* Can't seem to split tunnel using tables the way I can in OpenVPN
From: Text Editor @ 2017-05-24 23:04 UTC
To: wireguard

Trying to replicate my OpenVPN routing setup: the tunnel is split to go to a /24 subnet inside OpenVPN without the default traffic going through it. However, it is set up to use a gateway in OpenVPN to reach the internet when packets go through the interface.

Copying this setup over to Wireguard seems to break - I can ping the endpoints inside the Wireguard VPN, but trying to reach the internet via the internet seems to not work.

Configuration files on the Server side: https://pastebin.com/raw/TJvKazSL

Configuration files on the Server side: https://pastebin.com/raw/2t760WvY

This same concept works on OpenVPN without issue, not sure what is happening.
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 17:13 UTC
To: wireguard

On Wed, 24 May 2017 19:04:38 -0400
Text Editor <texteditor.si@gmail.com> wrote:

> Trying to replicate my OpenVPN routing setup, tunnel is split to go
> to /24 subnet inside OpenVPN without the default traffic going through
> it.

Hi Text Editor,

…

> I can ping the
> endpoints inside the Wireguard VPN,

So your WG VPN is acting good, giving you access to your server from another place than your LAN, ie: through a phone tethering or from a friend's connection.

Your setup seems overly complicated, as touching network I/F confs isn't a requirement, neither w/ OVPN nor WG. ie: for the server, I took a copy of /etc/init.d/rmnologin (because it was the last one to be enabled into /etc/rc2.d and I want my VPN to be the last one to be activated), then I modified it, testing and using the presence of 'wg-quick', which is far more usable than modifying the network I/F confs or manually using 'wg' instead; on clients, scripts are manual, but also use 'wg-quick'. A quick run of chkconfig and the links are created in the right places, starting your VPN server at boot and allowing you to start/stop it manually.

I won't say it is the best way to do that, but it has the advantage of not scattering configurations in all the server corners.

> but trying to reach the internet
> via the internet seems to not work
>
>
> Configuration files on the Server side:
>
> https://pastebin.com/raw/TJvKazSL

IIRC, using 0.0.0.0 means _all_ traffic is routed through the VPN; IMHO, your server setup should otherwise use something like:

[Peer]
…
192.168.2.0/24

(/24 IF you intend to use WG to unite 2 LANs; for a roadwarrior, it might be better to restrict more strictly to its IP, eg: 192.168.2.253/32)

> Configuration files on the Server side:
>
> https://pastebin.com/raw/2t760WvY
>
>
> This same concept works on OpenVPN without issue, not sure what is
> happening

AFAIK, given you formerly authorize packet forwarding (either indefinitely in /etc/sysctl.conf or temporarily by: echo 1 >/proc/sys/net/ipv4/ip_forward), the only iptables rules you need (in the server conf file) are:

PostUp = iptables -t nat -I POSTROUTING -s <VPN IP segment>/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s <VPN IP segment>/24 -o eth0 -j MASQUERADE

Remember that any kind of testing on packets (ie: established, related, etc) can be a huge loss of time (it has to be computed for _each_ packet), hence a loss of throughput in your VPN.

And BTW, it is much more dangerous to reveal your keys on the Ternet than your endpoint IP address…

Jean-Yves
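The reply above rests on two points that a wg-quick config carries: a peer's AllowedIPs is where the split tunnel lives (a /0 means everything goes through the VPN), and on the server a road-warrior peer should be pinned to a single address rather than a /24. The Python below is an added illustration, not code from this thread or from the WireGuard project: it models that cryptokey-routing lookup over constructed client configs and classifies server-side peer entries; the public-key placeholder, the sample addresses and the helper names are assumptions.

```python
# Model of WireGuard cryptokey routing: a peer's AllowedIPs is both the route
# wg-quick installs and the ACL for that peer, so the split tunnel lives there.
# Both configs below are constructed for this example; keys are placeholders.
import ipaddress

SPLIT_CLIENT_CONF = """
[Interface]
Address = 192.168.2.253/32
[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 192.168.2.0/24
"""
# Same peer with a catch-all AllowedIPs: every destination is tunnelled.
FULL_CLIENT_CONF = SPLIT_CLIENT_CONF.replace(
    "AllowedIPs = 192.168.2.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")

def parse_peers(conf):
    """Return a dict of key/value pairs for each [Peer] section (wg INI syntax)."""
    peers, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines fall through
        if line.startswith("["):  # [Interface] keys are not per-peer
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return peers

def allowed_networks(peer):
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("AllowedIPs", "").split(",") if p.strip()]

def tunnel_route(conf, dest):
    """Longest-prefix match over all peers' AllowedIPs; None = stays off-tunnel."""
    addr, best = ipaddress.ip_address(dest), None
    for peer in parse_peers(conf):
        for net in allowed_networks(peer):
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (peer.get("PublicKey", ""), net)
    return None if best is None else (best[0], str(best[1]))

def peer_scope(peer):
    """Reply's server-side rule: road-warrior -> one host, LAN peer -> /24, /0 -> all."""
    nets = allowed_networks(peer)
    if any(net.prefixlen == 0 for net in nets):
        return "catch-all"
    return "host" if all(net.num_addresses == 1 for net in nets) else "subnet"
```

With the split config, 8.8.8.8 gets no tunnel route and stays on the local default gateway, which is the behaviour the original poster wanted to keep.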
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Kalin KOZHUHAROV @ 2017-05-25 17:58 UTC
To: Bzzzz; +Cc: WireGuard mailing list

On Thu, May 25, 2017 at 7:13 PM, Bzzzz <lazyvirus@gmx.com> wrote:
> And BTW, it is much more dangerous to reveal your keys on the Ternet
> than your endpoint IP address…
>
That just made my day, LoL! I could not help posting it on twitter:
https://twitter.com/thinrope/status/867801802724569088

Kalin.
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 18:11 UTC
To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Thu, 25 May 2017 19:58:19 +0200
Kalin KOZHUHAROV <me.kalin@gmail.com> wrote:

> On Thu, May 25, 2017 at 7:13 PM, Bzzzz <lazyvirus@gmx.com> wrote:
> > And BTW, it is much more dangerous to reveal your keys on the Ternet
> > than your endpoint IP address…
> >
>
> That just made my day, LoL! I could not help posting it on twitter:
> https://twitter.com/thinrope/status/867801802724569088
>
> Kalin.

I'm not sure about the way I should take it…

When I wrote these lines, I was especially thinking of an old and now abandoned security project of mine that was a spider digging all possible information from mostly MLs: IP addresses, account names, e-mail addresses, keys of course, pet names, kids' names, etc; running in parallel with another spider that used this information to "dig" the web, the results were "quite interesting"…

Jean-Yves
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Kalin KOZHUHAROV @ 2017-05-25 19:14 UTC
To: Bzzzz; +Cc: WireGuard mailing list

Hello Jean-Yves,

I apologize for the misunderstanding, I completely agree with your advice!

I guess the adding of "LoL" at the end didn't make that clearer, I just re-read my tweet. Thinking about it, I was re-editing it quite a few times to make it fit the length restriction and the end result was not clear, when taken out of context. "FAIL" for me, sorry.

Kalin.
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 19:28 UTC
To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Thu, 25 May 2017 21:14:26 +0200
Kalin KOZHUHAROV <me.kalin@gmail.com> wrote:

Whoops, back in the loop ! (strange behavior of this ML: when you answer to the ML, it answers only to the sender :/)

> Hello Jean-Yves,
>
> I apologize for the misunderstanding, I completely agree with your
> advice!

There's no need to apologize: this is not sooo grave ;-) I just wasn't sure about the meaning as it could be interpreted any way.

> I guess the adding of "LoL" at the end didn't make that clearer, I
> just re-read my tweet.
> Thinking about it, I was re-editing it quite a few times to make it
> fit the length restriction and the end result was not clear, when
> taken out of context. "FAIL" for me, sorry.

For your penance, you'll recite 3 times the whole 1970 Unix code forward AND backward, then you'll copy the wg-quick man 10 times with a plume and in Gothic !

Jean-Yves
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: David Woodhouse @ 2017-05-25 19:32 UTC
To: Bzzzz, Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Thu, 2017-05-25 at 21:28 +0200, Bzzzz wrote:
>
> (strange behavior of this ML: when you answer to the ML, it answers only
> to the sender :/)

Why do you think that's strange? Your mail client will have two 'reply' buttons — one for a private reply, and another for a public/group reply or "reply-all".

If you ask it to send a private reply, you send a private reply. If you ask it to send a public reply, you send a public reply. What could be simpler?

http://david.woodhou.se/reply-to-list.html
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 19:45 UTC
To: David Woodhouse; +Cc: WireGuard mailing list

On Thu, 25 May 2017 20:32:01 +0100
David Woodhouse <dwmw2@infradead.org> wrote:

> Why do you think that's strange? Your mail client will have two 'reply'
> buttons — one for a private reply, and another for a public/group reply
> or "reply-all".

I use claws-mail, it has 3 answer possibilities: all/sender/ML; the strange thing is: if I hit 'all', it answers… all (quite normal until here), but if I hit 'ML', it only answers to your e-mail address !

What is weird is the ML seems to be put in CC when it should stay the main receiver.

I'm using Debian stable+backports, claws-mail is from backports, maybe it has a bug, however answering every other ML has the right behavior.

JY
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: David Woodhouse @ 2017-05-25 19:50 UTC
To: Bzzzz; +Cc: WireGuard mailing list

On Thu, 2017-05-25 at 21:45 +0200, Bzzzz wrote:
> On Thu, 25 May 2017 20:32:01 +0100
> David Woodhouse <dwmw2@infradead.org> wrote:
>
> > Why do you think that's strange? Your mail client will have two 'reply'
> > buttons — one for a private reply, and another for a public/group reply
> > or "reply-all".
>
> I use claws-mail, it has 3 answers possibilities: all/sender/ML,
> the strange thing is:
> if I hit 'all', it answer… all (quite normal until here),
> but if I hit 'ML', it only answers to your e-mail address !
>
> What is weird is the ML seems to be put in CC when it should stay the
> main receiver.
>
> I'm using Debian stable+backports, claws-mail is from backports, may
> be it has a bug, however answering every other ML has the right
> behavior.

The list doesn't have the RFC2369 List-Post: header which would allow the 'Reply to List' option to work.

But that's OK because I just explained to you why it's anti-social and shouldn't be used anyway.
* Re: Can't seem to split tunnel using tables the way I can in OpenVPN
From: Bzzzz @ 2017-05-25 20:03 UTC
To: David Woodhouse; +Cc: WireGuard mailing list

On Thu, 25 May 2017 20:50:14 +0100
David Woodhouse <dwmw2@infradead.org> wrote:

> The list doesn't have the RFC2369 List-Post: header which would allow
> the 'Reply to List' option to work.
>
> But that's OK because I just explained to you why it's anti-social and
> shouldn't be used anyway.

If I had time to lose, this could for sure lead to a looong (and, almost as surely, sterile) discussion, as it concerns only your own opinion and you're twisting arguments to reflect only it.

I've no spare time to toy, so have a nice day/night and bye.

JY