From: cyberurchin@gmail.com
To: wireguard@lists.zx2c4.com
Subject: Windows Wireguard with Multiple Endpoints in Different Subnets
Date: Fri, 24 Jan 2020 13:55:17 +0100 [thread overview]
Message-ID: <413c4ea5-9e70-acf9-caff-f6049374f7ce@gmail.com> (raw)
Hi Folks,
Here are two questions that I have concerning the Windows version of Wireguard.
My setup is as follows: A Windows machine with two Ethernet ports connects to two Linux clients, one on each end. There are two subnets defined for the two ports, 192.168.0.0/24 and 192.168.6.0/24. I need a secure tunnel from the Windows machine to each of the two Linux clients but the two Linux clients do not need to talk to each other.
a) Under Linux, I can define several Wireguard tunnels that work independently but this doesn't seem to be the case in Windows. In fact, when I activate one tunnel, the other one is automatically deactivated. Why is that?
My work-around looks a little bit like a hack but works, in principle. I've defined only one tunnel that includes the two Linux clients as peers even though they are in two different subnets:
[Interface]
PrivateKey = +OdjntqCs/OcJGsdGXXXXXMShNsdUW9EQW33HhvOVlQ=
ListenPort = 51820
Address = 192.168.8.6/24
[Peer]
PublicKey = ujRh46KyQrA0OlJZ77dXXXXXhUd4TaqKkoBhFj6ZlBk=
AllowedIPs = 192.168.8.3/32
Endpoint = 192.168.6.2:51820
[Peer]
PublicKey = 32VGe+PnVCtDio12GcrhKXXXXXlOWqy4ncD6G0U1Mhc=
AllowedIPs = 192.168.8.4/32
Endpoint = 192.168.0.201:51820
So far, so good.
b) The configuration described above breaks when I define a default gateway, e.g. 192.168.0.1. In this case, Wireguard messes up the packages that should go to 192.168.6.2 (the Linux client on the network where the gateway is not) and sends them to 192.168.0.1 (the default gateway). Ping commands to 192.168.6.2, however, work, in the sense that the routing table itself is still ok. It looks like this:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.202 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.0.0 255.255.255.0 On-link 192.168.0.202 281
192.168.0.202 255.255.255.255 On-link 192.168.0.202 281
192.168.0.255 255.255.255.255 On-link 192.168.0.202 281
192.168.6.0 255.255.255.0 On-link 192.168.6.3 311
192.168.6.3 255.255.255.255 On-link 192.168.6.3 311
192.168.6.255 255.255.255.255 On-link 192.168.6.3 311
192.168.8.0 255.255.255.0 On-link 192.168.8.6 261
192.168.8.3 255.255.255.255 On-link 192.168.8.6 5
192.168.8.4 255.255.255.255 On-link 192.168.8.6 5
192.168.8.6 255.255.255.255 On-link 192.168.8.6 261
192.168.8.255 255.255.255.255 On-link 192.168.8.6 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.0.202 281
224.0.0.0 240.0.0.0 On-link 192.168.6.3 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.0.202 281
255.255.255.255 255.255.255.255 On-link 192.168.6.3 311
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.0.1 Default
===========================================================================
Any ideas?
There is no IPv6. If I remove the default gateway, the two tunnels work again.
Ah, yes, and a final note - there is a related issue here:
https://lists.zx2c4.com/pipermail/wireguard/2019-September/004493.html
The answer to that post also seems to answer my question, too, but I'd like to get confirmation and maybe the world has moved on in the meantime.
Cheers,
Ingo
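An added example, not part of the original post: a longest-prefix-match lookup over a constructed excerpt of the route table above, plus a check that each peer Endpoint resolves to a physical interface and not to the tunnel's own address (which would indicate that the endpoint traffic is being looped back into the tunnel). The table excerpt, the tunnel address 192.168.8.6 and the endpoints are taken from the post; the helper names are my own.

```python
import ipaddress

# Constructed excerpt of the post's "route print" output:
# Network Netmask Gateway Interface Metric
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.202 281
192.168.0.0 255.255.255.0 On-link 192.168.0.202 281
192.168.6.0 255.255.255.0 On-link 192.168.6.3 311
192.168.8.0 255.255.255.0 On-link 192.168.8.6 261
192.168.8.3 255.255.255.255 On-link 192.168.8.6 5
192.168.8.4 255.255.255.255 On-link 192.168.8.6 5
"""

TUNNEL_ADDRESS = "192.168.8.6"                     # Address = 192.168.8.6/24 in [Interface]
PEER_ENDPOINTS = ["192.168.6.2", "192.168.0.201"]  # Endpoint hosts of the two [Peer] blocks


def parse_routes(text):
    """Turn 'network netmask gateway interface metric' lines into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers / separator lines
        net, mask, gateway, iface, metric = parts
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), gateway, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gateway, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway, iface)
    return None if best is None else {"gateway": best[1], "interface": best[2]}


def endpoints_leaving_tunnel(routes, endpoints, tunnel_address=TUNNEL_ADDRESS):
    """Return the endpoints whose selected route would exit via the tunnel itself."""
    return [ep for ep in endpoints if (lookup(routes, ep) or {}).get("interface") == tunnel_address]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for ep in PEER_ENDPOINTS:
        print(ep, "->", lookup(routes, ep))
    print("endpoints looped into tunnel:", endpoints_leaving_tunnel(routes, PEER_ENDPOINTS))
```

On the table as posted, both endpoints select an on-link physical interface and the loop check returns an empty list, which matches the author's observation that the route table itself looks fine.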