Possible routing issue on CentOS 7

randomusername42 randomusername42 at protonmail.com
Wed Jul 24 17:48:32 CEST 2019


Hello,

I am trying to set up a server/client configuration wherein the client
sends ALL network traffic to and through the Wireguard server. I have
set up a CentOS 7 server, a CentOS 7 client, and a Debian 9 client. The
CentOS systems are using wireguard 1:0.0.20190702-1.fc30 from copr. The
Debian system is using wireguard 0.0.20190227-1 from 'sid (unstable)'.

The CentOS server is operational and has the following config:
----------
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = XX

[Peer]
PublicKey = XX
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = XX
AllowedIPs = 10.0.0.3/32

----------

The Debian client is operational and has the following config:
----------
[Interface]
PrivateKey = XX
Address = 10.0.0.2/24
DNS = 1.1.1.1
PostUp = ip route flush cache
PostDown = ip route flush cache

[Peer]
PublicKey = XX
Endpoint = XX:51820
AllowedIPs = 0.0.0.0/0
-----------

Debian client routes (with WG interface active):
-----------
Kernel IP routing table
Destination     Gateway         Genmask       Flags Metric Ref Use Iface
default         192.168.X.1     0.0.0.0         UG   1024   0   0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U    0      0   0 client
192.168.X.0     0.0.0.0         255.255.255.0   U    0      0   0 eth0
----------

CentOS client IS NOT routing traffic over the tunnel. Config:
-----------
[Interface]
PrivateKey = XX
Address = 10.0.0.3/24
DNS = 1.1.1.1
PostUp = ip route flush cache
PostDown = ip route flush cache

[Peer]
PublicKey = XX
Endpoint = XX:51820
AllowedIPs = 0.0.0.0/0
------------

CentOS client routes (with WG interface active):
------------
Kernel IP routing table
Destination     Gateway         Genmask       Flags Metric Ref Use Iface
0.0.0.0         192.168.X.1     0.0.0.0         UG   0      0   0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U    0      0   0 client
192.168.X.0     0.0.0.0         255.255.255.0   U    0      0   0 eth0
-------

In this setup, the Debian client sends all traffic over the tunnel.
I can verify this via watching TCPDUMP, and checking the public IP with
'curl -s checkip.dyndns.com', which returns the ENDPOINT (CentOS 7)
Wireguard server Public IP address.

The CentOS 7 CLIENT does NOT send all the traffic over this established
tunnel. The WG interface comes up and shows data transferred. I can ping
the endpoint wireguard server via 10.0.0.1. I can ping the 10.0.0.3
client from the server. When I run 'curl -s checkip.dyndns.com' on the
CentOS 7 client, I am returned my local Public IP, not the VPN endpoint
Public IP.

I do use the wg-quick utility on all systems to manage the interface.
The CentOS 7 version has a few differences, but nothing that should
cause this anomaly to occur.

Why does the CentOS 7 client NOT route traffic over the tunnel as
expected? How is the same configuration working as expected to tunnel
traffic on the Debian system? Where can I find more information to
explain and fix this issue?
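An added diagnostic, not part of the post above and not wg-quick's own code. It assumes wg-quick's documented handling of AllowedIPs = 0.0.0.0/0: the default route goes into a dedicated routing table (51820 by default, the same value used as the fwmark) and two ip rules steer every packet that does not carry the WireGuard fwmark into that table while still letting more-specific main-table routes win. `route -n`, as quoted for both clients, lists only the main table, so it cannot show whether that set-up exists. The `ip rule show` and `ip route show table all` samples below are constructed (interface name "client" as in the post, addresses invented) and the checker reports which piece is missing.

```python
"""Check whether a wg-quick full-tunnel client has its policy routing in place.

Added example, not from the mailing-list post. Assumes wg-quick's behaviour
for AllowedIPs = 0.0.0.0/0: a default route in table 51820 (the default
table/fwmark value) plus two ip rules. `route -n` shows the main table only.
"""
import re
from typing import List, Tuple

# Constructed sample of `ip rule show` on a client where wg-quick set up the
# full tunnel correctly (interface "client", as in the post).
HEALTHY_RULES = """\
0:\tfrom all lookup local
32764:\tfrom all lookup main suppress_prefixlength 0
32765:\tnot from all fwmark 0xca6c lookup 51820
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed sample of `ip route show table all` on the same client.
HEALTHY_ROUTES = """\
default dev client table 51820 scope link
default via 192.168.0.1 dev eth0 proto static metric 1024
10.0.0.0/24 dev client proto kernel scope link src 10.0.0.3
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
"""

# Constructed sample of a client whose main table looks identical (what
# `route -n` prints) but where none of the wg-quick rules/routes exist.
BROKEN_RULES = """\
0:\tfrom all lookup local
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
BROKEN_ROUTES = "\n".join(HEALTHY_ROUTES.splitlines()[1:]) + "\n"


def parse_rules(text: str) -> List[Tuple[int, str]]:
    """Turn `ip rule show` output into (priority, rule body) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        prio, _, body = line.partition(":")
        rules.append((int(prio), body.strip()))
    return rules


def check_full_tunnel(rules_text: str, routes_text: str,
                      wg_iface: str, table: int = 51820) -> List[str]:
    """Return a list of findings; an empty list means the tunnel is wired up."""
    findings = []
    rules = parse_rules(rules_text)

    # Rule 1: everything without the WireGuard fwmark is looked up in `table`.
    fwmark_re = re.compile(rf"^not from all fwmark 0x[0-9a-f]+ lookup {table}$")
    fwmark_prio = next((p for p, b in rules if fwmark_re.match(b)), None)
    if fwmark_prio is None:
        findings.append(
            f"missing 'not from all fwmark ... lookup {table}' rule: "
            f"unmarked traffic is never steered into table {table}")

    # Rule 2: main-table routes more specific than /0 (LAN, endpoint) win,
    # and this rule must be evaluated before the fwmark rule.
    suppress_prio = next(
        (p for p, b in rules
         if b == "from all lookup main suppress_prefixlength 0"), None)
    if suppress_prio is None:
        findings.append(
            "missing 'lookup main suppress_prefixlength 0' rule: LAN and "
            "endpoint routes would not be consulted before the tunnel")
    elif fwmark_prio is not None and suppress_prio > fwmark_prio:
        findings.append(
            "suppress_prefixlength rule is evaluated after the fwmark rule; "
            "main-table routes can never take precedence")

    # Route: the dedicated table must actually carry a default via the tunnel.
    route_re = re.compile(rf"^default dev {re.escape(wg_iface)} table {table}\b")
    if not any(route_re.match(l.strip()) for l in routes_text.splitlines()):
        findings.append(
            f"no 'default dev {wg_iface}' route in table {table}: unmarked "
            "traffic falls through to the main table's default via eth0")
    return findings


if __name__ == "__main__":
    for label, rules, routes in (("healthy", HEALTHY_RULES, HEALTHY_ROUTES),
                                 ("broken", BROKEN_RULES, BROKEN_ROUTES)):
        problems = check_full_tunnel(rules, routes, "client")
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

To use it on a real client, capture `ip rule show` and `ip route show table all` and pass that text to `check_full_tunnel` with the interface name; `wg show <iface> fwmark` gives the mark that the first rule should reference. Because the two `route -n` listings in the post are equivalent, the difference between the clients, if it is on the routing side, has to be in these rules and in the non-main table rather than in what `route -n` displays.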

