you won't have the always-on option.
  6. If needed, tap Save.

How do I allow internet access through VPN?

Main Steps
  1. Configure VPN Settings in the Firewall Properties.
  2. Create a Policy-Based VPN Element.
  3. Enable the Any Network Site in the Firewall Properties.
  4. Add Access Rules and NAT Rules for the VPN Client Traffic.

Does WireGuard send all traffic through VPN?

WireGuard can be set up to route all traffic through the VPN, and not just specific remote networks. There could be many reasons to do this, but mostly they are related to privacy.

Does all my Internet traffic go through VPN?

With a VPN, all the user's traffic is routed through a single IP address of the VPN server they're connected to. Without a VPN, the traffic will show that it's being routed through many different IP addresses, based on the different websites the user visits.

How do I know if my WireGuard tunnel is working?

To view the status of one or more WireGuard tunnels, use the show wireguard [<instance>] command. This command prints the status of all WireGuard tunnels and can optionally limit the output to a specific instance.

What are the limitations of WireGuard?

WireGuard explicitly does not support tunneling over TCP, due to the classically terrible network performance of tunneling TCP-over-TCP. Rather, transforming WireGuard's UDP packets into TCP is the job of an upper layer of obfuscation (see previous point), and can be accomplished by projects like udptunnel and udp2raw.

Does private internet access use WireGuard?

PIA is the best all-around VPN. We use powerful encryption to fortify your internet traffic against intrusion. Our no-logs policy is supported by RAM-only servers and entirely open-source apps, as well as protocol options like WireGuard® and OpenVPN.

Can someone tell if you're using a VPN?

Companies can often detect the presence of a VPN by using VPN detection tests that look at connection attributes like network volume, known IP addresses, and packet headers (namely pieces of data transmitted with the connection being made, not unlike an addressed envelope with a sending and return address).

How do I stop a VPN from blocking my internet?

Is there an undetectable VPN?
  1. Switch VPN servers.
  2. Change your VPN protocol.
  3. Use obfuscated servers or a stealth VPN.
  4. Get a dedicated IP address.
  5. Change ports.
  6. Change your DNS settings.
  7. Send your VPN traffic through a proxy.
  8. Swap to mobile data.

Can VPN cause internet problems?

Yes, a free VPN can indeed slow down your internet speed. Free VPNs might have a limited number of servers loaded with high traffic and require additional time to encrypt your data, which slows down your online experience.

Can connect to VPN but cannot access network?

If you are connected to the VPN but cannot access resources, a common cause is due to subnet overlap between the local client network and the network the resource is in. If the local network you are on has the same IP address as the network you are trying to get to, your request will never make it through the tunnel.

How do I use WireGuard VPN on my router?

Configure WireGuard VPN on the router.

Go to VPN --> Wireguard --> Wireguard, click Add and fill in the following parameters: Name: test. MTU: 1420 (Default is 1420, no need to modify). Listen Port: 51820 (The default port is 51820, which can be modified).

Does WireGuard have a web interface?

A web user interface to manage your WireGuard setup.

How do I use WireGuard in Chrome?

Some Chromebooks have basic built-in support for the WireGuard protocol.
  1. At the bottom right, select the time.
  2. Select Settings.
  3. In the "Network" section, select Add connection.
  4. Next to "OpenVPN / L2TP," select Add.
  5. In the box that opens, fill in the info. ...
  6. Select Connect.

Article information

Author: Greg O'Connell
