On Mon, 6 Dec 2021 14:59:45 -0500 Dan Ritter <d...@randomstring.org> wrote:
> So iorich here is allowed to construct a tunnel to hawk, but no IPs
> from hawk are allowed...
>
> Add 10.0.2.1 to iorich's understanding of hawk's allowed ips.

Thanks. That helped, I think. I added AllowedIPs = 0.0.0.0/0 to iorich's (the client) configuration in the peer section. Now:

root@iorich:/etc/wireguard# wg
interface: wg0
  public key: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
  private key: (hidden)
  listening port: 41490
  fwmark: 0xca6c

peer: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
  endpoint: 72.36.20.38:55820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 23 seconds ago
  transfer: 1.87 KiB received, 11.31 KiB sent

root@iorich:/etc/wireguard# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.

--- 10.0.2.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4089ms

root@iorich:/etc/wireguard# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.31  0.0.0.0         UG    600    0        0 wls3
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wls3
192.168.100.0   0.0.0.0         255.255.255.0   U     600    0        0 wls3
192.168.122.0   192.168.100.6   255.255.255.0   UG    600    0        0 wls3
192.168.124.0   192.168.100.16  255.255.255.0   UG    600    0        0 wls3

root@iorich:/etc/wireguard# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.2.2  netmask 255.255.255.0  destination 10.0.2.2
        inet6 fc00:23:5::2  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 59  bytes 3628 (3.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 229  bytes 24840 (24.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@iorich:/etc/wireguard#

And on the server:

root@hawk:/etc/wireguard# wg
interface: wg0
  public key: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
  private key: (hidden)
  listening port: 55820

peer: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
  endpoint: 192.168.10.1:41490
  allowed ips: 10.0.2.0/24
  latest handshake: 1 minute, 43 seconds ago
  transfer: 9.81 KiB received, 2.02 KiB sent

root@hawk:/etc/wireguard# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.31  0.0.0.0         UG    0      0        0 enp3s0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
192.168.124.0   192.168.100.16  255.255.255.0   UG    0      0        0 enp3s0

root@hawk:/etc/wireguard# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 253  bytes 26204 (25.5 KiB)
        RX errors 10  dropped 0  overruns 0  frame 10
        TX packets 71  bytes 4132 (4.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@hawk:/etc/wireguard#

Ping isn't getting through, but at least it isn't complaining. Wg shows data moving through the tunnel.

I suspect a firewall/NATting issue, so I will start tracking that down. Hawk's endpoint is the inner IF of my firewall, and iorich's endpoint is the external IF of the firewall, so that makes sense.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
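As an added example (not code from this thread or from the WireGuard project), here is a small Python checker that parses `wg show` output from both ends of a tunnel and tests the two cryptokey-routing conditions Dan's reply points at: the remote tunnel address must fall inside the local peer entry's AllowedIPs, or the kernel never hands packets for it to that peer; and the local tunnel address must fall inside the remote peer entry's AllowedIPs, or the remote discards the decrypted packets after the handshake. The two sample outputs are constructed from the addresses in this thread with placeholder keys, and the "before" case in the usage is a constructed guess at a client that only lists its own address.

```python
import ipaddress

# Constructed `wg show` samples modelled on the thread's outputs (placeholder keys,
# the thread's addresses). Not captured from the real hosts.
CLIENT_SHOW = """\
interface: wg0
  public key: CLIENT_PUB_PLACEHOLDER
  private key: (hidden)
  listening port: 41490
  fwmark: 0xca6c

peer: SERVER_PUB_PLACEHOLDER
  endpoint: 72.36.20.38:55820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 23 seconds ago
  transfer: 1.87 KiB received, 11.31 KiB sent
"""

SERVER_SHOW = """\
interface: wg0
  public key: SERVER_PUB_PLACEHOLDER
  private key: (hidden)
  listening port: 55820

peer: CLIENT_PUB_PLACEHOLDER
  endpoint: 192.168.10.1:41490
  allowed ips: 10.0.2.0/24
  latest handshake: 1 minute, 43 seconds ago
  transfer: 9.81 KiB received, 2.02 KiB sent
"""


def parse_wg_show(text):
    """Parse `wg show` text into {'public_key': str, 'peers': {pubkey: {...}}}."""
    iface = {"public_key": None, "peers": {}}
    current = None  # the dict being filled: the interface or one peer
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface:"):
            current = iface
            continue
        if line.startswith("peer:"):
            current = {"allowed_ips": [], "handshake": False, "endpoint": None}
            iface["peers"][line.split(":", 1)[1].strip()] = current
            continue
        if current is None or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))  # endpoint keeps its port
        if field == "public key":
            current["public_key"] = value
        elif field == "allowed ips":
            current["allowed_ips"] = [ipaddress.ip_network(p.strip(), strict=False)
                                      for p in value.split(",") if p.strip() != "(none)"]
        elif field == "latest handshake":
            current["handshake"] = True  # the line is only printed after a completed handshake
        elif field == "endpoint":
            current["endpoint"] = value
    return iface


def covered(addr, networks):
    """WireGuard's cryptokey-routing test: does addr fall inside any AllowedIPs entry?"""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in networks if n.version == a.version)


def check_tunnel(local_show, local_addr, remote_show, remote_addr):
    """Return a list of findings explaining why local_addr -> remote_addr may not flow."""
    local, remote = parse_wg_show(local_show), parse_wg_show(remote_show)
    peer_here = local["peers"].get(remote["public_key"])
    peer_there = remote["peers"].get(local["public_key"])
    if peer_here is None:
        return [f"local side has no peer entry for {remote['public_key']}"]
    if peer_there is None:
        return [f"remote side has no peer entry for {local['public_key']}"]
    findings = []
    # Outbound: packets are only encrypted to this peer if the destination matches AllowedIPs.
    if not covered(remote_addr, peer_here["allowed_ips"]):
        findings.append(f"{remote_addr} is not in the local AllowedIPs for the remote peer; "
                        "packets to it are never sent through the tunnel")
    # Inbound at the remote: decrypted packets with a source outside AllowedIPs are dropped.
    if not covered(local_addr, peer_there["allowed_ips"]):
        findings.append(f"{local_addr} is not in the remote AllowedIPs for the local peer; "
                        "the remote drops packets from it after decryption")
    for net in peer_here["allowed_ips"]:
        if net.prefixlen == 0:
            findings.append(f"local AllowedIPs contains {net}: all traffic of that address "
                            "family is routed into the tunnel, not only the tunnel subnet")
    if not (peer_here["handshake"] and peer_there["handshake"]):
        findings.append("no completed handshake on at least one side: check keys, endpoint "
                        "and UDP reachability before looking at AllowedIPs")
    return findings


if __name__ == "__main__":
    # The thread's state after the change: both coverage checks pass, 0.0.0.0/0 is flagged.
    for f in check_tunnel(CLIENT_SHOW, "10.0.2.2", SERVER_SHOW, "10.0.2.1"):
        print("after:", f)
    # Constructed "before" state: client lists only its own /32 as the peer's AllowedIPs.
    for f in check_tunnel(CLIENT_SHOW.replace("0.0.0.0/0", "10.0.2.2/32"),
                          "10.0.2.2", SERVER_SHOW, "10.0.2.1"):
        print("before:", f)
```

With the thread's post-change state both routing conditions hold, so AllowedIPs is no longer the reason the ping fails; the one finding is that `0.0.0.0/0` makes hawk a default-route peer for every IPv4 destination rather than only the tunnel subnet, which is a much wider grant than the `10.0.2.1/32` (or `10.0.2.0/24`) that Dan's suggestion needs.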