Dear archlinux community,
I ran into a really troublesome issue with my wireguard vpn. The vpn works perfectly over my Android phone and I can access local services behind the vpn like 192.168.178.1. However, when I try to connect to my wireguard vpn from my archlinux devices (PC or Notebook), local traffic is not routed through the vpn. For example, when I try to open 192.168.178.1 it routes me to the device with that IP in the local network of my PC and not to the local network of my wireguard server. This is unexpected as my Android phone routes everything fine.
I added the Wireguard config via Gnome settings and I also tried using wg-quick, but no success. This is the config I am using:
[Interface]
PrivateKey = <privkey>
Address = 10.8.0.3/24
DNS = 10.8.1.3
[Peer]
PublicKey = <pubkey>
PresharedKey = <presharedkey>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = <domain>:<port>
Also it seems my routing tables are set up to not route local traffic through the vpn:
default dev Wireguard table 52126 proto static scope link metric 50
default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.20 metric 600
10.8.0.0/24 dev Wireguard proto kernel scope link src 10.8.0.3 metric 50
192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.20 metric 600
local 10.8.0.3 dev Wireguard table local proto kernel scope host src 10.8.0.3
broadcast 10.8.0.255 dev Wireguard table local proto kernel scope link src 10.8.0.3
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.178.20 dev wlan0 table local proto kernel scope host src 192.168.178.20
broadcast 192.168.178.255 dev wlan0 table local proto kernel scope link src 192.168.178.20
local ::1 dev lo table local proto kernel metric 0 pref medium
I am wondering why the routing tables aren't set up properly? I started a test VM with Fedora and in Fedora it works. It also used to work on my arch machines, so I really can't wrap my head around what the issue might be.
Any help would be very much appreciated and I apologize if my issue is too confusing.
~ Shardonnay
Last edited by shardonnay (2025-02-14 07:53:27)
First: Please use "code" tags to format the code snippets in your post.
If you configure WireGuard as a full tunnel
[Interface]
PrivateKey =
Address =
DNS =
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint =
it uses "rule-based" routing to set up a separate routing table. This routing is not obvious. Compare
ip rule
with or without the active VPN.
That said, it is generally not a good idea to connect two networks with the same IP subnet via VPN in this way. This sentence
[...]local traffic is not routed through the vpn
highlights this: Local traffic is local and is not supposed to be routed through a VPN. How is your box supposed to reach your local 192.168.178.x router for VPN connectivity if your box routes everything 192.168.178.x-related through the VPN?
From time to time I suffer from circumstances which lead to this scenario too. Mostly WiFis in rental houses that have one of the very common IP schemes (192.168.0.x, 192.168.1.x, 192.168.2.x) while I need to connect to subnets via VPN with the same numbering.
In those cases reaching specific IPs is a gamble. If the IP exists locally it always wins. If it only exists in the remote network and is unknown locally the remote one wins. If it exists in both networks the local one wins too. And yes: This includes your own IP address.
Last edited by -thc (2025-02-14 07:36:32)
Thanks for the quick answer!
What you say makes full sense, but I am still wondering why it used to work perfectly in the past and why my Android phone is capable of reaching the router 192.168.178.1 and reaching all IPs behind the vpn 192.168.178.x?
I am using the vpn to connect to my local services, which are not publicly exposed. In the best-case scenario I would like to use my vpn to connect to these services, regardless of which network I am in and which subnet is being used. Of course I could change the local subnet of my home network, but that wouldn't solve the issue for other networks.
If you don't actually need to route all traffic through WireGuard ("split tunnel"), you can formulate this "AllowedIP" statement
AllowedIPs = 192.168.178.0/32, 192.168.178.2/31, 192.168.178.4/30, 192.168.178.8/29, 192.168.178.16/28, 192.168.178.32/27, 192.168.178.64/26, 192.168.178.128/25
instead. It will not route traffic to 192.168.178.1 through the VPN but everything else 192.168.178.x-related.
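The AllowedIPs line in the reply above is one instance of a general construction: a subnet minus one host, written as the minimal set of aligned CIDR blocks. The Python script below is an added example, not code from the thread or from WireGuard; the helper names allowed_ips_excluding, allowed_ips_line and address_count are hypothetical. It computes that list with the standard library's ipaddress.address_exclude and goes a step further than the reply by accepting several excluded addresses, for example the router plus the box's own LAN address 192.168.178.20 from the original post, which the earlier reply points out is also a collision.

```python
from ipaddress import ip_network, collapse_addresses

# Added example (not from the thread). allowed_ips_excluding, allowed_ips_line
# and address_count are hypothetical helper names written for this post.


def allowed_ips_excluding(subnet, excluded):
    """Return the CIDR blocks of `subnet` with every address in `excluded`
    punched out, as sorted strings suitable for a WireGuard AllowedIPs line.

    ipaddress.address_exclude splits a network into the minimal set of
    aligned blocks that do not contain the excluded block, which is exactly
    the /32, /31, /30, ... /25 ladder shown in the reply for a single host.
    """
    remaining = [ip_network(subnet)]
    for addr in excluded:
        hole = ip_network(addr)  # "192.168.178.1" becomes 192.168.178.1/32
        pieces = []
        for net in remaining:
            if hole.subnet_of(net):
                pieces.extend(net.address_exclude(hole))
            else:
                pieces.append(net)  # block does not contain the hole, keep it
        remaining = pieces
    # collapse_addresses merges blocks that became adjacent and aligned again
    return [str(n) for n in sorted(collapse_addresses(remaining))]


def allowed_ips_line(subnet, excluded):
    """Format the result as the line you would paste into the [Peer] section."""
    return "AllowedIPs = " + ", ".join(allowed_ips_excluding(subnet, excluded))


def address_count(cidrs):
    """Number of addresses covered by a list of CIDR strings (sanity check)."""
    return sum(ip_network(c).num_addresses for c in cidrs)


if __name__ == "__main__":
    # Router only: reproduces the line from the reply above
    print(allowed_ips_line("192.168.178.0/24", ["192.168.178.1"]))
    # Router plus this machine's own LAN address from the original post
    print(allowed_ips_line("192.168.178.0/24", ["192.168.178.1", "192.168.178.20"]))
```

Paste the printed line into [Peer] in place of 0.0.0.0/0, ::/0. Because none of the blocks is a /0, wg-quick installs each of them as an ordinary route on the WireGuard interface instead of the separate rule-based table, and the excluded addresses keep the route they already have on the local interface. The same function works for any subnet; for IPv6 use the corresponding prefix and a /128 hole.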
Thanks a lot!
I will try if this works, but I don't think it's a permanent solution for me.
Hello again, I found the solution and it is a lot simpler than expected.
I just needed to add my subnet explicitly to the AllowedIPs. This is unexpected as I thought 0.0.0.0/24 would already include all IPv4 addresses.
My allowed IPs are now the following:
0.0.0.0/0, ::/0, 192.168.178.0/24
If someone else is encountering the same problem as me, then you need to change the last IP according to your target subnet.
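The rule-based routing mentioned in the first reply, and why the final AllowedIPs change above works, can be seen with a small model of the lookup. The Python script below is an added example, not code from the thread, from wg-quick or from NetworkManager. The functions lookup, egress and tables_from_post are hypothetical names; the routes are the ones from the original post; the rule order (priorities 32764 to 32766, table and fwmark 51820) is what wg-quick's add_default installs for AllowedIPs = 0.0.0.0/0, used here on the assumption that the NetworkManager setup in the post (table 52126) works the same way; and the metric 50 on the extra route is assumed from the other Wireguard routes in the post.

```python
from ipaddress import ip_address, ip_network

# Added example, not code from the thread, wg-quick or NetworkManager.
# Models the rule set wg-quick creates for AllowedIPs = 0.0.0.0/0
# (table and fwmark 51820; the post shows NetworkManager's table 52126,
# assumed to behave the same). Numbers and rule order are assumptions.

WG_TABLE = 51820            # wg-quick's routing table number and fwmark
WG_DEV = "Wireguard"        # interface name as it appears in the post
LAN_DEV = "wlan0"


def lookup(table, dst):
    """Pick the best route for dst: longest prefix first, then lowest metric.

    `table` is a list of (cidr, dev, metric); returns (network, dev, metric) or None.
    """
    dst = ip_address(dst)
    best = None
    for cidr, dev, metric in table:
        net = ip_network(cidr)
        if dst not in net:
            continue
        if (best is None or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and metric < best[2])):
            best = (net, dev, metric)
    return best


def egress(tables, dst, fwmark=0):
    """Walk the rules in priority order and return the device a packet leaves on.

        0:     from all lookup local
        32764: from all lookup main suppress_prefixlength 0
        32765: from all not fwmark 0xca6c lookup 51820
        32766: from all lookup main
    """
    hit = lookup(tables["local"], dst)          # own addresses never leave the box
    if hit:
        return hit[1]
    hit = lookup(tables["main"], dst)           # suppress_prefixlength 0: the match
    if hit and hit[0].prefixlen > 0:            # counts only if more specific than /0
        return hit[1]
    if fwmark != WG_TABLE:                      # WireGuard marks its own UDP packets;
        hit = lookup(tables["wg"], dst)         # everything else is sent to the tunnel
        if hit:
            return hit[1]
    hit = lookup(tables["main"], dst)           # marked packets: plain main table
    return hit[1] if hit else None


def tables_from_post(lan_in_allowed_ips=False):
    """Routes from the original post, optionally with the extra route that
    listing 192.168.178.0/24 in AllowedIPs adds to the main table."""
    main = [
        ("0.0.0.0/0", LAN_DEV, 600),            # default via 192.168.178.1 dev wlan0
        ("10.8.0.0/24", WG_DEV, 50),
        ("192.168.178.0/24", LAN_DEV, 600),
    ]
    if lan_in_allowed_ips:
        # metric 50 is an assumption, matching the other Wireguard routes shown
        main.append(("192.168.178.0/24", WG_DEV, 50))
    return {
        "local": [("192.168.178.20/32", "lo", 0), ("10.8.0.3/32", "lo", 0)],
        "main": main,
        "wg": [("0.0.0.0/0", WG_DEV, 50)],       # default dev Wireguard table 52126
    }


if __name__ == "__main__":
    before, after = tables_from_post(), tables_from_post(lan_in_allowed_ips=True)
    for dst in ("192.168.178.1", "192.168.178.20", "10.8.1.3", "198.51.100.7"):
        print(f"{dst:16} before: {egress(before, dst):10} after: {egress(after, dst)}")
    # the encrypted UDP to the endpoint carries the fwmark and still leaves on wlan0
    print("endpoint (marked)", egress(after, "198.51.100.7", fwmark=WG_TABLE))
```

Before the change, 192.168.178.1 matches the /24 on wlan0 in the main table, which the suppress_prefixlength 0 rule accepts, so the VPN table is never consulted and the local device wins, exactly as the first reply describes. After the change there are two /24 routes in main and the one on the Wireguard interface has the lower metric, so the router behind the VPN wins, while the box's own address still resolves in the local table and WireGuard's marked UDP to the endpoint still leaves via wlan0. The model ignores IPv6 and source address selection, and note that `ip route add` refuses a second route with the same prefix and the same metric in one table, so with wg-quick (which adds routes without a metric) the outcome depends on what metric the DHCP client gave the wlan0 route.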