WireGuard Archive on lore.kernel.org
* Routing between multiple wg interfaces
From: Adrián Mihálko @ 2019-09-12 19:27 UTC (permalink / raw)
  To: wireguard


I am trying to route between multiple WG interfaces.

On my primary server:

wg0.conf:

[Interface]
Address = 192.168.6.4/24
ListenPort = 51820
PrivateKey =
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey =
AllowedIPs = 192.168.6.1/32, 192.168.1.0/24
Endpoint = xy.com:51820

wg1.conf:

[Interface]
Address = 192.168.9.1/24
ListenPort = 51821
PrivateKey =

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey =
AllowedIPs = 192.168.9.3/32

---

With wg0 I am connecting to another server (xy.com:51820). On wg1 I am
accepting client connections.

On this server I can ping everything, so connection is working well.

ping 192.168.6.1 - works
ping 192.168.1.xxx - works

ping 192.168.9.3 - works

---

Now I am connecting my client to this server (client 192.168.9.3):

[Interface]
PrivateKey =
Address = 192.168.9.3/24
DNS = 192.168.9.1

[Peer]
PublicKey =
AllowedIPs = 192.168.9.1/32, 192.168.1.0/24
Endpoint = primaryserver:51821


I can ping server 192.168.9.1 as expected, but I am unable to ping any of
my devices in 192.168.1.0/24.

Does anyone know what the problem is here?



_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Routing between multiple wg interfaces
From: Michael B. Williams @ 2019-09-12 20:35 UTC (permalink / raw)
  To: Adrián Mihálko; +Cc: wireguard


I'm a bit confused about your configuration files - could you organize them
better and present them together with the underlying host each is on? From
the question, it's unclear whether there are multiple WireGuard servers or a
single server. I see you reference pinging 192.168.1.0/24 but I do not see
any configuration showing that CIDR.

You may need a masquerade or SNAT for your WireGuard (wg0/wg1) interface.
Otherwise, the forwarded packets will be from an invalid range/host and
discarded depending on the exact configuration.

I.e. if your traffic is coming into the server from client -> wg1 but
leaving (forwarding) to wg0 then you'll need a masquerade on wg0:

iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

------------------------------

*Michael B. Williams*
Glexia, Inc. - An IT Company
USA Direct: +1 978 477 6797
USA Toll Free: +1 800 675 0297 x101
AUS Direct: +61 3 8594 2265
AUS Toll Free: +61 1800 931 724 x101
Fax: +1.815-301-5570
Michael.Williams@glexia.com
https://www.glexia.com/
https://www.glexia.com.au/

*Legal Notice:*
The information in this electronic mail message is the sender's
confidential business and may be legally privileged. It is intended solely
for the addressee(s). Access to this internet electronic mail message by
anyone else is unauthorized. If you are not the intended recipient, any
disclosure, copying, distribution or any action taken or omitted to be
taken in reliance on it is prohibited and may be unlawful.



On Thu, Sep 12, 2019 at 3:33 PM Adrián Mihálko <adriankoooo@gmail.com>
wrote:

> I am trying to route between multiple WG interfaces.
>
> On my primary server:
>
> wg0.conf:
>
> [Interface]
> Address = 192.168.6.4/24
> ListenPort = 51820
> PrivateKey =
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> [Peer]
> PublicKey =
> AllowedIPs = 192.168.6.1/32, 192.168.1.0/24
> Endpoint = xy.com:51820
>
> wg1.conf:
>
> [Interface]
> Address = 192.168.9.1/24
> ListenPort = 51821
> PrivateKey =
>
> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>
> [Peer]
> PublicKey =
> AllowedIPs = 192.168.9.3/32
>
> ---
>
> With wg0 I am connecting to another server (xy.com:51820). On wg1 I am
> accepting client connections.
>
> On this server I can ping everything, so connection is working well.
>
> ping 192.168.6.1 - works
> ping 192.168.1.xxx - works
>
> ping 192.168.9.3 - works
>
> ---
>
> Now I am connecting my client to this server (client 192.168.9.3):
>
> [Interface]
> PrivateKey =
> Address = 192.168.9.3/24
> DNS = 192.168.9.1
>
> [Peer]
> PublicKey =
> AllowedIPs = 192.168.9.1/32, 192.168.1.0/24
> Endpoint = primaryserver:51821
>
>
> I can ping server 192.168.9.1 as expected, but I am unable to ping any of
> my devices in 192.168.1.0/24.
>
> Does anyone know what the problem is here?
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>


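Michael's point about why the forwarded packets are discarded, worked through as an added example (not code from the thread or from WireGuard): a small Python model of cryptokey routing on the thread's topology. It assumes xy.com lists the primary server as a peer with AllowedIPs = 192.168.6.4/32, which the thread does not show.

```python
"""Model of the forwarding path in this thread (an added example, not code
from the thread or from WireGuard). Cryptokey routing uses AllowedIPs twice:
outbound, a packet goes to the peer whose AllowedIPs covers its destination;
inbound, a decrypted packet is dropped unless its source lies inside the
sending peer's AllowedIPs. Assumption not shown in the thread: xy.com lists
the primary server as a peer with AllowedIPs = 192.168.6.4/32 (its wg0 address).
"""
from ipaddress import ip_address, ip_network

PRIMARY_WG0 = {"xy": ["192.168.6.1/32", "192.168.1.0/24"]}  # from wg0.conf
PRIMARY_WG1 = {"client": ["192.168.9.3/32"]}                 # from wg1.conf
REMOTE_WG0 = {"primary": ["192.168.6.4/32"]}                 # assumption
PRIMARY_WG0_ADDR = "192.168.6.4"
NAT_TABLE = {}  # conntrack stand-in: (wire_src, dst) -> original src


def select_peer(table, dst):
    """Outbound cryptokey routing: peer with the longest AllowedIPs prefix covering dst."""
    best = None
    for peer, nets in table.items():
        for net in map(ip_network, nets):
            if ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None


def accept_inbound(table, peer, src):
    """Inbound check: keep a decrypted packet only if src is in the peer's AllowedIPs."""
    return any(ip_address(src) in ip_network(n) for n in table[peer])


def forward_client_packet(src, dst, masquerade_wg0):
    """A client packet arrives on wg1 and is forwarded out wg0 towards xy.com."""
    if select_peer(PRIMARY_WG0, dst) is None:
        return "no-route"
    # MASQUERADE on wg0 (the thread's configs only masquerade on eth0) rewrites
    # the source to the wg0 address before WireGuard encrypts the packet.
    wire_src = PRIMARY_WG0_ADDR if masquerade_wg0 else src
    if masquerade_wg0:
        NAT_TABLE[(wire_src, dst)] = src
    if not accept_inbound(REMOTE_WG0, "primary", wire_src):
        return "dropped-by-remote"  # 192.168.9.3 is not in xy.com's AllowedIPs
    return "delivered"


def route_reply(src, dst):
    """The reply returns over wg0; conntrack reverses the NAT, then wg1 carries it."""
    if not accept_inbound(PRIMARY_WG0, "xy", src):
        return "dropped-by-primary"
    original_dst = NAT_TABLE.get((dst, src), dst)
    if original_dst == PRIMARY_WG0_ADDR:
        return "local"  # the server's own ping, which the thread says works
    return select_peer(PRIMARY_WG1, original_dst) or "no-route"
```

Without the wg0 masquerade the client's packet reaches xy.com with source 192.168.9.3 and fails the inbound AllowedIPs check there; with it, the source becomes 192.168.6.4 and the reply is un-NATed back to the wg1 peer.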
