From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adrián Mihálko
Date: Mon, 12 Mar 2018 12:22:48 +0100
Subject: Wireguard behind NAT
To: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

Is there any way to connect to Wireguard behind a Carrier-grade NAT? I have a backup LTE connection, without proper public ip + I have a home server with Wireguard.

SIDE_A = LTE connection, without public IP, NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)
SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, no public ip)

Best regards,
Adrian

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Jason A. Donenfeld"
Date: Sat, 14 Apr 2018 04:06:11 +0200
Subject: Re: Wireguard behind NAT
To: Adrián Mihálko
Cc: WireGuard mailing list

If you can have SIDE_A connect to SIDE_B and enable persistent-keepalive, that should take care of things mostly. If you can't do that for whatever reason, there are hole punching tricks like [1] and [2].

[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching
[2] https://github.com/manuels/wireguard-p2p

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adrián Mihálko
Date: Mon, 3 Sep 2018 12:28:48 +0200
Subject: Wireguard behind NAT
To: wireguard@lists.zx2c4.com

Is there any way to connect to Wireguard behind a Carrier-grade NAT?

On SIDE_A I have a backup LTE connection, without proper public ip, only dynamic ip and I server with Wireguard.

SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)

SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip on SIDE_A)

I heard of Wireguard-P2P, but it's not running on headless server, because one of their component requires x11.

Best regards,
Adrian

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ole-Morten Duesund
Date: Mon, 3 Sep 2018 12:43:19 +0200
Subject: Re: Wireguard behind NAT
To: wireguard@lists.zx2c4.com

On 9/3/18 12:28 PM, Adrián Mihálko wrote:
> Is there any way to connect to Wireguard behind a Carrier-grade NAT?
>
> On SIDE_A I have a backup LTE connection, without proper public ip, only
> dynamic ip and I server with Wireguard.
>
> SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
> SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)
>
> SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
> SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public
> ip on SIDE_A)
>
> I heard of Wireguard-P2P, but it's not running on headless server,
> because one of their component requires x11.

This is pretty much the same as I have - and while SIDE_B_SERVER won't be able to establish connection to SIDE_A_SERVER, SIDE_A_SERVER should have no problems establishing a connection to SIDE_B_SERVER.

Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER should keep the connection up.

- OM

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Roman Mamedov
Date: Mon, 3 Sep 2018 15:55:49 +0500
Subject: Re: Wireguard behind NAT
To: Ole-Morten Duesund
Cc: wireguard@lists.zx2c4.com

On Mon, 3 Sep 2018 12:43:19 +0200 Ole-Morten Duesund wrote:
> Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER
> should keep the connection up.

Do you encounter any difference between 5, 25 and 55, only 5 works for you? If not, setting it to such a low interval seems wasteful, especially on LTE/mobile with possibly metered bandwidth and battery concerns.

--
With respect,
Roman

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ole-Morten Duesund
Date: Mon, 3 Sep 2018 12:59:03 +0200
Subject: Re: Wireguard behind NAT
Cc: wireguard@lists.zx2c4.com

On 9/3/18 12:55 PM, Roman Mamedov wrote:
> On Mon, 3 Sep 2018 12:43:19 +0200
> Ole-Morten Duesund wrote:
>
>> Adding a "PersistentKeepalive = 5" to your config on SIDE_A_SERVER
>> should keep the connection up.
>
> Do you encounter any difference between 5, 25 and 55, only 5 works for you? If
> not, setting it to such a low interval seems wasteful, especially on
> LTE/mobile with possibly metered bandwidth and battery concerns.

"It works for me?"

It's a balance between how long you're willing to wait for a possibly idle link if you need to connect from SIDE_B to SIDE_A. It's tunable and you should probably test what's acceptable to you.

- OM

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adrián Mihálko
Date: Sun, 2 Sep 2018 21:51:24 +0200
Subject: Wireguard behind NAT
To: wireguard@lists.zx2c4.com

Is there any way to connect to Wireguard behind a Carrier-grade NAT?

On SIDE_A I have a backup LTE connection, without proper public ip, only dynamic ip and I server with Wireguard.

SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)

SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip on SIDE_A)

Best regards,
Adrian

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Jason A. Donenfeld"
Date: Thu, 6 Sep 2018 21:39:50 -0600
Subject: Re: Wireguard behind NAT
To: Adrián Mihálko
Cc: WireGuard mailing list

https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steven Honson
Date: Sat, 8 Sep 2018 01:17:54 +1000
Subject: Re: Wireguard behind NAT
To: Adrián Mihálko
Cc: wireguard@lists.zx2c4.com

Hi Adrian,

As SIDE_B has a public IP address, the example you give should work fine. In this case, SIDE_A will establish a connection with SIDE_B which effectively punches a NAT hole for return traffic from SIDE_B to SIDE_A.

When configuring the SIDE_A peer on SIDE_B, just leave EndPoint unset.
Inversely, when configuring the SIDE_B peer on SIDE_A, use the dynamic DNS name (and the port that SIDE_B is listening on).

The NAT Hole Punching example Jason provided is more applicable to situations where both WireGuard peers are NATed. In your example it sounds like this is only the case for SIDE_A.

Cheers,
Steven

> On 3 Sep 2018, at 5:51 am, Adrián Mihálko wrote:
>
> Is there any way to connect to Wireguard behind a Carrier-grade NAT?
>
> On SIDE_A I have a backup LTE connection, without proper public ip, only dynamic ip and I server with Wireguard.
>
> SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT
> SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org)
>
> SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org)
> SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip on SIDE_A)
>
> Best regards,
> Adrian

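
Added example, not part of any message in the thread: the setup Steven and Ole-Morten describe, written out as a pair of wg-quick configuration files. Key values are placeholders, and the tunnel addresses (10.0.0.1, 10.0.0.2), the port 51820 and the interface name wg0 are assumptions; 25 is one of the keepalive intervals discussed above.

```ini
# ===== File 1: SIDE_A_SERVER, /etc/wireguard/wg0.conf =====
# Behind carrier-grade NAT, so this side always initiates.
[Interface]
# Placeholder, generate with `wg genkey`.
PrivateKey = <SIDE_A_PRIVATE_KEY>
# Constructed tunnel address (assumption).
Address = 10.0.0.2/24
# No ListenPort: nothing can reach this host unsolicited anyway.

[Peer]
# Placeholder for SIDE_B_SERVER's public key.
PublicKey = <SIDE_B_PUBLIC_KEY>
# Dynamic DNS name from the thread plus the port SIDE_B listens on
# (51820 is an assumption).
Endpoint = sideb.dyndns.org:51820
# Only accept and route SIDE_B's own tunnel address over this peer.
AllowedIPs = 10.0.0.1/32
# Sends a keepalive every 25 s so the NAT mapping stays open and
# SIDE_B can reach SIDE_A at any time. The thread discusses 5, 25
# and 55: lower values recover faster but cost more LTE traffic.
PersistentKeepalive = 25

# ===== File 2: SIDE_B_SERVER, /etc/wireguard/wg0.conf =====
# Public IP, reachable as sideb.dyndns.org.
[Interface]
# Placeholder, generate with `wg genkey`.
PrivateKey = <SIDE_B_PRIVATE_KEY>
# Constructed tunnel address (assumption).
Address = 10.0.0.1/24
# Must match the port in SIDE_A's Endpoint and be allowed inbound
# (UDP) through SIDE_B's firewall or router.
ListenPort = 51820

[Peer]
# Placeholder for SIDE_A_SERVER's public key.
PublicKey = <SIDE_A_PUBLIC_KEY>
# Only accept and route SIDE_A's own tunnel address over this peer.
AllowedIPs = 10.0.0.2/32
# Endpoint is left unset on purpose: SIDE_B learns SIDE_A's current
# NAT-translated address and port from the packets SIDE_A sends, and
# replies there.
# No PersistentKeepalive needed on this side.
```

After bringing both interfaces up, `wg show wg0 latest-handshakes` on SIDE_B_SERVER shows whether SIDE_A_SERVER's handshake has arrived; until it has, SIDE_B has no endpoint to send to.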