From: Arpit Gupta <g.arpit@gmail.com>
Date: Wed, 6 Mar 2019 10:22:42 -0800
Subject: Re: cant connect to wireguard when router connected to a vpn service
To: XRP <xrp@airmail.cc>
Cc: wireguard@lists.zx2c4.com
In-Reply-To: <3053f293b7e9a34a733c2b5b314e2d8a620682db.camel@airmail.cc>
Actually false alarm :(. Can only get it to work if I add a policy rule in my router VPN client to send all traffic from the host running WireGuard through the WAN and thus skipping the VPN, which is not ideal: when I am routing all traffic through WireGuard, ideally I want it to use the VPN tunnel on my router.

--
Arpit

On Wed, Mar 6, 2019 at 8:20 AM Arpit Gupta <g.arpit@gmail.com> wrote:

> Got it working :).
>
> Did not need to change any client or server settings. However, needed to
> add another policy rule in my VPN client. Rule states
>
> Source: wireguard server
> destination: 192.168.100.0/24 (so any of my wireguard clients)
> interface: WAN
>
> So this way wireguard traffic does not go through the VPN.
> --
> Arpit
>
>
> On Wed, Mar 6, 2019 at 7:59 AM Arpit Gupta <g.arpit@gmail.com> wrote:
>
>> Tried changing the allowed IPs to what was suggested and it did not
>> work. Same behavior as before. Also my configs were working as expected
>> before I had my router connected to a VPN service.
>>
>> It required me to add the following route policy for my VPN client on my
>> router
>>
>> Source IP: 192.168.1.0/24, Destination: 0.0.0.0 will go through the VPN.
>> So does it matter if I connected to wireguard using the IP address of the
>> ISP vs the IP address of the VPN?
>>
>>
>> --
>> Arpit
>>
>>
>> On Wed, Mar 6, 2019 at 1:18 AM XRP <xrp@airmail.cc> wrote:
>>
>>> On Wed, 2019-03-06 at 08:40 +0000, Arpit Gupta wrote:
>>> > On my server my conf is
>>> >
>>> > [Interface]
>>> > Address = 192.168.100.1/32
>>> > PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>> > PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>> > ListenPort = 54930
>>> > PrivateKey = xxxxx
>>> >
>>> > [Peer]
>>> > PublicKey = xxxx
>>> > AllowedIPs = 192.168.100.2/32
>>> >
>>> >
>>> > on my client my config is
>>> >
>>> > [Interface]
>>> > Address = 192.168.100.2
>>> > PrivateKey = xxxxx
>>> > ListenPort = 21841
>>> > DNS = 192.168.1.63
>>> >
>>> > [Peer]
>>> > PublicKey = xxxx
>>> > Endpoint = ddns:xxx
>>> > AllowedIPs = 192.168.1.0/24
>>> >
>>> > # This is for if you're behind a NAT and
>>> > # want the connection to be kept alive.
>>> > PersistentKeepalive = 25
>>>
>>> Try changing AllowedIPs in the client config to:
>>> AllowedIPs = 192.168.100.1/32,192.168.1.0/24
>>>
>>> Also, if you want to masquerade the traffic to the internet you need to
>>> add 0.0.0.0/0 to the client or change the destination IP to the server
>>> node via a NAT rule, otherwise it's going to be rejected because the IP
>>> packet doesn't have an AllowedIP address, I think. (The source needs to
>>> match, so either 192.168.100.1/32 or 192.168.1.0/24). My guess is
>>> that's why you couldn't complete the handshake.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
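As an added illustration (not code from the thread or from the WireGuard project), the Python model below applies WireGuard's cryptokey-routing rule, outbound longest-prefix match over AllowedIPs and an inbound source-address check against the sending peer's AllowedIPs, to the client and server configs quoted above; the peer tables, the `longest_match`/`select_peer`/`accept_inbound` helpers and the 203.0.113.10 address are constructed for the example.

```python
import ipaddress

def longest_match(allowed_ips, addr):
    """Prefix length of the most specific AllowedIPs entry containing addr,
    or None when no entry covers it."""
    a = ipaddress.ip_address(addr)
    best = None
    for net in allowed_ips:
        n = ipaddress.ip_network(net, strict=False)
        if a in n and (best is None or n.prefixlen > best):
            best = n.prefixlen
    return best

def select_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs most specifically covers the
    destination gets the packet; with no match the packet is not tunnelled."""
    best_peer, best_len = None, -1
    for name, allowed in peers.items():
        pl = longest_match(allowed, dst)
        if pl is not None and pl > best_len:
            best_peer, best_len = name, pl
    return best_peer

def accept_inbound(peers, peer, src):
    """Inbound: a decrypted packet from peer is kept only if its source
    address lies inside that peer's AllowedIPs; otherwise it is dropped."""
    return longest_match(peers[peer], src) is not None

# Peer tables constructed from the [Peer] sections quoted in the thread.
CLIENT_ORIGINAL = {"server": ["192.168.1.0/24"]}                   # as posted
CLIENT_FIXED = {"server": ["192.168.100.1/32", "192.168.1.0/24"]}  # XRP's suggestion
SERVER = {"client": ["192.168.100.2/32"]}                          # server side

def check_thread_configs():
    """Evaluate the concrete cases the thread argues about."""
    return {
        # client -> 192.168.1.63 (the DNS server on the LAN) goes to the server peer
        "lan_routed": select_peer(CLIENT_ORIGINAL, "192.168.1.63") == "server",
        # a packet from the server's own tunnel address is dropped by the
        # original client config: no AllowedIPs entry covers 192.168.100.1
        "orig_accepts_server_ip": accept_inbound(CLIENT_ORIGINAL, "server", "192.168.100.1"),
        "fixed_accepts_server_ip": accept_inbound(CLIENT_FIXED, "server", "192.168.100.1"),
        # the server keeps packets only from the client's tunnel address
        "server_accepts_client": accept_inbound(SERVER, "client", "192.168.100.2"),
        "server_accepts_lan_src": accept_inbound(SERVER, "client", "192.168.1.50"),
        # without a 0.0.0.0/0 entry, internet-bound traffic (constructed
        # documentation address) never enters the tunnel
        "orig_internet_peer": select_peer(CLIENT_ORIGINAL, "203.0.113.10"),
    }
```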