need a hand with WG setup

Hristo Georgiev hristo.metal at gmail.com
Tue Sep 3 10:28:15 CEST 2019


Hello Dimitar,
The WG module is doing the routing for you; in most cases you don't need PostUp and PostDown scripts. You need SNAT (MASQUERADE) only if you want to route all your internet traffic, like 0.0.0.0/0.
For site-to-site you need to enable forwarding, which most routers do anyway.
Let's assume you have Site A with network 192.168.1.*/24 and Site B with network 192.168.2.*/24.
On site A you have router A1 with internal IP 192.168.1.1, VPN IP 10.8.10.1 and public IP x.x.x.x.
On site B you have router B1 with internal IP 192.168.2.1, VPN IP 10.8.10.2 and public IP y.y.y.y.
Your config is going to look like this:

— A1 config — 
[Interface]
PrivateKey = YourA1PrivateKeyHere
Address = 10.8.10.1/32
ListenPort = 51820

[Peer]
PublicKey = YourB1PublicKeyHere
AllowedIPs = 10.8.10.0/24, 192.168.2.0/24
Endpoint = y.y.y.y:51820   #B1 public IP

————————————————

— B1 config — 
[Interface]
PrivateKey = YourB1PrivateKeyHere
Address = 10.8.10.2/32
ListenPort = 51820

[Peer]
PublicKey = YourA1PublicKeyHere
AllowedIPs = 10.8.10.0/24, 192.168.1.0/24
Endpoint = x.x.x.x:51820   #A1 public IP
 
That is everything!

Example 2: now let's make B1 a gateway for Client 1, routing all of its internet traffic out B1's default gate eth0.
In B1 config add:
# Enable SNAT only if B1 is not a gateway yet, otherwise you don't need this script
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#Client 1
[Peer]
PublicKey = YourClient1PublicKeyHere
AllowedIPs = 10.8.10.5/32

————————————————

— Client 1 config —
[Interface]
PrivateKey = YourClient1PrivateKeyHere
Address = 10.8.10.5/32

#B1 gate
[Peer]
PublicKey = YourB1PublicKeyHere
AllowedIPs = 10.8.10.0/24, 0.0.0.0/0
Endpoint = y.y.y.y:51820   #B1 public IP
PersistentKeepalive = 25

That's it. In this example Client 1 is behind NAT and it's changing networks often; that's why we don't have an Endpoint for it and instead we use keepalive.

Cheers,
Hristo
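As an added illustration (not part of Hristo's mail or the WireGuard project), a small Python checker for the AllowedIPs pitfalls this thread turns on: host bits left in a prefix, a 0.0.0.0/0 route that needs the remote side to forward and masquerade, and the same prefix claimed by two peers. The parser and the sample input are constructed here; the sample is the Client 1 config as posted.

```python
"""Sanity-check AllowedIPs in a WireGuard config (cryptokey routing)."""
import ipaddress

# Constructed sample: the Client 1 config from the mail above, AllowedIPs
# written exactly as posted (host bits set, plus a default route).
CLIENT1_CONF = """
[Interface]
PrivateKey = YourClient1PrivateKeyHere
Address = 10.8.10.5/32
[Peer]
PublicKey = YourB1PublicKeyHere
AllowedIPs = 10.8.10.2/24, 0.0.0.0/0
Endpoint = y.y.y.y:51820   #B1 public IP
PersistentKeepalive = 25
"""

def parse_wg(text):
    """Minimal parser ('#' starts a comment, as in wg(8)); returns (interface, peers)."""
    interface, peers = {}, []
    section = interface
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[peer]":
            section = {}
            peers.append(section)
        elif line.lower() == "[interface]":
            section = interface
        else:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return interface, peers

def check_allowed_ips(text):
    """Warn on host bits set (kernel masks them), a default route (remote side
    must forward + masquerade) and one prefix on two peers (it moves to the
    later peer; longest-prefix overlap such as /0 beside /32 is fine)."""
    warnings, owner = [], {}  # owner: network -> index of the peer holding it
    for i, peer in enumerate(parse_wg(text)[1]):
        for entry in filter(None, (e.strip() for e in peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(entry, strict=False)
            if str(net) != entry:
                warnings.append(f"peer {i}: {entry} has host bits set, kernel installs {net}")
            if net.prefixlen == 0:
                warnings.append(f"peer {i}: {net} sends all traffic via this peer")
            if owner.get(net, i) != i:
                warnings.append(f"peer {i}: {net} was on peer {owner[net]}, it moves here")
            owner[net] = i
    return warnings
```

Run it over each side's config before bringing the tunnel up; a site-to-site pair should produce no warnings, while a road-warrior client with 0.0.0.0/0 should produce exactly one.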


> On 2 Sep 2019, at 13:00, wireguard-request at lists.zx2c4.com wrote:
> 
> Message: 1
> Date: Sun, 1 Sep 2019 14:03:18 +0300
> From: Dimitar Vassilev <dimitar.vassilev at gmail.com>
> To: Kalin KOZHUHAROV <me.kalin at gmail.com>
> Cc: WireGuard mailing list <wireguard at lists.zx2c4.com>
> Subject: Re: need a hand with WG setup
> Message-ID:
> 	<CAF+AZZVKOQFfk53e24KO7kFR3cxEuqnJgpnejhvTP5BuVJDbng at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> On 28.08.2019 at 13:56, Dimitar Vassilev <dimitar.vassilev at gmail.com> wrote:
> 
>> Hi Kalin,
>> 
>> 1. Disable the FW and test.
>>> 
>> Tried - disabling one fw shows wg traffic flowing.
>> 
>> 
>>> 2. Try ping from one router to the other using the configured public IP
>>> address
>>> 
>>> That works as well with the default fw config on OpenWRT/LEDE/LibreCMC
>> 
>> 
>>> 3. Ping the other using the WG IP address
>>> 
>>> my problem is that ping between the WG IP addresses is not working. I see
>> some PostUp and Postdown examples in the regular configurations like the
>> ones below
>> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
>> POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
>> ip6tables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
>> POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
>> ip6tables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
>> In the LEDE/OpenWRT derivatives those are marked in the GUI with
>> MASQUERADE and route allowed ips options, but still I'm getting stuck.  I
>> moved my VPN network from /25 to another /24 and still was stuck.
>> 
>>> If all runs them it is a routing problem left to solve...
>>> 
>>> Agree. I'm a bit at loss which routing - the kernel one or the forwarding
>> of packets. Will tear down and start from scratch with another test.
>> 
>>> Kalin.
>>> 
>> 
> Hello all,
> 
> Problem solved via a trivial solution - add my origin VPN endpoint IP into
> the list of AllowedIPs for the peer. Used
> https://forum.openwrt.org/t/solved-setup-wireguard-connecting-two-networks/4215
> to achieve this.
> At least in this setup I see the packets flowing in both directions - RX and TX.
> My next questions are:
> 
>   -  is this normal since I'm behind NAT or there are some OpenWRT
>   /Wireguard specifics I'm missing? In the docs and examples I see examples
>   with just peer IPs added
>   - what should I do to make the flow to a private subnet in DMZ on site B
>   from site A ?
> 
> Thanks,
> Dimitar