From: Kai Hendry <kai.hendry@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Sanity test forwarding
Date: Mon, 12 Aug 2019 18:08:46 +0800
Message-ID: <CAF8XF0cO6h2f3dtWOKtPX-EFg0ne4cUor65VzVg_9Gdg9y85xA@mail.gmail.com>

Sorry, this is more of an iproute2 / iptables question I guess, though
in the context of using WireGuard I've never had a problem with
wg-quick, except on my voidlinux / muslc machine!!

hendry@knuckles /etc/wireguard $ sudo grep -vi private wg0.conf
[Interface]
Address = 192.168.2.1
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE
[Peer]
PublicKey = 9ZyNE3if3j5hNcBY9ZnEHOGqLNRQNE5BnWFqkiQLSgo=
AllowedIPs = 192.168.2.2/32
hendry@knuckles /etc/wireguard $ ip route
default via 192.168.1.1 dev enp3s0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.5
192.168.2.2 dev wg0 scope link
hendry@knuckles /etc/wireguard $ sudo modinfo wireguard
filename: /lib/modules/5.0.21_1/kernel/net/wireguard.ko.gz
alias: net-pf-16-proto-16-family-wireguard
alias: rtnl-link-wireguard
version: 0.0.20190702
author: Jason A. Donenfeld <Jason@zx2c4.com>
description: WireGuard secure network tunnel
license: GPL v2
srcversion: 1A86B7E30E05E9B1FD6681E
depends: udp_tunnel,ip6_udp_tunnel
retpoline: Y
name: wireguard
vermagic: 5.0.21_1 SMP preempt mod_unload modversions
I can connect to the machine just fine, but the forwarding doesn't
work! Docker is fine. Bizarre!
hendry@knuckles /etc/wireguard $ cat /proc/sys/net/ipv4/ip_forward
1
hendry@knuckles /etc/wireguard $ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:9115
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:hbci

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 to:172.17.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9115 to:172.17.0.3:9115
DNAT       tcp  --  anywhere             anywhere             tcp dpt:cisco-sccp to:172.17.0.4:3000

So any tips on how to debug this? I tried creating a veth interface, but
I don't quite grok how veth0@veth1 & veth1@veth0 are supposed to work.

Thanks in advance!