Sorry, this is more of an iproute2 / iptables question I guess, though in the context of using WireGuard I've never had a problem with wg-quick, except on my Void Linux / musl machine!!
hendry@knuckles /etc/wireguard $ sudo grep -vi private wg0.conf
[Interface]
Address = 192.168.2.1
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

[Peer]
PublicKey = 9ZyNE3if3j5hNcBY9ZnEHOGqLNRQNE5BnWFqkiQLSgo=
AllowedIPs = 192.168.2.2/32

hendry@knuckles /etc/wireguard $ ip route
default via 192.168.1.1 dev enp3s0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.5
192.168.2.2 dev wg0 scope link

hendry@knuckles /etc/wireguard $ sudo modinfo wireguard
filename:       /lib/modules/5.0.21_1/kernel/net/wireguard.ko.gz
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        0.0.20190702
author:         Jason A. Donenfeld <[email protected]>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     1A86B7E30E05E9B1FD6681E
depends:        udp_tunnel,ip6_udp_tunnel
retpoline:      Y
name:           wireguard
vermagic:       5.0.21_1 SMP preempt mod_unload modversions

I can connect to the machine just fine, but the forwarding doesn't work! Docker is fine. Bizarre!
hendry@knuckles /etc/wireguard $ cat /proc/sys/net/ipv4/ip_forward
1

hendry@knuckles /etc/wireguard $ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:9115
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:hbci

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 to:172.17.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9115 to:172.17.0.3:9115
DNAT       tcp  --  anywhere             anywhere             tcp dpt:cisco-sccp to:172.17.0.4:3000

So, any tips on how to debug this? I tried creating a veth interface, but I don't quite grok how veth0@veth1 & veth1@veth0 is supposed to work.

Thanks in advance!

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
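An added diagnostic, not from the post or from the WireGuard project, that audits the forwarding prerequisites the setup above relies on (ip_forward, a filter FORWARD ACCEPT for the tunnel, MASQUERADE on the uplink, and a return-path rule when the FORWARD policy is DROP, which the post's `iptables -L -t nat` output does not reveal because it only lists the nat table). The wg0 / enp3s0 names follow the post; the sample rule listings are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WireGuard gateway's
# forwarding prerequisites from captured command output (runs offline).
# Interface names follow the post (wg0 tunnel, enp3s0 uplink) but are assumptions.
WG_IF="${WG_IF:-wg0}"
OUT_IF="${OUT_IF:-enp3s0}"

# audit_forwarding IP_FORWARD FILTER_RULES NAT_RULES
#   IP_FORWARD   contents of /proc/sys/net/ipv4/ip_forward
#   FILTER_RULES output of `iptables -S FORWARD`
#   NAT_RULES    output of `iptables -t nat -S POSTROUTING`
# Prints one line per missing piece; returns the number of problems (0 = all present).
audit_forwarding() {
    af_fwd=$1; af_filter=$2; af_nat=$3; af_problems=0
    if [ "$af_fwd" != 1 ]; then
        echo "ip_forward is '$af_fwd', need 1"; af_problems=$((af_problems + 1))
    fi
    # Packets arriving from the tunnel need an explicit ACCEPT (the PostUp rule in the post).
    if ! printf '%s\n' "$af_filter" | grep -qF -- "-A FORWARD -i $WG_IF -j ACCEPT"; then
        echo "filter FORWARD: no ACCEPT for packets entering from $WG_IF"; af_problems=$((af_problems + 1))
    fi
    # With policy DROP (Docker sets this by default) replies coming back from the uplink
    # toward the tunnel also need a rule: -o $WG_IF or a RELATED,ESTABLISHED match.
    if printf '%s\n' "$af_filter" | grep -qx -- "-P FORWARD DROP" &&
       ! printf '%s\n' "$af_filter" | grep -qE -- "-A FORWARD .*(-o $WG_IF .*-j ACCEPT|RELATED,ESTABLISHED.*-j ACCEPT)"; then
        echo "filter FORWARD: policy DROP and no rule for replies back to $WG_IF"; af_problems=$((af_problems + 1))
    fi
    # Tunnel sources (192.168.2.0/24 in the post) must be masqueraded on the uplink.
    if ! printf '%s\n' "$af_nat" | grep -qF -- "-A POSTROUTING -o $OUT_IF -j MASQUERADE"; then
        echo "nat POSTROUTING: no MASQUERADE out of $OUT_IF"; af_problems=$((af_problems + 1))
    fi
    return $af_problems
}

# Constructed sample: the post's PostUp rules on a host where Docker set FORWARD to DROP.
SAMPLE_FILTER='-P FORWARD DROP
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o enp3s0 -j MASQUERADE'

# Live use: audit_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -S FORWARD)" "$(iptables -t nat -S POSTROUTING)"
audit_forwarding 1 "$SAMPLE_FILTER" "$SAMPLE_NAT" || echo "problems found: $?"
```

On the constructed sample the only finding is the missing reply-path rule, which is the one thing the post's PostUp line does not add.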
