Wireguard Client Can't Ping Wireguard Server or Access Resource on WG's LAN - vpn

I have a PiVPN running on an RPi B inside my home, port forwarded from my home router, with the following config.
Server - wg0:
[Interface]
PrivateKey = XXXX
Address = 10.6.0.1/24
MTU = 1500
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
FwMark = 0xca6c
### begin Client ###
[Peer]
PublicKey = XXXX
PresharedKey = XXXX
AllowedIPs = 0.0.0.0, ::0:0
PersistentKeepalive = 30
### end Client ###
and the client conf:
[Interface]
PrivateKey = XXXX
ListenPort = 51820
Address = 10.6.0.2/24
MTU = 1500
[Peer]
PublicKey = XXXX
PresharedKey = XXXX
AllowedIPs = 10.6.0.2/32
Endpoint = DDNS_NAME:51820
PersistentKeepalive = 25
I can see that the server sees a handshake on the initial connect; however, after that I can't ping, nslookup, or connect to a share on the LAN side.
My question:
Do I need to set up port forwarding on the client side as well?
I only want to access server resources (split tunnelling).
Any help would be greatly appreciated.

My home router has another WireGuard setup sitting on top of it, with some rules for PostUp/PostDown.
Hence, I was able to fix the problem by updating the WireGuard configuration: removing the PostUp/PostDown rules from the home router's WireGuard configuration.
iptables can be a pain in the neck if not done right; watch out for those, anyone who comes across this post.
phew!

Related

Wireguard can't ping client or server, other WAN traffic unaffected

I'm a total newbie with Wireguard so please be patient with me.
I'm trying to get a peer-to-peer connection between a Windows 10 machine and a Linux (Debian) machine through a Wireguard VPN, which I'm hosting on a separate Linux server. My current setup allows me to remotely connect from an external network to my Wireguard server as a peer and access the internet through it.
However, I cannot ping my server from a peer, my peers from the server or peers from other peers. I've been following this guide. And my server-side configuration (wg0.conf) looks like this:
[Interface]
## Private IP address for the wg0 interface ##
Address = 10.0.0.1/24
## VPN server listening port ##
ListenPort = 51820
## VPN server private key ##
PrivateKey = <snip>
[Peer]
## Client public key ##
PublicKey = <snip>
## Client IP address ##
AllowedIPs = 10.0.0.3/32
[Peer]
## Client public key ##
PublicKey = <snip>
## Client IP address ##
AllowedIPs = 10.0.0.4/32
My Windows 10 peer configuration:
[Interface]
PrivateKey = <snip>
Address = 10.0.0.3/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.1/24
Endpoint = <My server's WAN address>:51820
And my Debian peer configuration:
[Interface]
PrivateKey = <snip>
Address = 10.0.0.4/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.1/24
Endpoint = <My server's WAN address>:51820
I have forwarded the port in question on my server's network for both outbound and inbound traffic. I have also tried additional firewall rules on my server:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
With no effect. In this case, "ens3" is my network interface's name on my server's network.
Running wg show on my server gives me:
interface: wg0
public key: <server's pub key>
private key: (hidden)
listening port: 51820
peer: <WIN10 peer pub key>
allowed ips: 10.0.0.3/32
peer: <DEB11 peer pub key>
allowed ips: 10.0.0.4/32
And pinging any of the network members fails with a 100% packet loss.
I've obviously omitted my keys and public WAN addresses from these snippets.

OpenVPN - How do you NAT a client to another client's network

I have an OpenVPN server set up on an AWS instance, and I would like to use it to route traffic from my home client (client1, 192.168.0.0/24) to a client (client2, 10.81.0.0/16) on a machine on a second network, through the OpenVPN server. I want to route the connections from client1 to client2's network so that I can connect to several devices in client2's network. However, I don't have control over the gateway in client2's network, so I can't add a route back to the VPN.
As far as I can tell, I have the OpenVPN configuration set up so that once client1 and client2 are connected I can access client2 from client1. The routes are also set up so that if I ping a machine on client2's network the traffic is routed through the VPN, but no response comes back, as client2's network devices do not know how to route the VPN IPs back to client2.
I am assuming that I need to set up NAT masquerading at client2, but I am unsure how to properly handle this, as I am not that familiar with iptables.
Tried on client2:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
server.conf
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
route 10.81.0.0 255.255.0.0
push "route 10.81.0.0 255.255.0.0"
dh none
ecdh-curve prime256v1
... encryption info ...
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
ccd/client2
iroute 10.81.0.0 255.255.0.0
For anyone with a similar issue, I found this https://arashmilani.com/post?id=53 that helped me solve the issue.
For me, I needed to add the following instead of what I tried:
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eno2 -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno2 -j MASQUERADE
tun0 is the tunnel interface from the VPN and eno2 is the interface for client2's network. 10.8.0.0/24 is the default subnet for the VPN.
The forwarding was the big issue; also, the masquerade is based on the IP address range of the VPN on the output interface.

WireGuard forward from client via server to client's network

So I have a local PC that I want to connect to a remote network via WireGuard. I cannot open ports in the remote network, so I added a server that sits in between.
I can ping the server over the VPN from both the laptop and from the entry point to the remote network.
I can ping the laptop and the entry point from the server.
I cannot ping the entry point from the laptop.
I cannot ping the remote network from the laptop.
Configs:
Server
[Interface]
Address = 10.5.0.1/24
ListenPort = 1194
PrivateKey = <PrivateKey>
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.5.0.2/32,192.168.1.200/16
[Peer] # Laptop
PublicKey = <PublicKey>
AllowedIPs = 10.5.0.200/32
Laptop:
[Interface]
PrivateKey = <PrivateKey>
Address = 10.5.0.200/32
[Peer]
PublicKey = <PublicKey>
Endpoint = <ServerIP>:1194
AllowedIPs = 10.5.0.0/16,192.168.0.0/16
PersistentKeepalive = 15
Entry point to remote network:
[Interface]
PrivateKey = <PrivateKey>
Address = 10.5.0.2/32
[Peer]
PublicKey = <PublicKey>
Endpoint = <ServerIP>:1194
AllowedIPs = 10.5.0.0/16
PersistentKeepalive = 15
I also set sysctl -w net.ipv4.ip_forward=1 on both the server and the entry point.
The solution was adding
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT;
to the server's [Interface],
and adding
PostUp = iptables -t nat -A POSTROUTING -o eno2 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eno2 -j MASQUERADE
to the entry point's [Interface].
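The three WireGuard threads above share one failure shape: the handshake completes but nothing pings, because routing is decided by AllowedIPs, not by the handshake. The following linter is an added example (not code from any of the posts or from the WireGuard project); it parses a wg-quick conf and flags the AllowedIPs mistakes visible in those posts, such as a client whose AllowedIPs names its own address instead of the server's (first post), an entry without a prefix length, a network written with host bits set (192.168.1.200/16 in the last post), and overlapping peers. The sample conf is constructed to mirror the first post's client config with keys omitted.

```python
import ipaddress

def parse_wg(text):
    """Parse a wg-quick style conf into {"Interface": {...}, "Peers": [{...}]}."""
    conf, section = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "[Peer] # Laptop"
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            section = {}
            conf["Peers"].append(section)
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            section[key] = val
    return conf

def lint_allowed_ips(conf, must_reach=()):
    """Findings for the AllowedIPs mistakes that leave a tunnel handshaking but
    carrying no traffic. must_reach: tunnel addresses this host has to reach."""
    findings, seen = [], []
    own = [ipaddress.ip_interface(a.strip()).ip
           for a in conf["Interface"].get("Address", "").split(",") if a.strip()]
    for n, peer in enumerate(conf["Peers"]):
        nets = []
        for cidr in (c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()):
            if "/" not in cidr:
                findings.append(f"peer {n}: '{cidr}' has no prefix length, so it matches a single host")
            try:
                nets.append(ipaddress.ip_network(cidr))  # strict: host bits must be zero
            except ValueError:
                findings.append(f"peer {n}: '{cidr}' has host bits set; use the network address")
                nets.append(ipaddress.ip_network(cidr, strict=False))
        if any(ip in net for ip in own for net in nets):
            findings.append(f"peer {n}: AllowedIPs covers this host's own tunnel address")
        if any(a.overlaps(b) for _, other in seen for a in other for b in nets):
            findings.append(f"peer {n}: AllowedIPs overlap an earlier peer; an IP can route to one peer only")
        seen.append((n, nets))
    for target in must_reach:
        if not any(ipaddress.ip_address(target) in net for _, nets in seen for net in nets):
            findings.append(f"{target} is in no peer's AllowedIPs; packets to it never enter the tunnel")
    return findings

# Constructed sample mirroring the first post's client conf (keys omitted).
CLIENT_CONF = "[Interface]\nAddress = 10.6.0.2/24\n[Peer]\nAllowedIPs = 10.6.0.2/32\nEndpoint = DDNS_NAME:51820\n"

def demo():
    """Lint the sample client, which must reach the server at 10.6.0.1."""
    return lint_allowed_ips(parse_wg(CLIENT_CONF), must_reach=["10.6.0.1"])
```

Run against the sample, it reports that the client routes its own address into the tunnel and that 10.6.0.1 has no route there at all, which explains a successful handshake followed by 100% packet loss.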

NGINX transparent TCP proxy

I have an ELK stack. In front of both Logstash hosts, I set up two NGINX load balancers as transparent proxies.
UDP traffic works like a charm.
TCP works with this config:
stream {
upstream syslog {
server sapvmlogstash01.sa.projectplace.com:514;
server sapvmlogstash02.sa.projectplace.com:514;
}
server {
listen 514;
proxy_pass syslog;
}
}
But I get the LB as source_ip and source_host instead of the input server's IP.
The same setup with proxy_bind $remote_addr transparent; added doesn't work; it throws a timeout:
*1 upstream timed out (110: Connection timed out) while connecting to upstream, client: $SOURCEHOST_IP, server: 0.0.0.0:514, upstream: "$LOGSTASH_IP:514", bytes from/to client:0/0, bytes from/to upstream:0/0
I tried setting up TPROXY from here:
https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/
Logstash host:
route add default gw $NGINX_IP
route del default gw $DEFAULT_GW
NGINX host:
# Following nginx how-to
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p udp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -s $LOGSTASH_IP/24 --sport 514 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 0
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# Enabling Upstream Servers to Reach External Servers
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But it still fails like before with the timeout.
What is missing to get a transparent TCP host?
The official doc says:
proxy_bind $remote_addr transparent;
In order for this parameter to work, it is usually necessary to run nginx worker processes with the superuser privileges. On Linux it is not required (1.13.8) as if the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. It is also necessary to configure kernel routing table to intercept network traffic from the proxied server.
FYI: https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/

L2TP / PPTP server with multi external IP

I have a Debian VPS with 2 IP addresses, for example 1.1.1.1 and 2.2.2.2.
I've already set up a PPTP service and an L2TP service that work great.
When a VPN client connects to the VPS (IP 1.1.1.1), his public IP address is 1.1.1.1.
But the issue is that when a VPN client connects to the VPS (IP 2.2.2.2), his public IP address is still 1.1.1.1 instead of 2.2.2.2.
How can I fix this?
Thanks!
Assuming you have multiple pptpd instances listening on 1.1.1.1 and 2.2.2.2 with different configurations for their subnets, and also that the interfaces are actually up (eth0, eth0:1, etc.),
i.e.
for 1.1.1.1 you could use a config like this (let's call it config1):
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.30.1
remoteip 192.168.30.2-100
and for 2.2.2.2 (let's call it config2):
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.50.1
remoteip 192.168.50.2-100
then listen on both IPs like this:
pptpd --listen 1.1.1.1 --conf config1
pptpd --listen 2.2.2.2 --conf config2
You would then use iptables rules like this:
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j SNAT --to-source 2.2.2.2
