IncusOS WireGuard LAN Access

Hi, I’ve set up IncusOS on bare metal, and I’m wanting to test the WireGuard interface to see if I can manage the server remotely, but I was also curious if I could access the LAN the IncusOS machine is on. My incus admin os system network config looks like this:

config:
  interfaces:
  - addresses:
    - dhcp4
    - slaac
    hwaddr: ...
    name: eno1
    required_for_online: "no"
  time:
    timezone: UTC
  wireguard:
  - addresses:
    - 10.20.30.1/24
    name: wg0
    peers:
    - allowed_ips:
      - 10.20.30.40/32
      public_key: ...
    port: 51820

I can remote access from the peer to IncusOS successfully, but I cannot ping anything on the LAN. Is it possible to route to the default gateway, or is there a best practice to achieve this using IncusOS? (I apologize if I am confusing networking terms, as I’m a bit new to this.) Thank you

There are two things that may get in your way here:

  • It’s possible that IncusOS may not allow routing between your WireGuard interface and your LAN interface (somewhat unlikely, as we enable routing for the normal Incus traffic)
  • IncusOS doesn’t set up NAT rules for you, so your LAN systems may see a connection coming from 10.20.30.40 and have no idea how to respond to that

I’d recommend running tcpdump -ni any host 10.20.30.40 on a LAN system, then trying to reach it over WireGuard. If you see the traffic coming in, then the routing side of things is fine and the issue is the return path.

For the return path, one thing you can do is go on your LAN gateway (typically your router) and set up a static route on that device for the 10.20.30.0/24 subnet, routing it through the IP address of your IncusOS system.

That way, when your LAN system wants to respond to 10.20.30.40, it will send the traffic to the router, which will know that 10.20.30.40 needs to go through 192.168.100.10 (or whatever your IncusOS IP is) and will send it that way; then the IncusOS box will know to route it to the WireGuard interface.
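The return-path reasoning above, as an added example that is not part of the thread: a tiny longest-prefix-match simulator traces a reply from a LAN host to the WireGuard peer 10.20.30.40, first without and then with the static route on the router. The addresses are the thread's own; the LAN host (192.168.100.50), the device names and the "isp" upstream are constructed for illustration.

```python
import ipaddress

# Routing tables per device, as (prefix, action) pairs. "dev X" delivers on a local
# interface; "via D" hands the packet to device D. Addresses are the thread's own;
# the LAN host, the device names and the "isp" upstream are constructed here.
INCUSOS = [("192.168.100.0/24", "dev eno1"), ("10.20.30.0/24", "dev wg0")]
LAN_HOST = [("192.168.100.0/24", "dev eth0"), ("0.0.0.0/0", "via router")]
ROUTER_BASE = [("192.168.100.0/24", "dev lan"), ("0.0.0.0/0", "via isp")]
STATIC_ROUTE = ("10.20.30.0/24", "via incusos")  # the route Stéphane suggests adding
ISP = []  # upstream has no route back into private space: the reply is lost there


def lookup(table, dst):
    """Longest-prefix match, the way a kernel picks a route for a destination."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, action in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=8):
    """Follow a packet device by device; returns the list of hops it takes."""
    path, device = [start], start
    for _ in range(max_hops):
        action = lookup(tables[device], dst)
        if action is None:
            return path + ["dropped (no route)"]
        if action.startswith("dev "):
            return path + [action]
        device = action.split(" ", 1)[1]
        path.append(device)
    return path + ["loop"]


def return_path(static_route):
    """Reply from the LAN host (192.168.100.50) to the WireGuard peer 10.20.30.40."""
    router = ROUTER_BASE + ([STATIC_ROUTE] if static_route else [])
    tables = {"lan-host": LAN_HOST, "router": router, "isp": ISP, "incusos": INCUSOS}
    return trace(tables, "lan-host", "10.20.30.40")


if __name__ == "__main__":
    print("without static route:", " -> ".join(return_path(False)))
    print("with static route:   ", " -> ".join(return_path(True)))
```

Without the route the reply follows the router's default route upstream and is lost; with it, the router hands the reply to the IncusOS box, whose own table sends it out wg0.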

Thank you Stéphane,

I ran that tcpdump command on a LAN machine and pinged its IP address from a remote WireGuard client connected to IncusOS, and could see the pings coming in, so the issue was on return!

I set up a static route as you suggested on the router with dest-addr=10.20.30.0/24 (IncusOS wireguard subnet) and gateway=192.168.100.10 (IncusOS LAN IP).

It works! Thank you a lot.

When I was testing WireGuard on a different OS I think I was running an nftables.conf with masquerading, but I like this static routing setup and I’ll stick to it, I appreciate

Yeah, when possible, proper routing will always be better than NAT.
No need to maintain the translation tables, and more importantly, you actually see who’s talking to what rather than just seeing the IP address of your VPN server.