WireGuard Archive on lore.kernel.org
Subject: Accessing Network on each Wireguard Peer
From: Cobin Bluth @ 2018-08-07 13:02 UTC
To: wireguard


Hi Wireguard Fans,

Here is my wireguard setup, please see the following:
https://gist.github.com/cbluth/d5bd1c5746c976fef73fb5ab4e67b355

I have three physical nodes: Host1, Host2, Host3, all of which have a
public interface.
I would like to protect/encrypt the communications between all the hosts.
I have a working setup of IPSec+vxlan, and I would like to migrate to
wireguard.

Each host runs kvm/libvirtd and hosts a number of virtual machine guests,
each with its own network.
Everything in my wireguard setup seems to be working well, and it seems
quite fast.
With this wireguard configuration, VM guests on Host1, located inside
192.168.1.0/24, can ping guests located on Host2 (192.168.2.0/24) and Host3
(192.168.3.0/24), and vice versa.

The only thing that I can't get to work properly, is that I need to be able
to reach any guest from Host1, because Host1 is my bastion entrypoint into
the network; for example, Host1 itself cannot ping to guests on Host2, but
guests on Host1 *CAN* ping guests on Host2. I can ping any virbr0 interface
from any physical host, but I cannot ping the guests behind each virbr0 in
the libvirt network.

I assume it is an issue with routing, but I am not sure, and I am hoping
that someone can assist me.
But one thing that I have noticed is that the gateway to each peer's guest
network is different between my vxlan configuration and what wireguard
provides.

Here are the working routes when my network is using ipsec+vxlan:

root@host1 ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 enp0s31f6
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 enp0s31f6
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 vxlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.2.0     172.16.1.2      255.255.255.0   UG    0      0        0 vxlan0
192.168.3.0     172.16.1.3      255.255.255.0   UG    0      0        0 vxlan0
192.168.4.0     172.16.1.4      255.255.255.0   UG    0      0        0 vxlan0
192.168.5.0     172.16.1.5      255.255.255.0   UG    0      0        0 vxlan0
192.168.6.0     172.16.0.6      255.255.255.0   UG    0      0        0 vxlan0
root@host1 ~ #


Here are the routes after bringing up wireguard:

root@host1 ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 enp0s31f6
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 enp0s31f6
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
root@host1 ~ #


Here is a tracepath with wireguard installed/running.

root@host1 ~ # tracepath 192.168.2.1
 1?: [LOCALHOST]                      pmtu 1420
 1:  192.168.2.1                                           1.282ms reached
 1:  192.168.2.1                                           1.069ms reached
     Resume: pmtu 1420 hops 1 back 1
root@host1 ~ # tracepath 192.168.2.143
 1?: [LOCALHOST]                      pmtu 1420
 1:  172.16.1.2                                            0.754ms
 1:  172.16.1.2                                            0.679ms
 2:  no reply
 3:  no reply
^C
root@host1 ~ #

To reiterate, the wireguard setup is working well, except pinging remote
guests located on each peer.
Is there something I am doing wrong? Is wireguard a good solution to my
network scenario?

Thanks,

-Cobin
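The following is an added example and is not the configuration from the author's gist nor WireGuard project code. It is a wg-quick configuration for a three-host mesh like the one described in the message, with placeholder keys, hostnames and ports; the tunnel addresses 172.16.1.1, 172.16.1.2 and 172.16.1.3 and the guest subnets 192.168.N.0/24 are taken from the routing tables above. It illustrates why the wg0 routes have no gateway: WireGuard selects the peer for an outgoing packet by its AllowedIPs (cryptokey routing) rather than by a next-hop address, and the same list is the only set of source addresses WireGuard will accept from that peer after decryption. So a peer's entry has to carry both its tunnel address and the guest subnet behind its virbr0, and the mirror entry on the other host has to carry Host1's tunnel address, because a ping sent by Host1 itself leaves wg0 with source 172.16.1.1 and the guest's reply is addressed there.

```ini
# /etc/wireguard/wg0.conf on Host1 (added example; keys, hostnames and the
# port are placeholders; tunnel addresses assumed from the routing tables)
[Interface]
Address    = 172.16.1.1/24        # installs 172.16.1.0/24 dev wg0, as seen above
ListenPort = 51820
PrivateKey = <host1-private-key>

# Host2: its tunnel address plus the libvirt guest network behind its virbr0.
# wg-quick adds an on-link route via wg0 for every AllowedIPs prefix, and
# WireGuard drops decrypted packets whose source falls outside this list.
[Peer]
PublicKey  = <host2-public-key>
Endpoint   = host2.example.net:51820
AllowedIPs = 172.16.1.2/32, 192.168.2.0/24

[Peer]
PublicKey  = <host3-public-key>
Endpoint   = host3.example.net:51820
AllowedIPs = 172.16.1.3/32, 192.168.3.0/24

# /etc/wireguard/wg0.conf on Host2 (the mirror image). Host1's entry must
# cover 172.16.1.1/32 as well as 192.168.1.0/24: traffic from Host1 itself
# arrives with source 172.16.1.1, and replies from Host2's guests go back
# to that address over wg0.
[Interface]
Address    = 172.16.1.2/24
ListenPort = 51820
PrivateKey = <host2-private-key>

[Peer]
PublicKey  = <host1-public-key>
Endpoint   = host1.example.net:51820
AllowedIPs = 172.16.1.1/32, 192.168.1.0/24

[Peer]
PublicKey  = <host3-public-key>
Endpoint   = host3.example.net:51820
AllowedIPs = 172.16.1.3/32, 192.168.3.0/24
```

The message does not include the gist contents or the libvirt network mode, so the cause of the failing host-to-guest ping cannot be determined from the page alone. The checks a practitioner would run on the destination host (Host2 for the tracepath above) are: `wg show wg0 allowed-ips`, to confirm Host1's public key maps to both 172.16.1.1/32 and 192.168.1.0/24; `sysctl net.ipv4.ip_forward`, which must be 1; the FORWARD chain (`iptables -S FORWARD` or `nft list ruleset`), since a libvirt network in NAT mode installs rules that reject new connections entering virbr0 from other interfaces, whereas a routed-mode network does not; and finally the guest's own firewall, which may accept 192.168.0.0/16 sources but not 172.16.1.0/24.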

