wireguard.lists.zx2c4.com archive mirror
* Sanity test forwarding
@ 2019-08-12 10:08 Kai Hendry
From: Kai Hendry @ 2019-08-12 10:08 UTC (permalink / raw)
  To: wireguard

Sorry, this is more of an iproute2 / iptables question I guess, though
in the context of using WireGuard I've never had a problem with
wg-quick, except on my voidlinux / muslc machine!!

hendry@knuckles /etc/wireguard $ sudo grep -vi private wg0.conf
[Interface]
Address = 192.168.2.1
ListenPort = 51820

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

[Peer]
PublicKey = 9ZyNE3if3j5hNcBY9ZnEHOGqLNRQNE5BnWFqkiQLSgo=
AllowedIPs = 192.168.2.2/32
hendry@knuckles /etc/wireguard $ ip route
default via 192.168.1.1 dev enp3s0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.5
192.168.2.2 dev wg0 scope link
hendry@knuckles /etc/wireguard $ sudo modinfo wireguard
filename:       /lib/modules/5.0.21_1/kernel/net/wireguard.ko.gz
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        0.0.20190702
author:         Jason A. Donenfeld <Jason@zx2c4.com>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     1A86B7E30E05E9B1FD6681E
depends:        udp_tunnel,ip6_udp_tunnel
retpoline:      Y
name:           wireguard
vermagic:       5.0.21_1 SMP preempt mod_unload modversions


I can connect to the machine just fine, but the forwarding doesn't
work! Docker is fine. Bizarre!

hendry@knuckles /etc/wireguard $ cat /proc/sys/net/ipv4/ip_forward
1
hendry@knuckles /etc/wireguard $ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:9115
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:hbci

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 to:172.17.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9115 to:172.17.0.3:9115
DNAT       tcp  --  anywhere             anywhere             tcp dpt:cisco-sccp to:172.17.0.4:3000


So any tips on how to debug this? I tried creating a veth interface, but
I don't quite grok how veth0@veth1 & veth1@veth0 are supposed to work.


Thanks in advance!
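
Added example, not part of the original message or of wg-quick: the output above lists only the nat table, so this sketch walks `iptables -S FORWARD` output (filter table) to see which direction of a wg0 <-> enp3s0 flow the PostUp rule actually covers. The rule dump, its DROP policy and `RETURN_RULE` are constructed assumptions, not data from the poster's machine; `forward_verdict` is a hypothetical helper.

```shell
#!/bin/sh
# Added example, not from the original post. Simplified first-match walk of
# `iptables -S FORWARD` output. Only -i/-o and --ctstate/--state are evaluated;
# rules with any other match are treated as non-matching, and jumps to
# user-defined chains are assumed to return without a verdict.
forward_verdict() {  # usage: forward_verdict IN_IF OUT_IF CTSTATE < rules
    awk -v in_if="$1" -v out_if="$2" -v state="$3" '
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 != "-A" || $2 != "FORWARD" || verdict != "" { next }
    {
        ok = 1; target = ""; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "!") { neg = 1; continue }
            if ($i == "-i" || $i == "-o") {
                want = ($i == "-i") ? in_if : out_if
                hit = ($(i + 1) == want); i++
                if (hit == neg) ok = 0
            } else if ($i == "--ctstate" || $i == "--state") {
                hit = (index("," $(i + 1) ",", "," state ",") > 0); i++
                if (hit == neg) ok = 0
            } else if ($i == "-m") {
                i++                       # skip the module name
            } else if ($i == "-j") {
                target = $(i + 1); break  # target options follow; stop here
            } else {
                ok = 0                    # unsupported match: be conservative
            }
            neg = 0
        }
        if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) verdict = target
    }
    END { print (verdict != "" ? verdict : policy) }'
}

# Constructed sample: a Docker-style filter table with policy DROP (an
# assumption; the post only shows the nat table) plus the PostUp rule.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT'
# Hypothetical extra rule that admits replies heading back into the tunnel.
RETURN_RULE='-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

echo "wg0 -> enp3s0 NEW:          $(printf '%s\n' "$SAMPLE_RULES" | forward_verdict wg0 enp3s0 NEW)"
echo "enp3s0 -> wg0 ESTABLISHED:  $(printf '%s\n' "$SAMPLE_RULES" | forward_verdict enp3s0 wg0 ESTABLISHED)"
echo "same, with RETURN_RULE:     $(printf '%s\n%s\n' "$SAMPLE_RULES" "$RETURN_RULE" | forward_verdict enp3s0 wg0 ESTABLISHED)"
```

On a live host the input would come from `sudo iptables -S FORWARD` instead of the constructed sample.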
