WireGuard Archive on lore.kernel.org
* Issues with excluding private IPs
@ 2019-08-15  1:36 Oliver Benning
  2019-08-25 19:18 ` Derrick Lyndon Pallas
  0 siblings, 1 reply; 2+ messages in thread
From: Oliver Benning @ 2019-08-15  1:36 UTC (permalink / raw)
  To: wireguard


My setup (may be unrelated):

I have a public endpoint hosted on Digital Ocean, which I connect to simply through its external IP address as the endpoint. It was set up using Streisand.

The endpoint itself acts as a DNS resolver within the tunnel for ad blocking purposes, so the WireGuard profile uses the endpoint's internal IP address in the DNS field. This setup has been documented online.

The issue (on both Mac and iPhone clients):
I would like to exclude private IPs from the tunnel to connect to internal resources. Connection works fine with AllowedIPs=0.0.0.0/0; it does not work when using the "Exclude private IPs" option.

Log just shows:
[NET] peer(5m6B…jmno) - Sending handshake initiation
[NET] peer(5m6B…jmno) - Failed to send handshake initiation write udp4 0.0.0.0:63865->[EXTERNAL-IP]:51820: sendto: network is unreachable

I also have tried using a set of CIDR blocks such that the droplet's external IP is excluded from the range and that did not work either. If I have a misconception about the configuration or there is something I should try please let me know.

Recommendation
This may have been recommended below but I would highly suggest a list of IPs to subtract from the tunnel. My ideal scenario would be:

AllowedIPs = 0.0.0.0/0
ExceptedIPs = 192.168.1.0/24

Cheers,
Oliver



_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Issues with excluding private IPs
  2019-08-15  1:36 Issues with excluding private IPs Oliver Benning
@ 2019-08-25 19:18 ` Derrick Lyndon Pallas
  0 siblings, 0 replies; 2+ messages in thread
From: Derrick Lyndon Pallas @ 2019-08-25 19:18 UTC (permalink / raw)
  To: Oliver Benning; +Cc: wireguard


Doesn't a routing rule solve this issue?

~Derrick • iPhone

> On Aug 14, 2019, at 6:36 PM, Oliver Benning <obenning@fieldeffect.com> wrote:
> 
> My setup (may be unrelated):
> 
> I have a public endpoint hosted on Digital Ocean, which I connect to simply through its external IP address as the endpoint. It was set up using Streisand.
> 
> The endpoint itself acts as a DNS resolver within the tunnel for ad blocking purposes, so the WireGuard profile uses the endpoint's internal IP address in the DNS field. This setup has been documented online.
> 
> The issue (on both Mac and iPhone clients):
> I would like to exclude private IPs from the tunnel to connect to internal resources. Connection works fine with AllowedIPs=0.0.0.0/0; it does not work when using the "Exclude private IPs" option.
> 
> Log just shows:
> [NET] peer(5m6B…jmno) - Sending handshake initiation
> [NET] peer(5m6B…jmno) - Failed to send handshake initiation write udp4 0.0.0.0:63865->[EXTERNAL-IP]:51820: sendto: network is unreachable
> 
> I also have tried using a set of CIDR blocks such that the droplet's external IP is excluded from the range and that did not work either. If I have a misconception about the configuration or there is something I should try please let me know.
> 
> Recommendation
> This may have been recommended below but I would highly suggest a list of IPs to subtract from the tunnel. My ideal scenario would be:
> 
> AllowedIPs = 0.0.0.0/0
> ExceptedIPs = 192.168.1.0/24
> 
> Cheers,
> Oliver
> 
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
