Development discussion of WireGuard
 help / color / mirror / Atom feed
* Nested Wireguard tunnels not working on Android and Windows
@ 2021-02-25 17:48 i iordanov
  2021-02-27 17:16 ` Frank Carmickle
  2021-03-04  8:56 ` Matthias Urlichs
  0 siblings, 2 replies; 8+ messages in thread
From: i iordanov @ 2021-02-25 17:48 UTC (permalink / raw)
  To: wireguard

Hello!

In order to allow traffic to assist devices that cannot reach each
other directly, I am setting up wireguard tunnels through a server
with a public IP (40.30.40.30 in the example below).

For reasons of privacy, I'd like for the server to not be able to
decrypt my traffic. As a result, I would like for one encapsulating
Wireguard tunnel (subnet 10.1.2.0/24) to be peered through the server,
while a second nested Wireguard tunnel (subnet 10.1.3.0/24) to be
established through the first tunnel, peered only at the two devices
(Android and Linux in this case) that need to communicate.

An attempt was made to use a single Wireguard interface. Doing it this
way works between two Linux machines and even between Linux and Mac OS
X, but does not work between a Pixel 3a XL running Android 11 with the
GoBackend Wireguard implementation and my Linux laptop. I also tried
the same config on Windows 10 to no avail.

The config on the Android device, obtained with toWgQuickString():
======================================
    [Interface]
    Address = 10.1.2.5/24, 10.1.3.5/24
    ListenPort = 46847
    MTU = 1200
    PrivateKey = PRIVATE_KEY

    [Peer]
    AllowedIPs = 10.1.2.0/24
    Endpoint = 40.30.40.30:10000
    PersistentKeepalive = 3600
    PublicKey = VF5dic+a+6MllssbV+ShVwEBRrX9gr4do2iNylWrPGs=

    [Peer]
    AllowedIPs = 10.1.3.1/32
    Endpoint = 10.1.2.1:51555
    PersistentKeepalive = 3600
    PublicKey = 0Awdb451Z4+3Gezm7UlbRquC1kcF52r68J9wG1x/zUE=
======================================

The 10.1.2.0/24 subnet is the one that is "visible" to the public
server. The 10.1.3.0/24 subnet is the one that is private to the two
devices.

The devices can actually reach each other with netcat over UDP at
10.1.2.5:46847 and 10.1.2.1:51555 respectively. So the "encapsulating"
tunnel is working, and iperf3 were used to test it over UDP and TCP
successfully.

The "nested" tunnel does not get established.

The following permutations of the above config have the commented problems:

# Only 10.1.2.0/24 works, 10.1.3.0/24 does not.
    Address = 10.1.2.1/24, 10.1.3.1/24

# Only 10.1.2.0/24 works, 10.1.3.0/24 (as expected) does not.
    Address = 10.1.2.1/24

# Neither network works
    Address = 10.1.3.1/24, 10.1.2.1/24

This looks like a bug that is triggered when multiple addresses are
assigned to the interface.

Any suggestions on what to try are welcome.

Thanks!
iordan


-- 
The conscious mind has only one thread of execution.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Nested Wireguard tunnels not working on Android and Windows
  2021-02-25 17:48 Nested Wireguard tunnels not working on Android and Windows i iordanov
@ 2021-02-27 17:16 ` Frank Carmickle
  2021-02-28  0:53   ` Aaron Jones
  2021-03-04  8:56 ` Matthias Urlichs
  1 sibling, 1 reply; 8+ messages in thread
From: Frank Carmickle @ 2021-02-27 17:16 UTC (permalink / raw)
  To: i iordanov; +Cc: wireguard

Iordan,

It's not totally clear to me how you are trying to achieve this, however I'm pretty certain that you want to be creating a second interface that routes the traffic to the endpoint reachable inside the other tunnel, 

You say that it's possible to run a nested configuration on Linux and Macos with just a single interface each,. Have you done a packet capture to prove that that is in fact what is happening? That doesn't seem like how it would act given the design goals.

