wireguard.lists.zx2c4.com archive mirror
* Accessing Network on each Wireguard Peer
@ 2018-08-07 13:02 Cobin Bluth
From: Cobin Bluth @ 2018-08-07 13:02 UTC (permalink / raw)
  To: wireguard


Hi Wireguard Fans,

Here is my wireguard setup, please see the following:
https://gist.github.com/cbluth/d5bd1c5746c976fef73fb5ab4e67b355

I have three physical nodes; Host1, Host2, Host3, all of which have a
public interface.
I would like to protect/encrypt the communications between all the hosts.
I have a working setup of IPSec+vxlan, and I would like to migrate to
wireguard.

Each host runs kvm/libvirtd and hosts a number of virtual machine guests,
each with its own network.
Everything in my wireguard setup seems to be working well, and it seems
quite fast.
With this wireguard configuration, VM guests on Host1, located inside
192.168.1.0/24, can ping guests located on Host2 (192.168.2.0/24) and Host3
(192.168.3.0/24), and vice versa.

The only thing that I can't get to work properly is that I need to be able
to reach any guest from Host1, because Host1 is my bastion entrypoint into
the network; for example, Host1 itself cannot ping guests on Host2, but
guests on Host1 *CAN* ping guests on Host2. I can ping any virbr0 interface
from any physical host, but I cannot ping the guests behind each virbr0 in
the libvirt network.

I assume it is an issue with routing, but I am not sure, and I am hoping
that someone can assist me.
But one thing that I have noticed is that the gateway to each peer's guest
network is different between my vxlan configuration and what wireguard
provides.

Here are the working routes when my network is using ipsec+vxlan:

root@host1 ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 enp0s31f6
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 enp0s31f6
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 vxlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.2.0     172.16.1.2      255.255.255.0   UG    0      0        0 vxlan0
192.168.3.0     172.16.1.3      255.255.255.0   UG    0      0        0 vxlan0
192.168.4.0     172.16.1.4      255.255.255.0   UG    0      0        0 vxlan0
192.168.5.0     172.16.1.5      255.255.255.0   UG    0      0        0 vxlan0
192.168.6.0     172.16.0.6      255.255.255.0   UG    0      0        0 vxlan0
root@host1 ~ #


Here are the routes after bringing up wireguard:

root@host1 ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 enp0s31f6
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 enp0s31f6
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
root@host1 ~ #


Here is a tracepath with wireguard installed/running.

root@host1 ~ # tracepath 192.168.2.1
 1?: [LOCALHOST]                      pmtu 1420
 1:  192.168.2.1                                           1.282ms reached
 1:  192.168.2.1                                           1.069ms reached
     Resume: pmtu 1420 hops 1 back 1
root@host1 ~ # tracepath 192.168.2.143
 1?: [LOCALHOST]                      pmtu 1420
 1:  172.16.1.2                                            0.754ms
 1:  172.16.1.2                                            0.679ms
 2:  no reply
 3:  no reply
^C
root@host1 ~ #

To reiterate, the wireguard setup is working well, except pinging remote
guests located on each peer.
Is there something I am doing wrong? Is wireguard a good solution to my
network scenario?

Thanks,

-Cobin
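Editor's note on the scenario above. A WireGuard peer's AllowedIPs list does two jobs at once: on egress it is the routing table that picks which peer a destination is encrypted to, and on ingress it is an allow-list, so a decrypted packet is dropped silently unless its source address belongs to the peer it arrived from (cryptokey routing). That is why the two cases contrasted in the post deserve a second look: they differ only in source address, since Host1's own pings leave wg0 sourced from 172.16.1.1 while its guests' pings are sourced from 192.168.1.x. The script below is an added example written for this page, not code from the post or from the linked gist; it parses a constructed wg-quick style config for Host2 (placeholder keys, hostnames under .invalid, prefixes following the addressing in the post) and simulates Host2's cryptokey lookups for a request and its reply, showing how a peer entry that covers only the guest network lets guest-to-guest traffic through while dropping host-to-guest traffic, and how the same lookup rejects a peer that sends from another peer's prefix. One caveat from the tracepath quoted in the post: 172.16.1.2 answers at hop 1, which means Host2 did accept the packet from 172.16.1.1 and its reply reached Host1, so this particular check passes there; with that ruled out, the forwarding rules libvirt installs on virbr0 and the guest's return route are the next places to look.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of Host2's wg0 config (wg-quick style). This is NOT the
# poster's gist: keys are placeholders, endpoints use a reserved TLD, and the
# prefixes follow the addressing described in the post.
HOST2_CONF = """
[Interface]
Address = 172.16.1.2/24
ListenPort = 51820
PrivateKey = <host2-private-key-placeholder>

[Peer]
# host1: its tunnel address plus the guest network behind its virbr0
PublicKey = <host1-public-key-placeholder>
AllowedIPs = 172.16.1.1/32, 192.168.1.0/24
Endpoint = host1.example.invalid:51820

[Peer]
# host3
PublicKey = <host3-public-key-placeholder>
AllowedIPs = 172.16.1.3/32, 192.168.3.0/24
Endpoint = host3.example.invalid:51820
"""

# Same config with a common mistake: Host1's own tunnel address left out.
HOST2_CONF_MISSING = HOST2_CONF.replace(
    "AllowedIPs = 172.16.1.1/32, 192.168.1.0/24", "AllowedIPs = 192.168.1.0/24")

HOST1_KEY = "<host1-public-key-placeholder>"
HOST3_KEY = "<host3-public-key-placeholder>"

Route = Tuple[ipaddress.IPv4Network, str]


def parse_peers(conf: str) -> List[Dict[str, str]]:
    """Split an INI-style WireGuard config into its [Peer] sections."""
    sections: List[Dict[str, str]] = []
    section: Optional[Dict[str, str]] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = {"_type": line[1:-1]}
            sections.append(section)
            continue
        if section is None:
            continue
        key, _, value = line.partition("=")
        section[key.strip()] = value.strip()
    return [s for s in sections if s["_type"] == "Peer"]


def cryptokey_table(conf: str) -> List[Route]:
    """Flatten every peer's AllowedIPs into (prefix, peer public key) pairs."""
    table: List[Route] = []
    for peer in parse_peers(conf):
        for pfx in peer.get("AllowedIPs", "").split(","):
            pfx = pfx.strip()
            if pfx:
                table.append((ipaddress.ip_network(pfx, strict=False), peer["PublicKey"]))
    return table


def lookup(table: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match over AllowedIPs; None means no peer owns addr."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, peer in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return best[1] if best else None


def egress_peer(table: List[Route], dst: str) -> Optional[str]:
    """Egress: which peer a packet to dst is encrypted for (None = not sent)."""
    return lookup(table, dst)


def ingress_ok(table: List[Route], from_peer: str, src: str) -> bool:
    """Ingress: a decrypted packet is kept only if src belongs to from_peer."""
    return lookup(table, src) == from_peer


def check_round_trip(conf: str, from_peer: str, src: str) -> Tuple[bool, bool]:
    """Simulate a request from src arriving over wg0 from from_peer, then the
    reply going back to src. Returns (request accepted, reply routed to from_peer)."""
    table = cryptokey_table(conf)
    accepted = ingress_ok(table, from_peer, src)
    reply_goes_to = egress_peer(table, src)
    return accepted, reply_goes_to == from_peer


if __name__ == "__main__":
    for label, conf in (("complete", HOST2_CONF), ("missing /32", HOST2_CONF_MISSING)):
        for src in ("172.16.1.1", "192.168.1.50"):
            print(label, "src", src, "->", check_round_trip(conf, HOST1_KEY, src))
    # A peer may not send from another peer's prefix: the lookup rejects it.
    print("host3 spoofing 192.168.1.5:", ingress_ok(cryptokey_table(HOST2_CONF), HOST3_KEY, "192.168.1.5"))
```

On a live host the same two lookups are what `wg show wg0 allowed-ips` and `ip route get <addr>` answer, and a quick way to spot the asymmetry is to compare a ping sourced from the tunnel address with one sourced from a guest network address (`ping -I 172.16.1.1` versus `ping -I 192.168.1.1`) from the bastion.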
