wireguard.lists.zx2c4.com archive mirror
* wg0 packets not being routed?
@ 2018-05-03 21:53 Andy Dorman
From: Andy Dorman @ 2018-05-03 21:53 UTC (permalink / raw)
  To: wireguard; +Cc: Ironic Design Development

We are just getting started with Wireguard, so I apologize in advance 
for any stupid mistakes I have made to cause this.

I am trying to set up VPN traffic between a local debian server cluster 
(allowed 192.168.99.x/24) and a Linode VM cluster (also debian, allowed 
192.168.100.x/24).

I have set up wg0 on two servers in the local cluster to confirm I am 
doing it correctly and I had no problem installing WG on the Linode 
slice once I switched the kernel to grub2 and rebooted into the latest 
AMD64 kernel with appropriate headers installed.

The problem is the Qwest edge router my local NOC connects through 
complains with "Destination Net Unreachable" as shown here.

# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
 From 65.152.242.37 icmp_seq=1 Destination Net Unreachable

FYI, 65.152.242.37 is the IP of atl-edge-24.inet.qwest.net
...

The local and Linode servers have the wg0 interface configured as shown:

local NOC servers
========================
Server at 192.168.99.7
.............................
interface: wg0
   public key: 3piZKS+b1GFMwkAED3ZqIL02VLRfKCSRrfGKeyu1MXU=
   private key: (hidden)
   listening port: 53339

peer: /RjZ+4Zx+4TIfp8a4tGj4mZQ+ZtQGxThHiXOID4aplQ=
   endpoint: 206.166.195.227:53339
   allowed ips: 192.168.99.2/32
   latest handshake: 1 day, 23 minutes, 5 seconds ago
   transfer: 4.03 KiB received, 4.05 KiB sent

peer: eW8d4b4HBxY6szYsgI9V8kzkZqhWY4BaehSxkHaqBx0=
   endpoint: 173.230.137.236:53339
   allowed ips: 192.168.100.2/32

Server at 192.168.99.2
.............................
interface: wg0
   public key: /RjZ+4Zx+4TIfp8a4tGj4mZQ+ZtQGxThHiXOID4aplQ=
   private key: (hidden)
   listening port: 53339

peer: 3piZKS+b1GFMwkAED3ZqIL02VLRfKCSRrfGKeyu1MXU=
   endpoint: 206.166.194.234:53339
   allowed ips: 192.168.99.7/32
   latest handshake: 1 day, 21 minutes, 42 seconds ago
   transfer: 4.05 KiB received, 4.03 KiB sent

peer: eW8d4b4HBxY6szYsgI9V8kzkZqhWY4BaehSxkHaqBx0=
   endpoint: 173.230.137.236:53339
   allowed ips: 192.168.100.2/32

Linode VM server
========================
interface: wg0
   public key: eW8d4b4HBxY6szYsgI9V8kzkZqhWY4BaehSxkHaqBx0=
   private key: (hidden)
   listening port: 53339

peer: /RjZ+4Zx+4TIfp8a4tGj4mZQ+ZtQGxThHiXOID4aplQ=
   endpoint: 206.166.195.227:53339
   allowed ips: 192.168.99.2/32

peer: 3piZKS+b1GFMwkAED3ZqIL02VLRfKCSRrfGKeyu1MXU=
   endpoint: 206.166.194.234:53339
   allowed ips: 192.168.99.7/32


As I said earlier, the two local NOC servers can ping each other on the 
192.168.99.x block just fine AND they can ping the public endpoint IP 
(173.230.137.236) of the Linode server, but both get a "network 
unreachable" error from 65.152.242.37 (atl-edge-24.inet.qwest.net) if 
they try to ping the Linode server using the allowed IP, 192.168.100.2.

It is as if the packets had the unroutable IP, 192.168.100.2, as their 
destination instead of the endpoint, 172.230.137.236.

So what have I missed?

Thank you for Wireguard and any help anyone can provide to show me what 
I am doing wrong.

-- 
Andy Dorman
Ironic Design, Inc.
AnteSpam.com

CONFIDENTIALITY NOTICE: This message is for the named person's use only. 
It may contain confidential, proprietary or legally privileged 
information. No confidentiality or privilege is waived or lost by any 
erroneous transmission. If you receive this message in error, please 
immediately destroy it and notify the sender. You must not, directly or 
indirectly, use, disclose, distribute, or copy any part of this message 
if you are not the intended recipient.


* Re: wg0 packets not being routed?
From: jens @ 2018-05-03 23:03 UTC (permalink / raw)
  To: wireguard

On 03.05.2018 23:53, Andy Dorman wrote:
> I am trying to set up VPN traffic between a local debian server cluster
> (allowed 192.168.99.x/24) and a Linode VM cluster (also debian, allowed
> 192.168.100.x/24).
> 

Look at the output of *ip route* and try to understand where your
traffic for the 100.xy or the 99.xy goes.
It looks like you made a mistake there.
Your ping log suggests that.

In general you give all the wg clients some kind of network (the same
/24 or /xx) and then use the normal routing/ip commands/structure with your
wg0 interface.


* Re: wg0 packets not being routed?
From: Germano Massullo @ 2018-05-03 23:37 UTC (permalink / raw)
  To: wireguard

I haven't understood your configuration well, but I can suggest you have
a look at mine, in which a "gateway" is implemented. Look in
particular at Example 2 (Esempio 2). For the few Italian words you could
just use an online translator, but they are not so important.

https://groups.google.com/forum/#!topic/ninux-ml/yHXe-dVss2M


* Re: wg0 packets not being routed?
From: Jason A. Donenfeld @ 2018-05-04  0:15 UTC (permalink / raw)
  To: Andy Dorman; +Cc: Ironic Design Development, WireGuard mailing list

Hello Andy,

The mistake you've made is that your NOC servers don't have a route
indicating that 192.168.100.0/24 should go to wg0, and likely your
Linode server doesn't have a route indicating that 192.168.99.0/25
should go to wg0. Instead, packets to these addresses are going out of
your default route, which is to the Internet, which rightfully rejects
RFC1918 addresses.

You can fix this in two ways:

1) Just use 192.168.99.0/24 addresses on both sides, so the route can
be inferred from the IP you're using. Or,

2) If you want to keep your existing structures of subnets, then just
add those routes:

nocbox $ ip route add 192.168.100.0/24 dev wg0
linode $ ip route add 192.168.99.0/24 dev wg0

If you're using wg-quick(8) to configure things, this will be taken
care of automatically, by the way.

Jason

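A diagnostic for exactly the mistake Jason describes, added here as an example (not code from the thread or from the WireGuard project): it parses the text output of `wg show wg0 allowed-ips` and `ip -4 route show` and reports any AllowedIPs prefix whose longest-matching route leaves via an interface other than wg0, which is how tunnel traffic ends up on the default route. The sample outputs are constructed to mirror Andy's NOC box before and after the `ip route add`; the gateway address 206.166.194.1 is an assumption.

```python
"""Check that every WireGuard AllowedIPs prefix is routed via the tunnel.
Inputs are the text of `wg show <if> allowed-ips` and `ip -4 route show`."""
import ipaddress
import re

# Constructed samples modelled on the NOC box at 192.168.99.7 in the thread.
# Peer keys are the ones shown in the thread; the gateway 206.166.194.1 is assumed.
WG_ALLOWED = ("/RjZ+4Zx+4TIfp8a4tGj4mZQ+ZtQGxThHiXOID4aplQ=\t192.168.99.2/32\n"
              "eW8d4b4HBxY6szYsgI9V8kzkZqhWY4BaehSxkHaqBx0=\t192.168.100.2/32\n")
# Assigning 192.168.99.7/24 to wg0 makes the kernel add the connected /24 route,
# which is why the 99.x peers worked; nothing covers 192.168.100.x but default.
ROUTES_BEFORE = """default via 206.166.194.1 dev eth0 onlink
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.7
206.166.194.0/24 dev eth0 proto kernel scope link src 206.166.194.234
"""
ROUTES_AFTER = ROUTES_BEFORE + "192.168.100.0/24 dev wg0 scope link\n"

def parse_allowed_ips(wg_output):
    """`wg show wg0 allowed-ips`: one line per peer, pubkey TAB space-separated CIDRs."""
    nets = []
    for line in wg_output.strip().splitlines():
        _peer, _, cidrs = line.partition("\t")
        nets.extend(ipaddress.ip_network(c) for c in cidrs.split() if c != "(none)")
    return nets

def parse_routes(ip_output):
    """Return (prefix, dev) pairs from `ip -4 route show`; 'default' is 0.0.0.0/0."""
    routes = []
    for line in ip_output.strip().splitlines():
        first = line.split()[0]
        dev = re.search(r"\bdev (\S+)", line)
        if dev:
            prefix = "0.0.0.0/0" if first == "default" else first
            routes.append((ipaddress.ip_network(prefix, strict=False), dev.group(1)))
    return routes

def misrouted(wg_output, ip_output, iface="wg0"):
    """List (allowed_prefix, route) pairs whose longest-match route is not via iface.
    A /0 AllowedIPs entry is skipped: wg-quick serves full tunnels with fwmark
    policy routing outside the main table, so a main-table check would mislead."""
    routes = parse_routes(ip_output)
    bad = []
    for net in parse_allowed_ips(wg_output):
        if net.prefixlen == 0:
            continue
        covering = [(r, dev) for r, dev in routes if r.supernet_of(net)]
        if not covering:
            bad.append((str(net), "no route"))
            continue
        best, dev = max(covering, key=lambda rd: rd[0].prefixlen)  # longest prefix wins
        if dev != iface:
            bad.append((str(net), f"{best} dev {dev}"))
    return bad
```

On a live host, feed it `subprocess.run(["wg", "show", "wg0", "allowed-ips"], ...)` and `ip -4 route show` output; an empty result means every peer prefix is covered by a wg0 route.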

* Re: wg0 packets not being routed? FIXED!
From: Andy Dorman @ 2018-05-04  2:53 UTC (permalink / raw)
  To: WireGuard mailing list; +Cc: Ironic Design Development

On 5/3/18 7:15 PM, Jason A. Donenfeld wrote:
> ip route add 192.168.100.0/24 dev wg0

Thank you everyone, that was it. Once I added an explicit route for the 
remote IP block on each server it ALL worked (and latency is pretty 
good, under 30ms over about a 10-hop route).

Somehow I had gotten the idea that the setup was more complicated if I 
used the same IP block on both ends of the VPN. I am pretty sure I did 
NOT get that from the wireguard.com web site. When I find the doc that 
misled me I will work with the author to make it clearer for a nube 
like me.

Thank you again.

-- 
Andy
