Development discussion of WireGuard
* [WireGuard] Unable to configure routing
@ 2016-08-06 12:36 Vladimir Matveev
  2016-08-06 13:13 ` Vladimir Matveev
  0 siblings, 1 reply; 2+ messages in thread
From: Vladimir Matveev @ 2016-08-06 12:36 UTC (permalink / raw)
  To: wireguard

Hello,

I wanted to try WireGuard, so I decided to test it on my laptop to
route all connections through my VPS. I have set it up on the VPS with
the following config file:

[Interface]
PrivateKey = <server private key>
ListenPort = 41414

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.9.0.0/24

On my laptop I have the following file:

[Interface]
PrivateKey = <client private key>

[Peer]
PublicKey = <server public key>
Endpoint = <VPS public IP>:41414
AllowedIPs = 10.9.0.0/24


I configured a wg0 interface both on the server (10.9.0.1) and on the
client (10.9.0.2) and also configured the firewall on the VPS to pass
UDP packets for the 41414 port through, as well as masquerading for
packets coming from 10.9.0.0/24.

Afterwards I was able to reach the laptop from the server and vice
versa using their wg0 addresses just fine. However, I wasn't able to
route any connections through the VPS from the laptop.

On the server, as I have said already, I have set up masquerading for
10.9.0.0/24. On the client I've added a route like this:

ip r add 178.63.151.224 via 10.9.0.1 dev wg0

Then, when I try to ping 178.63.151.224, I get errors like this:

% LANG=C ping 178.63.151.224
PING 178.63.151.224 (178.63.151.224) 56(84) bytes of data.
From 10.9.0.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.9.0.2 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.9.0.2 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
^C
--- 178.63.151.224 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000m

Naturally, no other connection to this host gets through. Also, it
seems that in this case no packets even reach the server; I can see it
in the tcpdump -i wg0 output on the VPS. If I try to ping 10.9.0.1
from the laptop, I get correct responses and I also see them in the
tcpdump output, and I'm able to connect to the server itself just
fine.

I tried configuring the route without "via 10.9.0.1", like it is
described in the documentation (although I don't understand how it
should find the correct gateway address in such a configuration), but to
no avail - the errors are exactly the same.

What am I doing wrong here?

uname -a on the laptop:

Linux hostname 4.6.5-2-ck #1 SMP PREEMPT Wed Jul 27 18:33:05 EDT 2016
x86_64 GNU/Linux

uname -a on the VPS:

Linux hostname 4.6.4-1-ARCH #1 SMP PREEMPT Mon Jul 11 19:12:32 CEST
2016 x86_64 GNU/Linux

Both computers are running Arch Linux, with WireGuard 0.0.20160722
built via DKMS.

Thanks.

Best regards,
Vladimir


* Re: [WireGuard] Unable to configure routing
  2016-08-06 12:36 [WireGuard] Unable to configure routing Vladimir Matveev
@ 2016-08-06 13:13 ` Vladimir Matveev
  0 siblings, 0 replies; 2+ messages in thread
From: Vladimir Matveev @ 2016-08-06 13:13 UTC (permalink / raw)
  To: wireguard

Oh, I think that I have found what I was doing wrong. I have set the
allowed IPs for the server peer on my laptop to 10.9.0.0/24 instead of
0.0.0.0/0, and therefore all packets intended for other hosts (i.e.
for routing) were dropped by WireGuard immediately. Changing the allowed
IPs setting to 0.0.0.0/0 immediately helped, and routing now works.

Best regards,
Vladimir

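The outbound AllowedIPs lookup that explains the thread's symptom, as an added example that is not part of the original messages or of the WireGuard code base: it parses the laptop config as posted and does a longest-prefix match of the destination against each peer's AllowedIPs. The function names and the "ENOKEY" return string are assumptions of this sketch.

```python
import ipaddress

# Laptop config from the thread (placeholders kept as posted), and the fixed one.
LAPTOP_BEFORE = """\
[Interface]
PrivateKey = <client private key>

[Peer]
PublicKey = <server public key>
Endpoint = <VPS public IP>:41414
AllowedIPs = 10.9.0.0/24
"""
LAPTOP_AFTER = LAPTOP_BEFORE.replace("10.9.0.0/24", "0.0.0.0/0")


def parse_peers(conf):
    """Return one {"key", "nets"} dict per [Peer] section of a wg config."""
    peers, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append({"key": None, "nets": []})
        elif section == "peer" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == "publickey":
                peers[-1]["key"] = value.strip()
            elif name.strip().lower() == "allowedips":
                peers[-1]["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                      for v in value.split(",")]
    return peers


def select_peer(peers, dst):
    """Outbound lookup: the peer owning the longest AllowedIPs prefix for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, peer["key"], str(net))
               for peer in peers for net in peer["nets"]
               if net.version == addr.version and addr in net]
    return max(matches, key=lambda m: m[0])[1:] if matches else None


def send_result(conf, dst):
    """What a packet to dst meets on wg0: a peer, or ENOKEY and a drop."""
    match = select_peer(parse_peers(conf), dst)
    if match is None:
        return "ENOKEY"  # ping prints this as "Required key not available"
    return "peer %s via %s" % match
```

The kernel route only decides that a packet enters wg0; the AllowedIPs table then decides which peer, if any, it is encrypted for, which is why adding the `ip r` route alone did not help.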
