Hello Quân,

Configs look good.
Make sure wireguard is configured correctly (and so are the clients of each 
server) to route the packets to the other server's subnet over the WG server.
Also, later you might need to use some TCPMSS fixing and/or MTU/MSS setting of 
the routes by using charon.plugins.kernel_netlink.mss/mtu to make TCP work.
Dump traffic on wg0 of the other server while you ping one of its wg clients 
from this server. That should give you an idea regarding how far the packets 
make it.
You can also configure logging of martians via sysctl and use an iptables TRACE 
rule to see the processing of the packets in your iptables rule set.

Kind regards

Noel
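
The diagnostics Noel lists (martian logging via sysctl, an iptables TRACE rule, and a capture on wg0 while pinging a client of the other server), collected into one added helper script. This is not code from the thread or from strongSwan; it assumes the WireGuard interface is `wg0`, that the remote WireGuard subnet is Quân's 192.168.18.0/24, that it runs as root, and that `DRY_RUN=1` should print the commands instead of executing them. The `charon.plugins.kernel-netlink.mtu`/`mss` values are placeholders chosen for a WireGuard path carrying ESP, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): run one diagnostic step at a time, e.g.
#   sh wg-ipsec-diag.sh martians | trace | untrace | capture | netlink-conf
# Assumptions: wg0 is the WireGuard interface, 192.168.18.0/24 is the remote
# WireGuard subnet, script runs as root. DRY_RUN=1 prints instead of executing.
set -eu

WG_IF="${WG_IF:-wg0}"
REMOTE_WG_NET="${REMOTE_WG_NET:-192.168.18.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Log "martian" packets: a decrypted packet whose source belongs to the
#    remote WG subnet but has no matching route is a classic martian and is
#    silently dropped unless this is on. Watch with: dmesg -w | grep -i martian
enable_martian_logging() {
    run sysctl -w net.ipv4.conf.all.log_martians=1
    run sysctl -w "net.ipv4.conf.${WG_IF}.log_martians=1"
}

# 2. TRACE every packet for the remote WG subnet through the iptables chains.
#    The limit match keeps the trace from flooding the kernel log.
#    Legacy backend: modprobe nf_log_ipv4, then read dmesg.
#    nft backend (iptables-nft): read with xtables-monitor --trace.
add_trace_rule() {
    run iptables -t raw -I PREROUTING -d "$REMOTE_WG_NET" -m limit --limit 5/min -j TRACE
    run iptables -t raw -I OUTPUT -d "$REMOTE_WG_NET" -m limit --limit 5/min -j TRACE
}
remove_trace_rule() {
    run iptables -t raw -D PREROUTING -d "$REMOTE_WG_NET" -m limit --limit 5/min -j TRACE
    run iptables -t raw -D OUTPUT -d "$REMOTE_WG_NET" -m limit --limit 5/min -j TRACE
}

# 3. On the *other* server, capture on wg0 while this server pings one of its
#    WG clients. If echo requests show up here but no replies, the client side
#    (or its route back) is the problem; if nothing shows up, the packets never
#    left the IPsec tunnel or were dropped by the rule set (see step 2).
capture_on_wg() {
    run tcpdump -ni "$WG_IF" -c 20 icmp and net "$REMOTE_WG_NET"
}

# 4. Optional MTU/MSS on the routes charon installs for the IPsec policies
#    (charon.plugins.kernel-netlink.mtu / .mss). Write the output to
#    /etc/strongswan.d/charon/kernel-netlink.conf and reload charon.
#    Numbers below are assumptions for a WireGuard (1420 MTU) path with ESP.
kernel_netlink_conf() {
    cat <<'EOF'
kernel-netlink {
    load = yes
    mtu = 1380
    mss = 1340
}
EOF
}

case "${1:-}" in
    martians)     enable_martian_logging ;;
    trace)        add_trace_rule ;;
    untrace)      remove_trace_rule ;;
    capture)      capture_on_wg ;;
    netlink-conf) kernel_netlink_conf ;;
esac
```

Run `martians` and `trace` on the server that is not receiving the pings, then `capture` there while pinging from the other side; remove the trace rule with `untrace` afterwards, since TRACE output is noisy even with the rate limit.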

On 11.02.20 at 17:59, Nguyễn Hồng Quân wrote:
> Update:
> 
> After I added this to each server:
> 
> iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> 
> I can ping Sun's WireGuard IP (192.168.18.1) from Moon and vice versa.
> But I cannot ping other IPs in the WireGuard LAN yet (cannot ping 
> 192.168.18.19 from Moon, even though the machine is up).
> 
> On Tue, Feb 11, 2020 at 11:48 PM Nguyễn Hồng Quân <[email protected]> wrote:
> 
>     Hi Noel
> 
>     Here are all the log and swanctl config (except the certificates).
>     I created the connection config in /etc/swanctl/conf.d/, without modifying 
> the default /etc/swanctl/swanctl.conf (keeping it as packaged by 
> Ubuntu 19.10).
> 
>     https://bitbucket.org/snippets/hongquan/ynzxjg
> 
> 
> -- 
> Quân
> 
> 
