What's the "proper" way to share a single Wireguard connection for all devices on the local network? (lemmy.ml)

submitted 1 day ago* (last edited 1 day ago) by HiddenLayer555@lemmy.ml to c/linux@lemmy.ml

19 comments fedilink hide all child comments

My VPN provider has a limit to how many concurrent connections I can have, and a workaround I've been using is to run the Wireguard client as a daemon (wg-quick@my-wg-config) and a Squid proxy on my home server, and point my local devices to the HTTP proxy port, which will route the traffic through the Wireguard connection. However, this has broken randomly multiple times in the past few months, where it will randomly decide to just not allow the server to connect to ANY internet address while the Wireguard connection is active, and no amount of network or routing table configuration changes fixes it. The Squid proxy works fine as far as I can tell, it's just the Wireguard connection that's failing, which doesn't even allow a ping to an internet address from the server's terminal (which doesn't go through the proxy). The only way I've been able to fix it is to completely reinstall the OS on the server and reconfigure everything from scratch, which is annoying and also only works until it randomly decides to break again. This makes me think I'm doing something wrong.

Is there a more "proper" or widely supported way of routing internet traffic on local devices through a single Wireguard connection? Everything I could read online says running Wireguard with an HTTP proxy server is the way to do it, but it clearly isn't very reliable or my computer is just defective in some weird intermittent way? The server is running Fedora Server 43. I've also checked for SELinux denials but there are none.

I'm aware of wireproxy but it uses a SOCKS5 proxy which is not as widely supported as an HTTP proxy and a lot of my devices (mainly phones) won't be able to access it. Also I'd like the server itself to also use the VPN, not just the devices on the proxy.

Does anyone have more experience with this and can give some advice?

you are viewing a single comment's thread
view the rest of the comments

[-] just_another_person@lemmy.world 2 points 1 day ago

The default gateway for the new device needs to be your existing router in order to get to the internet. Then when you create a new WG connection, you ensure all traffic that gets passed to this new device forwards through the Wire guard tunnel.

PC > WG-router > existing-router > internet

[-] HiddenLayer555@lemmy.ml 1 points 1 day ago* (last edited 1 day ago)

Ok, so if my main router is on 192.168.1.1 and my new OpenWrt router I plan on connecting to VPN is 192.168.1.2, I should set the OpenWrt router's gateway to 192.168.1.1, set any devices I want on the VPN to use gateway 192.168.1.2, and any devices I don't want on the VPN should stay on 192.168.1.1, right?

Would devices on the VPN still be able to access the local network and devices that have 192.168.1.1 as their gateway? I assume it would only route internet bound traffic and the OpenWRT router would be able to just pass through local network traffic the same way as the main router?

Also, would the OpenWrt router be able to deal with the main router handling DHCP if I configure it to give it a static IP? Will it just know what devices it's talking to when the main router assigns them their dynamic IPs?

Sorry for all the noob questions, networking is not one of my strengths.

[-] just_another_person@lemmy.world 2 points 1 day ago

Pretty much got it. Any other static routes you setup will be static to the new router only, but otherwise that's pretty much it. Devices with static IPs don't participate in DHCP, so it won't cause a conflict. Just make sure DHCP is disabled on the new device.

[-] HiddenLayer555@lemmy.ml 2 points 1 day ago

Thank you!

[-] harmbugler@piefed.social 1 points 1 day ago* (last edited 1 day ago)

I have two routers set up like this. The untrusted ISP router is plugged into the wall with untrusted devices (e.g., work laptops, guest devices) connected to it. Its IP is 192.168.20.1 and untrusted devices use that IP as gateway.

Then there's a trusted router that trusted devices connect to with IP 192.168.1.1. I have it connected to the untrusted router's wifi as WAN but you could also just connect its physical WAN port to an untrusted router LAN port. Trusted devices uses 192.168.1.1 as their gateway and the trusted router tunnels all connections over the untrusted router to the VPN provider.

Only the trusted router needs Wireguard. The trusted devices think they are just on a regular LAN, which keeps their configuration simpler.

this post was submitted on 17 Dec 2025

14 points (100.0% liked)

Linux

57274 readers

237 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz