Route all traffic through Wireguard interface

I want to route all my traffic through a Wireguard VPN. So far, following the Wireguard page on the wiki, I鈥檝e set up a wg0 interface successully. Running wg confirms the I have a connection, but how do I route all my traffic (except LAN) through it?


Hi, the wiki already mentions that right ? allowedIPs = [ "" ]; in the client.

With allowedIPs = [ "" ]; I鈥檓 unable to connect to anything.

Oh right, I think you鈥檒l need to fiddle around with ip-route to replace the default route.
See Routing & Network Namespaces - WireGuard.

I鈥檒l have to look into that. But also, using wg-quick with a suitable config in /etc/wireguard yields the same problem. Is wg-quick not supported on NixOS?

You can also use wg-quick from wireguard-tools. Redirecting the gateway is not supported in our nixos module.

OpenVPN has a funny way of rerouting all traffic:

$ ip route via dev tun1 via dev tun1

Using /1 instead of /0 ensure that it takes precedence over the default /0 route.
Be careful to add add a reachable dns in the VPN and that it is the one configured on your machine.

For completeness, here is my full ip route (configured by networkmanager and openvpn) via dev tun1 
default via dev wlp2s0 proto dhcp metric 600 via dev tun1 dev tun1 proto kernel scope link src via dev tun0 dev tun0 proto kernel scope link src via dev tun0 
my.own.vpn.ip via dev wlp2s0 via dev tun1 dev docker0 proto kernel scope link src linkdown dev wlp2s0 proto kernel scope link src metric 600 

Wireguard uses routing policies with ip rule, which is less hacky then the openvpn approach as it does not require a route for the VPN traffic via the local gateway.

I鈥檓 wondering, is it currently possible to implement the namespace solution? with the current networking modules?
It boils down to having the wg0 interface in the default network namespace, the physical ifs like wlan0 in another network namespace and then the utilities that need access to the real network must be executed like ip netns exec physical dhcpcd eth0.
I never tried but I intend to try soon :slight_smile:

That would be awesome. I knew we could do it with containers but I didn鈥檛 realize we could do it without them.

I have exactly the same problem as you, guys, it seems that I cannot properly route all traffic.

Some notes:

  • If I try to route only the related IPs, then I can ping the gateway, e.g.
% cat /etc/wireguard/temp.conf
Address =
PrivateKey = xxx

PublicKey = xxx
AllowedIPs =
Endpoint = xxx
% sudo wg-quick up temp
[#] ip link add temp type wireguard
[#] wg setconf temp /dev/fd/63
[#] ip address add dev temp
[#] ip link set mtu 1420 dev temp
[#] ip link set temp up
% ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.06 ms
64 bytes from icmp_seq=2 ttl=64 time=0.635 ms
% ip route
default via dev enp0s25 proto dhcp src metric 512 
default dev enp0s25 proto static scope link metric 2048 dev temp proto kernel scope link src
<omit the rest>
  • If I try to route everything:
% cat /etc/wireguard/temp.conf
Address =
PrivateKey = xxx

PublicKey = xxx
AllowedIPs =
Endpoint = xxx
% wg-quick up temp
[#] ip link add temp type wireguard
[#] wg setconf temp /dev/fd/63
[#] ip address add dev temp
[#] ip link set mtu 1420 dev temp
[#] ip link set temp up
[#] wg set temp fwmark 51820
[#] ip -4 route add dev temp table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
% ping
PING ( 56(84) bytes of data.
--- ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 181ms
% ip route
default via dev enp0s25 proto dhcp src metric 512 
default dev enp0s25 proto static scope link metric 2048 dev temp proto kernel scope link src
<omit the rest>
% ip -4 route list table 51820
default dev temp scope link

Not sure if I type the right command, since manually adding the route, it complains as existing:

% sudo ip -4 route add dev temp table 51820
RTNETLINK answers: File exists

I鈥檓 a bit lost with how I would debug this on my system. A first step would be to have wg-quick to actually work, which isn鈥檛 the case here. Does it work for anyone with AllowedIPs = Is this a NixOS/nixpkgs bug?

