Possible routing issue on CentOS 7
randomusername42
randomusername42 at protonmail.com
Wed Jul 24 17:48:32 CEST 2019
Hello,
I am trying to setup a server/client configuration wherein the client
sends ALL network traffic to and through the Wireguard server. I have
a setup a CentOS 7 server, a CentOS 7 client, and a Debian 9 client. The
CentOS systems are using wireguard 1:0.0.20190702-1.fc30 from copr. The
Debian system is using wiregard 0.0.20190227-1 from 'sid (unstable)'.
The CentOS server is operational and has the following config:
----------
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = XX
[Peer]
PublicKey = XX
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = XX
AllowedIPs = 10.0.0.3/32
----------
The Debian client is operational and has the following config:
----------
[Interface]
PrivateKey = XX
Address = 10.0.0.2/24
DNS = 1.1.1.1
PostUp = ip route flush cache
PostDown = ip route flush cache
[Peer]
PublicKey = XX
Endpoint = XX:51820
AllowedIPs = 0.0.0.0/0
-----------
Debian client routes (with WG interface active):
-----------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.X.1 0.0.0.0 UG 1024 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 client
192.168.X.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
----------
CentOS client IS NOT routing traffic over the tunnel. Config:
-----------
[Interface]
PrivateKey = XX
Address = 10.0.0.3/24
DNS = 1.1.1.1
PostUp = ip route flush cache
PostDown = ip route flush cache
[Peer]
PublicKey = XX
Endpoint = XX:51820
AllowedIPs = 0.0.0.0/0
------------
CentOS client routes (with WG interface active):
------------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.X.1 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 client
192.168.X.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
-------
In this setup, the Debian client sends all traffic over the tunnel.
I can verify this via watching TCPDUMP, and checking the public IP with
'curl -s checkip.dyndns.com', which returns the ENDPOINT (CentOS 7)
Wireguard server Public IP address.
The CentOS 7 CLIENT, does NOT send all the traffic over this established
tunnel. The WG interface comes up and shows data transferred. I can ping
the endpoint wireguard server via the 10.0.0.1. I can ping the 10.0.0.3
client, from the server. When I run 'curl -s checkip.dyndns.com' on the
CentOS 7 client, I am returned my local Public IP, not the VPN endpoint
Public IP.
I do use the wg-quick utility on all systems to manage the interface.
The CentOS 7 version has a few differences, but nothing that should
cause this anomaly to occur.
Why does the CentOS 7 client NOT route traffic over the tunnel as
expected? How is the same configuration working as expected to tunnel
traffic on the Debian system? Where can I find more information to
explain and fix this issue?
More information about the WireGuard
mailing list