Sanity test forwarding

Kai Hendry kai.hendry at gmail.com
Mon Aug 12 12:08:46 CEST 2019


Sorry, this is more of an iproute2 / iptables question I guess, though
in the context of using WireGuard I've never had a problem with
wg-quick, except on my voidlinux / muslc machine!!

hendry at knuckles /etc/wireguard $ sudo grep -vi private wg0.conf
[Interface]
Address = 192.168.2.1
ListenPort = 51820

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

[Peer]
PublicKey = 9ZyNE3if3j5hNcBY9ZnEHOGqLNRQNE5BnWFqkiQLSgo=
AllowedIPs = 192.168.2.2/32
hendry at knuckles /etc/wireguard $ ip route
default via 192.168.1.1 dev enp3s0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.5
192.168.2.2 dev wg0 scope link
hendry at knuckles /etc/wireguard $ sudo modinfo wireguard
filename:       /lib/modules/5.0.21_1/kernel/net/wireguard.ko.gz
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        0.0.20190702
author:         Jason A. Donenfeld <Jason at zx2c4.com>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     1A86B7E30E05E9B1FD6681E
depends:        udp_tunnel,ip6_udp_tunnel
retpoline:      Y
name:           wireguard
vermagic:       5.0.21_1 SMP preempt mod_unload modversions


I can connect to the machine just fine, but the forwarding doesn't
work! Docker is fine. Bizarre!

hendry at knuckles /etc/wireguard $ cat /proc/sys/net/ipv4/ip_forward
1
hendry at knuckles /etc/wireguard $ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE
match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE
match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:9115
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:hbci

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp
dpt:ddi-tcp-1 to:172.17.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp
dpt:9115 to:172.17.0.3:9115
DNAT       tcp  --  anywhere             anywhere             tcp
dpt:cisco-sccp to:172.17.0.4:3000


So, any tips on how to debug this? I tried creating a veth interface, but
I don't quite grok how veth0@veth1 & veth1@veth0 are supposed to work.


Thanks in advance!
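The post only shows the nat table, yet the filter-table FORWARD chain, whose policy Docker sets to DROP when it starts, is where packets to and from a wg interface are actually allowed or dropped. As an added example (not from the post or the WireGuard project), here is a POSIX shell check that reads `iptables -S FORWARD` output and reports whether traffic is accepted in both directions through the tunnel; the interface name `wg0` and the sample rule dump are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): audit `iptables -S FORWARD` output for the
# rules a WireGuard gateway needs. The post's PostUp only accepts packets that
# enter via the tunnel; once Docker has set the FORWARD policy to DROP, the
# replies going back out through the tunnel also need an explicit ACCEPT.
#
# Usage: iptables -S FORWARD | check_forward wg0   (rule dump is read on stdin)
# Returns 0 when both directions are covered, 1 otherwise.
check_forward() {
  wgif="$1"
  rules=$(cat)
  rc=0

  if printf '%s\n' "$rules" | grep -q -- '^-P FORWARD DROP'; then
    echo "note: FORWARD policy is DROP, so both directions need an ACCEPT rule"
  fi

  # Direction 1: packets arriving from the tunnel (what the post's PostUp adds).
  if printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i $wgif .*-j ACCEPT"; then
    echo "ok: traffic entering from $wgif is accepted"
  else
    echo "missing: -A FORWARD -i $wgif -j ACCEPT"
    rc=1
  fi

  # Direction 2: replies leaving via the tunnel, satisfied either by an explicit
  # "-o wg0 ... ACCEPT" or by a RELATED,ESTABLISHED rule that is not tied to
  # some other interface (Docker's own one is restricted to "-o docker0").
  if printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -o $wgif .*-j ACCEPT"; then
    echo "ok: replies leaving via $wgif are accepted"
  elif printf '%s\n' "$rules" | grep -E -- '--(ctstate|state) RELATED,ESTABLISHED.*-j ACCEPT' \
       | grep -qv -- ' -o '; then
    echo "ok: a general RELATED,ESTABLISHED rule covers replies into $wgif"
  else
    echo "missing: -A FORWARD -o $wgif -j ACCEPT (or a general RELATED,ESTABLISHED rule)"
    rc=1
  fi
  return $rc
}

# Constructed sample: a Docker host after the post's PostUp has run
# (Docker's own rules abbreviated). Direction 2 is reported as missing.
sample_rules='-P FORWARD DROP
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT'
printf '%s\n' "$sample_rules" | check_forward wg0 || echo "result: forwarding rules incomplete"
```

On the live host, run `sudo iptables -S FORWARD | check_forward wg0` after the interface is up, since wg-quick substitutes `%i` with the real interface name only at that point.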

