Accessing Network on each Wireguard Peer

Cobin Bluth cbluth at gmail.com
Tue Aug 7 15:02:57 CEST 2018


Hi Wireguard Fans,

Here is my wireguard setup, please see the following:
https://gist.github.com/cbluth/d5bd1c5746c976fef73fb5ab4e67b355

I have three physical nodes: Host1, Host2, Host3, all of which have a
public interface.
I would like to protect/encrypt the communications between all the hosts.
I have a working setup of IPSec+vxlan, and I would like to migrate to
wireguard.

Each host runs kvm/libvirtd and hosts a number of virtual machine guests,
each with its own network.
Everything in my wireguard setup seems to be working well, and it seems
quite fast.
With this wireguard configuration, VM guests on Host1, located inside
192.168.1.0/24, can ping guests located on Host2 (192.168.2.0/24) and Host3
(192.168.3.0/24), and vice versa.

The only thing that I can't get to work properly is that I need to be able
to reach any guest from Host1, because Host1 is my bastion entrypoint into
the network; for example, Host1 itself cannot ping guests on Host2, but
guests on Host1 *CAN* ping guests on Host2. I can ping any virbr0 interface
from any physical host, but I cannot ping the guests behind each virbr0 in
the libvirt network.

I assume it is an issue with routing, but I am not sure, and I am hoping
that someone can assist me.
But one thing that I have noticed is that the gateway to each peer's guest
network is different between my vxlan configuration and what wireguard
provides.

Here are the working routes when my network is using ipsec+vxlan:

root at host1 ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 enp0s31f6
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 enp0s31f6
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 vxlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.2.0     172.16.1.2      255.255.255.0   UG    0      0        0 vxlan0
192.168.3.0     172.16.1.3      255.255.255.0   UG    0      0        0 vxlan0
192.168.4.0     172.16.1.4      255.255.255.0   UG    0      0        0 vxlan0
192.168.5.0     172.16.1.5      255.255.255.0   UG    0      0        0 vxlan0
192.168.6.0     172.16.0.6      255.255.255.0   UG    0      0        0 vxlan0
root at host1 ~ #


Here are the routes after bringing up wireguard:

root at host1 ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 enp0s31f6
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 enp0s31f6
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
root at host1 ~ #


Here is a tracepath with wireguard installed/running.

root at host1 ~ # tracepath 192.168.2.1
 1?: [LOCALHOST]                      pmtu 1420
 1:  192.168.2.1                                           1.282ms reached
 1:  192.168.2.1                                           1.069ms reached
     Resume: pmtu 1420 hops 1 back 1
root at host1 ~ # tracepath 192.168.2.143
 1?: [LOCALHOST]                      pmtu 1420
 1:  172.16.1.2                                            0.754ms
 1:  172.16.1.2                                            0.679ms
 2:  no reply
 3:  no reply
^C
root at host1 ~ #

To reiterate, the wireguard setup is working well, except pinging remote
guests located on each peer.
Is there something I am doing wrong? Is wireguard a good solution to my
network scenario?

Thanks,

-Cobin
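An added model (not code from the post or the linked gist) of the WireGuard cryptokey routing behind the difference in the gateway column: wg0 picks the peer by longest-prefix match over AllowedIPs on egress, and on ingress drops any decrypted packet whose inner source address is outside the sending peer's AllowedIPs, so both directions of a ping have to be covered. The host names and the AllowedIPs lists below are assumptions built from the subnets in the post.

```python
import ipaddress

# Constructed topology modelled on the post's addressing (the real configs are in
# the linked gist): wg0 carries 172.16.1.0/24, each host fronts one libvirt subnet.
# ALLOWED[host][peer] is what `host` configures as AllowedIPs for `peer` (assumed).
ALLOWED = {
    "host1": {"host2": ["172.16.1.2/32", "192.168.2.0/24"],
              "host3": ["172.16.1.3/32", "192.168.3.0/24"]},
    "host2": {"host1": ["172.16.1.1/32", "192.168.1.0/24"],
              "host3": ["172.16.1.3/32", "192.168.3.0/24"]},
    "host3": {"host1": ["172.16.1.1/32", "192.168.1.0/24"],
              "host2": ["172.16.1.2/32", "192.168.2.0/24"]},
}


def select_peer(allowed, host, dst):
    """Egress cryptokey routing: longest-prefix match of dst over the peers'
    AllowedIPs on `host`. wg0 itself picks the peer, so the kernel route to
    a remote guest subnet needs no gateway (the 0.0.0.0 in `route -n`)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for peer, nets in allowed[host].items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None


def accepts_from(allowed, host, peer, src):
    """Ingress filter: a decrypted packet from `peer` is dropped by `host`
    unless its inner source address is inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in allowed[host][peer])


def round_trip(allowed, src_host, src, dst):
    """Follow an echo request (inner source `src`) from src_host to the peer
    owning `dst`, then the reply back. Returns 'ok' or the failing step."""
    peer = select_peer(allowed, src_host, dst)
    if peer is None:
        return f"{src_host}: no peer lists {dst} in AllowedIPs"
    if not accepts_from(allowed, peer, src_host, src):
        return f"{peer}: drops request, {src} not in AllowedIPs for {src_host}"
    back = select_peer(allowed, peer, src)
    if back != src_host:
        return f"{peer}: reply to {src} would go to {back}"
    if not accepts_from(allowed, src_host, peer, dst):
        return f"{src_host}: drops reply, {dst} not in AllowedIPs for {peer}"
    return "ok"
```

A ping from Host1 itself sources from the wg0 address (172.16.1.1) rather than from 192.168.1.0/24, so `round_trip(ALLOWED, "host1", "172.16.1.1", "192.168.2.143")` is the case to check alongside the guest-to-guest one; the model also shows which hop would drop it if a peer's wg0 address were missing from the other side's AllowedIPs.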