Hi,

To do this on the Windows server, you need to run NAT on the WG interface: https://openvpn.net/cloud-docs/enabling-routing-nat-on-windows-server-2016/
On Sun, Jun 5, 2022 at 10:23 PM Max Schulze <max.schu...@online.de> wrote:
>
> I am running out of ideas to debug this specific issue.
>
> I am trying to circumvent a double-NAT scenario. I have
>
> wg_serv (10.253.2.9) <-> wg-relais (10.253.2.2) <-> wg_peer (10.253.2.3)
>
> wg_serv has an endpoint set for wg-relais, and creates the connection ok
> (handshake completes, ping works).
> wg_peer has an endpoint that points to wg-relais, which should tunnel the
> connection as-is to wg_serv on the established connection (iptables
> SNAT/DNAT).
>
> If wg_serv is a Linux box, with the exact same config file, everything works.
> If wg_serv is a Windows box, it seems that there are no outgoing packets, but
> incoming is ok.
>
> First, see that the handshake packet is received (via 10.253.2.2:60026):
>
> 2022-06-05 20:30:17.140946: [TUN] [wireguard] Keypair 536 created for peer 1
> 2022-06-05 20:30:22.085949: [TUN] [wireguard] Handshake for peer 1 (10.253.2.2:60026) did not complete after 5 seconds, retrying (try 2)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 536 destroyed for peer 1
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 537 created for peer 1
> 2022-06-05 20:30:27.147962: [TUN] [wireguard] Sending keepalive packet to peer 2 (185.230.xxx.yyy:51849)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
>
> However, it seems that wireguard sends the outgoing packet with the wrong IP
> (192.168.99.101) instead of 10.253.2.9 to 10.253.2.2:60026?
>
> Protocol  Local Port  Local Address  Remote Port  Remote Address  Received Bytes  Sent Bytes  Rec Pkt  Sent Packets
> wireguard.exe  UDP  IPv4  51850  192.168.99.101  51849  185.230.xxx.yyy  81.976  8.584  417  216
> wireguard.exe  UDP  IPv4  51850  10.253.2.9      60026  10.253.2.2       55.648  376
> wireguard.exe  UDP  IPv4  51850  192.168.99.101  60026  10.253.2.2       37.848  398
>
> What can I do?
> Can I make the wireguard log more verbose to show IP packet src/destination?
> Is it possible to also log the src IP of the "handshake response packet"?
>
> Best,
> Max
>
> wg_serv config:
>
> [Interface]
> PrivateKey = SFhFHVb__2c=
> ListenPort = 51850
> Address = 10.253.2.9/24
>
> [Peer]
> # wg-vpn-relais
> PublicKey = 3A5__wo=
> AllowedIPs = 10.253.2.2/30
> Endpoint = 185.230.xxx.yyy:51849
> PersistentKeepalive = 20
>
> [Peer]
> # peer via vpn relais
> PublicKey = FTBC__cqghg=
> AllowedIPs = 10.253.2.3/32
> PersistentKeepalive = 20
>
> wg output:
>
> peer: 3A5__o=
>   endpoint: 185.230.xxx.yyy:51849
>   allowed ips: 10.253.2.0/30
>   latest handshake: 1 minute, 55 seconds ago
>   transfer: 145.71 KiB received, 29.74 KiB sent
>   persistent keepalive: every 20 seconds
>
> peer: FTB__hg=
>   endpoint: 10.253.2.2:60026
>   allowed ips: 10.253.2.3/32
>   transfer: 89.46 KiB received, 60.67 KiB sent
>   persistent keepalive: every 20 seconds
>
> PS C:\Windows\system32> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding,weakhostreceive,weakhostsend | Sort-Object -Property IfIndex | Format-Table
>
> ifIndex InterfaceAlias              AddressFamily ConnectionState Forwarding WeakHostReceive WeakHostSend
> ------- --------------              ------------- --------------- ---------- --------------- ------------
>       1 Loopback Pseudo-Interface 1 IPv4          Connected       Disabled   Disabled        Disabled
>       1 Loopback Pseudo-Interface 1 IPv6          Connected       Disabled   Disabled        Disabled
>       4 LAN-Verbindung* 11          IPv6          Connected       Disabled   Disabled        Disabled
>       4 LAN-Verbindung* 11          IPv4          Connected       Disabled   Disabled        Disabled
>       8 WLAN                        IPv4          Disconnected    Disabled   Disabled        Disabled
>       8 WLAN                        IPv6          Disconnected    Disabled   Disabled        Disabled
>      12 Ethernet                    IPv6          Connected       Disabled   Disabled        Disabled
>      12 Ethernet                    IPv4          Connected       Disabled   Disabled        Disabled
>      16 LAN-Verbindung* 2           IPv6          Disconnected    Disabled   Disabled        Disabled
>      16 LAN-Verbindung* 2           IPv4          Disconnected    Disabled   Disabled        Disabled
>      17 LAN-Verbindung* 1           IPv6          Disconnected    Disabled   Disabled        Disabled
>      17 LAN-Verbindung* 1           IPv4          Disconnected    Disabled   Disabled        Disabled
>      53 wireguard                   IPv6          Connected       Disabled   Disabled        Disabled
>      53 wireguard                   IPv4          Connected       Disabled   Disabled        Disabled
>
> wg_relais debug state:
>
> wg-vpn-relais # conntrack -L | grep 10.253
> udp 17 28 src=178.101.114.260 dst=185.230.xxx.yyy sport=60026 dport=51850 [UNREPLIED] src=10.253.2.9 dst=10.253.2.2 sport=51850 dport=60026 mark=0 use=1
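As an added illustration of the reply's suggestion (example code, not from anyone in this thread): the PowerShell below first checks which source address Windows selects for the relay's tunnel address, then enables forwarding on the WireGuard adapter and creates a WinNAT instance for the tunnel prefix. It assumes the adapter alias is "wireguard" and the prefix is 10.253.2.0/24 (both taken from the quoted config and Get-NetIPInterface output), that the host has the NetNat cmdlets (WinNAT) available, and it uses those cmdlets instead of the RRAS steps in the linked document. The NAT name "WGNat" is an arbitrary choice. Run it from an elevated prompt.

```powershell
# Added example, not code from the thread. Assumed values come from the
# quoted wg_serv config and Get-NetIPInterface output; "WGNat" is arbitrary.
$WgAlias    = 'wireguard'      # adapter alias shown in the quoted table
$WgPrefix   = '10.253.2.0/24'  # Address = 10.253.2.9/24 in the quoted config
$RelayInner = '10.253.2.2'     # wg-relais' tunnel address

# 1. Which source address does Windows pick when sending to the relay's
#    tunnel address? The quoted table shows packets to 10.253.2.2:60026
#    leaving from 192.168.99.101; Find-NetRoute returns the matching route
#    and the address the stack would use as source for that destination.
Find-NetRoute -RemoteIPAddress $RelayInner |
    Select-Object -Property IPAddress, InterfaceAlias, DestinationPrefix, NextHop

# 2. Forwarding is Disabled on every interface in the quoted output; turn it
#    on for the WireGuard adapter so it can forward between peers.
Set-NetIPInterface -InterfaceAlias $WgAlias -AddressFamily IPv4 -Forwarding Enabled

# 3. Create a NAT instance covering the tunnel prefix, as the reply suggests.
#    New-NetNat errors if a NAT with that name already exists, so check first.
if (-not (Get-NetNat -Name 'WGNat' -ErrorAction SilentlyContinue)) {
    New-NetNat -Name 'WGNat' -InternalIPInterfaceAddressPrefix $WgPrefix | Out-Null
}

# 4. Verify the NAT object and the adapter's forwarding state.
Get-NetNat -Name 'WGNat' |
    Format-List -Property Name, InternalIPInterfaceAddressPrefix, Active
Get-NetIPInterface -InterfaceAlias $WgAlias -AddressFamily IPv4 |
    Select-Object -Property InterfaceAlias, Forwarding, WeakHostSend, WeakHostReceive

# Roll back if this does not change the behaviour:
#   Remove-NetNat -Name 'WGNat' -Confirm:$false
#   Set-NetIPInterface -InterfaceAlias $WgAlias -AddressFamily IPv4 -Forwarding Disabled
```

After applying it, re-run the Find-NetRoute query and compare the chosen source address against the 10.253.2.9 entry in the quoted table; the roll-back lines at the end undo both changes if they do not help.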