Question Connecting to a commercial wireguard VPN while hosting a personal wireguard VPN on the same machine

TornBlueGuy

Jul 2, 2016
Hello all! I've got a rather complicated networking-related issue. Our story starts when I inherit an old Dell machine from a family member. Aiming to save the machine from rotting in a landfill, I bought a 4 TB drive off eBay and threw a new image of Ubuntu Server 22.04 on it. It now lives happily plugged into my router.

To get some use out of it, I set up a Samba share and started hosting my school files on there. It also acts as a seedbox for my legally and ethically sourced torrents. As it's a seedbox, I'm connecting to PIA using their WireGuard configuration. Specifically, I'm using their piactl interface.

Alas, trouble is afoot! I would like to access my network share while I'm on campus, say in the library in my downtime between classes. To this end, I configured the machine as a WireGuard host. Unfortunately, it doesn't seem like I can have both interfaces active at once. PIA will always take priority over my personal setup. That is to say, when PIA is active, I cannot ping any of the personal client machines from the host, or vice versa, but other traffic (ping google.com) works perfectly fine. When PIA is not active, everything functions exactly as expected: the client and host can communicate, and I can access my network share (note: I am not sending any other traffic through the personal VPN, just the traffic between the host and client).

Is there a solution? The rest of this post is the routing tables. Please let me know any additional information I can provide that might help me get to the bottom of this mystery. Thanks a bunch for reading this wall of text!

With neither vpn on:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp4s0
8.8.8.8         192.168.0.1     255.255.255.255 UGH   100    0        0 enp4s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp4s0
192.168.0.1     0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0
192.168.0.10    0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0

With PIA on:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp4s0
8.8.8.8         192.168.0.1     255.255.255.255 UGH   100    0        0 enp4s0
10.0.0.243      0.0.0.0         255.255.255.255 UH    0      0        0 wgpia0
10.33.128.1     0.0.0.0         255.255.255.255 UH    0      0        0 wgpia0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp4s0
192.168.0.1     0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0
192.168.0.10    0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0

With my personal wireguard on:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp4s0
8.8.8.8         192.168.0.1     255.255.255.255 UGH   100    0        0 enp4s0
11.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp4s0
192.168.0.1     0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0
192.168.0.10    0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0

With both:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp4s0
8.8.8.8         192.168.0.1     255.255.255.255 UGH   100    0        0 enp4s0
10.0.0.243      0.0.0.0         255.255.255.255 UH    0      0        0 wgpia0
10.34.128.1     0.0.0.0         255.255.255.255 UH    0      0        0 wgpia0
11.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp4s0
192.168.0.1     0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0
192.168.0.10    0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0
 
Just make a torrent with all the files you want to share and only keep it to yourself. If I understand correctly, you want to use the seeding machine and file storage server to grab some files from campus.
 
This is a good idea; failing all else, that might be my backup. But ideally, I'd like to be able to use my server as a working directory for my git codebase or just TeX files.
 
Playing with iptables, it is very easy to break your system and then spend your whole evening fixing stuff. I found three apps which you can make use of: KDE Connect, VNC Viewer, or Radarr on GitHub. Then configure them to auto-launch on startup.
 
That is not what I expected from the routing table. Generally you see the default route sent into some tunnel.

So I can't give you details, but in general your problem is that both VPNs think they own all the traffic. If PIA is up, then it sends all the traffic via that tunnel. If your private VPN is up, then the traffic goes into that tunnel. If you try to run both, and if by some strange chance it works, you would run one VPN inside the other. You can actually do that if you are really ambitious.
I assume you are using some standard WireGuard client rather than some program you loaded from PIA? You should be able to set up what is called a split tunnel. This allows some traffic to bypass the PIA tunnel. An example would be if you wanted your traffic to Netflix to run directly and all other traffic to go via the VPN. It gets a bit more complex when you are looking at incoming sessions. You would have to have some idea what those IPs are going to be so you could set it up so they go directly.

Also, I have never tried to run two WireGuard tunnels on the same machine. I know it tends to be a big problem with IPsec. Maybe you could run OpenVPN and WireGuard. You still need to fix the split tunnel stuff.
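The reply above is right that the legacy `route -n` output is not the whole picture: it prints only the `main` table, and a WireGuard client that takes over all traffic usually does so with an `ip rule` fwmark rule pointing at its own routing table (the layout wg-quick creates, table 51820 and mark 0xca6c), which `route -n` never shows. The script below is an added example, not code from this thread, from PIA or from WireGuard, and it makes no claim about how PIA's own client routes; it parses `ip -4 rule show` and `ip -4 route show table all` text (constructed here from the thread's interface names, with 203.0.113.10 standing in for an internet host and 11.0.0.2 for a personal wg0 peer) and resolves a destination the way the kernel does. Three rule sets are compared: the wg-quick layout with `suppress_prefixlength 0`, a greedy catch-all without it, and a mark-based split tunnel in which only marked flows use the commercial tunnel.

```python
"""Policy-routing resolver for the two-tunnel case in this thread.

Added example, not code from the thread, PIA or WireGuard. `route -n` prints
only the `main` table; a client that steers traffic with an fwmark rule and
its own table (the pattern wg-quick uses) looks as if it changed nothing.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional


@dataclass
class Rule:
    pref: int
    table: str
    fwmark: Optional[int] = None   # match packets carrying this mark
    negate: bool = False           # `not fwmark N`: match packets WITHOUT it
    suppress_prefixlength: Optional[int] = None


@dataclass
class Route:
    prefix: IPv4Network
    dev: str


RULE_RE = re.compile(r"(\d+):\s+(not\s+)?from all(?:\s+fwmark\s+(\S+))?"
                     r"\s+lookup\s+(\S+)(?:\s+suppress_prefixlength\s+(\d+))?")


def parse_rules(text: str) -> list[Rule]:
    """Parse `ip -4 rule show` lines; the lowest pref is consulted first."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule line: {line!r}")
        pref, neg, mark, table, spl = m.groups()
        rules.append(Rule(int(pref), table, int(mark, 0) if mark else None,
                          bool(neg), int(spl) if spl else None))
    return sorted(rules, key=lambda r: r.pref)


def parse_routes(text: str) -> dict[str, list[Route]]:
    """Parse `ip -4 route show table all`; lines without `table X` are main."""
    tables: dict[str, list[Route]] = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] in ("local", "broadcast"):   # local-table entries; not needed here
            continue
        prefix = ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        table = tok[tok.index("table") + 1] if "table" in tok else "main"
        tables.setdefault(table, []).append(Route(prefix, tok[tok.index("dev") + 1]))
    return tables


def longest_match(routes: list[Route], dst: IPv4Address) -> Optional[Route]:
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def resolve(rules: list[Rule], tables: dict[str, list[Route]],
            dst: str, fwmark: int = 0) -> Optional[str]:
    """Walk the rules in priority order, as the kernel's FIB lookup does."""
    addr = IPv4Address(dst)
    for rule in rules:
        if rule.fwmark is not None and (fwmark == rule.fwmark) == rule.negate:
            continue                  # mark condition not met: next rule
        route = longest_match(tables.get(rule.table, []), addr)
        if route is None:
            continue                  # this table has no route: next rule
        if (rule.suppress_prefixlength is not None
                and route.prefix.prefixlen <= rule.suppress_prefixlength):
            continue                  # suppress_prefixlength 0 rejects only a default route
        return route.dev
    return None


# Constructed `ip route show table all` output: the thread's main table plus a
# table 51820 holding the commercial tunnel's default route (wg-quick's layout).
ROUTES = """
default via 192.168.0.1 dev enp4s0 proto dhcp metric 100
11.0.0.0/24 dev wg0 proto kernel scope link src 11.0.0.1
192.168.0.0/24 dev enp4s0 proto kernel scope link src 192.168.0.10 metric 100
default dev wgpia0 table 51820 scope link
"""
# wg-quick style: unmarked traffic goes to table 51820, but the
# suppress_prefixlength 0 rule lets any non-default main route win first.
RULES_WGQUICK = """
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
"""
# Greedy variant: the same catch-all rule without the suppress_prefixlength escape.
RULES_GREEDY = """
0:      from all lookup local
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
"""
# Split tunnel by mark: only packets marked 0x1 (set, hypothetically, by
# `iptables -t mangle -A OUTPUT -m owner --uid-owner <torrent uid> -j MARK --set-mark 1`)
# use the commercial tunnel; everything else, wg0 replies included, uses main.
RULES_SPLIT = """
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 51820
32766:  from all lookup main
"""
INTERNET, WG_PEER, PIA_MARK = "203.0.113.10", "11.0.0.2", 0xca6c   # constructed


def egress(rules_text: str, dst: str, fwmark: int = 0) -> Optional[str]:
    """Interface a packet to dst (with this fwmark) leaves on under these rules."""
    return resolve(parse_rules(rules_text), parse_routes(ROUTES), dst, fwmark)


if __name__ == "__main__":
    for name, rules in (("wg-quick", RULES_WGQUICK), ("greedy", RULES_GREEDY), ("split", RULES_SPLIT)):
        print(f"{name:9} internet={egress(rules, INTERNET)} wg0-peer={egress(rules, WG_PEER)} "
              f"marked={egress(rules, INTERNET, 1)} tunnel-udp={egress(rules, INTERNET, PIA_MARK)}")
```

Feed it real `ip -4 rule show` and `ip -4 route show table all` output from the box to see where a reply to the personal peer goes. Two caveats follow from the model: in the greedy layout the reply to 11.0.0.2 is swallowed by the commercial tunnel, which matches the symptom in the question, while in the wg-quick layout it still leaves on wg0 because of `suppress_prefixlength 0`; so if the resolver says wg0 and pings still fail, the drop is happening in netfilter (a kill-switch firewall), and `nft list ruleset` or `iptables -S` is the next thing to read. Whatever the layout, the personal tunnel's own encrypted UDP must leave on enp4s0 (and the router must forward its port there), otherwise the on-campus client never completes a handshake.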
 
I am using the standard piactl interface for PIA, but I don't see a reason I can't migrate over to the standard client, especially if it offers split tunnel, and I'm currently using it as the host anyway. That would be exactly what I want: just Samba going through the private VPN, and everything else over PIA. Thanks a bunch! Will post updates tonight when I get off my lazy ass and get back into a terminal.
 
This did it! I split-tunneled PIA so only qbt was being routed through it. Then I was able to communicate over the VPN connection.