!DyNqdIXIPmvFJVpIJJ:matrix.org

WireGuard

468 Members, 68 Servers
Unofficial matrix channel about wireguard related stuff. Everything about installation, administration and usage can be discussed here! Wireguard - the fast, modern, secure VPN tunnel

5 Oct 2022
@drpsydo:matrix.org drpsydo

Hello,
I'm trying to set up a site to site configuration with wireguard, but seem to have some sort of routing problem.
Site A doesn't allow its ports to be accessible from the internet, while site B does. I essentially want to access the client's network from the server side.
Site A is on subnet 192.168.1.0/24 while site B is on subnet 192.168.2.0/24.

Site A does have a wireguard client with the following config:

[Interface]
PrivateKey = <some-privatekey>
Address = 10.220.2.3/32
DNS = 192.168.2.1

[Peer]
PublicKey = <some-publickey>
Endpoint = <some-ip>:<some-port>
AllowedIPs = 10.220.2.1/32

The Server on site B has the following configuration:

[Interface]
# Set the IP range that client devices will receive an IP in
Address = 10.220.2.1/24
# The port that will be used to listen to connections. 51820 is the default.
ListenPort = <some-port>
# server's private key.
PrivateKey = <some-privatekey>

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE

#wireguard client on site A, 192.168.1.253/24
[Peer]
PublicKey = <some-publickey>
AllowedIPs = 10.220.2.3/32, 192.168.1.0/24
PersistentKeepalive = 15

I can reach the server's network without any problems, but the client network is out of reach..

I would be very thankful if someone could help me with this.

16:51:20
@drpsydo:matrix.org drpsydo
[attachment: client.png]
16:53:39
@drpsydo:matrix.org drpsydo
[attachment: server.png]
16:53:53
@drpsydo:matrix.org drpsydo
Now it is readable, sorry, first time using matrix xD
16:54:33
@drpsydo:matrix.org drpsydo
This is the routing table on the server:

root@v-vpn-21:/etc/wireguard# ip route
default via 192.168.2.1 dev ens18 proto static
10.220.2.0/24 dev wg0 proto kernel scope link src 10.220.2.1
192.168.1.0/24 dev wg0 scope link
192.168.2.0/24 dev ens18 proto kernel scope link src 192.168.2.52

Even though I have a route to the 192.168.1.0/24 subnet via the wireguard tunnel, I can't ping the client network. So I think maybe something is wrong with the iptables rules?
20:06:15
6 Oct 2022
@wsloan:848.sh Xanarin
drpsydo: Are the failed pings happening with 192.168.1.253, the address that's assigned to the Wireguard node on site A, or a different IP address on the 192.168.1.0/24 subnet?
03:10:19
@drpsydo:matrix.org drpsydo
I can ping site B with the client (192.168.1.253) in site A. But the server in site B (192.168.2.52) can't ping the client in site A.
06:58:52
@wsloan:848.sh Xanarin
drpsydo: Well, the first thing that I'm noticing is that the AllowedIPs directive in the client's config does not contain 192.168.2.0/24, which may be the issue if the ping packet has a source IP of 192.168.2.52. However, if the ping packet has a source IP of 10.220.2.1 then this isn't the issue.
16:24:22
@drpsydo:matrix.org drpsydo
That might be the issue. I will check this and try using ping -S to get the source IP right.
16:33:06
@drpsydo:matrix.org drpsydo
The ping from the server (192.168.2.52) to the client (192.168.1.253) is not working even after I have added the 192.168.2.0/24 subnet to the AllowedIPs of the client. The server also can't ping the client from 10.220.2.1 to 192.168.1.253. The only client IP I can ping from both server IPs is the one the client has as its wireguard address (10.220.2.3). I've enabled net.ipv4.ip_forward=1 on the client, without any change.
18:44:44