Wireguard can't ping client or server, other WAN traffic unaffected - networking

I'm a total newbie with Wireguard so please be patient with me.
I'm trying to get a peer-to-peer connection between a Windows 10 machine and a Linux (Debian) machine through a Wireguard VPN, which I'm hosting on a separate Linux server. My current setup allows me to remotely connect from an external network to my Wireguard server as a peer and access the internet through it.
However, I cannot ping my server from a peer, my peers from the server or peers from other peers. I've been following this guide. And my server-side configuration (wg0.conf) looks like this:
[Interface]
## Private IP address for the wg0 interface ##
Address = 10.0.0.1/24
## VPN server listening port ##
ListenPort = 51820
## VPN server private key ##
PrivateKey = <snip>
[Peer]
## Client public key ##
PublicKey = <snip>
## Client IP address ##
AllowedIPs = 10.0.0.3/32
[Peer]
## Client public key ##
PublicKey = <snip>
## Client IP address ##
AllowedIPs = 10.0.0.4/32
My Windows 10 peer configuration:
[Interface]
PrivateKey = <snip>
Address = 10.0.0.3/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.1/24
Endpoint = <My server's WAN address>:51820
And my Debian peer configuration:
[Interface]
PrivateKey = <snip>
Address = 10.0.0.4/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.1/24
Endpoint = <My server's WAN address>:51820
I have forwarded the port in question on my server's network for both outbound and inbound traffic. I have also tried additional firewall rules on my server:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
with no effect. In this case "ens3" is the name of my network interface on my server.
Running wg show on my server gives me:
interface: wg0
public key: <server's pub key>
private key: (hidden)
listening port: 51820
peer: <WIN10 peer pub key>
allowed ips: 10.0.0.3/32
peer: <DEB11 peer pub key>
allowed ips: 10.0.0.4/32
And pinging any of the network members fails with a 100% packet loss.
I've obviously omitted my keys and public WAN addresses from these snippets.

Related

Wireguard Client Can't Ping Wireguard Server or Access Resource on WG's LAN

I have a PiVPN running on an RPi B inside my home, port forwarded from my home router, with the following config:
Server - wg0
[Interface]
PrivateKey = XXXX
Address = 10.6.0.1/24
MTU = 1500
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
FwMark = 0xca6c
### begin Client ###
[Peer]
PublicKey = XXXX
PresharedKey = XXXX
AllowedIPs = 0.0.0.0, ::0:0
PersistentKeepalive = 30
### end Client ###
and Client conf
[Interface]
PrivateKey = XXXX
ListenPort = 51820
Address = 10.6.0.2/24
MTU = 1500
[Peer]
PublicKey = XXXX
PresharedKey = XXXX
AllowedIPs = 10.6.0.2/32
Endpoint = DDNS_NAME:51820
PersistentKeepalive = 25
I can see that the server sees a handshake on initial connect, but after that I can't ping, nslookup or connect to a share on the LAN side.
My question:
Do I need to set up port forwarding on the client side as well?
I only want to access server resources (split tunnelling).
Any help would be greatly appreciated.
My home router has another WireGuard setup sitting on top of it, with some rules for PostUp/PostDown.
Hence, I was able to fix the problem by updating the WireGuard configuration: removing the PostUp/PostDown rules from the home router's WireGuard configuration.
iptables can be a pain in the neck if not done right; watch out for those, anyone who comes across this post.
phew!
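WireGuard's cryptokey routing decides, per destination address, which peer (if any) a packet is handed to: the peer whose AllowedIPs contains the longest matching prefix, with no peer meaning the packet never enters the tunnel. The checker below is an added example, not code from either post above; it parses a wg-quick style config using the key names seen in the configs quoted here and reports the destinations no peer would carry, run against constructed copies of the Windows 10 client config from the first question and the PiVPN client config from this one (keys and endpoints are placeholders).

```python
import ipaddress

def parse_wg_conf(text):
    """Parse wg-quick style text into ([Interface] dict, list of [Peer] dicts); keys are lower-cased."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("["):
            name = line.strip("[]").strip().lower()
            current = interface if name == "interface" else {}
            if name == "peer":
                peers.append(current)
            continue
        key, _, value = line.partition("=")           # a base64 key's trailing '=' stays in the value
        current[key.strip().lower()] = value.strip()
    return interface, peers

def allowed_networks(peer):
    """AllowedIPs as networks: a bare address is /32 or /128 and host bits are masked, as wg(8) does."""
    nets = []
    for item in peer.get("allowedips", "").split(","):
        item = item.strip()
        if not item:
            continue
        if "/" not in item:
            addr = ipaddress.ip_address(item)
            item = f"{addr}/{addr.max_prefixlen}"
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def peer_for_destination(peers, dst):
    """Cryptokey routing lookup: index of the peer with the longest matching AllowedIPs prefix, or None."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if dst in net and net.prefixlen > best_len:   # version mismatch is simply 'not in'
                best, best_len = idx, net.prefixlen
    return best

def not_sent_into_tunnel(conf_text, destinations):
    """Destinations no [Peer] will carry; WireGuard has no key for them, so a ping to them never leaves the host."""
    _, peers = parse_wg_conf(conf_text)
    return [d for d in destinations if peer_for_destination(peers, d) is None]

# Constructed samples modelled on the two client configs quoted on this page (placeholder keys/endpoints).
PIVPN_CLIENT = "[Interface]\nAddress = 10.6.0.2/24\n[Peer]\nPublicKey = XXXX\nAllowedIPs = 10.6.0.2/32\nEndpoint = DDNS_NAME:51820\n"
WIN10_CLIENT = "[Interface]\nAddress = 10.0.0.3/24\n[Peer]\nPublicKey = <snip>\nAllowedIPs = 10.0.0.1/24\nEndpoint = <WAN>:51820\n"
```

For the PiVPN client sample it reports 10.6.0.1 (the server) as having no matching peer, while the Windows 10 sample's 10.0.0.1/24 covers the server and the other peer but, as intended, not Internet addresses.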

OpenVPN - How do you NAT a client to another client's network

I have an OpenVPN server set up on an AWS instance and I would like to use it to route traffic from my home client (client1, 192.168.0.0/24) to a client (client2, 10.81.0.0/16) on a machine on a second network through the OpenVPN server. I want to route the connections from client1 to client2's network so that I can connect to several devices in client2's network. However, I don't have control over the gateway in client2's network, so I can't add a route back to the VPN.
As far as I can tell, I have the OpenVPN configuration set up so that once client1 and client2 are connected I can access client2 from client1. The routes are also set up so that if I ping a machine on client2's network the traffic is routed through the VPN, but no response comes back, as client2's network devices do not know how to route the VPN IPs back to client2.
I am assuming that I need to set up NAT masquerading at client2, but I am unsure how to properly handle this as I am not that familiar with iptables.
Tried on client2:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
server.conf
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
route 10.81.0.0 255.255.0.0
push "route 10.81.0.0 255.255.0.0"
dh none
ecdh-curve prime256v1
... encryption info ...
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
ccd/client2
iroute 10.81.0.0 255.255.0.0
For anyone with a similar issue, I found this https://arashmilani.com/post?id=53, which helped me solve the issue.
For me, I needed to add the following instead of what I tried:
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eno2 -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno2 -j MASQUERADE
tun0 is the tunnel interface from the VPN and eno2 is the interface for client2's network. 10.8.0.0/24 is the default subnet for the VPN.
The forwarding was the big issue; also, the masquerade is based on the IP address range of the VPN on the output interface.

How to expose my behind-the-NAT web-server via Wireguard on public VPS

I have a web server with a few TBs of data on a computer behind NAT.
I want to expose it to the Internet via a VPS I have at Azure.
So I thought WireGuard would be a great tool for that, but I can't figure out how to configure it.
Here is wg0.conf on that behind-NAT server:
[Interface]
PrivateKey = OBUNhf6***
Address = 192.168.10.2/24
[Peer]
PublicKey = sUukxiqVNJQpcUVLYu/+fmHH+K9qD7Ol9CipOdlOc3c=
AllowedIPs = 192.168.10.1/24
Endpoint = 13.66.155.255:8101
PersistentKeepalive = 25
Running curl on the same computer shows that the web server works fine on port 9000:
$ curl -s http://192.168.10.2:9000/
<html><head>
<title>Welcome to nginx!</title>
...
That 13.66.155.255 endpoint is the IP of the VPS.
So now I'm configuring my Ubuntu 19.10 VPS on Azure. Its wg0.conf:
[Interface]
PrivateKey = sDH1wvnyRKE***
ListenPort = 8101
Address = 192.168.10.1/24
Table = 1234
PostUp = ip rule add ipproto tcp dport 9000 table 1234
PreDown = ip rule delete ipproto tcp dport 9000 table 1234
[Peer]
PublicKey = cnHwqyRLukwYoYw8nl+PH57ZsCKnMmStmXBAZSRNfx0=
AllowedIPs = 192.168.10.0/24
I started WireGuard on both computers.
It looks like keepalive packets are transmitted successfully (I see the transfer counters increasing).
I can open that web server from within the VPS like this:
VPS# curl 192.168.10.2:9000
<html><head>
<title>Welcome to nginx!</title>
...
But I can't open that web server from outside the VPS:
% curl http://13.66.155.255:9000/
curl: (7) Failed to connect to 13.66.155.255 port 9000: Connection refused
My Azure firewall (NSG) has ports 8101 and 9000 open.
My Ubuntu firewall is disabled.
Kernel PF is enabled: net.ipv4.ip_forward=1
What am I missing?
Should I have some kind of iptables configuration on top of that?

Wireguard forward from client via server to client's network

So I have a local PC that I want to connect to a remote network via WireGuard. I cannot open ports in the remote network, so I added a server that sits in between.
I can ping the server over the VPN from both the laptop and the entry point to the remote network.
I can ping the laptop and the entry point from the server.
I cannot ping the entry point from the laptop.
I cannot ping the remote network from the laptop.
Configs:
Server
[Interface]
Address = 10.5.0.1/24
ListenPort = 1194
PrivateKey = <PrivateKey>
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.5.0.2/32,192.168.1.200/16
[Peer] # Laptop
PublicKey = <PublicKey>
AllowedIPs = 10.5.0.200/32
Laptop:
[Interface]
PrivateKey = <PrivateKey>
Address = 10.5.0.200/32
[Peer]
PublicKey = <PublicKey>
Endpoint = <ServerIP>:1194
AllowedIPs = 10.5.0.0/16,192.168.0.0/16
PersistentKeepalive = 15
Entry point to remote network:
[Interface]
PrivateKey = <PrivateKey>
Address = 10.5.0.2/32
[Peer]
PublicKey = <PublicKey>
Endpoint = <ServerIP>:1194
AllowedIPs = 10.5.0.0/16
PersistentKeepalive = 15
I also set sysctl -w net.ipv4.ip_forward=1 on both the server and the entry point.
The solution was adding
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT;
to the server's [Interface]
and adding
PostUp = iptables -t nat -A POSTROUTING -o eno2 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eno2 -j MASQUERADE
to the entry point's [Interface]
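The fixes in the OpenVPN and WireGuard posts above all come down to the same hub-side prerequisites: net.ipv4.ip_forward set to 1, FORWARD rules that accept traffic in both directions of the tunnel interface (the entry point here and the OpenVPN client2 both needed the -o direction added), and a POSTROUTING NAT rule whose -o names an interface that actually exists (ens3, eth0 and eno2 all appear on this page, and a wrong name fails silently). The audit below is an added example, not code from any of the posts; it reads iptables-save text, a set of link names and the ip_forward value (all constructed here, modelled on the first question's PostUp rules) instead of querying a live host, and it judges forwarding only by the FORWARD policy and the -i/-o matches of plain ACCEPT rules, ignoring other match modules and REJECT/DROP rules.

```python
import shlex

def parse_iptables_save(text):
    """Yield (table, chain, tokens) for each -A rule and (table, 'policy:'+chain, policy) for chain headers."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            yield table, "policy:" + chain, policy
        elif line.startswith("-A "):
            _, chain, *rest = shlex.split(line)
            yield table, chain, rest

def opt(tokens, flag):
    """Value following a flag in a rule's tokens, or None when the rule does not use that flag."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None
def if_match(pattern, name):
    """iptables interface matching: no constraint (None), exact name, or prefix when the pattern ends in '+'."""
    return pattern is None or name == pattern or (pattern.endswith("+") and name.startswith(pattern[:-1]))
def rule_covers(rule, in_if, out_if):
    """True if this FORWARD rule is an ACCEPT that applies to packets arriving on in_if and leaving on out_if."""
    return opt(rule, "-j") == "ACCEPT" and if_match(opt(rule, "-i"), in_if) and if_match(opt(rule, "-o"), out_if)

def audit_forwarding(save_text, link_names, ip_forward, tun_if, wan_if):
    """List what stops this host relaying tunnel<->WAN traffic or traffic between two tunnel peers."""
    problems, policy = [], "ACCEPT"
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1: the kernel forwards nothing")
    paths = {(tun_if, wan_if): False, (wan_if, tun_if): False, (tun_if, tun_if): False}
    for table, chain, rule in parse_iptables_save(save_text):
        if table == "filter" and chain == "policy:FORWARD":
            policy = rule                                    # chain policy decides unmatched packets
        elif table == "filter" and chain == "FORWARD":
            paths = {p: ok or rule_covers(rule, *p) for p, ok in paths.items()}
        elif table == "nat" and chain == "POSTROUTING" and opt(rule, "-j") in ("MASQUERADE", "SNAT"):
            o = opt(rule, "-o")
            if o and not any(if_match(o, n) for n in link_names):
                problems.append(f"NAT rule uses -o {o}, which is not an interface on this host")
    for (i, o), ok in paths.items():
        if policy != "ACCEPT" and not ok:
            problems.append(f"FORWARD drops {i} -> {o} traffic")
    return problems

# Constructed sample: iptables-save output of a hub running the first question's PostUp rules with a
# DROP policy, on a host whose WAN interface is eth0 (so the rule's ens3 names nothing).
SAVE_TEXT = ("*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o ens3 -j MASQUERADE\nCOMMIT\n"
             "*filter\n:FORWARD DROP [0:0]\n-A FORWARD -i wg0 -j ACCEPT\nCOMMIT\n")
LINKS = {"lo", "eth0", "wg0"}
```

On a live host, feed it the output of iptables-save, the interface names from ip -o link and the contents of /proc/sys/net/ipv4/ip_forward; for the constructed sample it flags the non-existent ens3 and the missing eth0 -> wg0 acceptance, while peer-to-peer (wg0 -> wg0) is already covered by the -i wg0 rule.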

L2TP / PPTP server with multi external IP

I have a Debian VPS with 2 IP addresses: for example 1.1.1.1 and 2.2.2.2
I've already set up a PPTP service and an L2TP service that work great.
When a VPN client connects to the VPS (IP 1.1.1.1), his public IP address is 1.1.1.1
But the issue is that when a VPN client connects to the VPS (IP 2.2.2.2), his public IP address is still 1.1.1.1 instead of 2.2.2.2
How can I fix this?
Thanks!
Assuming you have multiple pptpd instances listening on 1.1.1.1 and 2.2.2.2 with different configurations for their subnets, and that the interfaces are actually up (eth0, eth0:1, etc.):
for 1.1.1.1 you could use a config like this (let's call it config1):
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.30.1
remoteip 192.168.30.2-100
and for 2.2.2.2 (let's call it config2):
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.50.1
remoteip 192.168.50.2-100
then listen on both IPs like this:
pptpd --listen 1.1.1.1 --conf config1
pptpd --listen 2.2.2.2 --conf config2
you would then use iptables rules like this:
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j SNAT --to-source 2.2.2.2