ICMP redirect messages through wg
2rw3n at mailo.com
Fri Oct 22 21:47:00 UTC 2021
Dear all,
I hope this is the right place to ask my question. Sorry if it is not. I have set up a WireGuard VPN with 1 server A (192.168.100.1, with a public IP, running OpenBSD) and 2 clients, B (192.168.100.2, at home behind the ISP router 192.168.1.1, running Ubuntu) and C (192.168.100.3, at work behind a university network, running OpenBSD). The VPN works, I mean I can ssh everywhere. Ping also works of course, but when I ping from B to C or from C to B I get an ICMP redirect message:
192.168.100.1 > 192.168.100.3: icmp: redirect 192.168.100.2 to host 192.168.100.2
and
192.168.100.1 > 192.168.100.2: icmp: redirect 192.168.100.3 to host 192.168.100.3
If I understand well, it is because I have a sub-optimal routing table. Also, the messages can be ignored with net.inet.ip.redirect=0 on the server (I tried, and the messages are indeed ignored). But I would like to understand where I lose this optimality, to improve my network (and increase my knowledge :o), because I use the default config provided by the wireguard tools. More details on my configuration are below.
Thanks for your kind help,
2rw3n.
On server A:
------------------
* Interface
wg0: flags=81c3<UP,BROADCAST,RUNNING,NOARP,PROMISC,MULTICAST> mtu 1420
index 4 priority 0 llprio 3
wgport XXX
wgpubkey XXX
wgpeer client B pubkey
wgendpoint X.X.X.X XXX
tx: 1044, rx: 1244
last handshake: 3 seconds ago
wgaip 192.168.100.2/32
wgpeer client C pubkey
wgendpoint X.X.X.X XXX
tx: 12864, rx: 12796
last handshake: 75 seconds ago
wgaip 192.168.100.3/32
groups: wg
inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
* Routing tables (XXX.XXX.XXX.242 is the public IP)
Destination Gateway Flags Refs Use Mtu Prio Iface
default XXX.XXX.XXX.1 UGS 10 1136 - 8 vio0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 1 2 32768 1 lo0
XXX.XXX.XXX.1 32:8d:e2:42:a6:79 UHLch 1 25 - 7 vio0
XXX.XXX.XXX.1/32 XXX.XXX.XXX.242 UCS 1 0 - 8 vio0
XXX.XXX.XXX.242 fa:16:3e:db:cf:4b UHLl 0 760 - 1 vio0
XXX.XXX.XXX.242/32 XXX.XXX.XXX.242 UCn 0 0 - 4 vio0
192.168.100/24 192.168.100.1 UCn 2 2 - 4 wg0
192.168.100.1 wg0 UHl 0 0 - 1 wg0
192.168.100.2 link#0 UHc 0 20 - 3 wg0
192.168.100.3 link#0 UHc 1 16 - 3 wg0
192.168.100.255 192.168.100.1 UHb 0 0 - 1 wg0
On client B:
---------------
* Interface
interface: wg0
public key: XXX
private key: (hidden)
listening port: XXX
peer: server A pubkey
endpoint: server A public IP:XXX
allowed ips: 192.168.100.0/24
latest handshake: 11 seconds ago
transfer: 38.16 KiB received, 39.15 KiB sent
persistent keepalive: every 25 seconds
* Routes
default via 192.168.1.1 dev wlp0s20f3 proto dhcp metric 600
169.254.0.0/16 dev wlp0s20f3 scope link metric 1000
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.21 metric 600
192.168.100.0/24 dev wg0 proto kernel scope link src 192.168.100.2
and
Destination Passerelle Genmask Indic MSS Fenêtre irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlp0s20f3
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlp0s20f3
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlp0s20f3
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
On client C:
-----------------
* Interface
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
index 4 priority 0 llprio 3
wgport XXX
wgpubkey XXX
wgpeer server A pubkey
wgpka 20 (sec)
wgendpoint server A public IP XXX
tx: 1053728, rx: 1269212
last handshake: 32 seconds ago
wgaip 192.168.100.0/24
groups: wg
inet 192.168.100.3 netmask 0xffffff00 broadcast 192.168.100.255
* Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 10.16.39.254 UGS 6 66 - 8 em0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
10.16.38/23 10.16.38.180 UCn 1 1645 - 4 em0
10.16.38.180 b0:7b:25:1e:e7:04 UHLl 0 11950 - 1 em0
10.16.39.254 40:71:83:3a:a9:c0 UHLch 1 901 - 3 em0
10.16.39.255 10.16.38.180 UHb 0 3207 - 1 em0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 1 6 32768 1 lo0
192.168.100/24 192.168.100.3 UCn 2 0 - 4 wg0
192.168.100.1 link#0 UHc 1 18 - 3 wg0
192.168.100.2 link#0 UHc 2 81 - L 3 wg0
192.168.100.3 wg0 UHl 0 252 - 1 wg0
192.168.100.255 192.168.100.3 UHb 0 0 - 1 wg0
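The following Python model is an added illustration and is not code from the post, from OpenBSD or from WireGuard. It applies the generic ICMP redirect rule (RFC 1812: a router sends a host redirect when it forwards a packet out the same interface it arrived on and the source address lies in that interface's network) to a routing table constructed from server A's table above, with the public addresses replaced by placeholders. It also models the clients' cryptokey routing from the "allowed ips 192.168.100.0/24" entries, which shows that the next hop named in the redirect maps to the same peer (server A) either way. The `/32` interface configuration at the end is an assumed alternative, not something the post describes.

```python
"""Model of when an IPv4 router emits an ICMP host redirect, applied to the
routing table posted for server A. Added example; addresses shown as XXX in
the post are replaced by documentation-range placeholders."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination in CIDR form
    gateway: Optional[str]      # None: destination reachable directly on iface
    iface: str


# Constructed from the post's server-A table (only entries relevant to
# forwarding are kept). XXX.XXX.XXX.1 / .242 are placeholders here.
SERVER_A_ROUTES: List[Route] = [
    Route("0.0.0.0/0", "192.0.2.1", "vio0"),        # default via ISP gateway
    Route("192.168.100.0/24", None, "wg0"),         # 192.168.100/24 UCn wg0
    Route("192.168.100.2/32", None, "wg0"),         # cloned host route to peer B
    Route("192.168.100.3/32", None, "wg0"),         # cloned host route to peer C
]
SERVER_A_IFACES: Dict[str, IPv4Interface] = {
    "vio0": IPv4Interface("192.0.2.242/24"),        # placeholder public address
    "wg0": IPv4Interface("192.168.100.1/24"),       # netmask 0xffffff00 as posted
}
# Assumed alternative (NOT from the post): wg0 numbered with a /32 so that
# no peer source address falls inside the interface's own network.
SERVER_A_IFACES_HOST: Dict[str, IPv4Interface] = {
    "vio0": IPv4Interface("192.0.2.242/24"),
    "wg0": IPv4Interface("192.168.100.1/32"),
}


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        net = IPv4Network(r.prefix)
        if addr in net and (best is None
                            or net.prefixlen > IPv4Network(best.prefix).prefixlen):
            best = r
    return best


def forward(routes: List[Route], ifaces: Dict[str, IPv4Interface], src: str,
            dst: str, in_iface: str, send_redirects: bool = True
            ) -> Tuple[str, IPv4Address, Optional[IPv4Address]]:
    """Return (out_iface, next_hop, redirect_target).

    redirect_target is None unless the router would send an ICMP host
    redirect: packet leaves on the interface it arrived on AND the source
    is inside that interface's network. send_redirects=False models the
    post's sysctl net.inet.ip.redirect=0 on the server."""
    route = lookup(routes, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    next_hop = IPv4Address(route.gateway) if route.gateway else IPv4Address(dst)
    redirect: Optional[IPv4Address] = None
    if (send_redirects and route.iface == in_iface
            and IPv4Address(src) in ifaces[route.iface].network):
        redirect = next_hop
    return route.iface, next_hop, redirect


# Clients' cryptokey routing, from the post: the only peer is server A with
# allowed ips 192.168.100.0/24 (client B) / wgaip 192.168.100.0/24 (client C).
CLIENT_PEERS: Dict[str, List[str]] = {"server A": ["192.168.100.0/24"]}


def wg_peer_for(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Pick the peer whose AllowedIPs holds the longest prefix covering dst."""
    addr = ip_address(dst)
    best: Optional[Tuple[str, int]] = None
    for peer, prefixes in peers.items():
        for p in prefixes:
            net = IPv4Network(p)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    # B pings C through A: same in/out interface, source in 192.168.100.0/24.
    print(forward(SERVER_A_ROUTES, SERVER_A_IFACES, "192.168.100.2", "192.168.100.3", "wg0"))
    # The redirect tells B to use 192.168.100.3 as next hop; on B that still
    # resolves to peer "server A", so the path does not change.
    print(wg_peer_for(CLIENT_PEERS, "192.168.100.3"))
```

Running the model reproduces the posted trace for traffic between B and C (redirect to host 192.168.100.3 or 192.168.100.2), produces no redirect for traffic leaving via vio0, and produces none when `send_redirects` is off. Because both clients map the whole 192.168.100.0/24 to server A, following the redirect gives the clients no shorter path, which is why the messages are harmless and why ignoring them on the server changes nothing in practice.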