SOLVED Re: Forwarding over wireguard
On Wed, 8 Dec 2021 13:30:45 -0700
Charles Curley wrote:

> I have a wireguard setup that lets me ping from either endpoint to the
> other. Using the client, I would like to address hosts on the home
> (server's) network by their local IP addresses.
>
> On the client, I can ping the other end of the tunnel, but not any
> local addresses. On the client:
>
> root@iorich:~# ping 192.168.100.30
> PING 192.168.100.30 (192.168.100.30) 56(84) bytes of data.
> From 10.0.2.3 icmp_seq=1 Destination Host Unreachable
> ping: sendmsg: Required key not available
> From 10.0.2.3 icmp_seq=2 Destination Host Unreachable
> ping: sendmsg: Required key not available
> From 10.0.2.3 icmp_seq=3 Destination Host Unreachable
> ping: sendmsg: Required key not available
> From 10.0.2.3 icmp_seq=4 Destination Host Unreachable
> ping: sendmsg: Required key not available
> From 10.0.2.3 icmp_seq=5 Destination Host Unreachable
> ping: sendmsg: Required key not available
>
> --- 192.168.100.30 ping statistics ---
> 5 packets transmitted, 0 received, +5 errors, 100% packet loss, time
> 4087ms
>
> root@iorich:~#

Solution: put the network(s) you want to address over wireguard into
the client's list of AllowedIPs.

AllowedIPs = 10.0.2.0/24, 192.168.100.0/24

This means removing the PostUp route add and PostDown route del
statements from the client's configuration, otherwise route will
complain.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
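Editor's added example, not part of the thread or of any message above. It shows the client config before and after the fix, a matching server-side config, and a small model of WireGuard's cryptokey routing table: an outgoing packet on wg0 is handed to the peer whose AllowedIPs contains its destination, and with no match the kernel returns ENOKEY, which ping prints as "sendmsg: Required key not available". This is why a plain PostUp route for 192.168.100.0/24 was not enough. The key strings, the endpoint hostname hawk.example.com, and the masquerade rule are placeholders and assumptions; the addresses and interface names are the thread's own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Keys, hostname and the NAT rule are
# placeholders / assumptions; addresses and interface names are from the thread.

# Client config before the fix: only the tunnel subnet is allowed, and a
# PostUp route points the LAN at wg0 without telling WireGuard which peer
# should receive those packets (they fail with ENOKEY).
CLIENT_CONF_BEFORE='[Interface]
Address = 10.0.2.3/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
PostUp = route add -net 192.168.100.0 netmask 255.255.255.0 dev wg0
PostDown = route del -net 192.168.100.0 netmask 255.255.255.0 dev wg0

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = hawk.example.com:51820
AllowedIPs = 10.0.2.0/24
'

# After the fix: the LAN is in AllowedIPs, so wg-quick installs the route
# itself (the manual PostUp/PostDown lines go away) and the kernel knows
# the server peer owns 192.168.100.0/24.
CLIENT_CONF_AFTER='[Interface]
Address = 10.0.2.3/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = hawk.example.com:51820
AllowedIPs = 10.0.2.0/24, 192.168.100.0/24
'

# Server side (hawk). The client peer gets a /32: AllowedIPs is also the
# source-address filter for packets arriving from that peer, so keep it
# tight. Forwarding is enabled and LAN-bound traffic is masqueraded (an
# assumption) so LAN hosts can reply without a route back to 10.0.2.0/24.
SERVER_CONF='[Interface]
Address = 10.0.2.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o enp3s0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.2.0/24 -o enp3s0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.2.3/32
'

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_len CIDR -> prefix length (a bare address counts as /32)
prefix_len() {
  case $1 in */*) echo "${1#*/}" ;; *) echo 32 ;; esac
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR
in_cidr() {
  local ip net bits mask
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=$(prefix_len "$2")
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# allowed_ips CONF -> the AllowedIPs entries of the config, one per line
allowed_ips() {
  printf '%s\n' "$1" | sed -n 's/^AllowedIPs *= *//p' | tr ',' '\n' | tr -d ' '
}

# cryptokey_lookup DEST CONF -> longest matching AllowedIPs prefix, or ENOKEY
cryptokey_lookup() {
  local dest=$1 conf=$2 best="" bestbits=-1 c bits
  for c in $(allowed_ips "$conf"); do
    if in_cidr "$dest" "$c"; then
      bits=$(prefix_len "$c")
      if [ "$bits" -gt "$bestbits" ]; then best=$c; bestbits=$bits; fi
    fi
  done
  if [ -n "$best" ]; then echo "$best"; else echo ENOKEY; fi
}

# The two outcomes seen in the thread, plus the fixed config.
cryptokey_lookup 10.0.2.1       "$CLIENT_CONF_BEFORE"   # 10.0.2.0/24
cryptokey_lookup 192.168.100.30 "$CLIENT_CONF_BEFORE"   # ENOKEY
cryptokey_lookup 192.168.100.30 "$CLIENT_CONF_AFTER"    # 192.168.100.0/24
```

The lookup mirrors what the kernel does per peer (longest prefix across all peers' AllowedIPs), which is also why a client's /32 on the server matters: a peer can only originate traffic from addresses inside its own AllowedIPs, so a too-wide entry there lets that peer inject packets with arbitrary inner source addresses. If the server keeps a restrictive FORWARD policy, it also needs an accept rule for wg0 to enp3s0 and the established return path; the masquerade rule above only handles the address translation.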
Re: Forwarding over wireguard
On Wed, 8 Dec 2021 18:56:51 -0500
Dan Ritter wrote:

> Charles Curley wrote:
> > I have a wireguard setup that lets me ping from either endpoint to
> > the other. Using the client, I would like to address hosts on the
> > home (server's) network by their local IP addresses.
>
> The client's routing table looks fine after you start wg0. What
> does the home server's routing table look like?

root@hawk:/etc/wireguard# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         freeman.localdo 0.0.0.0         UG    0      0        0 enp3s0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.124.0   jhegaala.locald 255.255.255.0   UG    0      0        0 enp3s0
root@hawk:/etc/wireguard#

> Is it forwarding IPv4 packets for anything else, or is this the
> first time it's been a router?

Not the first time. It forwards packets for 192.168.122.0/24, a
virtual network of virtual machines.

> Does it have any firewall policies or rules?

Yes. However, dropping all firewall rules makes no discernible
difference.

I also instrumented both interfaces with "tcpdump -i wg0". I saw plenty
of DNS and ICMP traffic originating on the client, aimed at the
server's wg0 IF. But nothing for 192.168.100.0/24 showed up.

> -dsr-

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Re: Forwarding over wireguard
Charles Curley wrote:
> I have a wireguard setup that lets me ping from either endpoint to the
> other. Using the client, I would like to address hosts on the home
> (server's) network by their local IP addresses.

The client's routing table looks fine after you start wg0. What does
the home server's routing table look like?

Is it forwarding IPv4 packets for anything else, or is this the first
time it's been a router?

Does it have any firewall policies or rules?

-dsr-
Forwarding over wireguard
I have a wireguard setup that lets me ping from either endpoint to the
other. Using the client, I would like to address hosts on the home
(server's) network by their local IP addresses.

On the client, I can ping the other end of the tunnel, but not any
local addresses. On the client:

root@iorich:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.10.1     0.0.0.0         UG    600    0        0 wls3
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wls3
172.20.10.0     0.0.0.0         255.255.255.240 U     600    0        0 wls3
root@iorich:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.2.3/24 dev wg0
[#] ip -6 address add fc00:23:5::3/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] route add -net 192.168.100.0 netmask 255.255.255.0 dev wg0
root@iorich:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.10.1     0.0.0.0         UG    600    0        0 wls3
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wls3
172.20.10.0     0.0.0.0         255.255.255.240 U     600    0        0 wls3
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 wg0
root@iorich:~# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=182 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=163 ms
64 bytes from 10.0.2.1: icmp_seq=3 ttl=64 time=170 ms
64 bytes from 10.0.2.1: icmp_seq=4 ttl=64 time=187 ms
64 bytes from 10.0.2.1: icmp_seq=5 ttl=64 time=170 ms

--- 10.0.2.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 162.936/174.474/186.802/8.809 ms
root@iorich:~# ping 192.168.100.30
PING 192.168.100.30 (192.168.100.30) 56(84) bytes of data.
From 10.0.2.3 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.2.3 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.2.3 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.2.3 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.2.3 icmp_seq=5 Destination Host Unreachable
ping: sendmsg: Required key not available

--- 192.168.100.30 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4087ms

root@iorich:~#

Searching on "ping: sendmsg: Required key not available" turned up no
examples or solutions. On the hypothesis that the key referred to was a
wireguard key, I checked those. Those appear to be OK.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/