From: Steven Honson
Subject: Re: Routing only to latest peer in the config list seems to work
Date: Sat, 8 Sep 2018 20:21:55 +1000
To: danny.korpan@mailbox.org
Cc: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

Hi Danny,

Have you also changed the mask for each of the peers on your central node to /32? If not you'll need to do this, as leaving them as /24 still effectively makes them all the same route. Ie 192.168.50.1/24 and 192.168.50.2/24 are both the same still. The "AllowedIPs" on the central node should be 192.168.50.1/32, 192.168.50.2/32 etc in your example.

You can leave the "Address" IPs with a /24 mask.

Are you able to share an updated copy of your configs?

Cheers,
Steven

> On 8 Sep 2018, at 6:36 pm, danny.korpan@mailbox.org wrote:
>
> Hi,
>
> I've changed the AllowedIPs so that everyone has its own dedicated IP. Still the same problem. No routing.
>
> Kind Regards,
> Danny
>
> From: Ryan Whelan <rcwhelan@gmail.com>
> Sent: Thursday, 6 September 2018 19:14
> To: danny.korpan@mailbox.org
> Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
> Subject: Re: Routing only to latest peer in the config list seems to work
>
> You're using the same AllowedIPs for multiple peers.
>
> On Thu, Sep 6, 2018 at 12:15 PM <danny.korpan@mailbox.org> wrote:
> Hi,
>
> I have the problem with my wireguard server, that only the latest user
> "peer" from the server config can route/ping to the internal wireguard
> server IP or the clients in the network behind the wireguard server upon
> successful connection. All peers can connect to the server, but only the
> latest in the list can ping other servers.
> I can't locate the error in the configs... does anybody have an idea?
>
> My wireguard server and client version is 0.0.20180809-wg1~xenial with
> Ubuntu 18.04.1
>
> wg0.conf
> [Interface]
> Address = 192.168.50.1/24
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> ListenPort = 51820
> PrivateKey = XXX
>
> [Peer]
> #User 1
> PublicKey = XXX
> PresharedKey = XXX
> AllowedIPs = 192.168.50.0/24
>
> [Peer]
> #User 2
> PublicKey = XXX
> PresharedKey = XXX
> #AllowedIPs = 192.168.50.0/24
>
> [Peer]
> #User 3
> PublicKey = XXX
> PresharedKey = XXX
> AllowedIPs = 192.168.50.0/24
>
> [Peer]
> #User 4
> PublicKey = XXX
> PresharedKey = XXX
> AllowedIPs = 192.168.50.0/24
>
>
> client.config
> [Interface]
> PrivateKey = XXX
> DNS = 192.168.178.1
> Address = 192.168.50.2/24
>
> [Peer]
> PublicKey = XXX
> PresharedKey = XXX
> AllowedIPs = 192.168.50.0/24, 190.168.178.0/24
> Endpoint = my.remote.server:51820
> PersistentKeepalive = 25
>
> My sysctl.conf includes
> net.ipv4.conf.all.proxy_arp = 1
> net.ipv4.ip_forward = 1
>
> Does anybody have an idea?
>
> Kind Regards,
> Danny
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
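Steven's point, worked through as an added example that is not part of this thread and not WireGuard project code: a toy model of WireGuard's cryptokey routing table, the structure the AllowedIPs lines populate. In WireGuard each AllowedIPs prefix is owned by exactly one peer; when the [Peer] sections are applied in order, a prefix already assigned to an earlier peer moves to the later one. With the posted wg0.conf that leaves only User 4 owning 192.168.50.0/24, so the server sends every reply for a 192.168.50.x address to User 4 and drops decrypted packets from User 1 and User 3 because their source addresses no longer map back to them, while the handshake itself still succeeds. That is the "only the latest peer works" symptom. Giving each peer a /32 equal to its client's Address fixes both directions; the Address line can keep /24 because it feeds the kernel routing table, not this one. The peer labels user1 to user4, the /32 assignments 192.168.50.2 to .5 and the packet addresses are constructed for the demo. (Separately, the client config lists 190.168.178.0/24 where its DNS server is 192.168.178.1; the model below does not cover that.)

```python
"""Toy model of WireGuard's cryptokey routing table (the AllowedIPs lookup).

Added example for this thread, not code from the WireGuard project. It models
the rule at issue: each AllowedIPs prefix belongs to exactly one peer, the
peer configured last takes a prefix away from any earlier owner, outbound
packets choose a peer by longest prefix match, and an inbound packet is kept
only if its source address maps back to the peer it was decrypted from.
Peer labels user1..user4 and the addresses below are constructed for the demo.
"""
import ipaddress
from typing import List, Optional


class CryptokeyRoutingTable:
    def __init__(self) -> None:
        self._routes = {}  # prefix (ip_network) -> owning peer name

    def add_peer(self, peer: str, allowed_ips: List[str]) -> List[str]:
        """Give `peer` the listed prefixes; returns the peers that lost one."""
        displaced = []
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            previous = self._routes.get(net)
            if previous is not None and previous != peer:
                displaced.append(previous)
            self._routes[net] = peer  # a prefix has one owner: last writer wins
        return displaced

    def lookup(self, address: str) -> Optional[str]:
        """Outbound: the peer owning the longest prefix that covers `address`."""
        addr = ipaddress.ip_address(address)
        best_net, best_peer = None, None
        for net, peer in self._routes.items():
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_peer = net, peer
        return best_peer

    def accepts(self, peer: str, source: str) -> bool:
        """Inbound: after decryption, a packet from `peer` is kept only if its
        source address routes back to `peer` (the anti-spoofing half of the rule)."""
        return self.lookup(source) == peer

    def allowed_ips_of(self, peer: str) -> List[str]:
        return sorted(str(net) for net, owner in self._routes.items() if owner == peer)


def server_table_with_overlapping_allowed_ips() -> CryptokeyRoutingTable:
    """Shape of the posted wg0.conf: every peer claims 192.168.50.0/24, except
    User 2 whose AllowedIPs line is commented out and so claims nothing."""
    table = CryptokeyRoutingTable()
    table.add_peer("user1", ["192.168.50.0/24"])
    table.add_peer("user2", [])
    table.add_peer("user3", ["192.168.50.0/24"])  # takes the /24 away from user1
    table.add_peer("user4", ["192.168.50.0/24"])  # takes the /24 away from user3
    return table


def server_table_with_host_routes() -> CryptokeyRoutingTable:
    """The fix: one /32 per peer equal to that client's Address. 192.168.50.1
    is the server's own address, so the constructed peers start at .2."""
    table = CryptokeyRoutingTable()
    table.add_peer("user1", ["192.168.50.2/32"])
    table.add_peer("user2", ["192.168.50.3/32"])
    table.add_peer("user3", ["192.168.50.4/32"])
    table.add_peer("user4", ["192.168.50.5/32"])
    return table


def render_peer_sections(table: CryptokeyRoutingTable, peers: List[str]) -> str:
    """Emit [Peer] sections for a wg-quick config; keys stay placeholders."""
    lines = []
    for peer in peers:
        lines += ["[Peer]", f"#{peer}", "PublicKey = XXX", "PresharedKey = XXX",
                  "AllowedIPs = " + ", ".join(table.allowed_ips_of(peer)), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    broken = server_table_with_overlapping_allowed_ips()
    for user, addr in [("user1", "192.168.50.2"), ("user3", "192.168.50.4"), ("user4", "192.168.50.5")]:
        print(f"/24 on every peer: reply to {addr} goes to {broken.lookup(addr)}, "
              f"inbound from {user} with source {addr} accepted: {broken.accepts(user, addr)}")
    print()
    print(render_peer_sections(server_table_with_host_routes(), ["user1", "user2", "user3", "user4"]))
```

Running it prints the overlapping case first: replies to .2 and .4 are handed to user4, and inbound packets from user1 and user3 are rejected, while user4 works. It then prints the four /32 [Peer] sections for the corrected server config. On a live box the same check is `wg show wg0 allowed-ips`, which lists one line per peer with the prefixes that peer actually owns after the config has been applied.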