Re: listen on specific IP only
Thanks, works like a charm =)

interface: wg0-default
  public key: (no no no)
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: GUUrqy95QclZQZ9zxMkX+5G6HklnSaqhIAJpf7naSFI=
  endpoint: PUBIP1:53
  allowed ips: 192.168.11.0/24, 172.16.16.6/32
  latest handshake: 12 seconds ago
  transfer: 532 B received, 1.12 KiB sent
  persistent keepalive: every 25 seconds

peer: 4H52v5z94+LtLaiSw47V4/1zc8TiaQ05+kI63ESY12Q=
  endpoint: PUBIP2:53
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 36 seconds ago
  transfer: 440.24 KiB received, 109.24 KiB sent
  persistent keepalive: every 25 seconds

On 06/20/2018 07:50 PM, Jason A. Donenfeld wrote:
> We don't allow this in WireGuard by design. However, you can easily work
> around this with iptables:
>
> $ wg set wg0 listen-port 11153
> $ iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 11153
>
> Fill in the ... with --destination or --in-interface or whatever you want.
>
> Jason

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
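Jason's workaround above with the "..." filled in, as an added example that is not from the thread: the REDIRECT is restricted with -d and -i so only traffic to the public address is diverted and the recursor on the private addresses keeps port 53. The interface names and the 203.0.113.10 address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders: WG_IF, PUB_IP, PUB_IF
# are assumed values; 203.0.113.10 is a constructed documentation address.
WG_IF=wg0
PUB_IP=203.0.113.10     # constructed public address the firewall lets UDP/53 reach
PUB_IF=eth0             # assumed public-facing interface
WG_PORT=11153           # real WireGuard listen port, as in Jason's reply
EXT_PORT=53             # externally visible port shared with DNS

# Emit the two commands from the thread with the "..." filled in.
# -d limits the redirect to the public IP, -i to the public interface, so
# packets for 172.16.16.6:53 or 192.168.11.1:53 never match this rule.
# Printed rather than executed so the rules can be reviewed first.
build_rules() {
    printf 'wg set %s listen-port %s\n' "$WG_IF" "$WG_PORT"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p udp --dport %s -j REDIRECT --to-port %s\n' \
        "$PUB_IF" "$PUB_IP" "$EXT_PORT" "$WG_PORT"
    # After REDIRECT the filter INPUT chain sees the translated port, so the
    # host firewall must accept UDP/11153 on the public interface as well.
    printf 'iptables -A INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$PUB_IF" "$WG_PORT"
}

# Apply only when explicitly asked and running as root; otherwise just print.
if [ "$1" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Run it with --apply as root to execute the printed commands; without the flag it only prints them for review.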
listen on specific IP only
Hello, is there a way to listen on a specific IP/interface? I need it to use
the same port for multiple applications: 53 for DNS and WireGuard, because of
firewall rules I can't control. I have multiple IPs on the server, each for a
specific use. The DNS recursor is listening only on private interfaces and I
want WireGuard to be on the public IP.

If I try ListenPort=53 it fails with:

Jun 20 19:12:52 athos wg-quick[19091]: RTNETLINK answers: Address already in use

but none of my public IPs are used with this port:

netstat -tulpn | grep 53
tcp        0      0 172.16.16.6:53    0.0.0.0:*    LISTEN    3372/pdns_recursor
tcp        0      0 192.168.11.1:53   0.0.0.0:*    LISTEN    3372/pdns_recursor
tcp        0      0 127.0.0.1:53      0.0.0.0:*    LISTEN    3372/pdns_recursor
udp        0      0 172.16.16.6:53    0.0.0.0:*              3372/pdns_recursor
udp    30720      0 192.168.11.1:53   0.0.0.0:*              3372/pdns_recursor
udp        0      0 127.0.0.1:53      0.0.0.0:*              3372/pdns_recursor

Is there any workaround for that for now? Will some type of DNAT work?

Thanks
Tomas
Re: multi-home difficulty
+1 for binding only on a specific IP

On 11/21/2017 02:21 PM, d tbsky wrote:
> Hi:
> I tested wireguard and the speed is amazing, but when I try to
> deploy it to our real linux firewall, I found it is hard to make it
> work.
>
> Our current linux firewall has multiple interfaces and multiple
> routing tables. A local program will get a lan ip address and nat to the
> correct wan ip address when going to the internet.
>
> Since wireguard can not bind to a specific ip address, it sometimes
> uses the wrong ip address to reply and the vpn communication can not be
> established.
>
> For example:
>
> config for client site: (assume wan ip is 2.2.2.2)
> interface: wg0
>   public key:
>   private key: (hidden)
>   listening port: 51820
> peer:
>   endpoint: 1.1.1.1:51820
>   allowed ips: 0.0.0.0/0
>
> config for server site: (assume wan ip is 1.1.1.1)
> interface: wg0
>   public key:
>   private key: (hidden)
>   listening port: 51820
> peer:
>   allowed ips: 0.0.0.0/0
>
> When the client initially connects to the server, at the server site I saw a flow like below:
> "cat /proc/net/nf_conntrack | grep 51820"
>
> ipv4 2 udp 17 23 src=172.18.1.254 dst=2.2.2.2 sport=51820 dport=51820 packets=1 bytes=120 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=51820 dport=1085 packets=0 bytes=0 mark=1 zone=0 use=2
> ipv4 2 udp 17 23 src=2.2.2.2 dst=1.1.1.1 sport=51820 dport=51820 packets=1 bytes=176 [UNREPLIED] src=1.1.1.1 dst=2.2.2.2 sport=51820 dport=51820 packets=0 bytes=0 mark=1 zone=0 use=2
>
> So at first client 2.2.2.2:51820 connects to server 1.1.1.1:51820,
> but then the server uses 172.18.1.254 (lan ip address) to reply, and the 51820
> port is nat'ed to 1085, so the communication is broken.
>
> If wireguard can bind to a specific ip address then there will be no problem.
> Or if wireguard can reply with the correct ip address (eg: if the client
> connects to wireguard ip 1.1.1.1, then wireguard should reply via ip
> address 1.1.1.1) then maybe there will be no problem.
>
> Regards,
> tbskyd