From: d tbsky <tbskyd@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: multi-home difficulty
Date: Fri, 24 Nov 2017 01:06:59 +0800 [thread overview]
Message-ID: <CAC6SzHLUP5TFnra63T_DXkqxPpDQr_-n5KCNGkWqG02DyBvgVA@mail.gmail.com> (raw)
In-Reply-To: <CAHmME9qeUw5VsaEoAG=i0=5LfOq4aPGi2KjDHKDjAPorXKJgbA@mail.gmail.com>
2017-11-23 7:35 GMT+08:00 Jason A. Donenfeld <Jason@zx2c4.com>:
> On Tue, Nov 21, 2017 at 3:35 PM, d tbsky <tbskyd@gmail.com> wrote:
>> thanks for the quick reply. my wireguard configuration is in the
>> previous mail, so I think the linux firewall part is what you want.
>
> Right. So if you can give me minimal instructions on how to set up a
> box that exhibits the buggy behavior you're seeing, I can try to fix
> it.
>
> Jason
sorry for the delay. I try to make a minimal config to reproduce the
problem in our firewall, but it's not easy. the communication
sometimes works, sometimes failed. suddenly I remember many years ago
I got similar problems with openvpn. according the manual pages of
openvpn:
--multihome
Configure a multi-homed UDP server. This option needs
to be used when a server has more than one IP
address (e.g. multiple interfaces, or secondary IP
addresses), and is not using --local to force bind=E2=80=90
ing to one specific address only. This option will add
some extra lookups to the packet path to ensure
that the UDP reply packets are always sent from the
address that the client is talking to. This is not
supported on all platforms, and it adds more processing,
so it's not enabled by default.
Note: this option is only relevant for UDP servers.
Note 2: if you do an IPv6+IPv4 dual-stack bind on a
Linux machine with multiple IPv4 address, connec=E2=80=90
tions to IPv4 addresses will not work right on kernels
before 3.15, due to missing kernel support for
the IPv4-mapped case (some distributions have ported
this to earlier kernel versions, though).
I forgot these. many strange things happen if you didn't bind
specific ip, even with "--multihome"
finally I made a environment for you to test. my OS is rehl 7.4,
kernel version 3.10.0-693.5.2
1. build a virtual rhel 7.4 box, bind 2 virtio nic to it. (single
nic won't show the problem, I don't now why).
2. stop NetworkManager
3. setup network environment like below(skip eth0, setup eth1 with
two ip addresses):
ip addr flush dev eth1
ip addr add 10.99.1.99/24 dev eth1
ip addr add 10.99.1.100/24 dev eth1
ip link set eth1 up
ip route add default via 10.99.1.254
ip link add wg0 type wireguard
ip addr add 172.31.21.1 peer 172.31.21.2 dev wg0
wg setconf wg0 /root/server.conf
ip link set wg0 up
/root/server.conf like below:
[Interface]
PrivateKey =3D ****
ListenPort =3D 51820
[Peer]
PublicKey =3D ****
AllowedIPs =3D 0.0.0.0/0
4. setup wireguard at client site. client.conf like below:
[Interface]
PrivateKey =3D ****
ListenPort =3D 51820
[Peer]
PublicKey =3D ****
Endpoint =3D 10.99.1.100:51820
AllowedIPs =3D 0.0.0.0/0
5. at client site, "ping 172.31.21.1".
6. at server site, "modprobe nf_conntrack_ipv4;cat
/proc/net/nf_conntrack | grep 51820":
ipv4 2 udp 17 29 src=3D10.99.1.99 dst=3D10.99.20.254 sport=3D51820
dport=3D51820 [UNREPLIED] src=3D10.99.20.254 dst=3D10.99.1.99 sport=3D51820
dport=3D51820 mark=3D0 zone=3D0 use=3D2
ipv4 2 udp 17 29 src=3D10.99.20.254 dst=3D10.99.1.100 sport=3D5182=
0
dport=3D51820 [UNREPLIED] src=3D10.99.1.100 dst=3D10.99.20.254 sport=3D5182=
0
dport=3D51820 mark=3D0 zone=3D0 use=3D2
I don't know if you can reproduce in your environment.
hope wireguard can bind to specific ip in the future..
Regards,
tbskyd
next prev parent reply other threads:[~2017-11-23 17:01 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-21 13:21 multi-home difficulty d tbsky
2017-11-21 13:32 ` Tomas Herceg
2017-11-21 14:15 ` Jason A. Donenfeld
2017-11-21 14:35 ` d tbsky
2017-11-22 23:35 ` Jason A. Donenfeld
2017-11-23 17:06 ` d tbsky [this message]
2017-11-29 11:05 ` d tbsky
2017-11-29 13:13 ` Jason A. Donenfeld
2017-11-29 13:51 ` Jason A. Donenfeld
2017-11-29 14:08 ` d tbsky
2017-11-29 14:10 ` Jason A. Donenfeld
2017-11-29 14:16 ` d tbsky
2017-11-29 14:49 ` Jason A. Donenfeld
2017-11-30 6:15 ` d tbsky
2017-11-30 6:22 ` d tbsky
2017-11-30 6:30 ` d tbsky
2017-12-01 7:44 ` d tbsky
2017-12-03 17:45 ` d tbsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAC6SzHLUP5TFnra63T_DXkqxPpDQr_-n5KCNGkWqG02DyBvgVA@mail.gmail.com \
--to=tbskyd@gmail.com \
--cc=Jason@zx2c4.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.