WireGuard Archive on lore.kernel.org
* Connection between two clients
@ 2018-08-15  7:17 Andreas Fink
  2018-08-16 19:40 ` Kalin KOZHUHAROV
  0 siblings, 1 reply; 4+ messages in thread
From: Andreas Fink @ 2018-08-15  7:17 UTC (permalink / raw)
  To: wireguard

Hello,
I have a problem establishing a direct connection between two clients,
my setup is the following:

Client1 <--> Server <--> Client2

i.e. I have a publicly reachable server, and two clients that are
connected to the server. My configurations are:

Server.conf
[Interface]
PrivateKey = ServerPrivateKey
ListenPort = 51820
Address = 192.168.12.1/24
[Peer]
PublicKey = Client1PublicKey
AllowedIPs = 192.168.12.3/32
[Peer]
PublicKey = Client2PublicKey
AllowedIPs = 192.168.12.2/32

Client1.conf
[Interface]
PrivateKey = Client1PrivateKey
ListenPort = 21003
Address = 192.168.12.3/24
[Peer]
PublicKey = ServerPublicKey
Endpoint = myserver.com:51820
AllowedIPs = 192.168.12.1/24
PersistentKeepalive = 25

Client2.conf
[Interface]
PrivateKey = Client2PrivateKey
ListenPort = 21002
Address = 192.168.12.2/24
[Peer]
PublicKey = ServerPublicKey
Endpoint = myserver.com:51820
AllowedIPs = 192.168.12.1/24
PersistentKeepalive = 25



I am able to ping from client1 to server and from client2 to server.
However, trying to ping client2 from client1 directly fails...
Looking at the server with tcpdump, I can see that there is an incoming
ping from 192.168.12.3 > 192.168.12.2, however there is nothing
arriving at 192.168.12.2. The ping is not forwarded to 192.168.12.2.
Do I need to set up iptables rules? What's the easiest way to get a
direct connection between two clients?

Cheers
Andreas


* Re: Connection between two clients
  2018-08-15  7:17 Connection between two clients Andreas Fink
@ 2018-08-16 19:40 ` Kalin KOZHUHAROV
  2018-08-16 19:52   ` Eldon
  2018-08-17  6:00   ` Andreas Fink
  0 siblings, 2 replies; 4+ messages in thread
From: Kalin KOZHUHAROV @ 2018-08-16 19:40 UTC (permalink / raw)
  To: Andreas Fink; +Cc: WireGuard mailing list


Probably a routing problem, check `ip route show` on (one) client and
server.

Also you might need to enable ip forwarding on server (usually enabled on
firewalls and routers). No, iptables are not necessary if everything is one
subnet.

Cheers,
Kalin.


* Re: Connection between two clients
  2018-08-16 19:40 ` Kalin KOZHUHAROV
@ 2018-08-16 19:52   ` Eldon
  2018-08-17  6:00   ` Andreas Fink
  1 sibling, 0 replies; 4+ messages in thread
From: Eldon @ 2018-08-16 19:52 UTC (permalink / raw)
  To: WireGuard mailing list

Here is some documentation on how some of this can be done:

https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding/14058#14058

https://docs.fedoraproject.org/en-US/Fedora/18/html/Security_Guide/sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules.html

On Thu, Aug 16, 2018 at 09:40:20PM +0200, Kalin KOZHUHAROV wrote:
> Probably a routing problem, check `ip route show` on (one) client and
> server.
> 
> Also you might need to enable ip forwarding on server (usually enabled on
> firewalls and routers). No, iptables are not necessary if everything is one
> subnet.
> 
> Cheers,
> Kalin.


* Re: Connection between two clients
  2018-08-16 19:40 ` Kalin KOZHUHAROV
  2018-08-16 19:52   ` Eldon
@ 2018-08-17  6:00   ` Andreas Fink
  1 sibling, 0 replies; 4+ messages in thread
From: Andreas Fink @ 2018-08-17  6:00 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Thu, 16 Aug 2018 21:40:20 +0200
Kalin KOZHUHAROV <me.kalin@gmail.com> wrote:

> Probably a routing problem, check `ip route show` on (one) client and
> server.
> 
> Also you might need to enable ip forwarding on server (usually
> enabled on firewalls and routers). No, iptables are not necessary if
> everything is one subnet.
> 
> Cheers,
> Kalin.

Yes, the ip forwarding was the trick I was missing.
Maybe it is worth adding a note in the documentation/quick start guide
that this is needed for client-to-client communication through a server.

Thank you
Andreas
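
The check discussed in this thread, as an added example that is not part of any message above: it reads a hub's peer list and the kernel forwarding flag and reports why client-to-client packets stop at the server. The function names, the `wg0` interface name and the sample files are assumptions made for the example; the sample config is constructed from the addresses in the first message.

```shell
# Added example (not from the thread): why a WireGuard hub drops peer-to-peer pings.

# True when the kernel flag file holds 1, i.e. the host routes between interfaces.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Print every AllowedIPs entry found in [Peer] sections of a wg-quick config.
peer_allowed_ips() {
    awk -F= '
        /^\[Peer\]/ { in_peer = 1; next }
        /^\[/       { in_peer = 0 }
        in_peer && $1 ~ /^[ \t]*AllowedIPs[ \t]*$/ {
            n = split($2, ips, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", ips[i]); print ips[i] }
        }' "$1"
}

# $1 = hub config, $2 = tunnel interface, $3 = ip_forward flag file (optional).
diagnose_hub() {
    peers=$(peer_allowed_ips "$1" | awk 'END { print NR }')
    if [ "$peers" -lt 2 ]; then
        echo "single-peer: nothing to relay"
        return 0
    fi
    if forwarding_enabled "$3"; then
        echo "ip_forward=1: hub relays between its $peers peers"
    else
        echo "ip_forward=0: packets between peers are dropped at the hub"
        echo "fix: sysctl -w net.ipv4.ip_forward=1"
    fi
    # Only matters when the FORWARD chain policy is DROP; keeps relaying tunnel-only.
    echo "scope: iptables -A FORWARD -i $2 -o $2 -j ACCEPT"
}

# Constructed sample input mirroring the server config in the thread.
sample_dir=$(mktemp -d)
cat > "$sample_dir/wg0.conf" <<'EOF'
[Interface]
Address = 192.168.12.1/24
[Peer]
PublicKey = Client1PublicKey
AllowedIPs = 192.168.12.3/32
[Peer]
PublicKey = Client2PublicKey
AllowedIPs = 192.168.12.2/32
EOF
echo 0 > "$sample_dir/ip_forward"
diagnose_hub "$sample_dir/wg0.conf" wg0 "$sample_dir/ip_forward"
```

To keep the setting across reboots, put `net.ipv4.ip_forward = 1` in a file under `/etc/sysctl.d/`.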
