From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adrián Mihálko <adriankoooo@gmail.com>
Date: Sun, 25 Mar 2018 11:19:44 +0200
Subject: can't ping remote side IP range from WG instance
To: wireguard@lists.zx2c4.com
List-Id: Development discussion of WireGuard

A side (192.168.2.0/24):

LEDE router 192.168.2.1 (static route to access remote side 192.168.1.0/24 pointing to 192.168.2.100)

Pi Zero with Wireguard (192.168.2.100, WG: 192.168.5.2)

Config:

auto wg0
iface wg0 inet static
  pre-up ip link add dev wg0 type wireguard
  post-up wg setconf wg0 /etc/wireguard/wireguard.conf
  post-up ip link set dev wg0 up
  post-up ip route add 192.168.1.0/24 via 192.168.5.1 dev wg0
  post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  address 192.168.5.2
  netmask 255.255.255.0


B side (192.168.1.0/24):

Unifi router 192.168.1.1 (static route to access remote side 192.168.2.0/24 pointing to 192.168.1.54)

Ubuntu server with Wireguard (192.168.1.54, WG: 192.168.5.1)

Config:

iface wg0 inet static
  pre-up /sbin/ip link add dev wg0 type wireguard
  post-up /usr/bin/wg setconf wg0 /etc/wireguard/wg0.conf
  post-up /sbin/ip route add 192.168.2.0/24 via 192.168.5.2 dev wg0
  post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  post-down /sbin/ip link del wg0
  address 192.168.5.1
  netmask 255.255.255.0

---

Everything is working great, except that on the "Pi Zero with Wireguard" I can't access/ping remote devices in the 192.168.1.0/24 range, only the remote server 192.168.1.54. From any other machine in the same "A side" I am able to access devices in the 192.168.1.0/24 range, just from the Pi Zero itself not.

What am I missing here?


pi@raspberrypizero:~ $ ping 192.168.1.54
PING 192.168.1.54 (192.168.1.54) 56(84) bytes of data.
64 bytes from 192.168.1.54: icmp_seq=1 ttl=64 time=48.6 ms
64 bytes from 192.168.1.54: icmp_seq=2 ttl=64 time=134 ms^C
--- 192.168.1.54 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 48.671/91.554/134.437/42.883 ms
pi@raspberrypizero:~ $ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
^C
--- 192.168.1.100 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5188ms

pi@raspberrypizero:~ $ traceroute 192.168.1.100
traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
 1  192.168.5.1 (192.168.5.1)  42.279 ms  43.834 ms  44.678 ms
 2  * * *
 3  * * *
 4  * * *


---

B side is working great, I am able to ping everything, even from the Ubuntu server.


Regards,
Adrian

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kalin KOZHUHAROV <me.kalin@gmail.com>
Date: Sun, 25 Mar 2018 21:55:29 +0200
Subject: Re: can't ping remote side IP range from WG instance
To: Adrián Mihálko
Cc: WireGuard mailing list

I am really not sure, but let me have a stab:

On Sun, Mar 25, 2018 at 11:19 AM, Adrián Mihálko wrote:
> auto wg0
> iface wg0 inet static
>   pre-up ip link add dev wg0 type wireguard
>   post-up wg setconf wg0 /etc/wireguard/wireguard.conf
>   post-up ip link set dev wg0 up
>   post-up ip route add 192.168.1.0/24 via 192.168.5.1 dev wg0
>   post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
* I guess that should be
post-up iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

Please try to use generic OS commands to describe the situation whenever possible (avoiding or in addition to LEDE-specific config).
e.g. `ip addr` `ip route` `wg`

* Any other iptables rules? Try disabling all FW first. (also on Ubuntu server)
* Any bridging (often the case in LEDE)?
* run tcpdump/tshark to see what is going on

> Everything is working great,
What exactly is working?

> except that on the "Pi Zero with Wireguard" I can't access/ping remote devices in the 192.168.1.0/24 range, only the remote server 192.168.1.54.
> From any other machine in the same "A side" I am able to access devices in the 192.168.1.0/24 range, just from the Pi Zero itself not.
>
So the difference here is (looking from inside Pi0), "other machine" traverses the FORWARD chain, while "Pi Zero with Wireguard" traverses OUTPUT (then reply via INPUT).
I guess fixing the MASQUERADE line will do it (on both sides).

Being able to ping only the router of a remote net means that it doesn't route the echo-request:
* due to FW policy
* due to "bad src address" (e.g. if you somehow manage to ping from 1.1.1.1 (via many tunnels) to 2.2.2.2 and 2.2.2.2 cannot directly reach 1.1.1.1)
(I am guessing Pi0 sends ping from wg0/192.168.5.2 to Ubuntu wg0/192.168.5.1, forwarded to 192.168.1.100, it has no route to 192.168.5.2, so sends it to 192.168.1.1 as default... asymmetric route blocking?)

* on 192.168.1.100, run tshark to see if you even get an echo-request packet when you try to ping it.
* What is the route to 192.168.5.2 on 192.168.1.100? (on 192.168.1.100 run `ip route get 192.168.5.2`)

And before doing any of the above, sit down and draw a map, with colorful pens for wired and WG connections. It does help, trust me.

Kalin.
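Added example, not written by anyone in this thread: Kalin's first suspicion is the interface named in the MASQUERADE rule, and the thread's eventual fix confirms that the rule on the B side referred to an interface (eth0) that the host does not have. iptables accepts such a rule without complaint; it simply never matches, so the tunnel's source address is never rewritten. The script below is a pre-flight check a gateway operator can run from a post-up hook or by hand: it pulls every `-i`/`-o` argument out of the iptables lines of an /etc/network/interfaces stanza and reports the names that do not exist. The stanza is a constructed copy of the B-side config from the thread; the interface list passed on the command line ("lo ens160 wg0") is an assumption about that host used to make the run self-contained, and with no second argument the live list is read from /sys/class/net.

```shell
#!/bin/sh
# Added example, not from the thread: find iptables rules in an interfaces(5)
# stanza that name an interface the host does not have. Such a rule is accepted
# by iptables but never matches (the thread's "-o eth0" on a host with ens160).

# Constructed stanza, modelled on the B-side config posted in the thread.
SAMPLE_STANZA='iface wg0 inet static
  pre-up /sbin/ip link add dev wg0 type wireguard
  post-up /usr/bin/wg setconf wg0 /etc/wireguard/wg0.conf
  post-up /sbin/ip route add 192.168.2.0/24 via 192.168.5.2 dev wg0
  post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  post-down /sbin/ip link del wg0
  address 192.168.5.1
  netmask 255.255.255.0'

# list_ifaces [NAMES]: one interface name per line. With an argument the
# space-separated NAMES are used (for testing or for reviewing a config meant
# for another host); otherwise the live list is read from /sys/class/net.
list_ifaces() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1" | tr ' ' '\n'
    else
        ls /sys/class/net
    fi
}

# iptables_iface_refs STANZA: every interface named after -i or -o on a
# pre-up/post-up/pre-down/post-down iptables line, one per line, deduplicated.
iptables_iface_refs() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*(pre|post)-(up|down)[[:space:]].*iptables' \
        | grep -oE -- '-[io] [A-Za-z0-9_.:-]+' \
        | awk '{ print $2 }' | sort -u
}

# check_iptables_ifaces STANZA [NAMES]: prints "<iface> missing" for each
# referenced interface that does not exist; returns 1 if any is missing.
check_iptables_ifaces() {
    known=$(list_ifaces "$2")
    rc=0
    for ifc in $(iptables_iface_refs "$1"); do
        if ! printf '%s\n' "$known" | grep -qxF -- "$ifc"; then
            echo "$ifc missing"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against an assumed interface list for the thread's Ubuntu
# host (lo, ens160 and the WireGuard device): reports "eth0 missing".
if check_iptables_ifaces "$SAMPLE_STANZA" "lo ens160 wg0"; then
    echo "all interfaces referenced by iptables rules exist"
else
    echo "fix the -o/-i interface names before relying on the MASQUERADE rule"
fi
```

The same check is worth running after a kernel or udev upgrade renames interfaces: the rule keeps loading, the NAT silently stops, and the only symptom is exactly the one reported here, replies from the far LAN never coming back to the tunnel address.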
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adrián Mihálko <adriankoooo@gmail.com>
Date: Sun, 25 Mar 2018 23:33:33 +0200
Subject: Re: can't ping remote side IP range from WG instance
To: wireguard@lists.zx2c4.com

Ah. The solution was trivial.

On B side, Ubuntu server:

post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

On my server eth0 doesn't exist, it has another name: ens160.

Now it's working.


> On 25 Mar 2018, at 11:19, Adrián Mihálko <adriankoooo@gmail.com> wrote:
>
> A side (192.168.2.0/24):
>
> LEDE router 192.168.2.1 (static route to access remote side 192.168.1.0/24 pointing to 192.168.2.100)
>
> Pi Zero with Wireguard (192.168.2.100, WG: 192.168.5.2)
>
> Config:
>
> auto wg0
> iface wg0 inet static
>   pre-up ip link add dev wg0 type wireguard
>   post-up wg setconf wg0 /etc/wireguard/wireguard.conf
>   post-up ip link set dev wg0 up
>   post-up ip route add 192.168.1.0/24 via 192.168.5.1 dev wg0
>   post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>   address 192.168.5.2
>   netmask 255.255.255.0
>
>
> B side (192.168.1.0/24):
>
> Unifi router 192.168.1.1 (static route to access remote side 192.168.2.0/24 pointing to 192.168.1.54)
>
> Ubuntu server with Wireguard (192.168.1.54, WG: 192.168.5.1)
>
> Config:
>
> iface wg0 inet static
>   pre-up /sbin/ip link add dev wg0 type wireguard
>   post-up /usr/bin/wg setconf wg0 /etc/wireguard/wg0.conf
>   post-up /sbin/ip route add 192.168.2.0/24 via 192.168.5.2 dev wg0
>   post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>   post-down /sbin/ip link del wg0
>   address 192.168.5.1
>   netmask 255.255.255.0
>
> ---
>
> Everything is working great, except that on the "Pi Zero with Wireguard" I can't access/ping remote devices in the 192.168.1.0/24 range, only the remote server 192.168.1.54. From any other machine in the same "A side" I am able to access devices in the 192.168.1.0/24 range, just from the Pi Zero itself not.
>
> What am I missing here?
>
>
> pi@raspberrypizero:~ $ ping 192.168.1.54
> PING 192.168.1.54 (192.168.1.54) 56(84) bytes of data.
> 64 bytes from 192.168.1.54: icmp_seq=1 ttl=64 time=48.6 ms
> 64 bytes from 192.168.1.54: icmp_seq=2 ttl=64 time=134 ms^C
> --- 192.168.1.54 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1002ms
> rtt min/avg/max/mdev = 48.671/91.554/134.437/42.883 ms
> pi@raspberrypizero:~ $ ping 192.168.1.100
> PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
> ^C
> --- 192.168.1.100 ping statistics ---
> 6 packets transmitted, 0 received, 100% packet loss, time 5188ms
>
> pi@raspberrypizero:~ $ traceroute 192.168.1.100
> traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
>  1  192.168.5.1 (192.168.5.1)  42.279 ms  43.834 ms  44.678 ms
>  2  * * *
>  3  * * *
>  4  * * *
>
>
> ---
>
> B side is working great, I am able to ping everything, even from the Ubuntu server.
>
>
> Regards,
> Adrian

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Light <eric@ericlight.com>
Date: Mon, 26 Mar 2018 12:59:20 +1300
Subject: Re: can't ping remote side IP range from WG instance
To: wireguard@lists.zx2c4.com

Hi Adrián,

Sounds like you're doing something similar to what I've been playing with. I chatted with Jason about it a bit, and he sorted me out with a better solution - perhaps it'll work for you too:

Instead of spinning up a Masquerade rule in iptables, have you tried just making sure that ProxyARP is enabled on the B side Ubuntu server? Try removing the masquerade from iptables, and run this instead:

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

You may also need to enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

If you want to make it permanent, add this to your /etc/sysctl.conf (again on the B side Ubuntu):

net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.all.forwarding = 1

You might be able to use net.ipv4.conf.wg0 instead, I've just used .all as an example.

Let me know if that helps :)

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Mon, 26 Mar 2018, at 10:33, Adrián Mihálko wrote:
> Ah. The solution was trivial.
>
> On B side, Ubuntu server:
>
> post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> On my server eth0 doesn't exist, it has another name: ens160.
>
> Now it's working.
>
>
>> On 25 Mar 2018, at 11:19, Adrián Mihálko wrote:
>>
>> A side (192.168.2.0/24):
>>
>> LEDE router 192.168.2.1 (static route to access remote side 192.168.1.0/24 pointing to 192.168.2.100)
>>
>> Pi Zero with Wireguard (192.168.2.100, WG: 192.168.5.2)
>>
>> Config:
>>
>> auto wg0
>> iface wg0 inet static
>>   pre-up ip link add dev wg0 type wireguard
>>   post-up wg setconf wg0 /etc/wireguard/wireguard.conf
>>   post-up ip link set dev wg0 up
>>   post-up ip route add 192.168.1.0/24 via 192.168.5.1 dev wg0
>>   post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>   address 192.168.5.2
>>   netmask 255.255.255.0
>>
>>
>> B side (192.168.1.0/24):
>>
>> Unifi router 192.168.1.1 (static route to access remote side 192.168.2.0/24 pointing to 192.168.1.54)
>>
>> Ubuntu server with Wireguard (192.168.1.54, WG: 192.168.5.1)
>>
>> Config:
>>
>> iface wg0 inet static
>>   pre-up /sbin/ip link add dev wg0 type wireguard
>>   post-up /usr/bin/wg setconf wg0 /etc/wireguard/wg0.conf
>>   post-up /sbin/ip route add 192.168.2.0/24 via 192.168.5.2 dev wg0
>>   post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>   post-down /sbin/ip link del wg0
>>   address 192.168.5.1
>>   netmask 255.255.255.0
>>
>> ---
>>
>> Everything is working great, except that on the "Pi Zero with Wireguard" I can't access/ping remote devices in the 192.168.1.0/24 range, only the remote server 192.168.1.54. From any other machine in the same "A side" I am able to access devices in the 192.168.1.0/24 range, just from the Pi Zero itself not.
>>
>> What am I missing here?
>>
>>
>> pi@raspberrypizero:~ $ ping 192.168.1.54
>> PING 192.168.1.54 (192.168.1.54) 56(84) bytes of data.
>> 64 bytes from 192.168.1.54: icmp_seq=1 ttl=64 time=48.6 ms
>> 64 bytes from 192.168.1.54: icmp_seq=2 ttl=64 time=134 ms^C
>> --- 192.168.1.54 ping statistics ---
>> 2 packets transmitted, 2 received, 0% packet loss, time 1002ms
>> rtt min/avg/max/mdev = 48.671/91.554/134.437/42.883 ms
>> pi@raspberrypizero:~ $ ping 192.168.1.100
>> PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
>> ^C
>> --- 192.168.1.100 ping statistics ---
>> 6 packets transmitted, 0 received, 100% packet loss, time 5188ms
>>
>> pi@raspberrypizero:~ $ traceroute 192.168.1.100
>> traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
>>  1  192.168.5.1 (192.168.5.1)  42.279 ms  43.834 ms  44.678 ms
>>  2  * * *
>>  3  * * *
>>  4  * * *
>>
>>
>> ---
>>
>> B side is working great, I am able to ping everything, even from the Ubuntu server.
>>
>>
>> Regards,
>> Adrian
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
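Added example, not written by anyone in this thread: Eric's alternative replaces the NAT rule with two kernel knobs, and whether they are actually in effect depends on which sysctl keys were set and on the order of lines in /etc/sysctl.conf (later assignments win when `sysctl -p` loads the file). The checker below parses sysctl.conf-style text and answers, for one interface, whether forwarding and proxy ARP will be on. The kernel semantics it encodes are these: proxy_arp is effective when either `net.ipv4.conf.all.proxy_arp` or `net.ipv4.conf.<if>.proxy_arp` is 1; forwarding is turned on for every interface by `net.ipv4.ip_forward = 1` or `net.ipv4.conf.all.forwarding = 1`, and for a single interface by `net.ipv4.conf.<if>.forwarding = 1`. The sample config is a constructed copy of the two lines Eric proposes; `ens160` is used in the stand-alone run because that is the LAN-side interface name Adrián reported for the B-side host, and the function takes the interface as a parameter so `wg0` or any other name can be checked the same way.

```shell
#!/bin/sh
# Added example, not from the thread: given sysctl.conf text, decide whether a
# named interface will both forward packets and answer proxy ARP.
# Semantics assumed (Linux): proxy_arp = conf.all.proxy_arp OR conf.<if>.proxy_arp;
# forwarding is on for every interface via ip_forward=1 or conf.all.forwarding=1,
# or for one interface via conf.<if>.forwarding=1.

# Constructed snippet, using the two lines proposed in the thread.
SAMPLE_SYSCTL='# B-side gateway sysctl lines, as proposed in the thread
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.all.forwarding = 1'

# sysctl_value CONF KEY: prints the value of the last assignment to KEY in
# CONF (later lines win, as with sysctl -p); prints nothing if KEY is absent.
# Comments introduced by # or ; and surrounding blanks are ignored.
sysctl_value() {
    printf '%s\n' "$1" | sed 's/[#;].*$//' | awk -F= -v key="$2" '
        NF >= 2 {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v
        }
        END { if (last != "") print last }'
}

# is_on CONF KEY: true when KEY is set to 1 in CONF.
is_on() {
    [ "$(sysctl_value "$1" "$2")" = "1" ]
}

# gateway_sysctl_ok CONF IFACE: exit 0 when IFACE will both forward and answer
# proxy ARP under CONF; otherwise print what is missing and exit 1.
gateway_sysctl_ok() {
    conf=$1; ifc=$2; rc=0
    if ! { is_on "$conf" net.ipv4.conf.all.proxy_arp \
           || is_on "$conf" "net.ipv4.conf.$ifc.proxy_arp"; }; then
        echo "proxy_arp off for $ifc"; rc=1
    fi
    if ! { is_on "$conf" net.ipv4.ip_forward \
           || is_on "$conf" net.ipv4.conf.all.forwarding \
           || is_on "$conf" "net.ipv4.conf.$ifc.forwarding"; }; then
        echo "forwarding off for $ifc"; rc=1
    fi
    return $rc
}

# Stand-alone run: ens160 is the LAN-facing interface name reported for the
# thread's Ubuntu host, the side on which proxy ARP replies would be sent.
if gateway_sysctl_ok "$SAMPLE_SYSCTL" ens160; then
    echo "ens160: forwarding and proxy_arp enabled"
fi
```

Running the check against the file before `sysctl -p`, rather than reading /proc/sys afterwards, catches the common mistake of a distribution drop-in or a later line in the same file resetting `proxy_arp` or `forwarding` to 0 after the intended line set it to 1.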