wireguard.lists.zx2c4.com archive mirror
* Wireguard behind NAT
@ 2018-09-03 10:28 Adrián Mihálko
  2018-09-03 10:43 ` Ole-Morten Duesund
  0 siblings, 1 reply; 9+ messages in thread
From: Adrián Mihálko @ 2018-09-03 10:28 UTC (permalink / raw)
  To: wireguard

Is there any way to connect to Wireguard behind a Carrier-grade NAT?

On SIDE_A I have a backup LTE connection, without proper public ip, only
dynamic ip and a server with Wireguard.

SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)

SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip
on SIDE_A)

I heard of Wireguard-P2P, but it's not running on headless server, because
one of their components requires X11.


Best regards,
Adrian

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Wireguard behind NAT
  2018-09-03 10:28 Wireguard behind NAT Adrián Mihálko
@ 2018-09-03 10:43 ` Ole-Morten Duesund
  2018-09-03 10:55   ` Roman Mamedov
  0 siblings, 1 reply; 9+ messages in thread
From: Ole-Morten Duesund @ 2018-09-03 10:43 UTC (permalink / raw)
  To: wireguard

On 9/3/18 12:28 PM, Adrián Mihálko wrote:
> Is there any way to connect to Wireguard behind a Carrier-grade NAT?
> 
> On SIDE_A I have a backup LTE connection, without proper public ip, only
> dynamic ip and a server with Wireguard.
> 
> SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
> SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org 
> <http://sideb.dyndns.org/>)
> 
> SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org 
> <http://sideb.dyndns.org/>)
> SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public 
> ip on SIDE_A)
> 
> I heard of Wireguard-P2P, but it's not running on headless server,
> because one of their components requires X11.

This is pretty much the same as I have - and while SIDE_B_SERVER won't 
be able to establish connection to SIDE_A_SERVER, SIDE_A_SERVER should 
have no problems establishing a connection to SIDE_B_SERVER.

Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER 
should keep the connection up.

- OM

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Wireguard behind NAT
  2018-09-03 10:43 ` Ole-Morten Duesund
@ 2018-09-03 10:55   ` Roman Mamedov
  2018-09-03 10:59     ` Ole-Morten Duesund
  0 siblings, 1 reply; 9+ messages in thread
From: Roman Mamedov @ 2018-09-03 10:55 UTC (permalink / raw)
  To: Ole-Morten Duesund; +Cc: wireguard

On Mon, 3 Sep 2018 12:43:19 +0200
Ole-Morten Duesund <olemd@glemt.net> wrote:

> Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER 
> should keep the connection up.

Do you encounter any difference between 5, 25 and 55, only 5 works for you? If
not, setting it to such a low interval seems wasteful, especially on
LTE/mobile with possibly metered bandwidth and battery concerns.

-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Wireguard behind NAT
  2018-09-03 10:55   ` Roman Mamedov
@ 2018-09-03 10:59     ` Ole-Morten Duesund
  0 siblings, 0 replies; 9+ messages in thread
From: Ole-Morten Duesund @ 2018-09-03 10:59 UTC (permalink / raw)
  Cc: wireguard

On 9/3/18 12:55 PM, Roman Mamedov wrote:
> On Mon, 3 Sep 2018 12:43:19 +0200
> Ole-Morten Duesund <olemd@glemt.net> wrote:
> 
>> Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER
>> should keep the connection up.
> 
> Do you encounter any difference between 5, 25 and 55, only 5 works for you? If
> not, setting it to such a low interval seems wasteful, especially on
> LTE/mobile with possibly metered bandwidth and battery concerns.

"It works for me?" It's a balance between how long you're willing to 
wait for a possibly idle link if you need to connect from SIDE_B to SIDE_A.

It's tunable and you should probably test what's acceptable to you.

- OM

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Wireguard behind NAT
  2018-09-02 19:51 Adrián Mihálko
  2018-09-07  3:39 ` Jason A. Donenfeld
@ 2018-09-07 15:17 ` Steven Honson
  1 sibling, 0 replies; 9+ messages in thread
From: Steven Honson @ 2018-09-07 15:17 UTC (permalink / raw)
  To: Adrián Mihálko; +Cc: wireguard

Hi Adrian,

As SIDE_B has a public IP address, the example you give should work fine. In this case, SIDE_A will establish a connection with SIDE_B which effectively punches a NAT hole for return traffic from SIDE_B to SIDE_A.

When configuring the SIDE_A peer on SIDE_B, just leave EndPoint unset.

Inversely, when configuring the SIDE_B peer on SIDE_A, use the dynamic DNS name (and the port that SIDE_B is listening on).

The NAT Hole Punching example Jason provided is more applicable to situations where both WireGuard peers are NATed. In your example it sounds like this is only the case for SIDE_A.

Cheers,
Steven

> On 3 Sep 2018, at 5:51 am, Adrián Mihálko <adriankoooo@gmail.com> wrote:
> 
> Is there any way to connect to Wireguard behind a Carrier-grade NAT? 
> 
> On SIDE_A I have a backup LTE connection, without proper public ip, only dynamic ip and a server with Wireguard.
> 
> SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT 
> SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org <http://sideb.dyndns.org/>) 
> 
> SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org <http://sideb.dyndns.org/>) 
> SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip on SIDE_A) 
> 
> 
> Best regards, 
> Adrian


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Wireguard behind NAT
  2018-09-02 19:51 Adrián Mihálko
@ 2018-09-07  3:39 ` Jason A. Donenfeld
  2018-09-07 15:17 ` Steven Honson
  1 sibling, 0 replies; 9+ messages in thread
From: Jason A. Donenfeld @ 2018-09-07  3:39 UTC (permalink / raw)
  To: Adrián Mihálko; +Cc: WireGuard mailing list

https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Wireguard behind NAT
@ 2018-09-02 19:51 Adrián Mihálko
  2018-09-07  3:39 ` Jason A. Donenfeld
  2018-09-07 15:17 ` Steven Honson
  0 siblings, 2 replies; 9+ messages in thread
From: Adrián Mihálko @ 2018-09-02 19:51 UTC (permalink / raw)
  To: wireguard

Is there any way to connect to Wireguard behind a Carrier-grade NAT?

On SIDE_A I have a backup LTE connection, without proper public ip, only
dynamic ip and a server with Wireguard.

SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)

SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip
on SIDE_A)


Best regards,
Adrian

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Wireguard behind NAT
  2018-03-12 11:22 Adrián Mihálko
@ 2018-04-14  2:06 ` Jason A. Donenfeld
  0 siblings, 0 replies; 9+ messages in thread
From: Jason A. Donenfeld @ 2018-04-14  2:06 UTC (permalink / raw)
  To: Adrián Mihálko; +Cc: WireGuard mailing list

If you can have SIDE_A connect to SIDE_B and enable
persistent-keepalive, that should take care of things mostly. If you
can't do that for whatever reason, there are hole punching tricks like
[1] and [2].

[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching
[2] https://github.com/manuels/wireguard-p2p

^ permalink raw reply	[flat|nested] 9+ messages in thread
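
The arrangement described in the reply above and in Steven Honson's reply earlier on this page (SIDE_A dials out to SIDE_B's dynamic DNS name with a persistent keepalive, SIDE_B leaves the endpoint for SIDE_A unset), written out as two wg-quick configuration files. This is an added example, not part of any message in the thread; the keys are placeholders, and the 10.0.0.0/24 tunnel addresses, the file paths and UDP port 51820 are assumptions.

```ini
# Constructed example: keys are placeholders; tunnel addresses and
# port 51820 are assumptions, not values from the thread.

# ---- SIDE_A_SERVER: /etc/wireguard/wg0.conf (LTE, behind carrier-grade NAT) ----
[Interface]
PrivateKey = <SIDE_A_PRIVATE_KEY>
Address = 10.0.0.1/24
# No ListenPort: nothing can reach SIDE_A unsolicited through the CGNAT,
# so the source port can be left for WireGuard to choose.

[Peer]
# SIDE_B_SERVER
PublicKey = <SIDE_B_PUBLIC_KEY>
# SIDE_A always initiates, so it needs SIDE_B's reachable name and port.
Endpoint = sideb.dyndns.org:51820
# Accept only SIDE_B's tunnel address from this peer.
AllowedIPs = 10.0.0.2/32
# Keeps the NAT mapping open so SIDE_B can send first on an idle link.
# The thread discusses 5, 25 and 55 seconds; shorter intervals cost more
# LTE data and battery.
PersistentKeepalive = 25

# ---- SIDE_B_SERVER: /etc/wireguard/wg0.conf (VDSL, public IP + DDNS) ----
[Interface]
PrivateKey = <SIDE_B_PRIVATE_KEY>
Address = 10.0.0.2/24
# Must match the port in SIDE_A's Endpoint and be reachable from outside.
ListenPort = 51820

[Peer]
# SIDE_A_SERVER
PublicKey = <SIDE_A_PUBLIC_KEY>
# Endpoint deliberately unset: WireGuard learns SIDE_A's current public
# address and port from the source of its authenticated packets.
AllowedIPs = 10.0.0.1/32
```

The `Endpoint` name is resolved when the configuration is applied, so after SIDE_B's address changes SIDE_A has to re-apply it (or set the endpoint again) before the tunnel recovers.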

* Wireguard behind NAT
@ 2018-03-12 11:22 Adrián Mihálko
  2018-04-14  2:06 ` Jason A. Donenfeld
  0 siblings, 1 reply; 9+ messages in thread
From: Adrián Mihálko @ 2018-03-12 11:22 UTC (permalink / raw)
  To: wireguard

Is there any way to connect to Wireguard behind a Carrier-grade NAT? I have
a backup LTE connection, without proper public ip + I have a home server
with Wireguard.

SIDE_A = LTE connection, without public IP, NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)

SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, no public ip)

Best regards,
Adrian

^ permalink raw reply	[flat|nested] 9+ messages in thread
