
Re: Wireguard on Bullseye



On 12/6/2021 10:22 PM, Charles Curley wrote:
On Mon, 6 Dec 2021 14:59:45 -0500
Dan Ritter <dsr@randomstring.org> wrote:

So iorich here is allowed to construct a tunnel to hawk, but no IPs
from hawk are allowed...

Add 10.0.2.1 to iorich's understanding of hawk's allowed ips.

Thanks. That helped, I think.

I added

AllowedIPs = 0.0.0.0/0

to iorich's (the client) configuration in the peer section. Now:

root@iorich:/etc/wireguard# wg
interface: wg0
   public key: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
   private key: (hidden)
   listening port: 41490
   fwmark: 0xca6c

peer: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
   endpoint: 72.36.20.38:55820
   allowed ips: 0.0.0.0/0
   latest handshake: 1 minute, 23 seconds ago
   transfer: 1.87 KiB received, 11.31 KiB sent
root@iorich:/etc/wireguard# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.

--- 10.0.2.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4089ms

root@iorich:/etc/wireguard# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.31  0.0.0.0         UG    600    0        0 wls3
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wls3
192.168.100.0   0.0.0.0         255.255.255.0   U     600    0        0 wls3
192.168.122.0   192.168.100.6   255.255.255.0   UG    600    0        0 wls3
192.168.124.0   192.168.100.16  255.255.255.0   UG    600    0        0 wls3
root@iorich:/etc/wireguard# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
         inet 10.0.2.2  netmask 255.255.255.0  destination 10.0.2.2
         inet6 fc00:23:5::2  prefixlen 64  scopeid 0x0<global>
         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
         RX packets 59  bytes 3628 (3.5 KiB)
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 229  bytes 24840 (24.2 KiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@iorich:/etc/wireguard#

And on the server:

root@hawk:/etc/wireguard# wg
interface: wg0
   public key: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
   private key: (hidden)
   listening port: 55820

peer: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
   endpoint: 192.168.10.1:41490
   allowed ips: 10.0.2.0/24
   latest handshake: 1 minute, 43 seconds ago
   transfer: 9.81 KiB received, 2.02 KiB sent
root@hawk:/etc/wireguard# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.31  0.0.0.0         UG    0      0        0 enp3s0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.124.0   192.168.100.16  255.255.255.0   UG    0      0        0 enp3s0
root@hawk:/etc/wireguard# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
         RX packets 253  bytes 26204 (25.5 KiB)
         RX errors 10  dropped 0  overruns 0  frame 10
         TX packets 71  bytes 4132 (4.0 KiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@hawk:/etc/wireguard#

Ping isn't getting through, but at least it isn't complaining. Wg shows
data moving through the tunnel. I suspect a firewall/NATting issue, so I
will start tracking that down.


Looking at the logs should help you understand if it is a FW issue.

If you can not disable your firewall, allowing ping is a good idea!!! :)

CIDR notation is generally used when defining a subnet or an IP range,
but rarely when you need to access a specific IP.

--
John Doe
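The thread turns on WireGuard's cryptokey routing: a packet is only steered into the tunnel if its destination matches the peer's AllowedIPs, and the receiving side silently drops a decrypted packet whose source is not inside the AllowedIPs it has for that peer. The following script is an added example, not code from the thread or from the WireGuard project: it parses the `wg` output quoted above (copied here as constructed sample data, with an `allowed ips: (none)` variant reconstructed for the client's earlier state) and checks both halves of the ping mechanically. The function and variable names are this example's own.

```python
"""Cryptokey-routing check for a WireGuard tunnel (added example).

Parses the text that `wg` / `wg show` prints and answers the question:
can a packet SRC -> DST cross the tunnel from one peer to the other?
WireGuard's cryptokey routing imposes two conditions:

  * sender side:   DST must fall inside the AllowedIPs of the receiving
                   peer (that is how the packet is steered into the tunnel)
  * receiver side: SRC must fall inside the AllowedIPs of the sending
                   peer, otherwise the decrypted packet is dropped silently

The keys, addresses and `wg` output below are constructed sample data
copied from the mailing-list thread; nothing here touches a live interface.
"""
import ipaddress

IORICH_WG = """\
interface: wg0
  public key: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
  private key: (hidden)
  listening port: 41490
  fwmark: 0xca6c

peer: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
  endpoint: 72.36.20.38:55820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 23 seconds ago
  transfer: 1.87 KiB received, 11.31 KiB sent
"""

HAWK_WG = """\
interface: wg0
  public key: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
  private key: (hidden)
  listening port: 55820

peer: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
  endpoint: 192.168.10.1:41490
  allowed ips: 10.0.2.0/24
  latest handshake: 1 minute, 43 seconds ago
  transfer: 9.81 KiB received, 2.02 KiB sent
"""

# Constructed reconstruction of the client's earlier state, before
# AllowedIPs was added: the thread says no IPs from hawk were allowed.
IORICH_BEFORE_WG = IORICH_WG.replace("allowed ips: 0.0.0.0/0", "allowed ips: (none)")


def parse_wg(text):
    """Parse `wg` output into {'public_key': str, 'peers': {peer_key: [networks]}}."""
    state = {"public_key": None, "peers": {}}
    current = None  # None while inside the interface block, else the peer key
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            state["peers"][current] = []
        elif line.startswith("public key:") and current is None:
            state["public_key"] = line.split(":", 1)[1].strip()
        elif line.startswith("allowed ips:") and current is not None:
            value = line.split(":", 1)[1].strip()
            if value != "(none)":  # `wg` prints "(none)" for an empty list
                state["peers"][current] = [
                    ipaddress.ip_network(n.strip(), strict=False) for n in value.split(",")
                ]
    return state


def peer_for(state, addr):
    """Cryptokey-routing lookup: (peer_key, network) with the longest
    AllowedIPs prefix that contains addr, or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for key, nets in state["peers"].items():
        for net in nets:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (key, net)
    return best


def can_traverse(sender, receiver, src, dst):
    """Return (ok, reason) for one packet src -> dst from sender to receiver."""
    out = peer_for(sender, dst)
    if out is None:
        return False, f"{dst} matches no AllowedIPs on the sender: not routed into the tunnel"
    if out[0] != receiver["public_key"]:
        return False, f"{dst} is routed to a different peer ({out[0][:8]}...)"
    inn = peer_for(receiver, src)
    if inn is None or inn[0] != sender["public_key"]:
        return False, f"receiver drops it: {src} is not in the AllowedIPs it holds for the sender"
    return True, f"sender matched {out[1]}, receiver matched {inn[1]}"


def check_ping(a, b, a_ip, b_ip):
    """Check both halves of an ICMP echo: request a -> b, then reply b -> a."""
    req = can_traverse(a, b, a_ip, b_ip)
    rep = can_traverse(b, a, b_ip, a_ip)
    return {"request": req, "reply": rep, "ok": req[0] and rep[0]}


if __name__ == "__main__":
    hawk = parse_wg(HAWK_WG)
    for label, client in (("before fix", parse_wg(IORICH_BEFORE_WG)),
                          ("after fix", parse_wg(IORICH_WG))):
        result = check_ping(client, hawk, "10.0.2.2", "10.0.2.1")
        print(f"{label}: ok={result['ok']}")
        print("  request:", result["request"][1])
        print("  reply:  ", result["reply"][1])
```

With the quoted outputs both halves of the ping pass the cryptokey-routing test, which supports Charles's conclusion that whatever still blocks the echo sits outside WireGuard's own rules (kernel routing or the firewall; both `route -n` listings already carry a 10.0.2.0/24 route on wg0). One caveat worth keeping in mind from a hardening standpoint: under wg-quick, an `AllowedIPs = 0.0.0.0/0` entry on the client installs the fwmark-based policy routing visible as `fwmark: 0xca6c`, so all of the client's IPv4 traffic is sent through the tunnel, whereas the `10.0.2.1` (or `10.0.2.0/24`) entry Dan suggested admits only the tunnel network.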