* Re: need a hand with WG setup
From: Hristo Georgiev @ 2019-09-03 8:28 UTC
To: dimitar.vassilev; +Cc: WireGuard mailing list

Hello Dimitar,

The WG module is doing the routing for you; in most cases you don't need PostUp and PostDown scripts. You need SNAT (MASQUERADE) only if you want to route all your internet traffic, like 0.0.0.0/0. For site-to-site you need to enable forwarding, which most routers do anyway.

Let's assume you have Site A with network 192.168.1.*/24 and Site B with network 192.168.2.*/24. On site A you have router A1 with internal IP 192.168.1.1, VPN IP 10.8.10.1 and public IP x.x.x.x. On site B you have router B1 with internal IP 192.168.2.1, VPN IP 10.8.10.2 and public IP y.y.y.y.

Your config is going to look like this:

— A1 config —
[Interface]
PrivateKey = YourA1PrivateKeyHere
Address = 10.8.10.1/32
ListenPort = 51820

[Peer]
PublicKey = YourB1PublicKeyHere
AllowedIPs = 10.8.10.2/24, 192.168.2.1/24
Endpoint = y.y.y.y:51820 #B1 public IP
————————————————
— B1 config —
[Interface]
PrivateKey = YourB1PrivateKeyHere
Address = 10.8.10.2/32
ListenPort = 51820

[Peer]
PublicKey = YourA1PublicKeyHere
AllowedIPs = 10.8.10.1/24, 192.168.1.1/24
Endpoint = x.x.x.x:51820 #A1 public IP

That is everything!

Example 2: now let's make B1 the gateway for Client 1, routing all internet traffic on its default gate eth0.
In B1 config add:

#Enable SNAT only if B1 is not gateway yet, otherwise you don't need this script
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#Client 1
[Peer]
PublicKey = YourClient1PublicKeyHere
AllowedIPs = 10.8.10.5/32
————————————————
— Client 1 config —
[Interface]
PrivateKey = YourClient1PrivateKeyHere
Address = 10.8.10.5/32

#B1 gate
[Peer]
PublicKey = YourB1PublicKeyHere
AllowedIPs = 10.8.10.2/24, 0.0.0.0/0
Endpoint = y.y.y.y:51820 #B1 public IP
PersistentKeepalive = 25

That's it. In this example Client 1 is behind NAT and it's changing networks often; that's why we don't have an Endpoint for it and instead we use keepalive.

Cheers,
Hristo

> On 2 Sep 2019, at 13:00, wireguard-request@lists.zx2c4.com wrote:
>
> Message: 1
> Date: Sun, 1 Sep 2019 14:03:18 +0300
> From: Dimitar Vassilev <dimitar.vassilev@gmail.com>
> To: Kalin KOZHUHAROV <me.kalin@gmail.com>
> Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
> Subject: Re: need a hand with WG setup
> Message-ID: <CAF+AZZVKOQFfk53e24KO7kFR3cxEuqnJgpnejhvTP5BuVJDbng@mail.gmail.com>
>
> On Wed, 28.08.2019 at 13:56, Dimitar Vassilev <dimitar.vassilev@gmail.com> wrote:
>
>> Hi Kalin,
>>
>>> 1. Disable the FW and test.
>>
>> Tried - disabling one fw shows wg traffic flowing.
>>
>>> 2. Try ping from one router to the other using the configured public IP
>>> address
>>
>> That works as well with the default fw config on OpenWRT/LEDE/LibreCMC.
>>
>>> 3. Ping the other using the WG IP address
>>
>> My problem is that ping between the WG IP addresses is not working. I see
>> some PostUp and PostDown examples in the regular configurations like the
>> ones below:
>>
>> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
>>
>> In the LEDE/OpenWRT derivatives those are marked in the GUI with
>> MASQUERADE and route allowed ips options, but still I'm getting stuck. I
>> moved my VPN network from /25 to another /24 and still was stuck.
>>
>>> If all runs then it is a routing problem left to solve...
>>
>> Agree. I'm a bit at a loss which routing - the kernel one or the forwarding
>> of packets. Will tear down and start from scratch with another test.
>>
>>> Kalin.
>
> Hello all,
>
> Problem solved via a trivial solution - add my origin VPN endpoint IP into
> the list of AllowedIPs for the peer. Used
> https://forum.openwrt.org/t/solved-setup-wireguard-connecting-two-networks/4215
> to achieve this.
> At least in this setup I see the packets flowing in both directions - RX
> and TX.
> My next questions are:
>
> - is this normal since I'm behind NAT or there are some OpenWRT/Wireguard
>   specifics I'm missing? In the docs and examples I see examples with just
>   peer IPs added
> - what should I do to make the flow to a private subnet in DMZ on site B
>   from site A?
>
> Thanks,
> Dimitar

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
* need a hand with WG setup
From: Dimitar Vassilev @ 2019-08-27 17:20 UTC
To: wireguard

Hello,

I'm trying to establish a site-to-site VPN with 2 OpenWRTs 18.6.4 - linux 4.9.184. My problem is that I cannot get any ping running and cannot reach the remote tunnel ips. Below is my setup:

# ip r
default via 95.87.xxx.xxx dev eth0.2 proto static src 95.87.xxx.xx
95.87.xxx.0/24 dev eth0.2 proto kernel scope link src 95.87.xxxxx.xxx
130.204.xxx.xxx via 95.87.xxx.x dev eth0.2 proto static
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
192.168.100.1xx/25 dev wgknxvtun0 proto static scope link
192.168.101.0/24 dev wgknxvrtun0 proto kernel scope link src 192.168.101.1
216.66.xx.xx via 95.87.xxx.1 dev eth0.2 proto static

root@OpenWrt:~# wg show
interface: wgknxvtun0
  public key: f6
  private key: (hidden)
  listening port: 51820

peer: ThW
  endpoint: 130.204.xxx.xxx:51820
  allowed ips: 192.168.100.128/25
  latest handshake: 2 minutes, 15 seconds ago
  transfer: 134.86 KiB received, 121.67 KiB sent
  persistent keepalive: every 25 seconds

root@OpenWrt:~# wg showconf wgknxvtun0
[Interface]
ListenPort = 51820
PrivateKey = xxxx

[Peer]
PublicKey = Tx
AllowedIPs = 192.168.100.128/25
Endpoint = 130.204.x.x:51820
PersistentKeepalive = 25

I've set up a separate FW zone where input, forward and output are default. Ideas what I'm missing are welcome.

Best,
Dimitar
* Re: need a hand with WG setup
From: Kalin KOZHUHAROV @ 2019-08-27 17:57 UTC
To: Dimitar Vassilev; +Cc: WireGuard mailing list

On Tue, 27 Aug 2019, 20:21 Dimitar Vassilev, <dimitar.vassilev@gmail.com> wrote:

> Hello,
>
> I'm trying to establish site to site VPN with 2 OpenWRTs 18.6.4 - linux
> 4.9.184
>
> my problem is that I cannot get any ping running and cannot reach the
> remote tunnel ips.

1. Disable the FW and test.
2. Try ping from one router to the other using the configured public IP address
3. Ping the other using the WG IP address

If all runs then it is a routing problem left to solve...

Kalin.
* Re: need a hand with WG setup
From: Dimitar Vassilev @ 2019-08-28 10:56 UTC
To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

Hi Kalin,

> 1. Disable the FW and test.

Tried - disabling one fw shows wg traffic flowing.

> 2. Try ping from one router to the other using the configured public IP
> address

That works as well with the default fw config on OpenWRT/LEDE/LibreCMC.

> 3. Ping the other using the WG IP address

My problem is that ping between the WG IP addresses is not working. I see some PostUp and PostDown examples in the regular configurations like the ones below:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE

In the LEDE/OpenWRT derivatives those are marked in the GUI with MASQUERADE and route allowed ips options, but still I'm getting stuck. I moved my VPN network from /25 to another /24 and still was stuck.

> If all runs then it is a routing problem left to solve...

Agree. I'm a bit at a loss which routing - the kernel one or the forwarding of packets. Will tear down and start from scratch with another test.

> Kalin.
* Re: need a hand with WG setup
From: Dimitar Vassilev @ 2019-09-01 11:03 UTC
To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Wed, 28.08.2019 at 13:56, Dimitar Vassilev <dimitar.vassilev@gmail.com> wrote:

> Hi Kalin,
>
>> 1. Disable the FW and test.
>
> Tried - disabling one fw shows wg traffic flowing.
>
>> 2. Try ping from one router to the other using the configured public IP
>> address
>
> That works as well with the default fw config on OpenWRT/LEDE/LibreCMC.
>
>> 3. Ping the other using the WG IP address
>
> My problem is that ping between the WG IP addresses is not working. I see
> some PostUp and PostDown examples in the regular configurations like the
> ones below:
>
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
>
> In the LEDE/OpenWRT derivatives those are marked in the GUI with
> MASQUERADE and route allowed ips options, but still I'm getting stuck. I
> moved my VPN network from /25 to another /24 and still was stuck.
>
>> If all runs then it is a routing problem left to solve...
>
> Agree. I'm a bit at a loss which routing - the kernel one or the forwarding
> of packets. Will tear down and start from scratch with another test.
>
>> Kalin.

Hello all,

Problem solved via a trivial solution - add my origin VPN endpoint IP into the list of AllowedIPs for the peer.
Used https://forum.openwrt.org/t/solved-setup-wireguard-connecting-two-networks/4215 to achieve this. At least in this setup I see the packets flowing in both directions - RX and TX.

My next questions are:

- is this normal since I'm behind NAT or there are some OpenWRT/Wireguard specifics I'm missing? In the docs and examples I see examples with just peer IPs added
- what should I do to make the flow to a private subnet in DMZ on site B from site A?

Thanks,
Dimitar
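The behaviour behind both Hristo's A1/B1/Client 1 configs and Dimitar's fix (listing the remote VPN endpoint address in the peer's AllowedIPs) is WireGuard's cryptokey routing, and it can be modelled offline. The Python below is an added example, not code from this thread or from the WireGuard project. It parses constructed [Peer] sections written in the same format as the configs posted above (keys are placeholders), masks each AllowedIPs entry to its network address the way the kernel module does when it installs it (so 192.168.1.1/24 is really 192.168.1.0/24), and then reproduces the two lookups the module performs: longest-prefix match on the destination address to choose the peer an outbound packet is encrypted for, and a check that a decrypted packet's inner source address maps back to the peer that sent it. The BEFORE_CONF block is a constructed "remote LAN listed, remote tunnel address not listed" state, which is the shape of the problem Dimitar described.

```python
"""Offline model of WireGuard cryptokey routing (AllowedIPs).

Added example, not code from this thread or from the WireGuard project.
Config text and keys below are constructed placeholders modelled on the
A1/B1/Client 1 configs posted in the thread.
"""
import ipaddress

# Constructed: B1's config from Example 2, with A1 and Client 1 as peers.
B1_CONF = """\
[Interface]
PrivateKey = YourB1PrivateKeyHere
Address = 10.8.10.2/32
ListenPort = 51820

[Peer]
PublicKey = YourA1PublicKeyHere
AllowedIPs = 10.8.10.1/24, 192.168.1.1/24
Endpoint = x.x.x.x:51820 #A1 public IP

#Client 1
[Peer]
PublicKey = YourClient1PublicKeyHere
AllowedIPs = 10.8.10.5/32
"""

# Constructed "before" state of the problem Dimitar hit: the remote LAN is
# listed but the remote tunnel address (10.8.10.1) is not.
BEFORE_CONF = """\
[Peer]
PublicKey = YourA1PublicKeyHere
AllowedIPs = 192.168.1.0/24
Endpoint = x.x.x.x:51820
"""


def parse_peers(conf_text):
    """Parse [Peer] sections into dicts: key, allowed (ip_network list), warnings.

    AllowedIPs entries are masked to their network address, as the kernel
    module does when it inserts them; entries that had host bits set are
    recorded in 'warnings' so a reviewer can see what was really installed.
    """
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg treats '#' as a comment
        if not line:
            continue
        if line.lower() == "[peer]":
            current = {"key": None, "allowed": [], "warnings": []}
            peers.append(current)
            continue
        if line.lower() == "[interface]":
            current = None  # Address/ListenPort are not routing entries
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "PublicKey":
            current["key"] = value
        elif key == "AllowedIPs":
            for entry in value.split(","):
                entry = entry.strip()
                net = ipaddress.ip_network(entry, strict=False)
                if str(net) != entry:
                    current["warnings"].append(f"{entry} -> {net}")
                current["allowed"].append(net)
    return peers


def outbound_peer(peers, dst_ip):
    """Peer an outbound packet to dst_ip is encrypted for: longest prefix wins.

    None means no AllowedIPs entry covers dst_ip, so the packet is dropped
    (there is nobody to encrypt it to).
    """
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for peer in peers:
        for net in peer["allowed"]:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best["key"] if best else None


def inbound_accepted(peers, sender_key, inner_src_ip):
    """After decryption, WireGuard looks up the inner source address and only
    accepts the packet if that lookup returns the peer that sent it.

    This is the rule behind Dimitar's fix: a reply sourced from the remote
    tunnel address is dropped unless that address is in the sender's
    AllowedIPs.  It is also what stops one peer from spoofing another's
    addresses through the tunnel.
    """
    return outbound_peer(peers, inner_src_ip) == sender_key


if __name__ == "__main__":
    peers = parse_peers(B1_CONF)
    for peer in peers:
        print(peer["key"], [str(n) for n in peer["allowed"]], peer["warnings"])
    print("to 192.168.1.50 ->", outbound_peer(peers, "192.168.1.50"))
    print("to 10.8.10.5    ->", outbound_peer(peers, "10.8.10.5"))
    print("to 172.16.0.1   ->", outbound_peer(peers, "172.16.0.1"))
    print("from A1, src 10.8.10.1 accepted:",
          inbound_accepted(peers, "YourA1PublicKeyHere", "10.8.10.1"))
    before = parse_peers(BEFORE_CONF)
    print("before fix, src 10.8.10.1 accepted:",
          inbound_accepted(before, "YourA1PublicKeyHere", "10.8.10.1"))
```

Running it shows why the two-peer B1 config works even though A1's 10.8.10.1/24 entry and Client 1's 10.8.10.5/32 overlap: the /32 wins for 10.8.10.5 and the /24 catches the rest. It also shows the failure mode from the original question: with only the remote LAN in AllowedIPs, a packet from the remote tunnel address fails the inbound source check and is silently dropped, which looks exactly like "handshake completes, counters move, ping never answers".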