wireguard.lists.zx2c4.com archive mirror
 help / color / mirror / Atom feed
* Access subnet behind server.
@ 2021-01-23 16:52 Ken D'Ambrosio
  2021-01-24 16:33 ` Roman Mamedov
  2021-01-24 17:37 ` ml-wireguard
  0 siblings, 2 replies; 3+ messages in thread
From: Ken D'Ambrosio @ 2021-01-23 16:52 UTC (permalink / raw)
  To: wireguard

Hey, all.  I'm relatively new to WireGuard, and have a RasPi at my house 
doing firewall duty.  Installed WG on it, and on a VPS, and am trying to 
get the VPS to access hosts on my home subnet.  So:

VPS <-192.168.50.0/24-> RasPi <--> [192.168.10.0/24]

And, clearly, I'm doing something wrong.

-----------------------------------------------------------
RasPi server/firewall:
[Interface]
Address = 192.168.50.1/24
SaveConfig = false
ListenPort = 51820
PrivateKey = XXX
[Peer]
PublicKey = XXX
AllowedIPs = 192.168.50.11/32

VPS:
[Interface]
Address = 192.168.50.11/24
PrivateKey = XXX
[Peer]
PublicKey = XXX
Endpoint = vpn.foo.bar:51820
AllowedIPs = 192.168.50.0/24,192.168.10.0/24
-----------------------------------------------------------

The client connects just fine, and it can talk to the server's VPN IP 
(192.168.50.1) as well as its internal interface (192.168.10.1).  
Likewise, the server can talk to 192.168.50.11.  But nothing gets inside 
to other 192.168.10.x hosts.  I do have forwarding set up for "all":

root@prouter:/proc# cat /proc/sys/net/ipv4/conf/all/forwarding
1

Note that the config files have gone through several permutations as I 
tried to figure this out, so there may be some dumb stuff, but totally 
open to suggestions right now.  I'm kinda stumped.  Note that a tcpdump 
on the RasPi shows the ping requests coming in, but not being forwarded 
to the internal interface, so I assume I'm just missing Something 
Dumb(tm) in WG land.

Thanks!

-Ken

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Access subnet behind server.
  2021-01-23 16:52 Access subnet behind server Ken D'Ambrosio
@ 2021-01-24 16:33 ` Roman Mamedov
  2021-01-24 17:37 ` ml-wireguard
  1 sibling, 0 replies; 3+ messages in thread
From: Roman Mamedov @ 2021-01-24 16:33 UTC (permalink / raw)
  To: Ken D'Ambrosio; +Cc: wireguard

On Sat, 23 Jan 2021 11:52:56 -0500
Ken D'Ambrosio <ken@jots.org> wrote:

> Hey, all.  I'm relatively new to WireGuard, and have a RasPi at my house 
> doing firewall duty.  Installed WG on it, and on a VPS, and am trying to 
> get the VPS to access hosts on my home subnet.  So:
> 
> VPS <-192.168.50.0/24-> RasPi <--> [192.168.10.0/24]
> 
> And, clearly, I'm doing something wrong.
> 
> -----------------------------------------------------------
> RasPi server/firewall:
> [Interface]
> Address = 192.168.50.1/24
> SaveConfig = false
> ListenPort = 51820
> PrivateKey = XXX
> [Peer]
> PublicKey = XXX
> AllowedIPs = 192.168.50.11/32
> 
> VPS:
> [Interface]
> Address = 192.168.50.11/24
> PrivateKey = XXX
> [Peer]
> PublicKey = XXX
> Endpoint = vpn.foo.bar:51820
> AllowedIPs = 192.168.50.0/24,192.168.10.0/24
> -----------------------------------------------------------
> 
> The client connects just fine, and it can talk to the server's VPN IP 
> (192.168.50.1) as well as its internal interface (192.168.10.1).  
> Likewise, the server can talk to 192.168.50.11.  But nothing gets inside 
> to other 192.168.10.x hosts.  I do have forwarding set up for "all":
> 
> root@prouter:/proc# cat /proc/sys/net/ipv4/conf/all/forwarding
> 1
> 
> Note that the config files have gone through several permutations as I 
> tried to figure this out, so there may be some dumb stuff, but totally 
> open to suggestions right now.  I'm kinda stumped.  Note that a tcpdump 
> on the RasPi shows the ping requests coming in, but not being forwarded 
> to the internal interface, so I assume I'm just missing Something 
> Dumb(tm) in WG land.

Did you allow forwarding in RPi's firewall? Post "iptables-save" from it.


-- 
With respect,
Roman

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Access subnet behind server.
  2021-01-23 16:52 Access subnet behind server Ken D'Ambrosio
  2021-01-24 16:33 ` Roman Mamedov
@ 2021-01-24 17:37 ` ml-wireguard
  1 sibling, 0 replies; 3+ messages in thread
From: ml-wireguard @ 2021-01-24 17:37 UTC (permalink / raw)
  To: Ken D'Ambrosio; +Cc: wireguard

Am 2021-01-23 17:52, schrieb Ken D'Ambrosio:
> The client connects just fine, and it can talk to the server's VPN IP 
> (192.168.50.1) as well as its internal interface (192.168.10.1).  
> Likewise, the server can talk to 192.168.50.11.  But nothing gets 
> inside to other 192.168.10.x hosts.  I do have forwarding set up for 
> "all":

Are the clients in the 192.168.10.0/24 net configured to send the anwser 
packets for 192.168.50.0/24 to the raspberry (eg is the raspberry the 
default gateway for 192.168.50.0/24)?


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-01-24 17:40 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-23 16:52 Access subnet behind server Ken D'Ambrosio
2021-01-24 16:33 ` Roman Mamedov
2021-01-24 17:37 ` ml-wireguard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).