Hello Dimitar,
The WG module does the routing for you; in most cases you don't need PostUp 
and PostDown scripts. You need SNAT (MASQUERADE) only if you want to route all 
your internet traffic, i.e. 0.0.0.0/0.
For site-to-site you need to enable forwarding, which most routers do anyway.
Let's assume you have Site A with network 192.168.1.0/24 and Site B with 
network 192.168.2.0/24.
On site A you have router A1 with internal IP 192.168.1.1, VPN IP 10.8.10.1 
and public IP x.x.x.x.
On site B you have router B1 with internal IP 192.168.2.1, VPN IP 10.8.10.2 
and public IP y.y.y.y.
Your config is going to look like this:

— A1 config — 
[Interface]
PrivateKey = YourA1PrivateKeyHere
Address = 10.8.10.1/32
ListenPort = 51820

[Peer]
PublicKey = YourB1PublicKeyHere
# B1's tunnel address and B1's LAN. 10.8.10.2/24, 192.168.2.1/24 would also be
# accepted: WireGuard masks the host bits and routes exactly these networks.
AllowedIPs = 10.8.10.0/24, 192.168.2.0/24
Endpoint = y.y.y.y:51820   # B1 public IP

————————————————

— B1 config — 
[Interface]
PrivateKey = YourB1PrivateKeyHere
Address = 10.8.10.2/32
ListenPort = 51820

[Peer]
PublicKey = YourA1PublicKeyHere
# A1's tunnel address and A1's LAN (same note as above about host bits).
AllowedIPs = 10.8.10.0/24, 192.168.1.0/24
Endpoint = x.x.x.x:51820   # A1 public IP
 
That is everything!

Example 2: now let's make B1 the gateway for Client 1, routing all its internet 
traffic out of B1's default gateway interface eth0.
In the B1 config add:
# These two lines go in B1's [Interface] section.
# Enable SNAT only if B1 is not already the gateway; otherwise you don't need 
# these lines.
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client 1
[Peer]
PublicKey = YourClient1PublicKeyHere
AllowedIPs = 10.8.10.5/32

————————————————

— Client 1 config —
[Interface]
PrivateKey = YourClient1PrivateKeyHere
Address = 10.8.10.5/32

# B1 gateway
[Peer]
PublicKey = YourB1PublicKeyHere
# 0.0.0.0/0 already covers the tunnel network; the /24 is listed for clarity
AllowedIPs = 10.8.10.0/24, 0.0.0.0/0
Endpoint = y.y.y.y:51820   # B1 public IP
PersistentKeepalive = 25

That's it. In this example Client 1 is behind NAT and changes networks 
often; that's why we don't have an Endpoint for it and instead use a keepalive.

Cheers,
Hristo


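The thread turns on how AllowedIPs works in both directions: outbound, the peer whose AllowedIPs holds the longest prefix containing the destination gets the packet; inbound, a decrypted packet is dropped unless its source address is inside the sending peer's AllowedIPs, which is why Dimitar's pings between the WG addresses failed until the remote tunnel address was added. The script below is an added example, not code from Hristo's or Dimitar's posts nor from the WireGuard project: it parses wg-quick style configs, normalises AllowedIPs the way WireGuard does (host bits masked), and answers "which peer does this destination leave through?" and "would this inbound source be accepted?". All configs and keys are constructed placeholders; 198.51.100.2 and 203.0.113.1 stand in for the page's y.y.y.y and x.x.x.x, and `demo()`, `A1_BROKEN_CONF` and the other names are this example's own.

```python
"""Cryptokey-routing checker for wg-quick style WireGuard configs.  Added example,
not code from the thread or WireGuard; every config, address and key is constructed."""
import ipaddress


def parse_wg_config(text):
    """Return (interface_dict, [peer_dict, ...]).  configparser is no use because
    [Peer] repeats; values are split on the first '=' only (base64 ends in '=')."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                peers.append({})
                current = peers[-1]
            else:
                raise ValueError("unknown section: " + line)
        else:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return interface, peers


def allowed_networks(peer):
    """AllowedIPs as network objects plus warnings.  WireGuard masks host bits
    itself ('192.168.2.1/24' means 192.168.2.0/24); mimic that, but report it."""
    nets, warnings = [], []
    for item in filter(None, peer.get("allowedips", "").replace(" ", "").split(",")):
        net = ipaddress.ip_network(item, strict=False)
        if "/" in item and str(net) != item:
            warnings.append("%s has host bits set; WireGuard routes %s" % (item, net))
        nets.append(net)
    return nets, warnings


def select_peer(peers, dst):
    """Outbound cryptokey routing: the peer with the longest AllowedIPs prefix
    containing dst wins; None means the packet never enters the tunnel."""
    dst, best, best_len = ipaddress.ip_address(dst), None, -1
    for peer in peers:
        for net in allowed_networks(peer)[0]:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts_inbound(peer, src):
    """Inbound side of the same table: a decrypted packet from `peer` is dropped
    unless its source lies inside that peer's AllowedIPs (hence list the tunnel IP)."""
    return any(ipaddress.ip_address(src) in net for net in allowed_networks(peer)[0])


# Constructed configs following the thread's A1/B1 layout (RFC 5737 public IPs).
A1_CONF = """[Interface]
PrivateKey = PLACEHOLDER_A1_PRIVATE=
Address = 10.8.10.1/32
[Peer]
PublicKey = PLACEHOLDER_B1_PUBLIC=
AllowedIPs = 10.8.10.2/32, 192.168.2.0/24
Endpoint = 198.51.100.2:51820   # B1 public IP
"""
# The thread's symptom: remote LAN listed, remote tunnel address forgotten.
A1_BROKEN_CONF = A1_CONF.replace("10.8.10.2/32, ", "")
# B1 with the A1 peer written as in the thread (host bits set) plus the client.
B1_CONF = """[Interface]
PrivateKey = PLACEHOLDER_B1_PRIVATE=
Address = 10.8.10.2/32
[Peer]
PublicKey = PLACEHOLDER_A1_PUBLIC=
AllowedIPs = 10.8.10.1/24, 192.168.1.1/24
[Peer]
PublicKey = PLACEHOLDER_CLIENT1_PUBLIC=
AllowedIPs = 10.8.10.5/32
"""


def demo():
    """The checks the thread needed, as a dict the reader (and tests) can inspect."""
    a1 = parse_wg_config(A1_CONF)[1][0]
    a1_broken = parse_wg_config(A1_BROKEN_CONF)[1][0]
    b1_peers = parse_wg_config(B1_CONF)[1]
    return {
        "a1_to_b_lan": select_peer([a1], "192.168.2.50") is a1,
        "a1_accepts_b1_tunnel_ip": accepts_inbound(a1, "10.8.10.2"),
        "broken_accepts_b1_tunnel_ip": accepts_inbound(a1_broken, "10.8.10.2"),  # WG-IP ping fails
        "b1_to_client": select_peer(b1_peers, "10.8.10.5")["publickey"],  # /32 beats /24
        "b1_to_a_lan": select_peer(b1_peers, "192.168.1.77")["publickey"],
        "b1_to_internet": select_peer(b1_peers, "8.8.8.8"),  # None: no 0.0.0.0/0 peer, out via eth0
        "b1_warnings": allowed_networks(b1_peers[0])[1],
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the two failure modes side by side: the broken A1 entry still routes 192.168.2.0/24 into the tunnel but silently drops B1's replies from 10.8.10.2, and B1's `10.8.10.1/24` entry is reported as really meaning 10.8.10.0/24, with the client's `/32` still winning for 10.8.10.5 by longest prefix.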
> On 2 Sep 2019, at 13:00, [email protected] wrote:
> 
> Message: 1
> Date: Sun, 1 Sep 2019 14:03:18 +0300
> From: Dimitar Vassilev <[email protected]>
> To: Kalin KOZHUHAROV <[email protected]>
> Cc: WireGuard mailing list <[email protected]>
> Subject: Re: need a hand with WG setup
> Message-ID:
>       <caf+azzvkoqffk53e24ko7kfr3cxeuqnjgpnejhvtp5buvjd...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> On Wed, 28.08.2019 at 13:56, Dimitar Vassilev <[email protected]>
> wrote:
> 
>> Hi Kalin,
>> 
>>> 1. Disable the FW and test.
>> 
>> Tried - disabling one FW shows WG traffic flowing.
>> 
>>> 2. Try ping from one router to the other using the configured public IP
>>> address
>> 
>> That works as well with the default FW config on OpenWRT/LEDE/LibreCMC.
>> 
>>> 3. Ping the other using the WG IP address
>> 
>> My problem is that ping between the WG IP addresses is not working. I see
>> some PostUp and PostDown examples in the regular configurations like the
>> ones below:
>> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
>> POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
>> ip6tables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
>> POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
>> ip6tables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
>> In the LEDE/OpenWRT derivatives those are marked in the GUI with the
>> MASQUERADE and "route allowed IPs" options, but still I'm getting stuck. I
>> moved my VPN network from /25 to another /24 and still was stuck.
>> 
>>> If all runs then it is a routing problem left to solve...
>> 
>> Agree. I'm a bit at a loss which routing - the kernel one or the forwarding
>> of packets. Will tear down and start from scratch with another test.
>> 
>>> Kalin.
>> 
> Hello all,
> 
> Problem solved via a trivial solution - add my origin VPN endpoint IP into
> the list of AllowedIPs for the peer. Used
> https://forum.openwrt.org/t/solved-setup-wireguard-connecting-two-networks/4215
> to achieve this.
> At least in this setup I see the packets flowing in both directions - RX
> and TX.
> My next questions are:
> 
>   - is this normal since I'm behind NAT, or are there some OpenWRT
>   /WireGuard specifics I'm missing? In the docs and examples I see examples
>   with just peer IPs added
>   - what should I do to make the flow to a private subnet in the DMZ on site B
>   from site A?
> 
> Thanks,
> Dimitar
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> WireGuard mailing list
> [email protected]
> https://lists.zx2c4.com/mailman/listinfo/wireguard
> 
> 
> ------------------------------
> 
> End of WireGuard Digest, Vol 42, Issue 2
> ****************************************
