After trying and failing to figure out why my configuration isn't
working, I'm posting my configuration here in hopes that someone can
spot my error.
I have two routers on two separate networks connected over the
internet with wireguard. The hosts on these 2 networks have access to
one another (e.g. each router forwards to the other site, over the wireguard tunnel).
Now, I want to also connect my laptop to these two networks over the
internet, and also my android phone. Neither of these are working.
When I try to connect from the laptop (named valyria in the
configuration below), "sudo wg" shows nonzero bytes sent to one of the
endpoints, but zero bytes received.
What steps can I take to debug further? The public ips and private
keys have been redacted in the info below, but I've double checked
that they match up. Thanks.
(Note: I also sent this to the wireguard devel mailing list but got no answer. AFAIK there's no wg-users mailing list).
-Todd
(configuration follows, sorry if it's long).
(asgard - site 1, 192.168.98/24
bifrost - site 2, 192.168.99/24
valyria - laptop
pixel - android phone)
=== Valyria (laptop): ===
todd@valyria ~
0 % sudo cat /etc/wireguard/wg0.conf
# valyria
[Interface]
Address = 10.0.0.4/24
PrivateKey = <private key>
# asgard
[Peer]
PublicKey = NHHni6R4iwrc0ukcz7TgqjTLD+cMdfpw7TPdDm2h9BA=
AllowedIps = 192.168.98.0/24, 10.0.0.3
Endpoint = <internet routable public ipv4 for asgard>:7000
# bifrost
[Peer]
PublicKey = SgnFzbmuKMzXFf0feAj2kMG4Z7qtIxyy+iGBFg4jTXs=
AllowedIps = 192.168.99.0/24, 10.0.0.2
Endpoint = <internet routable public ipv4 for bifrost>:7000
todd@valyria ~
0 % sudo wg
interface: wg0
  public key: NX7x+ha0moLIKb7/oBeinqRb4Eau4mx3mJW0n3G9LQs=
  private key: (hidden)
  listening port: 47635

peer: NHHni6R4iwrc0ukcz7TgqjTLD+cMdfpw7TPdDm2h9BA=
  endpoint: <internet routable public ipv4 for asgard>:7000
  allowed ips: 192.168.98.0/24, 10.0.0.3/32

peer: SgnFzbmuKMzXFf0feAj2kMG4Z7qtIxyy+iGBFg4jTXs=
  endpoint: <internet routable public ipv4 for bifrost>:7000
  allowed ips: 192.168.99.0/24, 10.0.0.2/32
  transfer: 0 B received, 4.19 KiB sent
=== Site 1 (asgard, 192.168.98/24): ===
todd@asgard ~
0 asgard % cat /etc/wireguard/etc/wireguard/wg0.conf
# asgard
[Interface]
Address = 10.0.0.3/24
ListenPort = 7000
PrivateKey = <private key>
# bifrost
[Peer]
PublicKey = SgnFzbmuKMzXFf0feAj2kMG4Z7qtIxyy+iGBFg4jTXs=
AllowedIps = 10.0.0.2, 192.168.99.0/24
Endpoint = <internet routable public ipv4 for bifrost>:7000
# valyria
[Peer]
PublicKey = NX7x+ha0moLIKb7/oBeinqRb4Eau4mx3mJW0n3G9LQs=
AllowedIps = 10.0.0.4
# pixel
[Peer]
PublicKey = Z2EDTQkko64rEVuJset4Z1l8+Xmse3buU7Y1/1w8MhQ=
AllowedIps = 10.0.0.5
todd@asgard ~
0 asgard % sudo wg
interface: wg0
  public key: NHHni6R4iwrc0ukcz7TgqjTLD+cMdfpw7TPdDm2h9BA=
  private key: (hidden)
  listening port: 7000

peer: SgnFzbmuKMzXFf0feAj2kMG4Z7qtIxyy+iGBFg4jTXs=
  endpoint: <internet routable public ipv4 for bifrost>:7000
  allowed ips: 192.168.99.0/24, 10.0.0.2/32
  latest handshake: 53 seconds ago
  transfer: 108.03 MiB received, 92.82 MiB sent

peer: NX7x+ha0moLIKb7/oBeinqRb4Eau4mx3mJW0n3G9LQs=
  allowed ips: 10.0.0.4/32

peer: Z2EDTQkko64rEVuJset4Z1l8+Xmse3buU7Y1/1w8MhQ=
  allowed ips: 10.0.0.5/32
=== Site 2 (bifrost, 192.168.99/24): ===
todd@bifrost ~
0 bifrost % cat /etc/wireguard/etc/wireguard/wg0.conf
# bifrost
[Interface]
Address = 10.0.0.2/24
ListenPort = 7000
PrivateKey = <private key>
# asgard
[Peer]
PublicKey = NHHni6R4iwrc0ukcz7TgqjTLD+cMdfpw7TPdDm2h9BA=
AllowedIps = 192.168.98.0/24, 10.0.0.3
Endpoint = <internet routable public ipv4 for asgard>:7000
# pixel
[Peer]
PublicKey = Z2EDTQkko64rEVuJset4Z1l8+Xmse3buU7Y1/1w8MhQ=
AllowedIps = 10.0.0.5
# valyria
[Peer]
PublicKey = NX7x+ha0moLIKb7/oBeinqRb4Eau4mx3mJW0n3G9LQs=
AllowedIps = 10.0.0.4
todd@bifrost ~
bifrost % sudo wg
interface: wg0
  public key: SgnFzbmuKMzXFf0feAj2kMG4Z7qtIxyy+iGBFg4jTXs=
  private key: (hidden)
  listening port: 7000

peer: NHHni6R4iwrc0ukcz7TgqjTLD+cMdfpw7TPdDm2h9BA=
  endpoint: <internet routable public ipv4 for asgard>:7000
  allowed ips: 192.168.98.0/24, 10.0.0.3/32
  latest handshake: 1 minute, 32 seconds ago
  transfer: 92.62 MiB received, 107.93 MiB sent

peer: Z2EDTQkko64rEVuJset4Z1l8+Xmse3buU7Y1/1w8MhQ=
  allowed ips: 10.0.0.5/32

peer: NX7x+ha0moLIKb7/oBeinqRb4Eau4mx3mJW0n3G9LQs=
  allowed ips: 10.0.0.4/32
Last edited by hossbeast (2018-12-16 06:18:00)
Figured it out. I needed to explicitly permit traffic on the wireguard listening port, on the routers.
This is not necessary when it's just the routers talking to each other, because they both initiate a connection, and both permit existing connections.
But it's necessary for a connect-only peer (laptop, phone). Obvious in retrospect.
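As an added example (not from the thread), a small Python checker that encodes the diagnosis above: it parses a wg-quick config to find peers with no Endpoint (which can only reach the router by initiating, so inbound UDP to ListenPort must be permitted on the router's firewall), and flags peers in `wg` output that show bytes sent but nothing received. The sample config, `wg` output, keys and addresses are constructed placeholders modelled on this thread.

```python
import re
# Constructed samples modelled on the thread (keys and public IPs are placeholders).
ASGARD_CONF = """\
[Interface]
ListenPort = 7000
[Peer]  # bifrost, the other router: has an Endpoint, so asgard can dial it
PublicKey = <bifrost pubkey>
Endpoint = <bifrost public ip>:7000
[Peer]  # valyria, the laptop: no Endpoint, so it has to dial in
PublicKey = <valyria pubkey>
AllowedIps = 10.0.0.4
"""
VALYRIA_WG_SHOW = """\
peer: <asgard pubkey>
  transfer: 0 B received, 4.19 KiB sent
"""

def parse_wg_conf(text):
    """(interface, [peers]) with lower-cased keys; wg(8) matches keys
    case-insensitively, so the thread's 'AllowedIps' spelling is fine."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            sections.append({"_section": line.strip("[]").lower()})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[-1][key.strip().lower()] = value.strip()
    interface = next(s for s in sections if s["_section"] == "interface")
    return interface, [s for s in sections if s["_section"] == "peer"]

def udp_port_to_open(conf_text):
    """(ListenPort, [peers without Endpoint]); such peers can only reach this host
    by initiating, so its firewall must accept inbound UDP on that port."""
    interface, peers = parse_wg_conf(conf_text)
    dial_in = [p["publickey"] for p in peers if "endpoint" not in p]
    if not dial_in:
        return None, []  # every peer is dialled out to; conntrack alone suffices
    if "listenport" not in interface:
        raise ValueError("peers without Endpoint need a fixed ListenPort")
    return int(interface["listenport"]), dial_in

def unanswered_peers(wg_show_text):
    """Peers with bytes sent, 0 B received and no handshake: the thread's symptom."""
    stalled = []
    for block in re.split(r"^peer: ", wg_show_text, flags=re.M)[1:]:
        m = re.search(r"transfer: (\S+) \S+ received, (\S+) \S+ sent", block)
        if m and m.group(1) == "0" and m.group(2) != "0" and "latest handshake" not in block:
            stalled.append(block.split("\n", 1)[0].strip())
    return stalled
```

Run `udp_port_to_open` over each router's config to see which UDP port the firewall must accept, and `unanswered_peers` over the output of `sudo wg` on the client to spot initiations that are being dropped.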