So I have a local PC that I want to connect to a remote network via WireGuard. I cannot open ports in the remote network, so I added a server that sits in between.
I can ping the server over the VPN from both the laptop and from the entry point to the remote network.
I can ping the laptop and the entry point from the server.
I cannot ping the entry point from the laptop.
I cannot ping the remote network from the laptop.
Configs:
Server:
[Interface]
Address = 10.5.0.1/24
ListenPort = 1194
PrivateKey = <PrivateKey>
[Peer]
PublicKey = <PublicKey>
AllowedIPs = 10.5.0.2/32,192.168.1.200/16
[Peer] # Laptop
PublicKey = <PublicKey>
AllowedIPs = 10.5.0.200/32
Laptop:
[Interface]
PrivateKey = <PrivateKey>
Address = 10.5.0.200/32
[Peer]
PublicKey = <PublicKey>
Endpoint = <ServerIP>:1194
AllowedIPs = 10.5.0.0/16,192.168.0.0/16
PersistentKeepalive = 15
Entry point to remote network:
[Interface]
PrivateKey = <PrivateKey>
Address = 10.5.0.2/32
[Peer]
PublicKey = <PublicKey>
Endpoint = <ServerIP>:1194
AllowedIPs = 10.5.0.0/16
PersistentKeepalive = 15
I also set sysctl -w net.ipv4.ip_forward=1 on both the server and the entry point.
The solution was adding
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT;
to the server's [Interface]
and adding
PostUp = iptables -t nat -A POSTROUTING -o eno2 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eno2 -j MASQUERADE
to the entry point's [Interface]
I'm a total newbie with Wireguard so please be patient with me.
I'm trying to get a peer-to-peer connection between a Windows 10 machine and a Linux (Debian) machine through a Wireguard VPN, which I'm hosting on a separate Linux server. My current setup allows me to remotely connect from an external network to my Wireguard server as a peer and access the internet through it.
However, I cannot ping my server from a peer, my peers from the server or peers from other peers. I've been following this guide. And my server-side configuration (wg0.conf) looks like this:
[Interface]
## Private IP address for the wg0 interface ##
Address = 10.0.0.1/24
## VPN server listening port ##
ListenPort = 51820
## VPN server private key ##
PrivateKey = <snip>
[Peer]
## Client public key ##
PublicKey = <snip>
## Client IP address ##
AllowedIPs = 10.0.0.3/32
[Peer]
## Client public key ##
PublicKey = <snip>
## Client IP address ##
AllowedIPs = 10.0.0.4/32
My Windows 10 peer configuration:
[Interface]
PrivateKey = <snip>
Address = 10.0.0.3/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.1/24
Endpoint = <My server's WAN address>:51820
And my Debian peer configuration:
[Interface]
PrivateKey = <snip>
Address = 10.0.0.4/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.1/24
Endpoint = <My server's WAN address>:51820
I have forwarded the port in question on my server's network for both outbound and inbound traffic. I have also tried additional firewall rules on my server:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
With no effect. In this case, "ens3" is the name of my network interface on my server's network.
Running wg show on my server gives me:
interface: wg0
public key: <server's pub key>
private key: (hidden)
listening port: 51820
peer: <WIN10 peer pub key>
allowed ips: 10.0.0.3/32
peer: <DEB11 peer pub key>
allowed ips: 10.0.0.4/32
And pinging any of the network members fails with a 100% packet loss.
I've obviously omitted my keys and public WAN addresses from these snippets.
I have a PiVPN running on a RPi B inside my home, port forwarded from my home router, with the following config:
Server - wg0
[Interface]
PrivateKey = XXXX
Address = 10.6.0.1/24
MTU = 1500
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
FwMark = 0xca6c
### begin Client ###
[Peer]
PublicKey = XXXX
PresharedKey = XXXX
AllowedIPs = 0.0.0.0, ::0:0
PersistentKeepalive = 30
### end Client ###
and Client conf
[Interface]
PrivateKey = XXXX
ListenPort = 51820
Address = 10.6.0.2/24
MTU = 1500
[Peer]
PublicKey = XXXX
PresharedKey = XXXX
AllowedIPs = 10.6.0.2/32
Endpoint = DDNS_NAME:51820
PersistentKeepalive = 25
I can see that the server sees a handshake on initial connect, however post which I can't ping, nslookup or connect to a share on the LAN side.
My question:
Do I need to set up port forwarding on the client side as well?
I only want to access server resources (split tunnelling).
Any help would be greatly appreciated.
My home router has another WireGuard instance sitting on top of it, with some rules for PostUp/PostDown.
Hence, I was able to fix the problem by removing the PostUp/PostDown rules from the home router's WireGuard configuration.
iptables can be a pain in the neck if not done right; watch out for those, anyone who comes across this post.
phew!
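As an added example (not code from any of the posts above), a small Python check for the hub-and-spoke AllowedIPs questions raised in the first and third WireGuard posts: it lints AllowedIPs entries such as a bare `0.0.0.0, ::0:0` or a `192.168.1.200/16` with host bits set, and reports whether a spoke's packet to a given address is carried into the tunnel and accepted by the hub at all. The sample configs are constructed and only modelled on the posts; ip_forward and the FORWARD/MASQUERADE rules on the hub and entry point are outside what this can see.

```python
import ipaddress
# Constructed sample configs modelled on the hub-and-spoke layouts in the posts above
# (not the posters' files; only the keys that affect routing are kept).
HUB = """[Peer] # entry point into the remote LAN
AllowedIPs = 10.5.0.2/32,192.168.1.200/16
[Peer] # laptop
AllowedIPs = 10.5.0.200/32
"""
LAPTOP = """[Peer] # the hub
AllowedIPs = 10.5.0.0/16,192.168.0.0/16
"""
BAD_CLIENT = """[Peer] # routes only its own address into the tunnel
AllowedIPs = 10.6.0.2/32
"""

def parse_peers(text):
    """Return the [Peer] sections of a wg-quick style config as dicts (keys lower-cased)."""
    peers, cur = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop trailing comments
        if line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif line.startswith("["):
            cur = {}                                   # [Interface] etc.: parsed but ignored
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip().lower()] = val.strip()
    return peers

def allowed_entries(peers):
    """(raw text, network as the kernel will route it) for every AllowedIPs entry."""
    return [(x.strip(), ipaddress.ip_network(x.strip(), strict=False))
            for p in peers for x in p.get("allowedips", "").split(",") if x.strip()]

def lint_allowed_ips(peers):
    """Warn about entries that will not route the way the author probably intended."""
    warnings = []
    for raw, net in allowed_entries(peers):
        if "/" not in raw:
            warnings.append(f"{raw}: no prefix length, treated as the single host {net}")
        elif str(net) != raw:
            warnings.append(f"{raw}: host bits set, kernel routes {net}")
    return warnings

def spoke_can_reach(spoke_text, hub_text, target):
    """Spoke -> target crosses the hub only if the spoke's AllowedIPs put target into the
    tunnel AND some hub peer's AllowedIPs cover it (forwarding/NAT are checked elsewhere)."""
    ip = ipaddress.ip_address(target)
    return (any(ip in net for _, net in allowed_entries(parse_peers(spoke_text)))
            and any(ip in net for _, net in allowed_entries(parse_peers(hub_text))))
```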
I have an OpenVPN server set up on an AWS instance and I would like to use it to route traffic from my home client (client1, 192.168.0.0/24) to a client (client2, 10.81.0.0/16) on a machine on a second network through the OpenVPN server. I want to route the connections from client1 to client2's network so that I can connect to several devices in client2's network. However, I don't have control over the gateway in client2's network, so I can't add a route back to the VPN.
As far as I can tell I have the OpenVPN configuration set up so that once client1 and client2 are connected I can access client2 from client1; the routes are also set up so that if I ping a machine on client2's network the traffic is routed through the VPN, but no response comes back because client2's network devices do not know how to route the VPN IPs back to client2.
I am assuming that I need to set up NAT masquerading at client2, but I am unsure how to properly handle this as I am not that familiar with iptables.
Tried on client2:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
server.conf
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
route 10.81.0.0 255.255.0.0
push "route 10.81.0.0 255.255.0.0"
dh none
ecdh-curve prime256v1
... encryption info ...
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
ccd/client2
iroute 10.81.0.0 255.255.0.0
For anyone with a similar issue, I found this https://arashmilani.com/post?id=53 that helped me solve the issue.
For me I needed to add the following instead of what I tried.
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eno2 -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno2 -j MASQUERADE
tun0 is the tunnel interface from the VPN and eno2 is the interface for client2's network. 10.8.0.0/24 is the default subnet for the VPN subnet.
The forwarding was the big issue, also the masquerade is based on the ip address range of the VPN on the output interface.
I'm trying to set up my Raspberry Pi as a separate box with Wi-Fi access. I would be very happy if I could get a small box which can be accessed by any device with Wi-Fi capabilities via ssh or vncviewer.
I used the manual (http://raspberry-at-home.com/hotspot-wifi-access-point/) and at the end I got Raspberry Pi Wi-Fi Hotspot.
I can find it and connect... but that's all. When I try to connect with ssh or vncviewer, nothing happens. I can't even ping it (it "hangs").
'ip neigh' gives the response REACHABLE.
My goal is to have a Raspberry box which can be the Wi-Fi hotspot and is accessible with ssh and vncviewer without any additional network.
If somebody knows how-to reach this dream, help please! Any help will be highly appreciated!
Best regards
Vilis.
Please find below current settings:
interfaces:
auto lo
auto wlan0
iface lo inet loopback
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.0.100
netmask 255.255.255.0
up iptables-restore < /etc/iptables/ipv4.nat
hostapd.conf
# Basic configuration
interface=wlan0
ssid=VK-wifi
channel=1
#bridge=br0
# WPA and WPA2 configuration
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=<SECRET PASS>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
# Hardware configuration
driver=rtl871xdrv
ieee80211n=1
hw_mode=g
device_name=RTL8192CU
manufacturer=Realtek
iptables rules:
# Generated by iptables-save v1.4.14 on Mon Apr 6 17:04:48 2015
*nat
:PREROUTING ACCEPT [58:4242]
:INPUT ACCEPT [58:4242]
:OUTPUT ACCEPT [85:6230]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 6 17:04:48 2015
# Generated by iptables-save v1.4.14 on Mon Apr 6 17:04:48 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -f -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
COMMIT
# Completed on Mon Apr 6 17:04:48 2015
I succeeded in doing what you wanted to do.
interfaces:
auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet manual
iface wlan0 inet static
address 10.0.0.1
netmask 255.255.255.0
broadcast 10.0.0.255
hostapd.conf
interface=wlan0
driver=nl80211
ssid=pi
channel=1
Install dnsmasq. It will give IPs to all devices that connect with your pi so you can communicate via ssh.
/etc/dnsmasq.conf
interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,12h
no-resolv
I have a Debian VPS with 2 IP addresses, for example 1.1.1.1 and 2.2.2.2.
I've already set up a PPTP service and an L2TP service that work great.
When a VPN client connects to the VPS (IP 1.1.1.1), its public IP address is 1.1.1.1.
But the issue is that when a VPN client connects to the VPS (IP 2.2.2.2), its public IP address is still 1.1.1.1 instead of 2.2.2.2.
How can I fix this?
Thanks!
Assuming you have multiple pptpd instances listening on 1.1.1.1 and 2.2.2.2 with different configurations for their subnets, and the interfaces are actually up (eth0, eth0:1, etc.),
i.e.
for 1.1.1.1 you could use a config like this (let's call it config1):
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.30.1
remoteip 192.168.30.2-100
and for 2.2.2.2 (let's call it config2):
option /etc/ppp/pptpd-options
logwtmp
localip 192.168.50.1
remoteip 192.168.50.2-100
then listen on both IPs like this:
pptpd --listen 1.1.1.1 --conf config1
pptpd --listen 2.2.2.2 --conf config2
You would then use iptables rules like this:
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j SNAT --to-source 2.2.2.2