From: Andy Dorman <adorman@ironicdesign.com>
To: wireguard@lists.zx2c4.com
Cc: Ironic Design Development <devel@lists.ironicdesign.com>
Subject: wg0 packets not being routed?
Date: Thu, 3 May 2018 16:53:33 -0500
Message-ID: <8599540b-b761-57a1-a585-b4395f9bed96@ironicdesign.com>

We are just getting started with WireGuard, so I apologize in advance
for any stupid mistakes I have made to cause this.

I am trying to set up VPN traffic between a local Debian server cluster
(allowed 192.168.99.x/24) and a Linode VM cluster (also Debian, allowed
192.168.100.x/24).

I have set up wg0 on two servers in the local cluster to confirm I am 
doing it correctly and I had no problem installing WG on the Linode 
slice once I switched the kernel to grub2 and rebooted into the latest 
AMD64 kernel with appropriate headers installed.

The problem is the Qwest edge router my local NOC connects through 
complains with "Destination Net Unreachable" as shown here.

# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
From 65.152.242.37 icmp_seq=1 Destination Net Unreachable

FYI, 65.152.242.37 is the IP of atl-edge-24.inet.qwest.net
...

The local and Linode servers have the wg0 interface configured as shown:

local NOC servers
========================
Server at 192.168.99.7
.............................
interface: wg0
   public key: 3piZKS+b1GFMwkAED3ZqIL02VLRfKCSRrfGKeyu1MXU=
   private key: (hidden)
   listening port: 53339

peer: /RjZ+4Zx+4TIfp8a4tGj4mZQ+ZtQGxThHiXOID4aplQ=
   endpoint: 206.166.195.227:53339
   allowed ips: 192.168.99.2/32
   latest handshake: 1 day, 23 minutes, 5 seconds ago
   transfer: 4.03 KiB received, 4.05 KiB sent

peer: eW8d4b4HBxY6szYsgI9V8kzkZqhWY4BaehSxkHaqBx0=
   endpoint: 173.230.137.236:53339
   allowed ips: 192.168.100.2/32

Server at 192.168.99.2
.............................
interface: wg0
   public key: /RjZ+4Zx+4TIfp8a4tGj4mZQ+ZtQGxThHiXOID4aplQ=
   private key: (hidden)
   listening port: 53339

peer: 3piZKS+b1GFMwkAED3ZqIL02VLRfKCSRrfGKeyu1MXU=
   endpoint: 206.166.194.234:53339
   allowed ips: 192.168.99.7/32
   latest handshake: 1 day, 21 minutes, 42 seconds ago
   transfer: 4.05 KiB received, 4.03 KiB sent

peer: eW8d4b4HBxY6szYsgI9V8kzkZqhWY4BaehSxkHaqBx0=
   endpoint: 173.230.137.236:53339
   allowed ips: 192.168.100.2/32

Linode VM server
========================
interface: wg0
   public key: eW8d4b4HBxY6szYsgI9V8kzkZqhWY4BaehSxkHaqBx0=
   private key: (hidden)
   listening port: 53339

peer: /RjZ+4Zx+4TIfp8a4tGj4mZQ+ZtQGxThHiXOID4aplQ=
   endpoint: 206.166.195.227:53339
   allowed ips: 192.168.99.2/32

peer: 3piZKS+b1GFMwkAED3ZqIL02VLRfKCSRrfGKeyu1MXU=
   endpoint: 206.166.194.234:53339
   allowed ips: 192.168.99.7/32


As I said earlier, the two local NOC servers can ping each other on the
192.168.99.x block just fine AND they can ping the public endpoint IP 
(173.230.137.236) of the Linode server, but both get a "network 
unreachable" error from 65.152.242.37 (atl-edge-24.inet.qwest.net) if 
they try to ping the Linode server using the allowed IP, 192.168.100.2.

It is as if the packets had the unroutable IP, 192.168.100.2, as their 
destination instead of the endpoint, 172.230.137.236.

So what have I missed?

Thank you for WireGuard and any help anyone can provide to show me what
I am doing wrong.

-- 
Andy Dorman
Ironic Design, Inc.
AnteSpam.com
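
Added example, not part of the original message: the reply from 65.152.242.37 means the cleartext packet for 192.168.100.2 left through the default route, so one thing to check is whether the kernel routing table sends every peer's allowed IPs to wg0 (the allowed-ips list only selects a peer once a packet is already on the interface). The Python sketch below runs that check; the `ip route show` text, the gateway address and the function names are constructed assumptions, because the page does not show the routing table.

```python
import ipaddress
import re

# Allowed IPs as shown on the page for the server at 192.168.99.7 (keys replaced by labels).
WG_SHOW = """\
interface: wg0
peer: <key of 192.168.99.2>
  endpoint: 206.166.195.227:53339
  allowed ips: 192.168.99.2/32
peer: <key of Linode VM>
  endpoint: 173.230.137.236:53339
  allowed ips: 192.168.100.2/32
"""

# Constructed `ip route show` output (assumed; the page does not include it).
ROUTES = """\
default via 206.166.194.1 dev eth0
206.166.194.0/24 dev eth0 proto kernel scope link src 206.166.194.234
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.7
"""

def parse_allowed_ips(wg_show):
    """Collect every prefix listed on an 'allowed ips:' line."""
    nets = []
    for line in wg_show.splitlines():
        m = re.match(r"\s*allowed ips:\s*(.+)", line)
        if m and m.group(1).strip() != "(none)":
            nets += [ipaddress.ip_network(p.strip(), strict=False)
                     for p in m.group(1).split(",")]
    return nets

def parse_routes(ip_route):
    """Return (destination network, egress device) pairs."""
    table = []
    for line in ip_route.splitlines():
        m = re.match(r"(\S+)(?: via \S+)? dev (\S+)", line)
        if m:
            dest = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
            table.append((ipaddress.ip_network(dest, strict=False), m.group(2)))
    return table

def egress_dev(table, addr):
    """Longest-prefix match, as the kernel does for an outgoing packet."""
    hits = [(net.prefixlen, dev) for net, dev in table if addr in net]
    return max(hits)[1] if hits else None

def cleartext_leaks(wg_show, ip_route, iface="wg0"):
    """Allowed-IP prefixes the kernel would send out of some other device."""
    table = parse_routes(ip_route)
    return [(str(net), dev) for net in parse_allowed_ips(wg_show)
            if (dev := egress_dev(table, net.network_address)) != iface]

if __name__ == "__main__":
    for net, dev in cleartext_leaks(WG_SHOW, ROUTES):
        print(f"{net}: routed via {dev}, not wg0 (e.g. ip route add {net} dev wg0)")
```

On a live host, `ip route get 192.168.100.2` answers the same question for a single address.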

