Add hint that IP forwarding already needs to be enabled for routing the entire Internet traffic

Signed-off-by: DL6ER <dl6er@dl6er.de>
2026-02-15 07:26:03 +00:00 · 2020-09-23 23:42:01 +02:00
parent 8e08b657b7
commit 2c5b7b2d5c
4 changed files with 25 additions and 15 deletions
--- a/docs/guides/wireguard/client.md
+++ b/docs/guides/wireguard/client.md
@@ -94,7 +94,7 @@ with the content
 ``` toml
 [Interface]
 Address = 10.100.0.2/32, fd08:4711::2/128 # Replace this IP address for subsequent clients
-DNS = 10.100.0.1                     # IP address of your server (Pi-hole)
+DNS = 10.100.0.1                          # IP address of your server (Pi-hole)
 ```

 and add the private key of this client
--- a/docs/guides/wireguard/internal.md
+++ b/docs/guides/wireguard/internal.md
@@ -1,4 +1,4 @@
-# Access devices in the internal network through the WireGuard tunnel
+# Access internal devices through the WireGuard tunnel

 ## Enable IP forwarding on the server

@@ -33,7 +33,7 @@ A properly configured firewall is ***highly*** recommended for any Internet-faci
 !!! info "Optional for NAT"
    If the server is behind a router and receives traffic via NAT, these iptables rules are not needed.

-On your server, add the following to the `[INTERFACE]` section:
+On your server, add the following to the `[INTERFACE]` section of your `/etc/wireguard/wg0.conf`:

 ``` toml
 PostUp = iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE
@@ -53,19 +53,21 @@ In our standard configuration, we have configured the clients in such a way that

 ### Server side

-``` toml
-[Peer]
-AllowedIPs = 10.100.0.1/32
-```
-
-Change this to
+Change the allowed addresses in your `/etc/wireguard/wg0.conf` from

 ``` toml
 [Peer]
-AllowedIPs = 10.100.0.1/32, 192.168.2.1/24
+AllowedIPs = 10.100.0.1/32, fd08:4711::1/64
 ```

-if your internal network is in the IP range `192.168.2.1` - `192.168.2.254`.
+to
+
+``` toml
+[Peer]
+AllowedIPs = 10.100.0.1/32, fd08:4711::1/64, 192.168.2.1/24
+```
+
+assuming your internal network is in the IP range `192.168.2.1` - `192.168.2.254`.

 ### Client side

--- a/docs/guides/wireguard/route-everything.md
+++ b/docs/guides/wireguard/route-everything.md
@@ -1,14 +1,22 @@
+# Route the entire Internet traffic through the WireGuard tunnel
+
 Routing your entire Internet traffic is **optional**, however, it can be advantageous in cases where you are expecting eavesdropping on the network. This may not only happen in unsecure open Wi-Fi networks (airports, hotels, trains, etc.) but also in encrypted Wi-Fi networks where the creator of the network can monitor client activity.

 Rerouting the Internet traffic through your Pi-hole will furthermore cause all of your Internet traffic to reach the Internet from the place where your WireGuard server is located. This can be used to obfuscate your real location as well as to be allowed to access geo-blocked content, e.g., when your Pi-hole is located in Germany but you are traveling in the United States. If you want to access a page only accessible from within Germany (like the live-broadcast of Tagesschau, etc.), this will typically not work. However, if you route your entire Internet through your Pi-hole, your network traffic will originate from Germany, allowing you to watch the content.

+!!! info "Ensure you're already forwarding traffic"
+    The following assumes you have already prepared your Pi-hole for [IP forwarding](internal.md). If this is not the case, follow the steps over there before continuing here.
+
 To route all traffic through the tunnel to a specific peer, add the default route (`0.0.0.0/0` for IPv4 and `::/0`for IPv6) to `AllowedIPs` in your clients's WireGuard config files:

 ```toml
 AllowedIPs = 0.0.0.0/0, ::/0
 ```

-Do **not** set this on the server in the `[Interface]` section. WireGuard will automatically take care of setting up [correct routing](https://www.wireguard.com/netns/#routing-all-your-traffic) so that networking still functions on all your clients.
+<!-- markdownlint-disable code-block-style -->
+!!! warning "Change this setting only on your clients"
+    Do **not** set this on the server in the `[Interface]` section. WireGuard will automatically take care of setting up [correct routing](https://www.wireguard.com/netns/#routing-all-your-traffic) so that networking still functions on all your clients.
+<!-- markdownlint-enable code-block-style -->

 That's all you need to do. You should use an online check (e.g. www.wieistmeineip.de) to check if your IP changed to the public IP address of your WireGuard server after this change up. It is possible to add this change only for a few clients, leaving the others without a full tunnel for all traffic (e.g., where this is not necessary or not desired).

--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -95,14 +95,14 @@ nav:
    - 'How to sign-off commits': guides/github/how-to-signoff.md
  - 'Guides':
    - 'Pi-hole as All-Around DNS Solution': guides/unbound.md
-    - 'Remote access using WireGuard':
+    - 'WireGuard VPN':
      - 'Overview': guides/wireguard/overview.md
      - 'Concept': guides/wireguard/concept.md
      - 'Install server': guides/wireguard/server.md
      - 'Add client(s)': guides/wireguard/client.md
      - 'Optional extra features':
-        - 'Make all local devices accessible': guides/wireguard/internal.md
-        - 'Reroute all Internet traffic': guides/wireguard/route-everything.md
+        - 'Make local devices accessible': guides/wireguard/internal.md
+        - 'Tunnel all Internet traffic': guides/wireguard/route-everything.md
      - 'Troubleshooting': guides/wireguard/faq.md
    - 'Configuring DNS-Over-HTTPS on Pi-hole': guides/dns-over-https.md
    - 'Upstream DNS Providers': guides/upstream-dns-providers.md