WireGuard Archive on lore.kernel.org
* Wireguard behind NAT
@ 2018-03-12 11:22 Adrián Mihálko
  2018-04-14  2:06 ` Jason A. Donenfeld
  0 siblings, 1 reply; 9+ messages in thread
From: Adrián Mihálko @ 2018-03-12 11:22 UTC (permalink / raw)
  To: wireguard

Is there any way to connect to Wireguard behind a Carrier-grade NAT? I have
a backup LTE connection, without proper public ip + I have a home server
with Wireguard.

SIDE_A = LTE connection, without public IP, NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)

SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, no public ip)

Best regards,
Adrian


* Re: Wireguard behind NAT
  2018-03-12 11:22 Wireguard behind NAT Adrián Mihálko
@ 2018-04-14  2:06 ` Jason A. Donenfeld
  0 siblings, 0 replies; 9+ messages in thread
From: Jason A. Donenfeld @ 2018-04-14  2:06 UTC (permalink / raw)
  To: Adrián Mihálko; +Cc: WireGuard mailing list

If you can have SIDE_A connect to SIDE_B and enable
persistent-keepalive, that should take care of things mostly. If you
can't do that for whatever reason, there are hole punching tricks like
[1] and [2].

[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching
[2] https://github.com/manuels/wireguard-p2p


* Re: Wireguard behind NAT
  2018-09-02 19:51 Adrián Mihálko
  2018-09-07  3:39 ` Jason A. Donenfeld
@ 2018-09-07 15:17 ` Steven Honson
  1 sibling, 0 replies; 9+ messages in thread
From: Steven Honson @ 2018-09-07 15:17 UTC (permalink / raw)
  To: Adrián Mihálko; +Cc: wireguard

Hi Adrian,

As SIDE_B has a public IP address, the example you give should work fine. In this case, SIDE_A will establish a connection with SIDE_B which effectively punches a NAT hole for return traffic from SIDE_B to SIDE_A.

When configuring the SIDE_A peer on SIDE_B, just leave EndPoint unset.

Inversely, when configuring the SIDE_B peer on SIDE_A, use the dynamic DNS name (and the port that SIDE_B is listening on).

The NAT Hole Punching example Jason provided is more applicable to situations where both WireGuard peers are NATed. In your example it sounds like this is only the case for SIDE_A.

Cheers,
Steven

> On 3 Sep 2018, at 5:51 am, Adrián Mihálko <adriankoooo@gmail.com> wrote:
> 
> Is there any way to connect to Wireguard behind a Carrier-grade NAT? 
> 
> On SIDE_A I have a backup LTE connection, without proper public ip, only dynamic ip and I server with Wireguard. 
> 
> SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT 
> SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org <http://sideb.dyndns.org/>) 
> 
> SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org <http://sideb.dyndns.org/>) 
> SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip on SIDE_A) 
> 
> 
> Best regards, 
> Adrian

* Re: Wireguard behind NAT
  2018-09-02 19:51 Adrián Mihálko
@ 2018-09-07  3:39 ` Jason A. Donenfeld
  2018-09-07 15:17 ` Steven Honson
  1 sibling, 0 replies; 9+ messages in thread
From: Jason A. Donenfeld @ 2018-09-07  3:39 UTC (permalink / raw)
  To: Adrián Mihálko; +Cc: WireGuard mailing list

https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching


* Re: Wireguard behind NAT
  2018-09-03 10:55   ` Roman Mamedov
@ 2018-09-03 10:59     ` Ole-Morten Duesund
  0 siblings, 0 replies; 9+ messages in thread
From: Ole-Morten Duesund @ 2018-09-03 10:59 UTC (permalink / raw)
  Cc: wireguard

On 9/3/18 12:55 PM, Roman Mamedov wrote:
> On Mon, 3 Sep 2018 12:43:19 +0200
> Ole-Morten Duesund <olemd@glemt.net> wrote:
> 
>> Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER
>> should keep the connection up.
> 
> Do you encounter any difference between 5, 25 and 55, only 5 works for you? If
> not, setting it to such a low interval seems wasteful, especially on
> LTE/mobile with possibly metered bandwidth and battery concerns.

"It works for me?" It's a balance between how long you're willing to 
wait for a possibly idle link if you need to connect from SIDE_B to SIDE_A.

It's tunable and you should probably test what's acceptable to you.

- OM


* Re: Wireguard behind NAT
  2018-09-03 10:43 ` Ole-Morten Duesund
@ 2018-09-03 10:55   ` Roman Mamedov
  2018-09-03 10:59     ` Ole-Morten Duesund
  0 siblings, 1 reply; 9+ messages in thread
From: Roman Mamedov @ 2018-09-03 10:55 UTC (permalink / raw)
  To: Ole-Morten Duesund; +Cc: wireguard

On Mon, 3 Sep 2018 12:43:19 +0200
Ole-Morten Duesund <olemd@glemt.net> wrote:

> Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER 
> should keep the connection up.

Do you encounter any difference between 5, 25 and 55, only 5 works for you? If
not, setting it to such a low interval seems wasteful, especially on
LTE/mobile with possibly metered bandwidth and battery concerns.

-- 
With respect,
Roman


* Re: Wireguard behind NAT
  2018-09-03 10:28 Adrián Mihálko
@ 2018-09-03 10:43 ` Ole-Morten Duesund
  2018-09-03 10:55   ` Roman Mamedov
  0 siblings, 1 reply; 9+ messages in thread
From: Ole-Morten Duesund @ 2018-09-03 10:43 UTC (permalink / raw)
  To: wireguard

On 9/3/18 12:28 PM, Adrián Mihálko wrote:
> Is there any way to connect to Wireguard behind a Carrier-grade NAT?
> 
> On SIDE_A I have a backup LTE connection, without proper public ip, only 
> dynamic ip and I server with Wireguard.
> 
> SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
> SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org 
> <http://sideb.dyndns.org/>)
> 
> SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org 
> <http://sideb.dyndns.org/>)
> SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public 
> ip on SIDE_A)
> 
> I heard of Wireguard-P2P, but it's not running on headless server, 
> because one of their component requires x11.

This is pretty much the same as I have - and while SIDE_B_SERVER won't 
be able to establish connection to SIDE_A_SERVER, SIDE_A_SERVER should 
have no problems establishing a connection to SIDE_B_SERVER.

Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER 
should keep the connection up.

- OM
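
Added example, not part of any message in this thread and not taken from the WireGuard project: a wg-quick style config pair for the one-sided NAT case, combining the "SIDE_A connects to SIDE_B" and PersistentKeepalive advice above with Steven Honson's advice to leave the endpoint unset on SIDE_B. The tunnel addresses (10.0.0.0/24), UDP port 51820 and the key placeholders are assumptions.

```ini
# ---- SIDE_A_SERVER: /etc/wireguard/wg0.conf (LTE, behind carrier-grade NAT) ----
[Interface]
# Placeholder: SIDE_A's own private key
PrivateKey = <SIDE_A_PRIVATE_KEY>
# Assumed tunnel address
Address = 10.0.0.1/24
# No ListenPort: SIDE_A only ever initiates, so any source port will do.

[Peer]
# SIDE_B_SERVER, reachable on its public address
PublicKey = <SIDE_B_PUBLIC_KEY>
# DDNS name from the thread plus SIDE_B's listening port (port is assumed)
Endpoint = sideb.dyndns.org:51820
# Only accept and route SIDE_B's tunnel address through this peer
AllowedIPs = 10.0.0.2/32
# Send a keepalive every 25 s so the NAT mapping stays open and SIDE_B can
# reach SIDE_A while the link is idle. The thread discusses 5, 25 and 55;
# shorter reopens an expired mapping sooner, longer costs less LTE traffic.
PersistentKeepalive = 25

# ---- SIDE_B_SERVER: /etc/wireguard/wg0.conf (VDSL, public IP) ----
[Interface]
# Placeholder: SIDE_B's own private key
PrivateKey = <SIDE_B_PRIVATE_KEY>
# Assumed tunnel address
Address = 10.0.0.2/24
# Must match the port in SIDE_A's Endpoint and be allowed through
# SIDE_B's firewall for inbound UDP
ListenPort = 51820

[Peer]
# SIDE_A_SERVER
PublicKey = <SIDE_A_PUBLIC_KEY>
# Only accept and route SIDE_A's tunnel address through this peer
AllowedIPs = 10.0.0.1/32
# Endpoint left unset: SIDE_B learns SIDE_A's current NAT address and port
# from the source of SIDE_A's authenticated packets.
# No PersistentKeepalive here: SIDE_B has nothing to keep open.
```

The Endpoint hostname is resolved when the configuration is applied, so if SIDE_B's dynamic address changes, SIDE_A has to set the endpoint again before it can reconnect.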


* Wireguard behind NAT
@ 2018-09-03 10:28 Adrián Mihálko
  2018-09-03 10:43 ` Ole-Morten Duesund
  0 siblings, 1 reply; 9+ messages in thread
From: Adrián Mihálko @ 2018-09-03 10:28 UTC (permalink / raw)
  To: wireguard

Is there any way to connect to Wireguard behind a Carrier-grade NAT?

On SIDE_A I have a backup LTE connection, without proper public ip, only
dynamic ip and I server with Wireguard.

SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)

SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip
on SIDE_A)

I heard of Wireguard-P2P, but it's not running on headless server, because
one of their component requires x11.


Best regards,
Adrian


* Wireguard behind NAT
@ 2018-09-02 19:51 Adrián Mihálko
  2018-09-07  3:39 ` Jason A. Donenfeld
  2018-09-07 15:17 ` Steven Honson
  0 siblings, 2 replies; 9+ messages in thread
From: Adrián Mihálko @ 2018-09-02 19:51 UTC (permalink / raw)
  To: wireguard

Is there any way to connect to Wireguard behind a Carrier-grade NAT?

On SIDE_A I have a backup LTE connection, without proper public ip, only
dynamic ip and I server with Wireguard.

SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)

SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip
on SIDE_A)


Best regards,
Adrian