It looks like @anderspapitto is working on this :heart_eyes: : Support network-namespace based wireguard vpn setup [feature request] 路 Issue #52411 路 NixOS/nixpkgs 路 GitHub

yeah I have a working setup based on the namespace approach, described here Reflexive Reflection - Wireguard vpn with network namespace on NixOS


I think I am hitting the same problem today, when trying to connect from my NixOS laptop to GitHub - trailofbits/algo: Set up a personal VPN in the cloud VPN on the server.

If I start the wg connection, I can鈥檛 connect to anything (pinging does not work) and I don鈥檛 see peer connection from the server either. When disconnect wg interface (via network manager), I actually see a handshake on the server (presumably, because something in the ip route configuration changes temporary during shutdown), but then the connection goes down.

Is still the best way to fix this? I am not an expert in Linux networking, so that post looks rather intimidating to me :slight_smile:

I have the same question.

Does anyone have a solution of both server and client setup that allows the VPN server to route all the network traffic of the client?

You may want to take a look at this POC Graham built a while ago: 馃悏馃敟馃拃 (draft) (WIP) wireguard: allow whole-internet VPN configuration (do not merge) 馃拃馃敟馃悏 by grahamc 路 Pull Request #66300 路 NixOS/nixpkgs 路 GitHub

Apart from that, I know of two additional approaches (I experimented with):

  • You could explicitly define a route to your VPN-host in a dhcpcd exit-hook (see dhcpcd-run-hooks(8) and NixOS Search). Doesn鈥檛 work with networkd though.
  • As pointed out in @fpletz鈥檚 talk about networkd on NixCon 2018 ( you could put all of your physical interfaces (enp0s*, wlp0s* etc) into a VRF and then you could simply pass through your VPN interface and <VPN-host IP> through the VRF interface. I鈥檓 using this approach for several months now and I鈥檓 fairly happy with it.
I also had issues with allowedIPs = [ "" ], but was able to solve it with an ip route.

The Problem: including as an allowed IP routes all traffic through the Wireguard interface (good!), including the wireguard traffic itself (not good!). As far as I can tell, all network traffic ends up in a loop and never actually leaves the machine.

The Solution: Add a more specific ip route allowing traffic to the VPN via the default gateway.

I controlled the route with the following added to my nix config:

networking.wireguard.interfaces.wg0 = {
  postSetup = "${pkgs.iproute}/bin/ip route add <vpn-public-ip> via <default-gateway>";
  postShutdown = "${pkgs.iproute}/bin/ip route del <vpn-public-ip> via <default-gateway>";

where in my case <default-gateway> happened to be and <vpn-public-ip> is the public IP (i.e. not 10.x.x.x) of the Wireguard server. Adding this to the config now properly routes all traffic through the Wireguard connection.

Currently, the wiki page for Wireguard demonstrates a client config with allowedIPs = [ "" ], but as far as I can tell includes nothing to add a route for the VPN itself, at least in the section for the basic Wireguard client. Perhaps I missed something, or maybe I鈥檓 misunderstanding the ip routes, but if not, should the wiki be updated to include the client ip route rules?


I鈥檓 not smart enough to figure out all of this, can someone help me out?

Here is the configuration for Wireguard on my NixOS server (VPS is Linode if that matters)

  networking.wg-quick.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
      # Determines the IP/IPv6 address and subnet of the client's end of the tunnel interface
      address = [ "" "fdc9:281f:04d7:9ee9::1/64" ];
      # The port that Wireguard listens to - recommended that this be changed from default
      listenPort = 51820;
      # Path to the server's private key
      privateKeyFile = "...";

      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
      postUp = ''
        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE

      # Undo the above
      preDown = ''
        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s -o eth0 -j MASQUERADE
        ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
        ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE

      peers = [

鈥hich is basically the one for wg-quick on the wiki, after installing Wireguard on my phone with allowed IPs for peers, I started the tunnel, executing # wg show, I can see that my phone is connected, however, after doing that I cannot ping anything, neither the server, nor the gateway of my home router.

I don鈥檛 understand what I鈥檓 doing wrong, is it possible to make this work like a regular VPN?