Fwd: Bridging wg and normal interfaces?

Sat Jan 27 14:24:13 CET 2018

Ah alright thanks for the info, I finally figured out everything by myself
though I still have one small problem.

For reference, here's everything I have done:

<begin>

Isolated VM's DHCP: 172.16.1.0/16

Switch wg0: 172.16.0.2/30
Switch ens3: 172.16.1.1/16
Switch ens2: 192.168.2.xx/24 gw 192.168.2.254/24

Router wg0: 172.16.0.1/30
Router eth0: 35.224.54.65/32

# both machines
echo "deb http://deb.debian.org/debian/ unstable main" >
/etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' >
/etc/apt/preferences.d/limit-unstable
apt update
apt-get install -y linux-headers-$(uname -r) wireguard

# both machines /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.proxy_arp = 1

# post up (ens3 of switch) and (eth0 of router) run (wg-quick up wg0)

####isc-dhcp-server (on switch ens3):
option domain-name "pcr";
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;

ddns-update-style none;

authoritative;

subnet 172.16.0.0 netmask 255.255.0.0 {
  range 172.16.1.2 172.16.255.253;
  option routers 172.16.0.1;
}

############### lan vm /etc/wireguard/wg0.conf
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.2/30
PostUp = ip route add 172.16.0.1/32 via 172.16.0.2 dev wg0 ; route del
default gw 192.168.2.254 ; ip route add 192.168.2.254 dev ens2 ; route add
default gw 172.16.0.1 dev wg0 ; ip route add 35.224.54.65 via 192.168.2.254
; iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT ; iptables -A FORWARD -i wg0
-o ens3 -j ACCEPT

[Peer]
PublicKey = *************
Endpoint = 35.224.54.65:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 1

############### google vm /etc/wireguard/wg0.conf
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.1/30
PostUp = ip route add 172.16.0.2/32 via 172.16.0.1 dev wg0 ; ip route add
172.16.0.0/16 via 172.16.0.2 dev wg0 ; iptables -A INPUT -i eth0 -p tcp -m
tcp --dport 22 -j ACCEPT ; iptables -t nat -A POSTROUTING -o eth0 -j
MASQUERADE ; iptables -A FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = *************
AllowedIPs = 0.0.0.0/0

<end>

Now the problem I face: whenever I run 'wg-quick up wg0' on a Google Cloud
Engine VM, I can't SSH to it anymore from the WAN side, but the weird thing
is, from the 'switch' I can ping the router just fine, they have a
connection, I can even SSH (sometimes not).

Now what's weird is, when I do all configuration steps with commands (ip ..
wg set .. blabla), and make it with those commands just like the config,
everything works fine. so I have a script that just does the commands.. but
wg-quick should work, everything is the same. Yet this happens.. anything I
can do to debug this behaviour?

On 25 January 2018 at 12:08, Jason A. Donenfeld <Jason at zx2c4.com> wrote:

> WireGuard is layer 3, not layer 2, so bridging is not what you want.
>
> Instead, do ordinary IP routing between different subnets. As you
> appear to already have different subnets, this shouldn't be a problem.
>
> If you'd like to overlap within the same subnet, there's always proxy
> arp, but I'd caution against that approach.
>
> Lots of people run into this confusion about layer 2 vs layer 3. We
> can probably walk you through getting things rolling for your
> particular setup in #wireguard on Freenode, if you have IRC.
>
> Jason
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20180127/2e95f954/attachment.html>