Hello,
I am currently playing around with wireguard.
I did the following:
1. I have successfully created a keypair on client and server.
2. I have created config files for my client and my server:
server # cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PrivateKey = <privatekey server>
[Peer]
PublicKey = <public key client>
AllowedIPs = 10.0.0.2/24
client # cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = <private key client>
[Peer]
PublicKey = <public key server>
AllowedIPs = 0.0.0.0/24
Endpoint = 37.120.168.88:51820
PersistentKeepalive = 25
When I do:
server # wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
client # wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.0.0.2/24 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
[#] ip route add 0.0.0.0/24 dev wg0
server # wg
interface: wg0
public key: <public key server>
private key: (hidden)
listening port: 51820
peer: <public key client>
endpoint: 80.187.103.3:31583
allowed ips: 10.0.0.0/24
latest handshake: 6 seconds ago
transfer: 3.79 KiB received, 1.17 KiB sent
client # wg
interface: wg0
public key: <public key client>
private key: (hidden)
listening port: 43601
peer: <public key server>
endpoint: 37.120.168.88:51820
allowed ips: 0.0.0.0/24
latest handshake: 44 seconds ago
transfer: 184 B received, 552 B sent
persistent keepalive: every 25 seconds
server # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:82:ec:f2:e2 brd ff:ff:ff:ff:ff:ff
inet 37.120.168.88/22 brd 37.120.171.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::5054:82ff:feec:f2e2/64 scope link
valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
client # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 08:11:96:05:bb:c4 brd ff:ff:ff:ff:ff:ff
inet 192.168.123.123/24 brd 192.168.123.255 scope global dynamic wlp3s0
valid_lft 42796sec preferred_lft 42796sec
inet6 fdca:f45e:7b7d::5cf/128 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fdca:f45e:7b7d:0:a11:96ff:fe05:bbc4/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::a11:96ff:fe05:bbc4/64 scope link
valid_lft forever preferred_lft forever
3: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether f0:de:f1:83:d5:5e brd ff:ff:ff:ff:ff:ff
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.2/24 scope global wg0
valid_lft forever preferred_lft forever
EDIT:
I can see traffic between the server and the client now. But how can I route all traffic through my server (I want to use it as a VPN)?
When I try to ping 10.0.0.1 (my server) I get the following:
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
From 10.0.0.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.0.2 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.0.2 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
Last edited by Shibumi (2017-12-17 10:30:14)
What does ip r say?
AllowedIPs = 10.0.0.2/24 --> AllowedIPs = 10.0.0.2/32
AllowedIPs = 0.0.0.0/24 --> AllowedIPs = 0.0.0.0/0
Make those two changes and things will probably work.
AllowedIPs = 10.0.0.2/24 --> AllowedIPs = 10.0.0.2/32
AllowedIPs = 0.0.0.0/24 --> AllowedIPs = 0.0.0.0/0
Make those two changes and things will probably work.
Thanks!
The problem was the wrong CIDR for 0.0.0.0. /24 makes no sense, indeed *facepalm*
With 0.0.0.0/0 it works as expected.
I didn't change AllowedIPs = 10.0.0.2/24 because I probably want to add more clients to the server, but thx for the hint.
wg-quick up wg0 sets up the ip routes automatically now.
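An added example, not code from the thread or from the WireGuard project: a small checker for the two AllowedIPs mistakes discussed above, plus a longest-prefix lookup that reproduces why the client got "Required key not available". It uses the config shapes from the posts with placeholder keys (constructed sample data); the extra peer "<public key client 2>" is an assumption to show what happens when a second client is added while the first keeps 10.0.0.2/24. The security point it makes explicit: AllowedIPs is WireGuard's cryptokey routing table, so on the server it is also the set of source addresses accepted from that peer. wg masks off host bits, so 10.0.0.2/24 is installed as 10.0.0.0/24 (exactly what "wg" printed on the server above) and that one client may send packets from any address in the subnet, which is why one /32 per client is the right shape for a multi-client server.

```python
import ipaddress

# Constructed sample configs: the shapes from the thread, keys replaced by placeholders.
SERVER_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <privatekey server>

[Peer]
PublicKey = <public key client>
AllowedIPs = 10.0.0.2/24
"""

CLIENT_CONF_BROKEN = """\
[Interface]
Address = 10.0.0.2/24
PrivateKey = <private key client>

[Peer]
PublicKey = <public key server>
AllowedIPs = 0.0.0.0/24
Endpoint = 37.120.168.88:51820
"""

CLIENT_CONF_FIXED = CLIENT_CONF_BROKEN.replace("0.0.0.0/24", "0.0.0.0/0")

# Constructed (assumption): a second client added while the first still has /24.
SERVER_CONF_TWO_PEERS = SERVER_CONF + """
[Peer]
PublicKey = <public key client 2>
AllowedIPs = 10.0.0.3/32
"""


def parse_conf(text):
    """Split wg-quick style INI text into ([Interface] dict, list of [Peer] dicts).
    Every key maps to a list of values because AllowedIPs may be repeated."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return interface, peers


def allowed_networks(peer):
    """Return (entry_as_written, network_wg_installs) pairs for a peer's AllowedIPs.
    strict=False mirrors wg(8), which silently masks off the host bits."""
    nets = []
    for value in peer.get("AllowedIPs", []):
        for entry in value.split(","):
            entry = entry.strip()
            if not entry:
                continue
            if "/" not in entry:  # bare address means a single host
                entry += "/128" if ":" in entry else "/32"
            nets.append((entry, ipaddress.ip_network(entry, strict=False)))
    return nets


def peer_name(peer):
    return peer.get("PublicKey", ["<no PublicKey>"])[0]


def check_allowed_ips(text):
    """Return human-readable findings: host bits set, or peers whose ranges collide."""
    findings = []
    _, peers = parse_conf(text)
    table = [(peer_name(p), allowed_networks(p)) for p in peers]
    for name, nets in table:
        for entry, net in nets:
            if entry != str(net):
                findings.append(f"peer {name}: AllowedIPs {entry} has host bits set; "
                                f"wg installs it as {net}, so this peer may source any address in {net}")
    for i, (name_a, nets_a) in enumerate(table):
        for name_b, nets_b in table[i + 1:]:
            for _, a in nets_a:
                for _, b in nets_b:
                    if a == b:
                        findings.append(f"peers {name_a} and {name_b} both claim {a}; "
                                        "wg moves it to whichever peer is configured last")
                    elif a.overlaps(b):
                        findings.append(f"peers {name_a} and {name_b}: {a} and {b} overlap; "
                                        "traffic is split by longest prefix, not by peer order")
    return findings


def peer_for(text, destination):
    """Longest-prefix match over AllowedIPs, as the cryptokey routing table does.
    None means no peer owns the address: sendmsg fails with 'Required key not available'."""
    dst = ipaddress.ip_address(destination)
    best_name, best_len = None, -1
    _, peers = parse_conf(text)
    for peer in peers:
        for _, net in allowed_networks(peer):
            if net.version == dst.version and dst in net and net.prefixlen > best_len:
                best_name, best_len = peer_name(peer), net.prefixlen
    return best_name


if __name__ == "__main__":
    for label, conf in [("server", SERVER_CONF), ("client", CLIENT_CONF_BROKEN),
                        ("server + 2 peers", SERVER_CONF_TWO_PEERS)]:
        print(f"== {label}")
        for finding in check_allowed_ips(conf) or ["no findings"]:
            print("  " + finding)
    print("client 0.0.0.0/24, peer for 10.0.0.1:", peer_for(CLIENT_CONF_BROKEN, "10.0.0.1"))
    print("client 0.0.0.0/0,  peer for 10.0.0.1:", peer_for(CLIENT_CONF_FIXED, "10.0.0.1"))
```

Run it against a real /etc/wireguard/wg0.conf by reading the file into check_allowed_ips; the only check wg itself performs is the masking, so the overlap and host-bits findings are what you would otherwise only notice by comparing "wg" output against what you wrote.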