* [WireGuard] WireGuard doesn't work with network namespace on ArchLinux
@ 2016-08-19 12:34 sorcus
  2016-08-19 12:50 ` Jason A. Donenfeld
  0 siblings, 1 reply; 5+ messages in thread
From: sorcus @ 2016-08-19 12:34 UTC (permalink / raw)
  To: wireguard


https://serverfault.com/questions/797205/required-key-not-available
I don't understand why it's not working. Can you tell me whether it's my fault or a bug in wireguard/network namespace? And how can I fix it?


* Re: [WireGuard] WireGuard doesn't work with network namespace on ArchLinux
  2016-08-19 12:34 [WireGuard] WireGuard doesn't work with network namespace on ArchLinux sorcus
@ 2016-08-19 12:50 ` Jason A. Donenfeld
  2016-08-19 12:54   ` Jason A. Donenfeld
  2016-08-19 16:00   ` sorcus
  0 siblings, 2 replies; 5+ messages in thread
From: Jason A. Donenfeld @ 2016-08-19 12:50 UTC (permalink / raw)
  To: sorcus; +Cc: WireGuard mailing list

Next time ask on the mailing list and not on stack overflow. Also
please use better subject lines in future emails. I'm going to paste
your stack overflow entry here, and then respond to that:

> Subject: Required key not available
> Content:
> I try to configure network with VPN (using WireGuard) and Network Namespace. Original instruction - www.wireguard.io/netns/
> I have a client (notebook) on ArchLinux and server (VPS) on ArchLinux. Client has IPv6-only network, server has dual-stack (IPv4 + IPv6) network.
> Client configs and output of some commands: http://pastebin.com/3Qy3PMrp
> Server: http://pastebin.com/CUizE4LS
> When netns.service started, I can ping fc00::10 (VPS, wg0 interface). But if I try to ping any other resource (for example ping -6 -c 1 2a00:1450:4010:c01::8a (ipv6.google.com)) I get an error:
> 'ping: sendmsg: Required key not available'
> Other commands (drill, tracepath6, traceroute, etc.) get the same error.
> I don't know how to fix it. Help please to solve this problem.
> $ cat /etc/wireguard/client.conf
> [Interface]
> PrivateKey = OAT5r6E1hid***iVBnY=
> ListenPort = 52345
> [Peer]
> PublicKey = aMC3f6kw***UDQVwo=
> EndPoint = [2a01:4f8:***:***::5]:40111
> AllowedIPs = fc00::10/7


* Re: [WireGuard] WireGuard doesn't work with network namespace on ArchLinux
  2016-08-19 12:50 ` Jason A. Donenfeld
@ 2016-08-19 12:54   ` Jason A. Donenfeld
  2016-08-19 16:00   ` sorcus
  1 sibling, 0 replies; 5+ messages in thread
From: Jason A. Donenfeld @ 2016-08-19 12:54 UTC (permalink / raw)
  To: sorcus; +Cc: WireGuard mailing list

>> $ cat /etc/wireguard/client.conf
>> [Interface]
>> PrivateKey = OAT5r6E1hid***iVBnY=

Never post any part of your private key to the internet. I advise you
to change your keys now.


>> ListenPort = 52345
>> [Peer]
>> PublicKey = aMC3f6kw***UDQVwo=
>> EndPoint = [2a01:4f8:***:***::5]:40111
>> AllowedIPs = fc00::10/7

Here's where you go wrong. On the _client_ you want:
    AllowedIPs=::/0,0.0.0.0/0
In other words, the client trusts the server to send data as any IP,
and the client will send any IP data to the server.

The AllowedIPs you use on the server should most likely be a /128 and
a /32, however.

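Added example, not part of the original thread and not WireGuard's own code: a small model of the AllowedIPs lookup discussed in the reply above, showing why `fc00::10/7` leaves the ping target without a peer while `::/0,0.0.0.0/0` does not. The key strings and the client tunnel addresses `fc00::20` and `10.0.0.2` are constructed placeholders.

```python
import ipaddress

# Constructed configs modelled on the thread; keys and the client's tunnel
# addresses (fc00::20, 10.0.0.2) are placeholders, not values from the page.
BROKEN_CLIENT = "[Peer]\nPublicKey = SERVER_KEY_PLACEHOLDER=\nAllowedIPs = fc00::10/7\n"
FIXED_CLIENT = "[Peer]\nPublicKey = SERVER_KEY_PLACEHOLDER=\nAllowedIPs = ::/0,0.0.0.0/0\n"
SERVER = "[Peer]\nPublicKey = CLIENT_KEY_PLACEHOLDER=\nAllowedIPs = fc00::20/128, 10.0.0.2/32\n"


def parse_peers(conf):
    """Return a list of (public_key, [ip_network, ...]), one per [Peer] section."""
    peers, in_peer = [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_peer = line.lower() == "[peer]"
            if in_peer:
                peers.append({"key": None, "nets": []})
        elif in_peer and "=" in line:
            name, _, value = line.partition("=")  # keys end in '=', split once
            name, value = name.strip().lower(), value.strip()
            if name == "publickey":
                peers[-1]["key"] = value
            elif name == "allowedips":
                # strict=False masks host bits, so fc00::10/7 becomes fc00::/7
                peers[-1]["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                      for v in value.split(",")]
    return [(p["key"], p["nets"]) for p in peers]


def route(peers, address):
    """Outbound: longest-prefix match of the destination over all AllowedIPs.
    None models the ENOKEY error ('Required key not available')."""
    ip = ipaddress.ip_address(address)
    best = None
    for key, nets in peers:
        for net in nets:
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (key, net)
    return best[0] if best else None


def accept_inbound(peers, from_key, source):
    """Inbound: a decrypted packet is kept only if its source address maps
    back to the peer whose key decrypted it."""
    return route(peers, source) == from_key


if __name__ == "__main__":
    target = "2a00:1450:4010:c01::8a"  # ping target quoted in the thread
    print("broken:", route(parse_peers(BROKEN_CLIENT), target))
    print("fixed: ", route(parse_peers(FIXED_CLIENT), target))
```

The `SERVER` sample illustrates the /128 and /32 advice: the server accepts from that client only packets sourced from the client's own tunnel addresses.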

* Re: [WireGuard] WireGuard doesn't work with network namespace on ArchLinux
  2016-08-19 12:50 ` Jason A. Donenfeld
  2016-08-19 12:54   ` Jason A. Donenfeld
@ 2016-08-19 16:00   ` sorcus
  2016-08-19 19:19     ` Jason A. Donenfeld
  1 sibling, 1 reply; 5+ messages in thread
From: sorcus @ 2016-08-19 16:00 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

-------- Forwarded message -------
From: sorcus@inwebse.com
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Sent: August 19 2016 11:49 AM
Subject: Re: [WireGuard] WireGuard doesn't work with network namespace on ArchLinux
August 19 2016 8:54 AM, "Jason A. Donenfeld" <Jason@zx2c4.com> wrote:

>>> $ cat /etc/wireguard/client.conf
>>> [Interface]
>>> PrivateKey = OAT5r6E1hid***iVBnY=
>
> Never post any part of your private key to the internet. I advise you
> to change your keys now.

Ok, I understand.

>>> ListenPort = 52345
>>> [Peer]
>>> PublicKey = aMC3f6kw***UDQVwo=
>>> EndPoint = [2a01:4f8:***:***::5]:40111
>>> AllowedIPs = fc00::10/7
>
> Here's where you go wrong. On the _client_ you want:
> AllowedIPs=::/0,0.0.0.0/0
> In other words, the client trusts the server to send data as any IP,
> and the client will send any IP data to the server.
>
> The AllowedIPs you use on the server should most likely be a /128 and
> a /32, however.

There is no error anymore, but packets don't leave on the server.

Output of tcpdump -i wg0 on client:
IP6 localhost > 2a00:1450:4010:c01::8a ICPMP6, echo request, seq 1, length 64
IP6 localhost > 2a00:1450:4010:c01::8a ICPMP6, echo request, seq 2, length 64
IP6 localhost > 2a00:1450:4010:c01::8a ICPMP6, echo request, seq 3, length 64

Output of ip netns exec physical tcpdump -t on client:
IP6 localhost.52345 > 2a01:4f8:***:***::5.40111: UDP, length 141
IP6 localhost.52345 > 2a01:4f8:***:***::5.40111: UDP, length 141
IP6 localhost.52345 > 2a01:4f8:***:***::5.40111: UDP, length 141

On server tcpdump doesn't catch any packets. Maybe I need to set some rules with firewall
(iptables, nftables)?

P.S. I apologize for silly questions.


* Re: [WireGuard] WireGuard doesn't work with network namespace on ArchLinux
  2016-08-19 16:00   ` sorcus
@ 2016-08-19 19:19     ` Jason A. Donenfeld
  0 siblings, 0 replies; 5+ messages in thread
From: Jason A. Donenfeld @ 2016-08-19 19:19 UTC (permalink / raw)
  To: sorcus; +Cc: WireGuard mailing list

You need ip forwarding enabled on the server, of course. I suspect
that's not the issue you're facing though. Instead, I imagine that UDP
port isn't open on the server, or the keys are not configured
correctly.
