From: Szymon Nowak <szymonn841@gmail.com>
To: Max Schulze <max.schulze@online.de>
Cc: wireguard@lists.zx2c4.com
Subject: Re: wireguard-windows: possibly wrong selection of outgoing IP Address?
Date: Tue, 7 Jun 2022 09:08:13 +0200
Message-ID: <CA+hy6duTcA38PMWRj6L2U_jwBDnNkFjojGBL-ot-9oJ-BwiHtw@mail.gmail.com>
In-Reply-To: <4bb8fade-487e-2301-65d0-dea41624682f@online.de>
Hi,

To do this on the Windows server, you need to run NAT on the WG interface:
https://openvpn.net/cloud-docs/enabling-routing-nat-on-windows-server-2016/

On Sun, Jun 5, 2022 at 10:23 PM Max Schulze <max.schulze@online.de> wrote:
>
> I am running out of ideas to debug this specific issue.
>
> I am trying to circumvent a double-NAT scenario. I have
>
> wg_serv (10.253.2.9) <-> wg-relais (10.253.2.2) <-> wg_peer (10.253.2.3)
>
> wg_serv has an endpoint set for wg-relais, and creates the connection OK (handshake completes, ping works).
> wg_peer has an endpoint that points to wg-relais, which should tunnel the connection as-is to wg_serv on the established connection (iptables SNAT/DNAT).
>
> If wg_serv is a Linux box, with the exact same config file, everything works. If wg_serv is a Windows box, it seems that there are no outgoing packets, but incoming is OK.
>
> First, see that the handshake packet is received (via 10.253.2.2:60026):
>
> 2022-06-05 20:30:17.140946: [TUN] [wireguard] Keypair 536 created for peer 1
> 2022-06-05 20:30:22.085949: [TUN] [wireguard] Handshake for peer 1 (10.253.2.2:60026) did not complete after 5 seconds, retrying (try 2)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 536 destroyed for peer 1
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 537 created for peer 1
> 2022-06-05 20:30:27.147962: [TUN] [wireguard] Sending keepalive packet to peer 2 (185.230.xxx.yyy:51849)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
>
> However, it seems that WireGuard sends the outgoing packet with the wrong IP (192.168.99.101) instead of 10.253.2.9 to 10.253.2.2:60026?
>
> Protocol Local Port Local Address Remote Port Remote Address Received Bytes Sent Bytes Rec Pkt Sent Packets
> wireguard.exe UDP IPv4 51850 192.168.99.101 51849 185.230.xxx.yyy 81.976 8.584 417 216
> wireguard.exe UDP IPv4 51850 10.253.2.9 60026 10.253.2.2 55.648 376
> wireguard.exe UDP IPv4 51850 192.168.99.101 60026 10.253.2.2 37.848 398
>
> What can I do?
> Can I make the WireGuard log more verbose to show IP packet src/destination?
>
> Is it possible to also log the src IP of the "handshake response packet"?
>
> Best,
> Max
>
> wg_serv config:
>
> [Interface]
> PrivateKey = SFhFHVb__2c=
> ListenPort = 51850
> Address = 10.253.2.9/24
>
> [Peer]
> # wg-vpn-relais
> PublicKey = 3A5__wo=
> AllowedIPs = 10.253.2.2/30
> Endpoint = 185.230.xxx.yyy:51849
> PersistentKeepalive = 20
>
> [Peer]
> # peer via vpn relais
> PublicKey = FTBC__cqghg=
> AllowedIPs = 10.253.2.3/32
> PersistentKeepalive = 20
>
> wg output:
>
> peer: 3A5__o=
>   endpoint: 185.230.xxx.yyy:51849
>   allowed ips: 10.253.2.0/30
>   latest handshake: 1 minute, 55 seconds ago
>   transfer: 145.71 KiB received, 29.74 KiB sent
>   persistent keepalive: every 20 seconds
>
> peer: FTB__hg=
>   endpoint: 10.253.2.2:60026
>   allowed ips: 10.253.2.3/32
>   transfer: 89.46 KiB received, 60.67 KiB sent
>   persistent keepalive: every 20 seconds
>
> PS C:\Windows\system32> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding,weakhostreceive,weakhostsend | Sort-Object -Property IfIndex | Format-Table
>
> ifIndex InterfaceAlias              AddressFamily ConnectionState Forwarding WeakHostReceive WeakHostSend
> ------- --------------              ------------- --------------- ---------- --------------- ------------
>       1 Loopback Pseudo-Interface 1 IPv4          Connected       Disabled   Disabled        Disabled
>       1 Loopback Pseudo-Interface 1 IPv6          Connected       Disabled   Disabled        Disabled
>       4 LAN-Verbindung* 11          IPv6          Connected       Disabled   Disabled        Disabled
>       4 LAN-Verbindung* 11          IPv4          Connected       Disabled   Disabled        Disabled
>       8 WLAN                        IPv4          Disconnected    Disabled   Disabled        Disabled
>       8 WLAN                        IPv6          Disconnected    Disabled   Disabled        Disabled
>      12 Ethernet                    IPv6          Connected       Disabled   Disabled        Disabled
>      12 Ethernet                    IPv4          Connected       Disabled   Disabled        Disabled
>      16 LAN-Verbindung* 2           IPv6          Disconnected    Disabled   Disabled        Disabled
>      16 LAN-Verbindung* 2           IPv4          Disconnected    Disabled   Disabled        Disabled
>      17 LAN-Verbindung* 1           IPv6          Disconnected    Disabled   Disabled        Disabled
>      17 LAN-Verbindung* 1           IPv4          Disconnected    Disabled   Disabled        Disabled
>      53 wireguard                   IPv6          Connected       Disabled   Disabled        Disabled
>      53 wireguard                   IPv4          Connected       Disabled   Disabled        Disabled
>
> wg_relais debug state:
>
> wg-vpn-relais # conntrack -L | grep 10.253
> udp 17 28 src=178.101.114.260 dst=185.230.xxx.yyy sport=60026 dport=51850 [UNREPLIED] src=10.253.2.9 dst=10.253.2.2 sport=51850 dport=60026 mark=0 use=1
>
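The symptom in the quoted report is a UDP socket whose remote endpoint (10.253.2.2:60026) lies inside a peer's AllowedIPs, i.e. is reachable only through the tunnel, but whose local address is the LAN address 192.168.99.101 rather than the tunnel address 10.253.2.9. The relay then sees the inner flow as [UNREPLIED] because the reply never leaves with the expected source. The following script is an added example, not code from the thread or from the WireGuard project: it parses a WireGuard config and a per-process connection table (both constructed here in the shape of the quoted ones, with placeholder keys and 203.0.113.10 standing in for the relay's public address) and flags every socket sourced from the wrong address for a tunnel-routed destination. The generalisation over any number of peers and AllowedIPs entries is mine.

```python
import ipaddress

# Constructed sample config in the shape of the wg_serv config quoted in the
# thread. The keys are placeholders, not real WireGuard keys.
SAMPLE_CONFIG = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
ListenPort = 51850
Address = 10.253.2.9/24

[Peer]
# wg-vpn-relais
PublicKey = PLACEHOLDER_RELAIS_KEY=
AllowedIPs = 10.253.2.2/30
Endpoint = 203.0.113.10:51849
PersistentKeepalive = 20

[Peer]
# peer via vpn relais
PublicKey = PLACEHOLDER_PEER_KEY=
AllowedIPs = 10.253.2.3/32
PersistentKeepalive = 20
"""

# Constructed sample rows (process, proto, family, local port, local address,
# remote port, remote address), same column order as the quoted table.
# 203.0.113.10 (TEST-NET-3) stands in for the relay's public address.
SAMPLE_CONNECTIONS = """
wireguard.exe UDP IPv4 51850 192.168.99.101 51849 203.0.113.10
wireguard.exe UDP IPv4 51850 10.253.2.9 60026 10.253.2.2
wireguard.exe UDP IPv4 51850 192.168.99.101 60026 10.253.2.2
"""


def parse_config(text):
    """Return (interface address, list of AllowedIPs networks) from a wg config.

    Comments are stripped, keys are matched case-insensitively, and networks
    are normalised the way `wg show` prints them (10.253.2.2/30 -> 10.253.2.0/30).
    """
    address = None
    allowed = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "address":
            address = ipaddress.ip_interface(value).ip
        elif key == "allowedips":
            for cidr in value.split(","):
                allowed.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return address, allowed


def parse_connections(text):
    """Parse UDP rows of the connection table into local/remote address tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[1] != "UDP":
            continue
        rows.append({
            "local": ipaddress.ip_address(parts[4]),
            "remote_port": int(parts[5]),
            "remote": ipaddress.ip_address(parts[6]),
        })
    return rows


def find_wrong_source(config_text, conn_text):
    """Flag sockets whose remote address is routed through the tunnel (it lies
    in some peer's AllowedIPs) but whose local address is not the tunnel
    address. Returns a list of (local address, remote endpoint) pairs."""
    tunnel_ip, allowed = parse_config(config_text)
    findings = []
    for row in parse_connections(conn_text):
        via_tunnel = any(row["remote"] in net for net in allowed)
        if via_tunnel and row["local"] != tunnel_ip:
            findings.append((str(row["local"]),
                             f"{row['remote']}:{row['remote_port']}"))
    return findings


if __name__ == "__main__":
    for local, remote in find_wrong_source(SAMPLE_CONFIG, SAMPLE_CONNECTIONS):
        print(f"tunnel-routed endpoint {remote} sourced from {local}")
```

Run against the constructed rows it reports only the third socket (192.168.99.101 -> 10.253.2.2:60026); the row sourced from 10.253.2.9 and the row to the relay's public endpoint are left alone. Feeding it the real `wg showconf` output and a fresh connection table gives a quick way to confirm, before and after applying the NAT change suggested above, whether the Windows host still selects a non-tunnel source for a tunnel-routed peer.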
Thread overview: 3+ messages
2022-06-05 20:21 wireguard-windows: possibly wrong selection of outgoing IP Address? Max Schulze
2022-06-07  7:08 ` Szymon Nowak [this message]
2022-06-07  8:43 ` Max Schulze