[GH-ISSUE #433] Invalid target IP with a wireguard config #1448

Closed
opened 2026-04-16 08:05:06 -05:00 by GiteaMirror · 2 comments
Originally created by @SeiyaGame on GitHub (Mar 30, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/433

The goal I have here is to set up a WireGuard configuration on my OPNsense in order to securely provide access to all my VLANs.

So I added a site and used the basic WireGuard tunnel configuration.
At that point, it generated the following WireGuard configuration:

```ini
[Interface]
Address = 100.89.128.8/30
ListenPort = 51820
PrivateKey = iEJSNHnMS7CEGg0XIKR/6Uzk4jKCxX+6hUgvDWE7Q2U=

[Peer]
PublicKey = qUV+OIICNzGUgqHBSreZzlG9aOgTPnwtWZFej7/GllY=
AllowedIPs = 100.89.128.1/32
Endpoint = mydomain.here:51820
PersistentKeepalive = 5
```

Already at this point, I can see that it's not possible to configure the AllowedIPs.
On my OPNsense, I added the configuration, and for the peer, I included all the subnets that I want Gerbil to have access to under AllowedIPs.
The WireGuard tunnel is successfully established on both sides at this point.

Next, I added a resource and then a connectivity.
In the Target Configuration, I entered the IP of the service I want to make accessible, which is 192.168.1.5/24 but could be any other local IP.

I get the following error message:

![Image](https://github.com/user-attachments/assets/f5898de6-67e6-4374-9ff2-47e4fcd01119)

From what I understand, I can only enter an IP from this range: 100.89.128.0
I don’t understand why :/

---

`config/config.yml`

```yml
...
gerbil:
    start_port: 51820
    base_endpoint: "mydomain.here"
    use_subdomain: false
    block_size: 24
    site_block_size: 30
    subnet_group: 100.89.128.1/24
...
```

@miloschwartz commented on GitHub (Mar 30, 2025):

You’re using a basic WireGuard tunnel instead of Newt, so you’ll need to manually handle destination NAT on the remote site. Since you’re trying to access a local LAN IP (like 192.168.1.5) which is outside the WireGuard subnet (100.89.128.0/24), basic WireGuard doesn’t know how to route traffic to it directly. With Newt, this works out of the box because it includes a proxy that handles the effect of NAT for you. But with a raw WireGuard setup, you’ll need to manually configure NAT/firewall rules to forward traffic from the WireGuard interface to your internal network.

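The two halves of the maintainer's answer, as an added example that is not Pangolin's or Gerbil's code: first the membership check the reporter ran into (a target for a raw WireGuard site must lie inside the tunnel subnet, because nothing on the Pangolin side can route to a LAN address behind the peer), then the NAT a raw-WireGuard site needs so that a tunnel-side address and port on the site's block lands on the LAN service. The addressing is computed from the values posted above (`subnet_group`, `site_block_size`, the generated `Address`); that Gerbil reserves the block holding its own `.1` and hands out one `/30` per site is an assumption made here, as are the interface names `wg0` and `vlan10`, the tunnel-side port 8080, and the use of nftables (a Linux router; OPNsense uses pf, so the same three rules would be written there). The `PrivateKey` quoted in the issue is public now and should be rotated.

```python
import ipaddress

# Values taken from the posted config.yml and the generated site config.
SUBNET_GROUP = "100.89.128.1/24"
SITE_BLOCK_SIZE = 30
SITE_ADDRESS = "100.89.128.8"      # the site's WireGuard interface address


def tunnel_subnet(subnet_group: str = SUBNET_GROUP) -> str:
    """Tunnel subnet as a network string. strict=False lets a host address with
    a mask ("100.89.128.1/24") normalise to "100.89.128.0/24"."""
    return str(ipaddress.ip_network(subnet_group, strict=False))


def site_blocks(subnet_group: str = SUBNET_GROUP,
                site_block_size: int = SITE_BLOCK_SIZE) -> list[str]:
    """Per-site blocks carved from the tunnel subnet. Assumed scheme (not taken
    from the project): one /site_block_size per site, skipping the block that
    holds the server's own address."""
    net = ipaddress.ip_network(subnet_group, strict=False)
    server = ipaddress.ip_address(subnet_group.split("/")[0])
    return [str(b) for b in net.subnets(new_prefix=site_block_size) if server not in b]


def validate_target(target: str, subnet_group: str = SUBNET_GROUP) -> tuple:
    """The check the reporter hit, as assumed here: the target of a raw WireGuard
    site must be an address inside the tunnel subnet."""
    ip = ipaddress.ip_interface(target).ip   # accepts "192.168.1.5/24" or "192.168.1.5"
    net = ipaddress.ip_network(subnet_group, strict=False)
    if ip in net:
        return True, f"{ip} is inside {net}"
    return False, f"{ip} is outside the WireGuard subnet {net}; expose it with DNAT on the site"


def dnat_rules(wg_if: str, tunnel_ip: str, tunnel_port: int,
               lan_if: str, lan_ip: str, lan_port: int, proto: str = "tcp") -> str:
    """nftables text for a Linux router at the site: DNAT the tunnel-side ip:port
    to the LAN service, allow only that flow to be forwarded from the tunnel,
    and SNAT so the LAN host replies via the router even without a route back
    to the tunnel subnet (masquerade hides the caller's tunnel address from the
    LAN host; drop it if the LAN routes 100.89.128.0/24 to this router).
    The forward chain is policy drop: merge it with any existing forward policy
    rather than loading it next to one."""
    for value in (tunnel_ip, lan_ip):
        ipaddress.ip_address(value)           # refuse garbage before it reaches nft
    if proto not in ("tcp", "udp") or not (0 < tunnel_port < 65536 and 0 < lan_port < 65536):
        raise ValueError("bad proto or port")
    return "\n".join([
        "table inet pangolin_site {",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat;",
        f'    iifname "{wg_if}" ip daddr {tunnel_ip} {proto} dport {tunnel_port} '
        f"dnat ip to {lan_ip}:{lan_port}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority filter; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{wg_if}" oifname "{lan_if}" ip daddr {lan_ip} {proto} dport {lan_port} accept',
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority srcnat;",
        f'    oifname "{lan_if}" ip daddr {lan_ip} {proto} dport {lan_port} masquerade',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(tunnel_subnet())            # 100.89.128.0/24
    print(site_blocks()[:3])          # ['100.89.128.4/30', '100.89.128.8/30', '100.89.128.12/30']
    print(validate_target("192.168.1.5/24")[0])   # False: what the form rejected
    print(validate_target(SITE_ADDRESS)[0])       # True
    # Publish 192.168.1.5:80 as 100.89.128.8:8080 on the tunnel; the Pangolin
    # target then becomes 100.89.128.8:8080, which passes the check above.
    print(dnat_rules("wg0", SITE_ADDRESS, 8080, "vlan10", "192.168.1.5", 80))
```

With the rules loaded on the site router, the Pangolin target is the site's tunnel address and the chosen port, one such pair per LAN service, which is the per-port mapping Newt otherwise does for you. Keep the forward rule as narrow as the DNAT: the tunnel peer should reach exactly the published service, not the VLAN behind it.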

@SeiyaGame commented on GitHub (Mar 30, 2025):

Ohh ok, I get it! So the basic WireGuard configuration can only handle one client (in quotes); otherwise you have to do like Newt and assign a port to an IP and a port on the local network.

I'll use the Newt and place it in my DMZ to filter what comes out

Sorry for this useless issue

Reference: github-starred/pangolin#1448