* need a hand with WG setup
@ 2019-08-27 17:20 Dimitar Vassilev
  2019-08-27 17:57 ` Kalin KOZHUHAROV
  0 siblings, 1 reply; 5+ messages in thread
From: Dimitar Vassilev @ 2019-08-27 17:20 UTC (permalink / raw)
  To: wireguard



Hello,

I'm trying to establish a site-to-site VPN with two OpenWRT 18.6.4 routers (Linux
4.9.184).

My problem is that I cannot get any ping running and cannot reach the
remote tunnel IPs.
Below is my setup:
# ip r
default via 95.87.xxx.xxx dev eth0.2 proto static src 95.87.xxx.xx
95.87.xxx.0/24 dev eth0.2 proto kernel scope link src 95.87.xxxxx.xxx
130.204.xxx.xxx via 95.87.xxx.x dev eth0.2 proto static
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
192.168.100.1xx/25 dev wgknxvtun0 proto static scope link
192.168.101.0/24 dev wgknxvrtun0 proto kernel scope link src 192.168.101.1
216.66.xx.xx via 95.87.xxx.1 dev eth0.2 proto static

root@OpenWrt:~# wg show
interface: wgknxvtun0
  public key: f6
  private key: (hidden)
  listening port: 51820

peer: ThW
  endpoint: 130.204.xxx.xxx:51820
  allowed ips: 192.168.100.128/25
  latest handshake: 2 minutes, 15 seconds ago
  transfer: 134.86 KiB received, 121.67 KiB sent
  persistent keepalive: every 25 seconds

root@OpenWrt:~# wg showconf wgknxvtun0
[Interface]
ListenPort = 51820
PrivateKey = xxxx

[Peer]
PublicKey = Tx
AllowedIPs = 192.168.100.128/25
Endpoint = 130.204.x.x:51820
PersistentKeepalive = 25

I've set up a separate FW zone where input, forward and output are default.
Ideas on what I'm missing are welcome.

Best,
Dimitar


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: need a hand with WG setup
  2019-08-27 17:20 need a hand with WG setup Dimitar Vassilev
@ 2019-08-27 17:57 ` Kalin KOZHUHAROV
  2019-08-28 10:56   ` Dimitar Vassilev
  0 siblings, 1 reply; 5+ messages in thread
From: Kalin KOZHUHAROV @ 2019-08-27 17:57 UTC (permalink / raw)
  To: Dimitar Vassilev; +Cc: WireGuard mailing list



On Tue, 27 Aug 2019, 20:21 Dimitar Vassilev, <dimitar.vassilev@gmail.com>
wrote:

> Hello,
>
> I'm trying to establish site to site VPN with 2 OpenWRTs 18.6.4 - linux
> 4.9.184
>
> my problem is that I cannot get any ping running and cannot reach the
> remote tunnel ips.
>
1. Disable the FW and test.

2. Try ping from one router to the other using the configured public IP
address.

3. Ping the other using the WG IP address.

If all runs, then it is a routing problem left to solve...

Kalin.


* Re: need a hand with WG setup
  2019-08-27 17:57 ` Kalin KOZHUHAROV
@ 2019-08-28 10:56   ` Dimitar Vassilev
  2019-09-01 11:03     ` Dimitar Vassilev
  0 siblings, 1 reply; 5+ messages in thread
From: Dimitar Vassilev @ 2019-08-28 10:56 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list



Hi Kalin,

> 1. Disable the FW and test.

Tried - disabling one fw shows wg traffic flowing.

> 2. Try ping from one router to the other using the configured public IP
> address

That works as well with the default fw config on OpenWRT/LEDE/LibreCMC.

> 3. Ping the other using the WG IP address

My problem is that ping between the WG IP addresses is not working. I see
some PostUp and PostDown examples in the regular configurations like the
ones below:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
ip6tables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
ip6tables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
In the LEDE/OpenWRT derivatives those are marked in the GUI with MASQUERADE
and route allowed ips options, but still I'm getting stuck. I moved my VPN
network from /25 to another /24 and still was stuck.

> If all runs them it is a routing problem left to solve...

Agree. I'm a bit at a loss which routing - the kernel one or the forwarding
of packets. Will tear down and start from scratch with another test.

> Kalin.


* Re: need a hand with WG setup
  2019-08-28 10:56   ` Dimitar Vassilev
@ 2019-09-01 11:03     ` Dimitar Vassilev
  0 siblings, 0 replies; 5+ messages in thread
From: Dimitar Vassilev @ 2019-09-01 11:03 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list



On Wed, 28.08.2019 at 13:56 Dimitar Vassilev <dimitar.vassilev@gmail.com>
wrote:

Hello all,

Problem solved via a trivial solution - add my origin VPN endpoint IP into
the list of AllowedIPs for the peer. I used
https://forum.openwrt.org/t/solved-setup-wireguard-connecting-two-networks/4215
to achieve this. At least in this setup I see the packets flowing in both
directions - RX and TX.
My next questions are:

   - is this normal since I'm behind NAT, or are there some OpenWRT/WireGuard
     specifics I'm missing? In the docs and examples I see examples with just
     peer IPs added
   - what should I do to make the flow to a private subnet in DMZ on site B
     from site A?

Thanks,
Dimitar


* Re: need a hand with WG setup
       [not found] <mailman.3.1567418401.24918.wireguard@lists.zx2c4.com>
@ 2019-09-03  8:28 ` Hristo Georgiev
  0 siblings, 0 replies; 5+ messages in thread
From: Hristo Georgiev @ 2019-09-03  8:28 UTC (permalink / raw)
  To: dimitar.vassilev; +Cc: WireGuard mailing list

Hello Dimitar,
The WG module is doing the routing for you; in most cases you don't need PostUp and PostDown scripts. You need SNAT (MASQUERADE) only if you want to route all your internet traffic, like 0.0.0.0/0.
For site-to-site you need to enable forwarding, which most routers do anyway.
Let's assume you have Site A with network 192.168.1.*/24 and Site B with network 192.168.2.*/24.
On site A you have router A1 with internal IP 192.168.1.1, VPN IP 10.8.10.1 and public IP x.x.x.x.
On site B you have router B1 with internal IP 192.168.2.1, VPN IP 10.8.10.2 and public IP y.y.y.y.
Your config is going to look like this:

— A1 config — 
[Interface]
PrivateKey = YourA1PrivateKeyHere
Address = 10.8.10.1/32
ListenPort = 51820

[Peer]
PublicKey = YourB1PublicKeyHere
AllowedIPs = 10.8.10.2/24, 192.168.2.1/24 
Endpoint = y.y.y.y:51820   #B1 public IP

————————————————

— B1 config — 
[Interface]
PrivateKey = YourB1PrivateKeyHere
Address = 10.8.10.2/32
ListenPort = 51820

[Peer]
PublicKey = YourA1PublicKeyHere
AllowedIPs = 10.8.10.1/24, 192.168.1.1/24 
Endpoint = x.x.x.x:51820   #A1 public IP
 
That is everything!

Example 2: now let's make B1 a gateway for Client 1, routing all internet traffic out of its default gateway interface eth0.
In the B1 config add:
#Enable SNAT only if B1 is not a gateway yet, otherwise you don't need this script
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#Client 1
[Peer]
PublicKey = YourClient1PublicKeyHere
AllowedIPs = 10.8.10.5/32

————————————————

— Client 1 config —
[Interface]
PrivateKey = YourClient1PrivateKeyHere
Address = 10.8.10.5/32

#B1 gate
[Peer]
PublicKey = YourB1PublicKeyHere
AllowedIPs = 10.8.10.2/24, 0.0.0.0/0
Endpoint = y.y.y.y:51820   #B1 public IP
PersistentKeepalive = 25

That's it. In this example Client 1 is behind NAT and changes networks often; that's why we don't have an Endpoint for it and instead use keepalive.

Cheers,
Hristo
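To make the AllowedIPs rules in this reply (and the AllowedIPs fix Dimitar reported above) concrete, here is an added Python model of WireGuard's cryptokey routing. It is not code from the thread or from WireGuard itself; the peer labels, the `ping_path` tracer and the mismatched B1 table are constructed for illustration.

```python
import ipaddress

# Added model of WireGuard's cryptokey routing (AllowedIPs), built to trace
# the A1/B1 site-to-site configs from the reply above. Hypothetical helper,
# not WireGuard code: real wg uses a radix trie, but the rules are the same.

def allowed_ips(spec):
    """Parse an AllowedIPs value; host bits are masked (10.8.10.2/24 -> 10.8.10.0/24)."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]

class CryptokeyTable:
    def __init__(self):
        self.peers = {}  # peer name -> list of allowed networks

    def add_peer(self, name, spec):
        self.peers[name] = allowed_ips(spec)

    def egress_peer(self, dst):
        """Outbound: longest-prefix match over all peers' AllowedIPs; None means dropped."""
        dst = ipaddress.ip_address(dst)
        best = None
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def ingress_ok(self, peer, src):
        """Inbound: a decrypted packet from `peer` is kept only if its source is in that peer's AllowedIPs."""
        return any(ipaddress.ip_address(src) in net for net in self.peers[peer])

def ping_path(a_table, b_table, src, dst):
    """Trace an echo request A1 -> B1 and its reply B1 -> A1 through both tables."""
    if a_table.egress_peer(dst) is None or not b_table.ingress_ok("A1", src):
        return "request dropped"
    if b_table.egress_peer(src) is None or not a_table.ingress_ok("B1", dst):
        return "reply dropped"
    return "ok"

# A1 and B1 with the AllowedIPs from the reply's configs (peer names are constructed labels).
a1 = CryptokeyTable(); a1.add_peer("B1", "10.8.10.2/24, 192.168.2.1/24")
b1 = CryptokeyTable(); b1.add_peer("A1", "10.8.10.1/24, 192.168.1.1/24")

# Constructed mismatch of the kind the thread hit: B1 lists only A1's tunnel
# address, so a request sourced from A1's LAN side is decrypted and then dropped,
# even though the handshake completes and the transfer counters keep moving.
b1_tunnel_only = CryptokeyTable(); b1_tunnel_only.add_peer("A1", "10.8.10.1/32")
```

With the mismatched table, tunnel-to-tunnel pings still succeed while anything sourced from the LAN side is silently dropped, which is why `wg show` looks healthy while ping fails.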



