WireGuard Archive on lore.kernel.org
* Using WG to route between two LANs
@ 2020-10-22 15:43 Dashamir Hoxha
  2020-10-28  3:22 ` Samuel Holland
  0 siblings, 1 reply; 3+ messages in thread
From: Dashamir Hoxha @ 2020-10-22 15:43 UTC (permalink / raw)
  To: wireguard



Hi,

I have created a network as shown in this diagram:
https://cloud.flossk.org/s/ZsLtNLsxmo8rxPD

The red arrows show the WG connections. Only the server has a public IP.
From client1 I can ping to the internet and also to client4: `ping 192.168.0.3`
However I cannot ping to the LAN IP of client4: `ping 172.26.0.2`

My ultimate goal is to be able to ping from client2 on LAN1 to client5 on LAN2
(both of which have no WG configuration and interface), routing through
the WG network (client1 --> server <-- client4).

Is this possible? I think that it should work, with proper routing,
but I am not able
to figure out the proper configurations. Has anybody tried something like this?
Do you have any suggestions or advice?

Thanks,
Dashamir



* Re: Using WG to route between two LANs
  2020-10-22 15:43 Using WG to route between two LANs Dashamir Hoxha
@ 2020-10-28  3:22 ` Samuel Holland
  2020-10-28  3:39   ` Dashamir Hoxha
  0 siblings, 1 reply; 3+ messages in thread
From: Samuel Holland @ 2020-10-28  3:22 UTC (permalink / raw)
  To: Dashamir Hoxha, wireguard

Hello,

On 10/22/20 10:43 AM, Dashamir Hoxha wrote:
> I have created a network as shown in this diagram:
> https://cloud.flossk.org/s/ZsLtNLsxmo8rxPD
> 
> The red arrows show the WG connections. Only the server has a public IP.
> From client1 I can ping to the internet and also to client4: `ping 192.168.0.3`
> However I cannot ping to the LAN IP of client4: `ping 172.26.0.2`
> 
> My ultimate goal is to be able to ping from client2 on LAN1 to client5 on LAN2
> (both of which have no WG configuration and interface), routing through
> the WG network (client1 --> server <-- client4).
> 
> Is this possible? I think that it should work, with proper routing,
> but I am not able
> to figure out the proper configurations. Has anybody tried something like this?
> Do you have any suggestions or advice?

Yes, this is possible. You need:
 - LAN1 needs to be in the AllowedIPs for client1 on the server
 - LAN2 needs to be in the AllowedIPs for client4 on the server
 - A route on client1 to LAN2: ip route add 172.26.0.0/16 dev wg0
 - A route on client4 to LAN1: ip route add 172.25.0.0/16 dev wg0
 - Routes on the server to both LANS (same as above)

A gateway for the routes is not needed. Once Linux passes the packet to the
WireGuard interface, cryptokey routing (AllowedIPs) is used.

You do not need any NAT.

Cheers,
Samuel


* Re: Using WG to route between two LANs
  2020-10-28  3:22 ` Samuel Holland
@ 2020-10-28  3:39   ` Dashamir Hoxha
  0 siblings, 0 replies; 3+ messages in thread
From: Dashamir Hoxha @ 2020-10-28  3:39 UTC (permalink / raw)
  To: Samuel Holland; +Cc: wireguard

On Wed, Oct 28, 2020 at 4:22 AM Samuel Holland <samuel@sholland.org> wrote:
>
> Hello,
>
> On 10/22/20 10:43 AM, Dashamir Hoxha wrote:
> > I have created a network as shown in this diagram:
> > https://cloud.flossk.org/s/ZsLtNLsxmo8rxPD
> >
> > The red arrows show the WG connections. Only the server has a public IP.
> > From client1 I can ping to the internet and also to client4: `ping 192.168.0.3`
> > However I cannot ping to the LAN IP of client4: `ping 172.26.0.2`
> >
> > My ultimate goal is to be able to ping from client2 on LAN1 to client5 on LAN2
> > (both of which have no WG configuration and interface), routing through
> > the WG network (client1 --> server <-- client4).
> >
> > Is this possible? I think that it should work, with proper routing,
> > but I am not able
> > to figure out the proper configurations. Has anybody tried something like this?
> > Do you have any suggestions or advice?
>
> Yes, this is possible. You need:
>  - LAN1 needs to be in the AllowedIPs for client1 on the server
>  - LAN2 needs to be in the AllowedIPs for client4 on the server

Thanks Samuel. Actually I figured out that I was missing this (LAN1 on
AllowedIPs for client1 on the server, and LAN2 for client4).

https://gitlab.com/docker-scripts/wireguard/-/blob/master/testing/test5.sh

>  - A route on client1 to LAN2: ip route add 172.26.0.0/16 dev wg0
>  - A route on client4 to LAN1: ip route add 172.25.0.0/16 dev wg0
>  - Routes on the server to both LANS (same as above)

Actually I am using `wg-quick` and it adds these routes automatically.

Instead, I have to add routes to clients on LAN1 and LAN2 that don't have
WG interfaces. For example on client2 and client3 I have to add:
`ip route add to 172.26.0.0/16 via 172.25.0.2 dev eth0`
And on client5 and client6 add the route:
`ip route add to 172.25.0.0/16 via 172.26.0.2 dev eth0`

>
> A gateway for the routes is not needed. Once Linux passes the packet to the
> WireGuard interface, cryptokey routing (AllowedIPs) is used.
>
> You do not need any NAT.

That's right. All the WG network seems to work like a router.

>
> Cheers,
> Samuel

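As an added example, not code from the thread or from WireGuard itself: a small Python model of the two lookups the reply and the follow-up describe, cryptokey routing on the server (AllowedIPs as a longest-prefix-match table, consulted outbound to choose a peer and inbound to discard packets whose source address does not belong to the sending peer) and the plain kernel route on a LAN host that has no WG interface. client1's tunnel address 192.168.0.2 and client2's LAN address 172.25.0.3 are assumptions.

```python
import ipaddress

# Constructed example, not code from the thread. Addresses follow the thread: WG subnet
# 192.168.0.0/24, LAN1 172.25.0.0/16 (client1's LAN address 172.25.0.2), LAN2
# 172.26.0.0/16 (client4's LAN address 172.26.0.2, WG address 192.168.0.3).
# client1's WG address 192.168.0.2 and client2's LAN address 172.25.0.3 are assumed.

# Server's peer table as the original poster had it: only tunnel addresses.
SERVER_PEERS_BEFORE = {
    "client1": ["192.168.0.2/32"],
    "client4": ["192.168.0.3/32"],
}

# Server's peer table after the reply's fix: each peer also owns the LAN behind it.
SERVER_PEERS_AFTER = {
    "client1": ["192.168.0.2/32", "172.25.0.0/16"],
    "client4": ["192.168.0.3/32", "172.26.0.0/16"],
}

# Kernel routing table on client2 (a LAN1 host with no WG interface), as in the
# follow-up: LAN2 is reached via client1's LAN address.
CLIENT2_ROUTES = [
    ("172.25.0.0/16", "dev eth0"),
    ("172.26.0.0/16", "via 172.25.0.2 dev eth0"),
]

def lpm(table, addr):
    """Longest-prefix match over a list of (cidr, value); None when nothing matches."""
    addr = ipaddress.ip_address(addr)
    best = None
    for cidr, value in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return None if best is None else best[1]

def allowed_ips_table(peers):
    """Flatten a peer table into the (cidr, peer) entries WireGuard's trie holds."""
    return [(cidr, name) for name, cidrs in peers.items() for cidr in cidrs]

def select_peer(peers, dst):
    """Outbound cryptokey routing: the peer whose AllowedIPs best match dst.
    None means the kernel drops the packet because no peer owns that address."""
    return lpm(allowed_ips_table(peers), dst)

def accept_inbound(peers, peer, src):
    """Inbound cryptokey check: a decrypted packet from `peer` is kept only if its
    source address resolves back to that same peer, so no peer can spoof another LAN."""
    return lpm(allowed_ips_table(peers), src) == peer
```

With the first table a packet to 172.26.0.2 matches no peer and is dropped, which is the symptom in the first message; with the second it is sent to client4, and a packet from client4 claiming a LAN1 source is rejected on the way in.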
