I have an Ubuntu server with 2 NICs that are LACP-aggregated into a bond. The server is connected and given port access to VLAN 2, 10.2.0.0/16. I have 6 VLANs on my network, 10.1/16-10.6/16. My goal is to have LAN traffic NOT use the VPN but to have all WAN traffic use the VPN.
I used this utility to generate an "AllowedIPs" rule to support this:
https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
That generated the following rule, which is what I implemented:
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 10.0.0.0/16, 10.7.0.0/16, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1
The VPN connects, and it gives me an IP on a random subnet, usually 10._.#.#. The endpoint given is some WAN IP. I can ping LAN resources, but not WAN resources. When I do "ip a" I see the pia WireGuard interface is 10._.#.#, which is sometimes on one of my LAN subnets, sometimes not. I cannot ping the peer endpoint address or anything. If I check my routes, I see traffic is supposed to go over pia for everything except the LAN traffic:
root@sr66-server1:~# ip route
0.0.0.0/5 dev pia scope link
default via 10.2.1.254 dev bond0 onlink
8.0.0.0/7 dev pia scope link
10.0.0.0/16 dev pia scope link
10.2.0.0/16 dev bond0 proto kernel scope link src 10.2.<<LAN IP>>
10.7.0.0/16 dev pia scope link
10.8.0.0/13 dev pia scope link
10.16.0.0/12 dev pia scope link
10.32.0.0/11 dev pia scope link
10.64.0.0/10 dev pia scope link
10.128.0.0/9 dev pia scope link
11.0.0.0/8 dev pia scope link
12.0.0.0/6 dev pia scope link
16.0.0.0/4 dev pia scope link
32.0.0.0/3 dev pia scope link
64.0.0.0/2 dev pia scope link
128.0.0.0/1 dev pia scope link
I'm not sure how to troubleshoot this. Is the fact that it's a VLAN over a port-access link an issue? Is there a way to make my local IP static (not a static incoming IP, but the IP from the interface on my site)?
Edit: I should say, this was working, but I recently modified my network to a managed switch with VLANs, which is likely the issue. That being said, nothing in the config contraindicates that you can run PIA on a system on a VLAN?
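The AllowedIPs list in the post is the result of one calculation: everything (0.0.0.0/0) minus the six LAN VLANs, expressed as the smallest set of CIDR blocks. Because wg-quick turns every AllowedIPs entry into a route pointing at the WireGuard interface, that same list is exactly what shows up in the "ip route" output above, with the LAN prefixes left to the bond0 routes. The following added example (mine, not code from the post or from the calculator linked above) reproduces that computation with Python's standard ipaddress module, confirms it yields the posted rule, and adds two checks a practitioner would want: which AllowedIPs block (if any) a given destination falls into, and whether the tunnel address PIA hands out collides with one of the LAN VLANs, which the post says happens sometimes. The VLAN list and the sample addresses are constructed from what the post states.

```python
import ipaddress

# Constructed from the post: the six LAN VLANs, 10.1.0.0/16 through 10.6.0.0/16,
# are the ranges that must stay off the tunnel.
LAN_VLANS = [f"10.{i}.0.0/16" for i in range(1, 7)]

# The rule the post says the calculator produced; used here to check the result.
POSTED_ALLOWED_IPS = (
    "0.0.0.0/5, 8.0.0.0/7, 10.0.0.0/16, 10.7.0.0/16, 10.8.0.0/13, 10.16.0.0/12, "
    "10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9, 11.0.0.0/8, 12.0.0.0/6, "
    "16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1"
)


def allowed_ips(allowed, disallowed):
    """Compute `allowed` minus `disallowed` as a sorted list of CIDR networks.

    Each disallowed block is carved out of whichever allowed block contains it;
    ipaddress.address_exclude() yields the covering blocks that remain. Two CIDR
    blocks are either nested or disjoint, so those are the only cases to handle.
    """
    result = [ipaddress.ip_network(a) for a in allowed]
    for block in disallowed:
        block = ipaddress.ip_network(block)
        carved = []
        for net in result:
            if net.subnet_of(block):
                continue                      # swallowed whole (also covers net == block)
            if block.subnet_of(net):
                carved.extend(net.address_exclude(block))
            else:
                carved.append(net)            # disjoint, left untouched
        result = carved
    return sorted(result)


def format_allowed_ips(networks):
    """Render the list in WireGuard's comma-separated AllowedIPs syntax."""
    return ", ".join(str(n) for n in networks)


def matching_network(networks, address):
    """Longest-prefix match of `address` against `networks`, or None.

    AllowedIPs entries become kernel routes to the wg interface, so None means
    the kernel's other routes (the bond0 LAN routes in the post) carry it.
    """
    addr = ipaddress.ip_address(address)
    hits = [n for n in networks if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def lan_collision(tunnel_address, lan_vlans=LAN_VLANS):
    """Return the LAN VLAN that a tunnel-assigned address falls inside, or None.

    A tunnel address inside a LAN VLAN gives the host two interfaces claiming
    the same prefix, which is worth flagging before chasing routing problems.
    """
    addr = ipaddress.ip_address(tunnel_address)
    for vlan in lan_vlans:
        if addr in ipaddress.ip_network(vlan):
            return ipaddress.ip_network(vlan)
    return None


if __name__ == "__main__":
    nets = allowed_ips(["0.0.0.0/0"], LAN_VLANS)
    print("AllowedIPs =", format_allowed_ips(nets))
    print("matches posted rule:", format_allowed_ips(nets) == POSTED_ALLOWED_IPS)
    for ip in ("10.2.1.254", "8.8.8.8", "10.7.3.1"):   # constructed sample destinations
        print(ip, "->", matching_network(nets, ip) or "not in AllowedIPs (LAN route)")
    for ip in ("10.4.20.7", "10.9.20.7"):              # constructed sample tunnel addresses
        print("tunnel", ip, "collides with", lan_collision(ip))
```

Running it prints the posted rule verbatim, shows that the LAN gateway 10.2.1.254 matches no AllowedIPs block (so it stays on bond0) while a public address matches 8.0.0.0/7, and flags a tunnel address in 10.4.0.0/16 as overlapping VLAN 4. If the list you feed to allowed_ips() is the real VLAN set and the output differs from what is in the config, the config is what to fix first.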