Development discussion of WireGuard
From: Szymon Nowak <szymonn841@gmail.com>
To: Max Schulze <max.schulze@online.de>
Cc: wireguard@lists.zx2c4.com
Subject: Re: wireguard-windows: possibly wrong selection of outgoing IP Address?
Date: Tue, 7 Jun 2022 09:08:13 +0200	[thread overview]
Message-ID: <CA+hy6duTcA38PMWRj6L2U_jwBDnNkFjojGBL-ot-9oJ-BwiHtw@mail.gmail.com> (raw)
In-Reply-To: <4bb8fade-487e-2301-65d0-dea41624682f@online.de>

Hi, to do this on the Windows server you need to run NAT on the WG interface:
https://openvpn.net/cloud-docs/enabling-routing-nat-on-windows-server-2016/

On Sun, Jun 5, 2022 at 10:23 PM Max Schulze <max.schulze@online.de> wrote:
>
> I am running out of ideas to debug this specific issue.
>
> I am trying to circumvent a double-NAT scenario. I have
>
> wg_serv (10.253.2.9) <->  wg-relais (10.253.2.2) <-> wg_peer ( 10.253.2.3)
>
> wg_serv has an endpoint set for wg-relais, and creates the connection ok (handshake completes, ping works).
> wg_peer has an endpoint that points to wg-relais, which should tunnel the connection as-is to wg_serv on the established connection ( iptables SNAT/DNAT ).
>
> If wg_serv is a Linux box, with the exact same config file, everything works. If wg_serv is a Windows box, it seems that there are no outgoing packets, but incoming is ok.
>
> First, see that the handshake packet is received (via 10.253.2.2:60026):
>
> 2022-06-05 20:30:17.140946: [TUN] [wireguard] Keypair 536 created for peer 1
> 2022-06-05 20:30:22.085949: [TUN] [wireguard] Handshake for peer 1 (10.253.2.2:60026) did not complete after 5 seconds, retrying (try 2)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 536 destroyed for peer 1
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 537 created for peer 1
> 2022-06-05 20:30:27.147962: [TUN] [wireguard] Sending keepalive packet to peer 2 (185.230.xxx.yyy:51849)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
>
> However, it seems that WireGuard sends the outgoing packet with the wrong IP (192.168.99.101) instead of 10.253.2.9 to 10.253.2.2:60026?
>
>                 Protocol  Local Port  Local Address   Remote Port  Remote Address   Received Bytes  Sent Bytes  Rec Pkt  Sent Packets
> wireguard.exe   UDP IPv4  51850       192.168.99.101  51849        185.230.xxx.yyy  81.976          8.584       417      216
> wireguard.exe   UDP IPv4  51850       10.253.2.9      60026        10.253.2.2       55.648                      376
> wireguard.exe   UDP IPv4  51850       192.168.99.101  60026        10.253.2.2                       37.848               398
>
> What can I do?
> Can I make the WireGuard log more verbose to show IP packet src/destination?
>
> Is it possible to also log the src IP of the "handshake response packet"?
>
> Best,
> Max
>
>
> wg_serv config:
>
> [Interface]
> PrivateKey = SFhFHVb__2c=
> ListenPort = 51850
> Address = 10.253.2.9/24
>
> [Peer]
> # wg-vpn-relais
> PublicKey = 3A5__wo=
> AllowedIPs = 10.253.2.2/30
> Endpoint = 185.230.xxx.yyy:51849
> PersistentKeepalive = 20
>
> [Peer]
> # peer via vpn relais
> PublicKey = FTBC__cqghg=
> AllowedIPs = 10.253.2.3/32
> PersistentKeepalive = 20
>
> wg output:
>
> peer: 3A5__o=
>   endpoint: 185.230.xxx.yyy:51849
>   allowed ips: 10.253.2.0/30
>   latest handshake: 1 minute, 55 seconds ago
>   transfer: 145.71 KiB received, 29.74 KiB sent
>   persistent keepalive: every 20 seconds
>
> peer: FTB__hg=
>   endpoint: 10.253.2.2:60026
>   allowed ips: 10.253.2.3/32
>   transfer: 89.46 KiB received, 60.67 KiB sent
>   persistent keepalive: every 20 seconds
>
> PS C:\Windows\system32> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding,weakhostreceive,weakhostsend | Sort-Object -Property IfIndex | Format-Table
> >>
>
> ifIndex InterfaceAlias              AddressFamily ConnectionState Forwarding WeakHostReceive WeakHostSend
> ------- --------------              ------------- --------------- ---------- --------------- ------------
>       1 Loopback Pseudo-Interface 1          IPv4       Connected   Disabled        Disabled     Disabled
>       1 Loopback Pseudo-Interface 1          IPv6       Connected   Disabled        Disabled     Disabled
>       4 LAN-Verbindung* 11                   IPv6       Connected   Disabled        Disabled     Disabled
>       4 LAN-Verbindung* 11                   IPv4       Connected   Disabled        Disabled     Disabled
>       8 WLAN                                 IPv4    Disconnected   Disabled        Disabled     Disabled
>       8 WLAN                                 IPv6    Disconnected   Disabled        Disabled     Disabled
>      12 Ethernet                             IPv6       Connected   Disabled        Disabled     Disabled
>      12 Ethernet                             IPv4       Connected   Disabled        Disabled     Disabled
>      16 LAN-Verbindung* 2                    IPv6    Disconnected   Disabled        Disabled     Disabled
>      16 LAN-Verbindung* 2                    IPv4    Disconnected   Disabled        Disabled     Disabled
>      17 LAN-Verbindung* 1                    IPv6    Disconnected   Disabled        Disabled     Disabled
>      17 LAN-Verbindung* 1                    IPv4    Disconnected   Disabled        Disabled     Disabled
>      53 wireguard                            IPv6       Connected   Disabled        Disabled     Disabled
>      53 wireguard                            IPv4       Connected   Disabled        Disabled     Disabled
>
> wg_relais debug state:
>
> wg-vpn-relais # conntrack -L | grep 10.253
> udp      17 28 src=178.101.114.260 dst=185.230.xxx.yyy sport=60026 dport=51850 [UNREPLIED] src=10.253.2.9 dst=10.253.2.2 sport=51850 dport=60026 mark=0 use=1
>
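To make the two pieces of evidence in the quoted post directly comparable, here is an added diagnostic example (not code from this thread or from the WireGuard project) that cross-checks the Windows per-socket table against the relay's conntrack reply tuple: the rows and the conntrack line are transcribed from the post as sample input, and the function names are my own.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class SocketRow(NamedTuple):
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    rx_pkts: int
    tx_pkts: int


# Constructed sample input: rows transcribed from the per-socket table in
# the quoted post; empty cells in the original are recorded as 0.
ROWS = [
    SocketRow("192.168.99.101", 51850, "185.230.xxx.yyy", 51849, 417, 216),
    SocketRow("10.253.2.9", 51850, "10.253.2.2", 60026, 376, 0),
    SocketRow("192.168.99.101", 51850, "10.253.2.2", 60026, 0, 398),
]

# Constructed sample input: the relay's conntrack entry from the post.
CONNTRACK = ("udp 17 28 src=178.101.114.260 dst=185.230.xxx.yyy sport=60026 "
             "dport=51850 [UNREPLIED] src=10.253.2.9 dst=10.253.2.2 "
             "sport=51850 dport=60026 mark=0 use=1")


def source_mismatches(rows):
    """Map remote endpoint -> (rx local addrs, tx local addrs) where the host answers from a different local address than it received on."""
    rx, tx = defaultdict(set), defaultdict(set)
    for r in rows:
        key = f"{r.remote_addr}:{r.remote_port}"
        if r.rx_pkts:
            rx[key].add(r.local_addr)
        if r.tx_pkts:
            tx[key].add(r.local_addr)
    return {k: (sorted(rx[k]), sorted(tx[k]))
            for k in set(rx) | set(tx) if rx[k] and tx[k] and rx[k] != tx[k]}


def expected_reply_source(conntrack_line):
    """(src, sport) of the reply tuple: the second src=/sport= pair, i.e. what the relay's NAT mapping expects on packets coming back."""
    srcs = re.findall(r"src=(\S+)", conntrack_line)
    sports = re.findall(r"sport=(\d+)", conntrack_line)
    return srcs[1], int(sports[1])


def rows_matching_nat(rows, conntrack_line):
    """Rows whose sent packets would actually match the relay's conntrack mapping."""
    src, sport = expected_reply_source(conntrack_line)
    return [r for r in rows
            if r.tx_pkts and (r.local_addr, r.local_port) == (src, sport)]
```

An empty result from rows_matching_nat, together with the [UNREPLIED] flag on the relay, is consistent with the replies leaving from 192.168.99.101 rather than from the 10.253.2.9:51850 source the relay's mapping is waiting for.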

Thread overview: 3+ messages
2022-06-05 20:21 Max Schulze
2022-06-07  7:08 ` Szymon Nowak [this message]
2022-06-07  8:43   ` Max Schulze
