Routing between multiple wg interfaces

Routing between multiple wg interfaces

[Adrián Mihálko]

[-- Attachment #1.1: Type: text/plain, Size: 1562 bytes --]

I am trying to route between multiple WG interfaces.

On my primary server:

wg0.conf:

[Interface]
Address = 192.168.6.4/24
ListenPort = 51820
PrivateKey =
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j
ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i
-j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey =
AllowedIPs = 192.168.6.1/32, 192.168.1.0/24
Endpoint = xy.com:51820

wg1.conf:

[Interface]
Address = 192.168.9.1/24
ListenPort = 51821
PrivateKey =

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j
ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i
-j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey =
AllowedIPs = 192.168.9.3/32

---

With wg0 I am connecting to an other server (xy.com:51820). On wg1 I am
accepting client connections.

On this server I can ping everything, so connection is working well.

ping 192.168.6.1 - works
ping 192.168.1.xxx - works

ping 192.168.9.3 - works

---

Now I am connecting my client to this server (client 192.168.9.3):

[Interface]
PrivateKey =
Address = 192.168.9.3/24
DNS = 192.168.9.1

[Peer]
PublicKey =
AllowedIPs = 192.168.9.1/32, 192.168.1.0/24
Endpoint = primaryserver:51821


I can ping server 192.168.9.1 as expected, but I am unable to ping any of
my devices in 192.168.1.0/24.

Anyone knows what's the problem here?

[-- Attachment #1.2: Type: text/html, Size: 2714 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Routing between multiple wg interfaces

[Michael B. Williams]

[-- Attachment #1.1: Type: text/plain, Size: 3497 bytes --]

I'm a bit confused about your configuration files - could you better
organize them and present including the underlying host they are on? From
the question, it's unclear as to whether there are multiple WireGuard
servers or a single server. I see you reference pinging 192.168.1.0/24 but
I do not see any configurations showing that CIDR.

You may need a masquerade or SNAT for your WireGuard (wg0/wg1) interface.
Otherwise, the forwarded packets will be from an invalid range/host and
discarded depending on the exact configuration.

I.e. if your traffic is coming into the server from client -> wg1 but
leaving (forwarding) to wg0 then you'll need a masquerade on wg0  iptables
-t nat -A POSTROUTING -o wg0 -j MASQUERADE

------------------------------

*Michael B. Williams*
Glexia, Inc. - An IT Company
USA Direct: +1 978 477 6797
USA Toll Free: +1 800 675 0297 x101
AUS Direct: +61 3 8594 2265
AUS Toll Free: +61 1800 931 724 x101
Fax: +1.815-301-5570
Michael.Williams@glexia.com
https://www.glexia.com/
https://www.glexia.com.au/

*Legal Notice:*
The information in this electronic mail message is the sender's
confidential business and may be legally privileged. It is intended solely
for the addressee(s). Access to this internet electronic mail message by
anyone else is unauthorized. If you are not the intended recipient, any
disclosure, copying, distribution or any action taken or omitted to be
taken in reliance on it is prohibited and may be unlawful.



On Thu, Sep 12, 2019 at 3:33 PM Adrián Mihálko <adriankoooo@gmail.com>
wrote:

> I am trying to route between multiple WG interfaces.
>
> On my primary server:
>
> wg0.conf:
>
> [Interface]
> Address = 192.168.6.4/24
> ListenPort = 51820
> PrivateKey =
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j
> ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i
> -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> [Peer]
> PublicKey =
> AllowedIPs = 192.168.6.1/32, 192.168.1.0/24
> Endpoint = xy.com:51820
>
> wg1.conf:
>
> [Interface]
> Address = 192.168.9.1/24
> ListenPort = 51821
> PrivateKey =
>
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j
> ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i
> -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> [Peer]
> PublicKey =
> AllowedIPs = 192.168.9.3/32
>
> ---
>
> With wg0 I am connecting to an other server (xy.com:51820). On wg1 I am
> accepting client connections.
>
> On this server I can ping everything, so connection is working well.
>
> ping 192.168.6.1 - works
> ping 192.168.1.xxx - works
>
> ping 192.168.9.3 - works
>
> ---
>
> Now I am connecting my client to this server (client 192.168.9.3):
>
> [Interface]
> PrivateKey =
> Address = 192.168.9.3/24
> DNS = 192.168.9.1
>
> [Peer]
> PublicKey =
> AllowedIPs = 192.168.9.1/32, 192.168.1.0/24
> Endpoint = primaryserver:51821
>
>
> I can ping server 192.168.9.1 as expected, but I am unable to ping any of
> my devices in 192.168.1.0/24.
>
> Anyone knows what's the problem here?
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>

[-- Attachment #1.2: Type: text/html, Size: 8590 bytes --]

[-- Attachment #2: Type: text/plain, Size: 148 bytes --]

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard