Why does it work?

reiner otto augustus_meyer at yahoo.de
Tue May 1 08:52:24 CEST 2018


Having found myself a solution to the problem described in https://lists.zx2c4.com/pipermail/wireguard/2018-April/002736.html
(I only want to tunnel all traffic destined to 1.2.3.4, the Ubuntu server, via wg from the client, an OpenWrt router,
where 1.2.3.4 is also the endpoint of the tunnel. All other traffic goes via eth0 of the client to the web.),
I am not really happy with my solution, as I found it simply by trial and error. And the solution looks odd to me, because in essence
it is the following sequence of statements in my rc.local when starting wg on the client:
...
        /etc/wireguard/wireguard_up.sh
        /etc/wireguard/wireguard_down.sh
        /etc/wireguard/wireguard_up.sh 

Or, in other words, a simple
        /etc/wireguard/wireguard_up.sh
does not work. (After starting wg on the client, wg does not show any received data.)


One difference I found between working and non-working in /proc/net/nf_conntrack:
working:
ipv4     2 udp      17 158 src=192.168.178.49 dst=1.2.3.4 sport=5555 dport=5555 packets=2615 bytes=384236 src=1.2.3.4 dst=192.168.178.49 sport=5555 dport=5555 packets=2414 bytes=447664 [ASSURED] mark=0 use=2


not working:
ipv4     2 udp      17 55 src=192.168.178.49 dst=1.2.3.4 sport=5555 dport=5555 packets=31 bytes=5456 [UNREPLIED] src=172.16.0.1 dst=172.16.18.31 sport=5555 dport=5555 packets=0 bytes=0 mark=0 use=15

192.168.178.49: IP of eth0 of my router/client (received via dhcp)
172.16.0.1:	wg-ip of 1.2.3.4
172.16.18.31:	wg-ip of client

Not using wg-quick anywhere, the configurations of wg:
server, wg0.conf:
[Interface]
ListenPort = 5555
PrivateKey = ....

[Peer]
PublicKey = ....
#No difference whether using one of the next two
#AllowedIPs = 172.16.0.0/16
AllowedIPs = 0.0.0.0/0

server, wg_up.sh:
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip address add 172.16.0.1/16 dev wg0
ip link set mtu 1420 dev wg0
ip link set wg0 up

server, wg_down.sh:
ip link delete dev wg0
---------
client, wg0.conf:
[Interface]
PrivateKey = ...
ListenPort = 5555
[Peer]
PublicKey = ...
AllowedIPs = 172.16.0.0/16
Endpoint = 1.2.3.4:5555
PersistentKeepalive = 25

client, wg_up.sh:
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip address add 172.16.18.31/16 dev wg0
ip link set mtu 1420 dev wg0
ip link set wg0 up
iptables -t nat -I POSTROUTING -o wg0 -j MASQUERADE
iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to-destination 172.16.0.1

client, wg_down.sh:
ip link delete dev wg0
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
iptables -t nat -D OUTPUT -d 1.2.3.4 -j DNAT --to-destination 172.16.0.1


It looks like some important info is secretly kept during
        /etc/wireguard/wireguard_up.sh
        /etc/wireguard/wireguard_down.sh
so that the next
        /etc/wireguard/wireguard_up.sh
succeeds.

Having got some feedback from different sources that
it is not possible to do what I want, some insight into my "magic"
would be appreciated :-)
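An added example, not the poster's wg_up.sh/wg_down.sh. The [UNREPLIED] conntrack entry in the post shows the DNAT rule being applied to the tunnel's own UDP flow: the packets from 192.168.178.49:5555 to 1.2.3.4:5555 get a reply tuple of 172.16.0.1 -> 172.16.18.31, i.e. WireGuard's encrypted packets to the endpoint are themselves rewritten and routed into wg0 instead of out through eth0. The nat table is consulted only for the first packet of a flow and the decision is stored in the conntrack entry for its lifetime, so a flow entry created while no DNAT rule existed is honoured afterwards even when the rule is present. That is the most likely reason the up/down/up sequence works: the first run's handshake went out before the rule was added, the entry survived the link deletion (UDP entries are timed out, not tied to the interface), and the second run's rule never got to touch that flow. The script below assumes the addresses, port and MTU from the post, a dedicated nat chain named WG_DNAT (this example's own name), and an optional conntrack-tools binary; the WG_APPLY switch is also this example's own so the generated rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the poster's scripts): client-side up/down that
# rewrites only traffic for 1.2.3.4 to the server's wg address while
# leaving the tunnel's own UDP encapsulation alone.  Addresses, port
# and MTU are the ones from the post; WG_DNAT and WG_APPLY are
# this example's own names.
set -eu

WG_IF=${WG_IF:-wg0}
WG_CONF=${WG_CONF:-/etc/wireguard/wg0.conf}
SERVER_PUB=${SERVER_PUB:-1.2.3.4}        # tunnel endpoint (public address)
SERVER_WG=${SERVER_WG:-172.16.0.1}       # server's address inside the tunnel
CLIENT_WG=${CLIENT_WG:-172.16.18.31/16}  # client's address inside the tunnel
WG_PORT=${WG_PORT:-5555}
WG_MTU=${WG_MTU:-1420}
CHAIN=WG_DNAT

# Print commands instead of running them unless WG_APPLY=1, so the
# generated rule set can be reviewed (and tested) without root.
run() {
    if [ "${WG_APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

wg_up() {
    # 1. NAT rules first.  The DNAT lives in its own chain whose first
    #    rule RETURNs for the tunnel's own UDP flow, so WireGuard's
    #    encrypted packets to 1.2.3.4:5555 are never redirected into wg0.
    run iptables -t nat -N "$CHAIN"
    run iptables -t nat -A "$CHAIN" -p udp --dport "$WG_PORT" -j RETURN
    run iptables -t nat -A "$CHAIN" -j DNAT --to-destination "$SERVER_WG"
    run iptables -t nat -A OUTPUT -d "$SERVER_PUB" -j "$CHAIN"
    run iptables -t nat -A POSTROUTING -o "$WG_IF" -j MASQUERADE

    # 2. conntrack fixes the NAT decision on a flow's first packet and
    #    keeps it for the entry's lifetime, so a leftover entry for the
    #    UDP flow (the [UNREPLIED] one in the post) would override the
    #    rules above.  Drop it; needs conntrack-tools, harmless if absent.
    run conntrack -D -p udp --orig-dst "$SERVER_PUB" --orig-port-dst "$WG_PORT" || true

    # 3. Only now create and raise the interface: with PersistentKeepalive
    #    the first handshake leaves right after "link set up", and the
    #    rules it has to match are already installed.
    run ip link add "$WG_IF" type wireguard
    run wg setconf "$WG_IF" "$WG_CONF"
    run ip address add "$CLIENT_WG" dev "$WG_IF"
    run ip link set mtu "$WG_MTU" dev "$WG_IF"
    run ip link set "$WG_IF" up
}

wg_down() {
    run ip link delete dev "$WG_IF"
    run iptables -t nat -D POSTROUTING -o "$WG_IF" -j MASQUERADE
    run iptables -t nat -D OUTPUT -d "$SERVER_PUB" -j "$CHAIN"
    run iptables -t nat -F "$CHAIN"
    run iptables -t nat -X "$CHAIN"
}

case "${1:-}" in
    up)   wg_up ;;
    down) wg_down ;;
esac
```

Run as `sh wg-client.sh up` to print the commands and `WG_APPLY=1 sh wg-client.sh up` to execute them. The OUTPUT chain only sees packets generated by the router itself; if LAN hosts behind the OpenWrt box should also reach 1.2.3.4 through the tunnel, the same WG_DNAT chain has to be hooked from PREROUTING as well.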





