| 30 Apr 2026 |
 Cadair | hey, I'm slowly going insane trying to configure my router to send certain traffic over a wireguard tunnel. As far as I can tell I have the wireguard connection up (I see handshakes and sent / recieved bytes in wg status). I set a route over the tunnel though and no traffic actually makes it across. I'd really appreciate some pointers in how to debug, I've exhausted my realatively limited networking knowledge.
I'm using systemd-networkd, I have a brigde interface (for my lan switch) a wan interface, and a whole bunch of wireguard interfaces and routing across most of the wireguard interfaces work fine, but they are in private subnets. What I'm trying to do with this one is send some traffic to a public IP on the internet over a wireguard interface rather than my default route. | 13:53:52 |
 K900 | Is the machine on the other end configured to actually forward packets? | 13:56:05 |
| Cadair | yeah it's mullvad | 14:00:03 |
| K900 | And what is allowedIPs set to on the interface? | 14:00:32 |
| Cadair | 0.0.0.0/0 | 14:00:57 |
| K900 | That looks normal then | 14:01:21 |
| K900 | Are you doing NAT on the router? | 14:01:23 |
| K900 | It's possible that Mullvad won't NAT random packets | 14:01:33 |
| K900 | So you have to double NAT | 14:01:35 |
| Cadair | I have a very very similar config running on another host but where I've made it my default route | 14:02:17 |
| Cadair | and that works | 14:02:19 |
| K900 | That would imply no NAT | 14:02:35 |
| Cadair | I've also tried making it the default route on this host and that didn't work either | 14:03:31 |
| K900 | Are you sending traffic directly from the router | 14:03:51 |
| K900 | Or from one of the hosts on the LAN | 14:03:56 |
| Cadair | I'm at the point where I'm assuming something is messed up because of the extra networking complexity on this host | 14:03:56 |
| Cadair | yes | 14:03:58 |
| K900 | Because you probably need to NAT | 14:03:59 |
| Cadair | I can't ping out from the router across the tunnel | 14:04:11 |
| Cadair | I have this route:
185.254.79.30 dev mullvad proto static scope link metric 512
and I can't ping 185.254.79.30 from the router | 14:05:00 |
| K900 | Uhh is 185.254.79.30 the internal address of the peer on the tunnel | 14:05:28 |
| K900 | Or is it the external endpoint | 14:05:32 |
| K900 | Cause it feels like the latter | 14:05:35 |
| Cadair | yeah the latter | 14:05:39 |
| K900 | Then it should absolutely not have a route on the Mullvad interface | 14:06:01 |
| K900 | Because what you're saying is "to get to the endpoint of the tunnel, go through the tunnel" | 14:06:13 |
| K900 | Which makes no sense | 14:06:16 |
| Cadair | oh it's neither sorry | 14:06:38 |
| Cadair | it's the random IP on the wider internet I want to get to over the tunnel | 14:06:47 |
| Cadair | * it's the "random" IP on the wider internet I want to get to over the tunnel | 14:07:09 |
