* How to detect the IP CAM on LAN from WG tunnel ?
@ 2024-06-20 14:52 Nohk Two
2024-06-21 9:18 ` Mark Lawrence
0 siblings, 1 reply; 4+ messages in thread
From: Nohk Two @ 2024-06-20 14:52 UTC (permalink / raw)
To: WireGuard mailing list
Hi,
This seems a common question but I don't know how do you solve this problem.
My machine has an ethernet interface: eth0
It's network is 192.168.100.1/24
I created a wireguard interface thru eth0: wg0
It's network is 192.168.128.1/24
I have an IP CAM on the LAN: cam1
It's network is 192.168.100.21/24
This is physically on the same LAN as my machine's eth0.
My machine has a MASQUERADE iptable entry in the nat table:
iptables -t nat -A POSTROUTING -s 192.168.128.0/24 -o eth0 -j MASQUERADE
My phone uses the wireguard connect to my machine's wg0.
This wireguard configuration allow 192.168.100.0/24.
My phone's wireguard VPN IP address 192.168.128.10/24.
So my phone should be able to connect to my IP CAM without problem.
192.168.128.10(phone) source NAT as 192.168.100.1(eth0) then connect to 192.168.100.21(cam1)
192.168.100.21(cam1) reply to 192.168.100.1(eth0) then NAT rewrite to 192.168.128.10(phone)
However, the IP CAM's mobile App on my phone never remember the IP CAM's IP address and will always scan the network to find out the IP CAM. Then Failed if my phone uses the wireguard VPN.
Maybe the problem is that my phone and the IP CAM have different network, 192.168.128.0/24 vs 192.168.100.0/24.
How do you solve this problem ?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: How to detect the IP CAM on LAN from WG tunnel ?
2024-06-20 14:52 How to detect the IP CAM on LAN from WG tunnel ? Nohk Two
@ 2024-06-21 9:18 ` Mark Lawrence
2024-06-21 10:39 ` Nohk Two
0 siblings, 1 reply; 4+ messages in thread
From: Mark Lawrence @ 2024-06-21 9:18 UTC (permalink / raw)
To: Nohk Two; +Cc: WireGuard mailing list
>How do you solve this problem ?
Iterative fact checking, from the lowest levels of the network stack
to the highest.
- Are the devices actually connected where you think they are?
- With the tunnel disconnected, does your phone connect to the
camera?
- Is your Wireguard tunnel set up properly?
- Can your phone ping the wg0 address with the tunnel active?
- Can your phone ping other .100 devices with the tunnel
active?
- Does your eth0/wg0 machine have IP forwarding enabled?
- sysctl net.ipv4.ip_forward=1
- What does packet tracing show?
- I.e. `ngrep -d wg0 .\* icmp` or the tcpdump equivalent, also
against eth0 for the wireguard UDP port.
- Does the mobile App actually support remote (routed) cameras or
just on the local network?
--
Mark Lawrence
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: How to detect the IP CAM on LAN from WG tunnel ?
2024-06-21 9:18 ` Mark Lawrence
@ 2024-06-21 10:39 ` Nohk Two
2024-06-21 10:47 ` Tomcsanyi, Domonkos
0 siblings, 1 reply; 4+ messages in thread
From: Nohk Two @ 2024-06-21 10:39 UTC (permalink / raw)
To: Mark Lawrence; +Cc: WireGuard mailing list
On 2024/6/21 17:18, Mark Lawrence wrote:
>> How do you solve this problem ?
>
> Iterative fact checking, from the lowest levels of the network stack to the highest.
>
> - Are the devices actually connected where you think they are?
> - With the tunnel disconnected, does your phone connect to the camera?
I use wireguard VPN while my phone is using mobile data (4G LTE). With the tunnel disconnected my phone can't connect to the camera since it scanned and cannot find the camera.
> - Is your Wireguard tunnel set up properly?
> - Can your phone ping the wg0 address with the tunnel active?
> - Can your phone ping other .100 devices with the tunnel active?
I don't know how to ping from my phone. But the phone, with the wireguard tunnel connected, can visit my LAN website which is in the network 192.168.100.0/24.
> - Does your eth0/wg0 machine have IP forwarding enabled?
> - sysctl net.ipv4.ip_forward=1
Yes.
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
> - What does packet tracing show?
> - I.e. `ngrep -d wg0 .\* icmp` or the tcpdump equivalent, also against eth0 for the wireguard UDP port.
I use `ngrep -d wg0 .\* icmp`, but nothing dump. However while I open my phone's browser to visit my LAN site, it did dump something.
> - Does the mobile App actually support remote (routed) cameras or just on the local network?
>
This is the point I said in my original mail that I think my phone and the camera are in different networks. I believe this App is for LAN network.
For this scenario, are there solutions ?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: How to detect the IP CAM on LAN from WG tunnel ?
2024-06-21 10:39 ` Nohk Two
@ 2024-06-21 10:47 ` Tomcsanyi, Domonkos
0 siblings, 0 replies; 4+ messages in thread
From: Tomcsanyi, Domonkos @ 2024-06-21 10:47 UTC (permalink / raw)
To: Nohk Two; +Cc: Mark Lawrence, WireGuard mailing list
In case the camera app uses something below IP, eg ARP to discover you don’t have a chance, since it will never cross the wireguard tunnel.
You should try to capture somehow what the app is doing, and then work from that. Either they do not accept the Wireguard routes or they are using non-IP discovery that does not get routed through wg.
Good luck!
Domi
> 21.06.2024 dátummal, 12:42 időpontban Nohk Two <nohktwo@gmail.com> írta:
>
> On 2024/6/21 17:18, Mark Lawrence wrote:
>>> How do you solve this problem ?
>> Iterative fact checking, from the lowest levels of the network stack to the highest.
>> - Are the devices actually connected where you think they are?
>> - With the tunnel disconnected, does your phone connect to the camera?
> I use wireguard VPN while my phone is using mobile data (4G LTE). With the tunnel disconnected my phone can't connect to the camera since it scanned and cannot find the camera.
>
>> - Is your Wireguard tunnel set up properly?
>> - Can your phone ping the wg0 address with the tunnel active?
>> - Can your phone ping other .100 devices with the tunnel active?
> I don't know how to ping from my phone. But the phone, with the wireguard tunnel connected, can visit my LAN website which is in the network 192.168.100.0/24.
>
>> - Does your eth0/wg0 machine have IP forwarding enabled?
>> - sysctl net.ipv4.ip_forward=1
> Yes.
> $ sysctl net.ipv4.ip_forward
> net.ipv4.ip_forward = 1
>
>> - What does packet tracing show?
>> - I.e. `ngrep -d wg0 .\* icmp` or the tcpdump equivalent, also against eth0 for the wireguard UDP port.
> I use `ngrep -d wg0 .\* icmp`, but nothing dump. However while I open my phone's browser to visit my LAN site, it did dump something.
>
>> - Does the mobile App actually support remote (routed) cameras or just on the local network?
> This is the point I said in my original mail that I think my phone and the camera are in different networks. I believe this App is for LAN network.
>
> For this scenario, are there solutions ?
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-06-21 10:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-20 14:52 How to detect the IP CAM on LAN from WG tunnel ? Nohk Two
2024-06-21 9:18 ` Mark Lawrence
2024-06-21 10:39 ` Nohk Two
2024-06-21 10:47 ` Tomcsanyi, Domonkos
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).