--FC

On Feb 25, 2021, at 12:48 PM, i iordanov <iiordanov@gmail.com> wrote:
> 
> Hello!
> 
> In order to allow traffic to assist devices that cannot reach each
> other directly, I am setting up wireguard tunnels through a server
> with a public IP (40.30.40.30 in the example below).
> 
> For reasons of privacy, I'd like for the server to not be able to
> decrypt my traffic. As a result, I would like for one encapsulating
> Wireguard tunnel (subnet 10.1.2.0/24) to be peered through the server,
> while a second nested Wireguard tunnel (subnet 10.1.3.0/24) to be
> established through the first tunnel, peered only at the two devices
> (Android and Linux in this case) that need to communicate.
> 
> An attempt was made to use a single Wireguard interface. Doing it this
> way works between two Linux machines and even between Linux and Mac OS
> X, but does not work between a Pixel 3a XL running Android 11 with the
> GoBackend Wireguard implementation and my Linux laptop. I also tried
> the same config on Windows 10 to no avail.
> 
> The config on the Android device, obtained with toWgQuickString():
> ======================================
>    [Interface]
>    Address = 10.1.2.5/24, 10.1.3.5/24
>    ListenPort = 46847
>    MTU = 1200
>    PrivateKey = PRIVATE_KEY
> 
>    [Peer]
>    AllowedIPs = 10.1.2.0/24
>    Endpoint = 40.30.40.30:10000
>    PersistentKeepalive = 3600
>    PublicKey = VF5dic+a+6MllssbV+ShVwEBRrX9gr4do2iNylWrPGs=
> 
>    [Peer]
>    AllowedIPs = 10.1.3.1/32
>    Endpoint = 10.1.2.1:51555
>    PersistentKeepalive = 3600
>    PublicKey = 0Awdb451Z4+3Gezm7UlbRquC1kcF52r68J9wG1x/zUE=
> ======================================
> 
> The 10.1.2.0/24 subnet is the one that is "visible" to the public
> server. The 10.1.3.0/24 subnet is the one that is private to the two
> devices.
> 
> The devices can actually reach each other with netcat over UDP at
> 10.1.2.5:46847 and 10.1.2.1:51555 respectively. So the "encapsulating"
> tunnel is working, and iperf3 were used to test it over UDP and TCP
> successfully.
> 
> The "nested" tunnel does not get established.
> 
> The following permutations of the above config have the commented problems:
> 
> # Only 10.1.2.0/24 works, 10.1.3.0/24 does not.
>    Address = 10.1.2.1/24, 10.1.3.1/24
> 
> # Only 10.1.2.0/24 works, 10.1.3.0/24 (as expected) does not.
>    Address = 10.1.2.1/24
> 
> # Neither network works
>    Address = 10.1.3.1/24, 10.1.2.1/24
> 
> This looks like a bug that is triggered when multiple addresses are
> assigned to the interface.
> 
> Any suggestions on what to try are welcome.
> 
> Thanks!
> iordan
> 
> 
> -- 
> The conscious mind has only one thread of execution.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Nested Wireguard tunnels not working on Android and Windows
  2021-02-27 17:16 ` Frank Carmickle
@ 2021-02-28  0:53   ` Aaron Jones
  2021-03-01  6:07     ` i iordanov
  0 siblings, 1 reply; 8+ messages in thread
From: Aaron Jones @ 2021-02-28  0:53 UTC (permalink / raw)
  To: WireGuard mailing list


[-- Attachment #1.1: Type: text/plain, Size: 467 bytes --]

On 27/02/2021 17:16, Frank Carmickle wrote:
> Iordan,
>
> You say that it's possible to run a nested configuration on
> Linux and Macos with just a single interface each. Have you
> done a packet capture to prove that that is in fact what is
> happening? That doesn't seem like how it would act given the
> design goals.

Nesting (Using one of Peer A's AllowedIPs as Peer B's Endpoint) does
work within the same WireGuard interface, at least on Linux.



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Nested Wireguard tunnels not working on Android and Windows
  2021-02-28  0:53   ` Aaron Jones
@ 2021-03-01  6:07     ` i iordanov
  2021-03-01 14:44       ` Frank Carmickle
  0 siblings, 1 reply; 8+ messages in thread
From: i iordanov @ 2021-03-01  6:07 UTC (permalink / raw)
  To: Aaron Jones; +Cc: WireGuard mailing list

Hi Aaron, Frank,

Thanks for your replies. For some reason, gmail had decided Frank's
original reply was spam, I apologize for missing it. The first message
in response to mine I received was Aaron's. Frank, after retrieving
your message, yes you understanding is correct.

Yes, I have done packet capture and indeed, the setup works correctly
on Linux and Mac, whereas it does not work under Android and Windows.
What can I do to help diagnose, debug and/or resolve this issue?

Cheers and thanks!
iordan


On Sun, Feb 28, 2021 at 5:17 PM Aaron Jones <me@aaronmdjones.net> wrote:
>
> On 27/02/2021 17:16, Frank Carmickle wrote:
> > Iordan,
> >
> > You say that it's possible to run a nested configuration on
> > Linux and Macos with just a single interface each. Have you
> > done a packet capture to prove that that is in fact what is
> > happening? That doesn't seem like how it would act given the
> > design goals.
>
> Nesting (Using one of Peer A's AllowedIPs as Peer B's Endpoint) does
> work within the same WireGuard interface, at least on Linux.
>
>


--
The conscious mind has only one thread of execution.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Nested Wireguard tunnels not working on Android and Windows
  2021-03-01  6:07     ` i iordanov
@ 2021-03-01 14:44       ` Frank Carmickle
  2021-03-01 20:09         ` i iordanov
  0 siblings, 1 reply; 8+ messages in thread
From: Frank Carmickle @ 2021-03-01 14:44 UTC (permalink / raw)
  To: i iordanov; +Cc: Aaron Jones, WireGuard mailing list

Iordan,

> On Mar 1, 2021, at 1:07 AM, i iordanov <iiordanov@gmail.com> wrote:
> 
> Hi Aaron, Frank,
> 
> Thanks for your replies. For some reason, gmail had decided Frank's
> original reply was spam, I apologize for missing it. The first message
> in response to mine I received was Aaron's. Frank, after retrieving
> your message, yes you understanding is correct.
> 
> Yes, I have done packet capture and indeed, the setup works correctly
> on Linux and Mac, whereas it does not work under Android and Windows.

