YunoHost-Apps / wireguard_client_ynh

WireGuard Client configuration app, for YunoHost
MIT License

No internet access while desktop VPN client is running #5

Closed tutle closed 9 months ago

tutle commented 9 months ago

I have a strange issue with WireGuard on YunoHost. I have installed the server and the client; it works fine for local access (I want to use it for DaVinci Resolve collaboration), but I can't have internet access anymore while using the WG VPN tunnel on the computer (Mac or Windows clients).

The /etc/wireguard/wg0.conf is like this:

[Interface]
Address = 10.10.10.0/24,fd42::/112
ListenPort = 8099
PrivateKey = ******
MTU = 1450
# Forward between the tunnel and the host's other interfaces, and masquerade tunnel
# traffic that leaves via eno1. Note that "-o eno1" only matches packets the routing
# table actually sends out of eno1; anything routed into another tunnel instead is
# not NATed by this rule.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
Table = auto

# ID:           **********
# Name:         *****
# Email:        *******
# Created at:   2023-12-10 17:34:53.358925652 +0000 UTC
# Update at:    2023-12-11 17:31:34.769019018 +0000 UTC
[Peer]
PublicKey = *******
PresharedKey = ********
AllowedIPs = 10.10.10.1/32,fd42::1/128

My YunoHost is also connected through a VPN to a VPS.

/opt/yunohost/wireguard_client/vps.conf is

[Interface]
PrivateKey = ******
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1,1.0.0.1

PostUp = bash /opt/yunohost/wireguard_client/PostUp.sh
PostDown = bash /opt/yunohost/wireguard_client/PostDown.sh 

[Peer]
PublicKey = *****
PresharedKey = ******
Endpoint = ***.**.**.**:51820
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 25

The PostUp.sh file is:

# PostUp.sh
# Firewall for the client tunnel: restrict what the far side may send into this
# host, allow everything outbound, and refuse to forward anything out through the
# tunnel.
# The rules key on the interface name "wg0". Check that this really is the client
# tunnel's interface: wg-quick names an interface after its .conf file, and the
# YunoHost WireGuard server above is configured in wg0.conf.

#Begin IPV4
# Custom chains, hooked from INPUT/OUTPUT/FORWARD below
iptables -w -N vpnclient_in
iptables -w -N vpnclient_out
iptables -w -N vpnclient_fwd

# Inbound from the tunnel: ICMP and the tunnel subnet itself
iptables -w -A vpnclient_in -p icmp -j ACCEPT
# /24 with non-zero host bits normalised to the network address
iptables -w -A vpnclient_in -s 10.66.66.0/24 -j ACCEPT

#Allowing required TCP ports
# (TCP only: UDP on these ports, e.g. DNS 53 or WireGuard 51820, is not opened by this loop)
for i in 25 53 80 140 443 587 993 1194 1195 1935 5222 5269 5462 5665 51820
do
    iptables -w -A vpnclient_in -p tcp --dport "$i" -j ACCEPT
done
# Replies to connections this host initiated, then drop everything else
iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -w -A vpnclient_in -j DROP

# Outbound into the tunnel: unrestricted
iptables -w -A vpnclient_out -j ACCEPT

# Nothing may be forwarded out through the tunnel
iptables -w -A vpnclient_fwd -j DROP

# Hook the chains in first position so they take precedence over later rules
iptables -w -I INPUT 1 -i wg0 -j vpnclient_in
iptables -w -I OUTPUT 1 -o wg0 -j vpnclient_out
iptables -w -I FORWARD 1 -o wg0 -j vpnclient_fwd
#End IPV4

#Begin IPV6
#ip6tables -w -N vpnclient_in; 
#ip6tables -w -N vpnclient_out; 
#ip6tables -w -N vpnclient_fwd; 

#ip6tables -w -A vpnclient_in -p ipv6-icmp -j ACCEPT; 
#ip6tables -w -A vpnclient_in -s fd42:42:42::/64 -j ACCEPT; 

#Allowing required TCP ports
#for i in 25 80 140 443 587 993 5222 5269
#do
#   ip6tables -w -A vpnclient_in -p tcp --dport $i -j ACCEPT; 
#done

#ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; 
#ip6tables -w -A vpnclient_in -j DROP;

#ip6tables -w -A vpnclient_out -j ACCEPT; 

#ip6tables -w -A vpnclient_fwd -j DROP; 

#ip6tables -w -I INPUT 1 -i wg0 -j vpnclient_in; 
#ip6tables -w -I OUTPUT 1 -o wg0 -j vpnclient_out; 
#ip6tables -w -I FORWARD 1 -o  wg0 -j vpnclient_fwd;
#End IPV6

# Save and quit (CTRL+O, CTRL+X)

and PostDown.sh is:

# PostDown.sh

#Begin IPV4
# Empty the custom chains, unhook them from the built-in chains, then delete them
# (a chain cannot be removed with -X while a rule still jumps to it)
iptables -w -F vpnclient_in
iptables -w -F vpnclient_out
iptables -w -F vpnclient_fwd

iptables -w -D INPUT -i wg0 -j vpnclient_in
iptables -w -D FORWARD -o wg0 -j vpnclient_fwd
iptables -w -D OUTPUT -o wg0 -j vpnclient_out

iptables -w -X vpnclient_in
iptables -w -X vpnclient_out
iptables -w -X vpnclient_fwd
#End IPV4

#Begin IPV6
#ip6tables -w -F vpnclient_in; 
#ip6tables -w -F vpnclient_out; 
#ip6tables -w -F vpnclient_fwd; 

#ip6tables -D INPUT -i wg0 -j vpnclient_in; 
#ip6tables -D FORWARD -o wg0 -j vpnclient_fwd; 
#ip6tables -D OUTPUT -o wg0 -j vpnclient_out;

#ip6tables -w -X vpnclient_in; 
#ip6tables -w -X vpnclient_out; 
#ip6tables -w -X vpnclient_fwd;
#End IPV6

# Save and quit (CTRL+O, CTRL+X)


tituspijean commented 9 months ago

Does this custom configuration work outside of YunoHost?

Can you ping your server from a client when the VPN is active?

tutle commented 9 months ago

Finally succeeded by removing 0.0.0.0/0,::/0 in the /etc/wireguard_client/wg0.conf and replacing it with 10.10.10.0/32,192.168.1.0/24
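
The following is an added example, not code from the wireguard_client_ynh project or from anyone in this thread. It generalises the fix reported above (replacing `AllowedIPs = 0.0.0.0/0,::/0` on the client tunnel with explicit prefixes) in two directions: a lint that flags the peer whose AllowedIPs would make wg-quick install a default route through the tunnel, and a calculator for the complementary approach, keeping a full-tunnel default route while carving the LAN (192.168.1.0/24, mentioned above) and the YunoHost WireGuard server's own peer subnet (10.10.10.0/24) out of AllowedIPs, so that traffic for those prefixes keeps using the host's normal routes. The embedded configs are constructed from the redacted ones in the first post; keys and the endpoint 203.0.113.10 are placeholders.

```python
"""Lint wg-quick configs for the routing trap in this thread, and compute
split-tunnel AllowedIPs.  Added example (not project code); sample configs are
constructed from the redacted ones in the issue, keys/endpoint are placeholders."""
import ipaddress
import re

VPS_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1,1.0.0.1

[Peer]
PublicKey = PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 25
"""

SERVER_CONF = """\
[Interface]
Address = 10.10.10.0/24,fd42::/112
ListenPort = 8099
PrivateKey = PLACEHOLDER

# ID: example peer
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 10.10.10.1/32,fd42::1/128
"""

DEFAULT_ROUTES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_wg_conf(text):
    """Parse wg-quick's INI-like syntax into a list of section dicts.

    [Peer] may appear many times, so configparser is unsuitable; '#' starts a comment."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {"_type": header.group(1)}
            sections.append(current)
            continue
        if current is None:
            raise ValueError(f"key/value outside any section: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def networks(csv):
    """Split a comma-separated Address/AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in csv.split(",") if item.strip()]


def default_route_peers(text):
    """PublicKeys of peers whose AllowedIPs make wg-quick install a default route.

    With such a peer, everything the host forwards (including traffic arriving from
    its own WireGuard server peers) is routed into this tunnel, not out of eno1."""
    return [peer.get("PublicKey", "?")
            for peer in parse_wg_conf(text) if peer["_type"] == "Peer"
            if any(net in DEFAULT_ROUTES for net in networks(peer.get("AllowedIPs", "")))]


def split_tunnel_allowed_ips(exclude):
    """AllowedIPs covering everything *except* the prefixes in `exclude`.

    wg-quick only routes what is listed, so the excluded prefixes keep using the
    host's ordinary routes instead of being pushed into the upstream tunnel."""
    keep = list(DEFAULT_ROUTES)
    for ex in (ipaddress.ip_network(x, strict=False) for x in exclude):
        nxt = []
        for net in keep:
            if net.version != ex.version or not net.overlaps(ex):
                nxt.append(net)                      # unrelated, keep as is
            elif net.subnet_of(ex):
                continue                             # swallowed whole by the exclusion
            else:
                nxt.extend(net.address_exclude(ex))  # carve the exclusion out of net
        keep = nxt
    out = []
    for version in (4, 6):
        same = [n for n in keep if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def covers(allowed, address):
    """True if `address` falls inside one of the AllowedIPs prefixes."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(n) for n in allowed)


if __name__ == "__main__":
    print("default-route peers in vps.conf:", default_route_peers(VPS_CONF))
    print("default-route peers in wg0.conf:", default_route_peers(SERVER_CONF))
    print(",".join(split_tunnel_allowed_ips(["192.168.1.0/24", "10.10.10.0/24"])))
```

The computed list is long (one sibling prefix per bit of each excluded /24), which is why many setups instead list only the prefixes they want tunnelled, as the fix above does; both approaches keep the LAN and the server's peer subnet off the upstream tunnel.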

tituspijean commented 9 months ago

There's actually something weird with the following line in vps.conf. The addresses are not in the range described in wg0.conf

Address = 10.66.66.2/32,fd42:42:42::2/128

tutle commented 9 months ago

It's because of 2 WG VPNs: the first (installed on a VPS) is for public access to the YunoHost server, and the second is the WireGuard server installed on YunoHost.

tutle commented 9 months ago

I still have a strange issue: my server has a not too bad bandwidth (Yunovps), but it falls down when I use the YunoHost WG VPN server... (vithvpn)