* Can't seem to split tunnel using tables the way I can in OpenVPN
From: Text Editor @ 2017-05-24 23:04 UTC (permalink / raw)
  To: wireguard


Trying to replicate my OpenVPN routing setup: the tunnel is split to go to a /24
subnet inside OpenVPN without the default traffic going through it.

However, it is set up to use a gateway in OpenVPN to reach the internet when
packets go through the interface.


Copying this setup over to Wireguard seems to break - I can ping the
endpoints inside the Wireguard VPN, but trying to reach the internet via
the internet seems to not work



Configuration files on the Server side:

https://pastebin.com/raw/TJvKazSL

Configuration files on the Server side:

https://pastebin.com/raw/2t760WvY


This same concept works on OpenVPN without issue, not sure what is happening



* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 17:13 UTC (permalink / raw)
  To: wireguard

On Wed, 24 May 2017 19:04:38 -0400
Text Editor <texteditor.si@gmail.com> wrote:

> Trying to replicate my OpenVPN routing setup, tunnel is split to go
> to /24 subnet inside OpenVPN without the default traffic going through
> it.

Hi Text Editor,

…
> I can ping the
> endpoints inside the Wireguard VPN,

So your WG VPN is acting good, giving you access to your server from
another place than your LAN, ie: through a phone tethering or from
a friend's connection.

Your setup seems overly complicated, as touching network I/F confs isn't
a requirement, neither w/ OVPN nor WG.

ie: for the server, I took a copy of /etc/init.d/rmnologin (because it
was the last one to be enabled into /etc/rc2.d and I want my VPN to be
the last one to be activated), then I modified it, testing and using the
presence of 'wg-quick', which is far more usable than modifying the
network I/F confs or manually using 'wg' instead; on clients, scripts are
manual, but also use 'wg-quick'.

A quick run of chkconfig and the links are created in the right places,
starting your VPN server at boot and allowing to start/stop it manually.

I won't say it is the best way to do that, but it has the advantage not
to scatter configurations in all the server corners.

> but trying to reach the internet
> via the internet seems to not work
>
>
>
> Configuration files on the Server side:
>
> https://pastebin.com/raw/TJvKazSL

IIRC, using 0.0.0.0 means _all_ traffic is routed through the VPN;
IMHO, your server setup should otherwise use something like:

[Peer]
…
192.168.2.0/24
(/24 IF you intend to use WG to unite 2 LANs; for a roadwarrior, it
might be better to restrict more strictly to its IP,
eg: 192.168.2.253/32)

> Configuration files on the Server side:
>
> https://pastebin.com/raw/2t760WvY
>
>
> This same concept works on OpenVPN without issue, not sure what is
> happening

AFAIK, given you have already authorized packet forwarding (either
indefinitely in /etc/sysctl.conf or temporarily by:
echo 1 >/proc/sys/net/ipv4/ip_forward), the only iptables rules you need
(in the server conf file) are:

PostUp = iptables -t nat -I POSTROUTING -s <VPN IP segment>/24 -o eth0 -j MASQUERADE

PostDown = iptables -t nat -D POSTROUTING -s <VPN IP segment>/24 -o eth0 -j MASQUERADE

Remember that any kind of testing on packets (ie: established, related,
etc) can be a huge loss of time (it has to be computed for _each_
packet), hence a loss of throughput in your VPN.

And BTW, it is much more dangerous to reveal your keys on the Ternet
than your endpoint IP address…

Jean-Yves
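One way to put the server-side advice above (forwarding enabled, only the MASQUERADE PostUp/PostDown rule, and a tight AllowedIPs per peer) into a single wg-quick file, as an added example that is not from this thread or from the WireGuard project: a POSIX shell script that renders the config and refuses a catch-all peer. Assumed values: interface eth0, VPN subnet 192.168.2.0/24, roadwarrior peer 192.168.2.253/32, port 51820; the keys are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): render a wg-quick server config that
# follows the advice above. Keys are placeholders; generate real ones with
# `wg genkey | tee private.key | wg pubkey`. Names below are assumptions.

# forwarding_enabled [PATH]: succeeds if ip_forward reads 1. The path is
# overridable so the check can be exercised against a constructed file.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# peer_allowed_ok CIDR: refuse a catch-all AllowedIPs on a server-side peer
# (0.0.0.0/0 would send *all* traffic to that peer, which the original poster
# wants to avoid) and require an explicit prefix length.
peer_allowed_ok() {
    case $1 in
        0.0.0.0/0|0.0.0.0) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# wg_server_conf SUBNET EGRESS_IF PEER_PUBKEY PEER_ALLOWED
# Prints a wg-quick config: the server takes .1 of SUBNET, PostUp/PostDown
# carry only the MASQUERADE rule from the mail, and the peer gets PEER_ALLOWED
# (a /32 for a roadwarrior, a /24 only when joining two LANs).
wg_server_conf() {
    subnet=$1 egress=$2 peer_key=$3 peer_allowed=$4
    net=${subnet%/*}        # e.g. 192.168.2.0
    plen=${subnet##*/}      # e.g. 24
    peer_allowed_ok "$peer_allowed" || { echo "refusing AllowedIPs = $peer_allowed" >&2; return 1; }
    cat <<EOF
[Interface]
Address = ${net%.*}.1/$plen
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
PostUp = iptables -t nat -I POSTROUTING -s $subnet -o $egress -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s $subnet -o $egress -j MASQUERADE

[Peer]
PublicKey = $peer_key
AllowedIPs = $peer_allowed
EOF
}

# Stand-alone run: print the config and warn if forwarding is off on this host.
wg_server_conf 192.168.2.0/24 eth0 '<PEER_PUBLIC_KEY_PLACEHOLDER>' 192.168.2.253/32
forwarding_enabled || echo "note: net.ipv4.ip_forward is not 1 on this host" >&2
```

Redirect the output to /etc/wireguard/wg0.conf (after substituting real keys) and bring it up with `wg-quick up wg0`, as the reply recommends.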


* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Kalin KOZHUHAROV @ 2017-05-25 17:58 UTC (permalink / raw)
  To: Bzzzz; +Cc: WireGuard mailing list

On Thu, May 25, 2017 at 7:13 PM, Bzzzz <lazyvirus@gmx.com> wrote:
> And BTW, it is much more dangerous to reveal your keys on the Ternet
> than your endpoint IP address…
>

That just made my day, LoL! I could not help posting it on twitter:
https://twitter.com/thinrope/status/867801802724569088

Kalin.


* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 18:11 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Thu, 25 May 2017 19:58:19 +0200
Kalin KOZHUHAROV <me.kalin@gmail.com> wrote:

> On Thu, May 25, 2017 at 7:13 PM, Bzzzz <lazyvirus@gmx.com> wrote:
> > And BTW, it is much more dangerous to reveal your keys on the Ternet
> > than your endpoint IP address…
> >
>
> That just made my day, LoL! I could not help posting it on twitter:
> https://twitter.com/thinrope/status/867801802724569088
>
> Kalin.

I'm not sure about the way I should take it…

When I wrote these lines, I was especially thinking of an old and now
abandoned security project of mine that was a spider digging all possible
information from mostly MLs: IP addresses, account names, e-mail
addresses, keys of course, pet names, kids' names, etc;
running in parallel with another spider that used this information to
"dig" the web, the results were "quite interesting"…

Jean-Yves


* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Kalin KOZHUHAROV @ 2017-05-25 19:14 UTC (permalink / raw)
  To: Bzzzz; +Cc: WireGuard mailing list

Hello Jean-Yves,

I apologize for the misunderstanding, I completely agree with your advice!

I guess the adding of "LoL" at the end didn't make that clearer, I
just re-read my tweet.
Thinking about it, I was re-editing it quite a few times to make it
fit the length restriction and the end result was not clear, when
taken out of context. "FAIL" for me, sorry.

Kalin.


* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 19:28 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Thu, 25 May 2017 21:14:26 +0200
Kalin KOZHUHAROV <me.kalin@gmail.com> wrote:

Whoops, back in the loop!

(strange behavior of this ML: when you answer to the ML, it answers only
to the sender :/)

> Hello Jean-Yves,
> 
> I apologize for the misunderstanding, I completely agree with your
> advice!  

There's no need to apologize: this is not sooo grave ;-)
I just wasn't sure about the meaning as it could be interpreted any way.

> I guess the adding of "LoL" at the end didn't make that clearer, I
> just re-read my tweet.
> Thinking about it, I was re-editing it quite a few times to make it
> fit the length restriction and the end result was not clear, when
> taken out of context. "FAIL" for me, sorry.  

For your penance, you'll recite 3 times the whole 1970 Unix code
forward AND backward, then you'll copy the wg-quick man 10 times
with a plume and in Gothic!

Jean-Yves


* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: David Woodhouse @ 2017-05-25 19:32 UTC (permalink / raw)
  To: Bzzzz, Kalin KOZHUHAROV; +Cc: WireGuard mailing list


On Thu, 2017-05-25 at 21:28 +0200, Bzzzz wrote:
> 
> (strange behavior of this ML: when you answer to the ML, it answers only
> to the sender :/)

Why do you think that's strange? Your mail client will have two 'reply'
buttons — one for a private reply, and another for a public/group reply
or "reply-all".

If you ask it to send a private reply, you send a private reply.

If you ask it to send a public reply, you send a public reply.

What could be simpler?

http://david.woodhou.se/reply-to-list.html



* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 19:45 UTC (permalink / raw)
  To: David Woodhouse; +Cc: WireGuard mailing list

On Thu, 25 May 2017 20:32:01 +0100
David Woodhouse <dwmw2@infradead.org> wrote:

> Why do you think that's strange? Your mail client will have two 'reply'
> buttons — one for a private reply, and another for a public/group reply
> or "reply-all".

I use claws-mail, it has 3 answer possibilities: all/sender/ML,
the strange thing is:
if I hit 'all', it answers… all (quite normal until here),
but if I hit 'ML', it only answers to your e-mail address!

What is weird is the ML seems to be put in CC when it should stay the
main receiver.

I'm using Debian stable+backports, claws-mail is from backports, maybe
it has a bug, however answering every other ML has the right behavior.

JY


* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: David Woodhouse @ 2017-05-25 19:50 UTC (permalink / raw)
  To: Bzzzz; +Cc: WireGuard mailing list


On Thu, 2017-05-25 at 21:45 +0200, Bzzzz wrote:
> On Thu, 25 May 2017 20:32:01 +0100
> David Woodhouse <dwmw2@infradead.org> wrote:
> 
> > Why do you think that's strange? Your mail client will have two
> 'reply'
> > buttons — one for a private reply, and another for a public/group
> reply
> > or "reply-all".
> 
> I use claws-mail, it has 3 answer possibilities: all/sender/ML,
> the strange thing is:
> if I hit 'all', it answers… all (quite normal until here),
> but if I hit 'ML', it only answers to your e-mail address!
> 
> What is weird is the ML seems to be put in CC when it should stay the
> main receiver.
> 
> I'm using Debian stable+backports, claws-mail is from backports, maybe
> it has a bug, however answering every other ML has the right
> behavior.

The list doesn't have the RFC2369 List-Post: header which would allow
the 'Reply to List' option to work.

But that's OK because I just explained to you why it's anti-social and
shouldn't be used anyway.



* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 20:03 UTC (permalink / raw)
  To: David Woodhouse; +Cc: WireGuard mailing list

On Thu, 25 May 2017 20:50:14 +0100
David Woodhouse <dwmw2@infradead.org> wrote:

> The list doesn't have the RFC2369 List-Post: header which would allow
> the 'Reply to List' option to work.
> 
> But that's OK because I just explained to you why it's anti-social and
> shouldn't be used anyway.

If I had time to lose, this could for sure lead to a looong (and,
almost as surely, sterile) discussion, as it concerns only your own
opinion and you're twisting arguments to reflect only it.
I've no spare time to toy, so have a nice day/night and bye.

JY