Maybe it's a bug and not a feature? It seems to me that you would have no way of setting the MTU on the inner tunnel.

> What can I do to help diagnose, debug and/or resolve this issue?

Is there a reason why you can't try multiple interfaces?

--FC

> Cheers and thanks!
> iordan
> 
> 
> On Sun, Feb 28, 2021 at 5:17 PM Aaron Jones <me@aaronmdjones.net> wrote:
>> 
>> On 27/02/2021 17:16, Frank Carmickle wrote:
>>> Iordan,
>>> 
>>> You say that it's possible to run a nested configuration on
>>> Linux and Macos with just a single interface each. Have you
>>> done a packet capture to prove that that is in fact what is
>>> happening? That doesn't seem like how it would act given the
>>> design goals.
>> 
>> Nesting (Using one of Peer A's AllowedIPs as Peer B's Endpoint) does
>> work within the same WireGuard interface, at least on Linux.
>> 
>> 
> 
> 
> --
> The conscious mind has only one thread of execution.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Nested Wireguard tunnels not working on Android and Windows
  2021-03-01 14:44       ` Frank Carmickle
@ 2021-03-01 20:09         ` i iordanov
  2021-03-02 14:31           ` mikma.wg
  0 siblings, 1 reply; 8+ messages in thread
From: i iordanov @ 2021-03-01 20:09 UTC (permalink / raw)
  To: Frank Carmickle; +Cc: Aaron Jones, WireGuard mailing list

Hi Frank,

On Mon, Mar 1, 2021 at 9:42 AM Frank Carmickle <frank@carmickle.com> wrote:
> Maybe it's a bug and not a feature? It seems to me that you would have no way of setting the MTU on the inner tunnel.

That's true - other than inefficient packet fragmentation, is there
anything else that would be an issue?

> Is there a reason why you can't try multiple interfaces?

I cannot bring up more than a single interface on Android. I am not
sure about interface management on Windows with wg.exe, but
wireguard.exe certainly does not permit multiple interfaces to be
brought up.

Thanks!
iordan


-- 
The conscious mind has only one thread of execution.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Nested Wireguard tunnels not working on Android and Windows
  2021-03-01 20:09         ` i iordanov
@ 2021-03-02 14:31           ` mikma.wg
  0 siblings, 0 replies; 8+ messages in thread
From: mikma.wg @ 2021-03-02 14:31 UTC (permalink / raw)
  To: i iordanov, WireGuard mailing list

On 2021-03-01 21:09, i iordanov wrote:

> Hi Frank,
>
> On Mon, Mar 1, 2021 at 9:42 AM Frank Carmickle <frank@carmickle.com> wrote:
>> Maybe it's a bug and not a feature? It seems to me that you would have no way of setting the MTU on the inner tunnel.
> That's true - other than inefficient packet fragmentation, is there
> anything else that would be an issue?
It's possible to configure the MTU for each route on Linux. (Obviously 
you can't use the extremely simple wg-quick script for this.)
>
>> Is there a reason why you can't try multiple interfaces?
> I cannot bring up more than a single interface on Android. I am not
> sure about interface management on Windows with wg.exe, but
> wireguard.exe certainly does not permit multiple interfaces to be
> brought up.

The WireGuard app on Android also can't use a VPN address as the source 
of WireGuard packets. Only non-VPN addresses are supported.

Which means currently the WireGuard app on Android can't be used for 
nested tunnels.



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Nested Wireguard tunnels not working on Android and Windows
  2021-02-25 17:48 Nested Wireguard tunnels not working on Android and Windows i iordanov
  2021-02-27 17:16 ` Frank Carmickle
@ 2021-03-04  8:56 ` Matthias Urlichs
  1 sibling, 0 replies; 8+ messages in thread
From: Matthias Urlichs @ 2021-03-04  8:56 UTC (permalink / raw)
  To: wireguard


[-- Attachment #1.1: Type: text/plain, Size: 434 bytes --]

On 25.02.21 18:48, i iordanov wrote:
> The "nested" tunnel does not get established.

That's a generic problem. Usually you want to ensure that encrypted 
packets don't themselves go through the tunnel. This is difficult if not 
impossible on Android unless you rooted your device.

Also, you would need a per-route MTU. Linux can do that, but again you 
don't have the privileges on Android.

-- 
-- Matthias Urlichs



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2021-03-07 15:46 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-25 17:48 Nested Wireguard tunnels not working on Android and Windows i iordanov
2021-02-27 17:16 ` Frank Carmickle
2021-02-28  0:53   ` Aaron Jones
2021-03-01  6:07     ` i iordanov
2021-03-01 14:44       ` Frank Carmickle
2021-03-01 20:09         ` i iordanov
2021-03-02 14:31           ` mikma.wg
2021-03-04  8:56 ` Matthias Urlichs

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).