Wake On Lan

Amplificator · May 30, 2025, 12:58pm

Hi.

What changes do I have to make to be able to use Wake On Lan to send a magic packet from a device that is connected to the VPN and target a device that is on the regular internal network?

I have my internal network set up as 10.0.0.0/24 and Pritunl OpenVPN as 172.16.1.0/24 and Pritunl WireGuard as 172.16.2.0/24

I have the following routes set in Pritunl:
0.0.0.0/0
172.16.1.0/24
172.16.2.0/24

As far as Ican figure out, the magic packet never gets out of one of the VPN networks, even if I specify the broadcast of 10.0.0.255 og the actual IP of the device I want to wake.

So my question is, what changes do I need to make to be able to wake a device on my internal LAN, from a device that is connected to the Pritunl VPN?
When I’m connected to the VPN I can access other machines using their IP on 10.0.0.0/24 just fine though. I just can’t send a magic packet to one of those machines?

zach · May 31, 2025, 12:02am

The WoL packet is going to be a broadcast packet with the system MAC address. That won’t be able to be routed over the VPN to a different network. With an enterprise subscription there is a bridged mode. With bridged mode the VPN would bridge to the local network and the clients would get IP addresses on that network. This would put the client on the same network and allow broadcasts. But there are a lot of downsides with bridged mode and it wouldn’t be good to enable it just for this use case. It also won’t work with WireGuard.

I did test a port 9 broadcast packet with bridged mode and it does work. Although I noticed a typo in pritunl-client-electron/service/parser/ovpn.go that will result in the client always using a tun type interface. This will be fixed in the next client release.

Amplificator · May 31, 2025, 12:18am

I did find a solution from this post: https://superuser.com/questions/1862467/wol-across-subnets/1862500#1862500

So to make it stick, I just created the file /etc/sysctl.d/99-broadcast-forwarding.conf with the following contents:

net.ipv4.conf.all.bc_forwarding = 1
net.ipv4.conf.docker0.bc_forwarding = 1

The docker0 interface is just an example; you’d need to do it to your systems appropriate interfaces. After that, just simply reload sysctl and Wake On LAN just works as usual. I have tested it from my laptop and phone connected to the VPN and it can turn on a regular machine on the private LAN just fine

The description of “bc_forwarding” can be found in the kernel docs here: IP Sysctl — The Linux Kernel documentation which says:

bc_forwarding - INTEGER

    bc_forwarding enables the feature described in rfc1812#section-5.3.5.2 and rfc2644. It allows the router to forward directed broadcast. To enable this feature, the ‘all’ entry and the input interface entry should be set to 1. Default: 0