wireguard.lists.zx2c4.com archive mirror
From: Kai Hendry <kai.hendry@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Sanity test forwarding
Date: Mon, 12 Aug 2019 18:08:46 +0800
Message-ID: <CAF8XF0cO6h2f3dtWOKtPX-EFg0ne4cUor65VzVg_9Gdg9y85xA@mail.gmail.com>

Sorry, this is more of an iproute2 / iptables question I guess, though
in the context of using WireGuard I've never had a problem with
wg-quick, except on my voidlinux / muslc machine!!

hendry@knuckles /etc/wireguard $ sudo grep -vi private wg0.conf
[Interface]
Address = 192.168.2.1
ListenPort = 51820

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

[Peer]
PublicKey = 9ZyNE3if3j5hNcBY9ZnEHOGqLNRQNE5BnWFqkiQLSgo=
AllowedIPs = 192.168.2.2/32
hendry@knuckles /etc/wireguard $ ip route
default via 192.168.1.1 dev enp3s0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.5
192.168.2.2 dev wg0 scope link
hendry@knuckles /etc/wireguard $ sudo modinfo wireguard
filename:       /lib/modules/5.0.21_1/kernel/net/wireguard.ko.gz
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        0.0.20190702
author:         Jason A. Donenfeld <Jason@zx2c4.com>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     1A86B7E30E05E9B1FD6681E
depends:        udp_tunnel,ip6_udp_tunnel
retpoline:      Y
name:           wireguard
vermagic:       5.0.21_1 SMP preempt mod_unload modversions


I can connect to the machine just fine, but the forwarding doesn't
work! Docker is fine. Bizarre!

hendry@knuckles /etc/wireguard $ cat /proc/sys/net/ipv4/ip_forward
1
hendry@knuckles /etc/wireguard $ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:9115
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:hbci

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 to:172.17.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9115 to:172.17.0.3:9115
DNAT       tcp  --  anywhere             anywhere             tcp dpt:cisco-sccp to:172.17.0.4:3000


So any tips on how to debug this? I tried creating a veth interface, but
I don't quite grok how veth0@veth1 & veth1@veth0 are supposed to work.


Thanks in advance!
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
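
Added example, not part of the original message or of WireGuard: the output above lists the nat table but not the filter table's FORWARD chain, so this sketch evaluates `iptables -S FORWARD` output for one direction and connection state. The rulesets, the FIXED return-path rule and all function names are constructed, and the sample assumes Docker has set the FORWARD policy to DROP.

```python
import shlex

# Constructed `iptables -S FORWARD` output (not from the post). Assumes Docker
# set the policy to DROP and wg-quick appended the PostUp rule from wg0.conf.
SAMPLE = """\
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
"""
# Same chain plus a constructed rule accepting reply traffic towards wg0.
FIXED = SAMPLE + "-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
TERMINAL = ("ACCEPT", "DROP", "REJECT")

def parse_rule(line):
    """Split one '-A FORWARD ...' line into interface/state matches and target."""
    rule, neg = {"other": False, "target": None}, False
    it = iter(shlex.split(line)[2:])      # skip "-A FORWARD"
    for t in it:
        if t in ("-i", "-o"):
            rule[t] = (next(it), neg)     # (interface name, negated?)
        elif t in ("--ctstate", "--state") and not neg:
            rule["states"] = set(next(it).split(","))
        elif t == "-j":
            rule["target"] = next(it)
        elif t == "-m":
            next(it)                      # module name; its options follow
        elif t != "!":
            rule["other"] = True          # a match this sketch cannot evaluate
        neg = t == "!"
    return rule

def matches(rule, in_if, out_if, state):
    for opt, actual in (("-i", in_if), ("-o", out_if)):
        pat, neg = rule.get(opt, (actual, False))
        if (actual == pat) == neg:
            return False
    return state in rule.get("states", {state})

def forward_verdict(rules, in_if, out_if, state="NEW"):
    """Target of the first decidable matching rule, else the chain policy."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        if line.startswith("-P FORWARD"):
            policy = line.split()[2]
        elif line.startswith("-A FORWARD"):
            rule = parse_rule(line)
            if rule["other"] or rule["target"] not in TERMINAL:
                continue                  # undecidable match or user-chain jump
            if matches(rule, in_if, out_if, state):
                return rule["target"]
    return policy
```

Jumps to user chains such as DOCKER-USER are treated as returning, and rules with matches other than interface or conntrack state are skipped, so the result is a lower bound on what the real chain accepts.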
