this post was submitted on 16 Aug 2024
15 points (94.1% liked)

Linux

48077 readers
687 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I installed WireGuard on my host and set this configuration /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [REDACTED]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE


[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.4/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.5/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.6/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.7/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.8/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.9/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.10/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.11/32

Nmap scan when wg0 is down:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:26 CDT
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT    STATE    SERVICE
22/tcp  open     ssh
179/tcp filtered bgp

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Nmap scan when wg0 is up:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:27 CDT
All 1000 scanned ports are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 201.43 seconds

I also cannot connect to host via ssh. How to fix this issue?

Upd. Fixed my changing server WireGuard IP to 10.0.1.1. 10.0.0.1 was already taken

all 22 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 2 months ago (3 children)

Because the default route is changing. You have ALL traffic being routed over Wireguard here. How would you expect that to allow the interface routing to work for the local network if you're telling this to punt all traffic to this specific connection?

[–] [email protected] 2 points 2 months ago (1 children)

You have ALL traffic being routed over Wireguard here.

Please correct me if I'm wrong, but isn't it the other way around? All Wireguard traffic is forwarded to the local interface.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

AllowdIPs defines the traffic to be routed. These are single IPs, not subnets.

Edit: discussion talking about this same problem to illustrate: https://forum.gl-inet.com/t/split-tunnel-via-vpn-policy-or-via-wireguard-allowedips-config/31318

[–] [email protected] 1 points 2 months ago (1 children)

I don't think that's what the setting does. Anyway, I have them set to a /32 IP in my server config and it works nonetheless. I get full access to the /24 behind the server from the client.

[–] [email protected] 0 points 2 months ago* (last edited 2 months ago) (1 children)

That's exactly what it does. Easy to see if OP new how to read their route tables.

Here's another: https://serverfault.com/questions/1102455/wireguard-policy-based-routing

[–] [email protected] 1 points 2 months ago (1 children)

What are you trying to say? That reply also shows AllowedIPs set to a /32 on the server side.

[–] [email protected] 0 points 2 months ago (2 children)

For Peers. There's no other route in OPs post. Like they said, when wg0 goes up, he can't reach anything else. All that happens is this interface comes out, changes the routing tables and forwarding, but doesn't go anywhere. It needs to be routed to the existing default gateway of the host. All this does is blackhole to the wg0 interface.

[–] [email protected] 1 points 2 months ago (1 children)

Like I said in another thread on this post, I'm pretty sure that's because they are forwarding input but not output in the PostUp rules. Setting a /32 in AllowedIPs works fine for me.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

Thanks for help. Everything is fixed, read post update

[–] [email protected] 1 points 2 months ago (1 children)

Oh yeah, can't use the same IP range as your LAN, that will lead to problems. :D Glad it's fixed.

Out of curiosity, does forwarding work now without the output (-o) command in PostUp?

[–] [email protected] 1 points 2 months ago

I left PostUp as is and didn't try removing -o))

[–] atzanteol 1 points 2 months ago (1 children)

What "other route" are you expecting to see? My configuration looks very similar to OPs though I have an extra iptables entry in PostUp:

PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

Is that what you mean?

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago)

Thanks for help. Everything is fixed, read post update

[–] [email protected] 1 points 2 months ago (2 children)

I removed all PostUp rules and cleared iptables but still the same problem

[–] [email protected] -1 points 2 months ago

Well, I mean...I can't give you an entire tutorial on how Wireguard works here, but you have it way wrong.

If you're not sure of the concepts and what you're trying to do, I don't know how to answer any questions for you. If you're not familiar with what split-tunneling, subnet routing, and routing tables...you need to get way familiar before you start messing with this.

Your rules aren't the problem. You're only allowing a single IP at a time across many connections here. Learn to read your routing tables and debug from there.

[–] [email protected] 2 points 2 months ago

I think the problem might be your PostUp/PostDown lines have an in-interface (-i) but are missing an out-interface (-o) for the forwarding. Try this:

PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
[–] atzanteol 2 points 2 months ago (1 children)

What does your client config look like? What IP are you connecting to for nmap/ssh?

[–] [email protected] 2 points 2 months ago (1 children)

I didn't connect any client yet.

[–] atzanteol 1 points 2 months ago

Ah - I see.

I can never remember how all the iptables stuff works but here is what I have in my configuration which is basically attempting the same thing:

PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

Mine's a little different and works for me.