From: Rafał Grasman
Date: Thu, 25 Jan 2018 11:23:45 +0100
Subject: Bridging wg and normal interfaces?
To: wireguard@lists.zx2c4.com

Hello,

I would like to bridge my LAN and WireGuard interfaces so I can make a site-to-site VPN with the gateway/router being at the other site.

But when using brctl to add wg0 to a bridge, the operation is not supported.

This is the setup I am aiming for:

Isolated VM virteth0 - preferably dhcp 172.16.0.2/24 from remote site (gateway 172.16.0.1/24)

Switch VM - wg0 with 172.16.0.254/24 and eth0 with 192.168.1.254/24 (for internet access through gw 192.168.1.1/24) and virteth0 (manual, no ip, no dhcp), I want to bridge virteth0 and wg0.

Remote machine with wg0 172.16.0.1/24 and a public ip on eth0 (e.g. 11.22.33.44/32)

Both virteth0's are connected together on the host machine.

Is this somehow possible with WireGuard? As for now the Switch VM isn't a switch, it acts as a router which does work but is not something I want (and forces me to have a different ip on virteth0 on SwitchVM than wg0 has, this forces me to make everything look like it came from SwitchVM instead of the real addresses, because both the remote machine and Switch VM have to act as routers, I want only 1 router in this setup - the remote machine).

Thanks in advance for your time and help :)
From: Jason A. Donenfeld
Date: Thu, 25 Jan 2018 12:08:13 +0100
Subject: Re: Bridging wg and normal interfaces?
To: Rafał Grasman
Cc: WireGuard mailing list

WireGuard is layer 3, not layer 2, so bridging is not what you want.

Instead, do ordinary IP routing between different subnets. As you appear to already have different subnets, this shouldn't be a problem.

If you'd like to overlap within the same subnet, there's always proxy arp, but I'd caution against that approach.

Lots of people run into this confusion about layer 2 vs layer 3. We can probably walk you through getting things rolling for your particular setup in #wireguard on Freenode, if you have IRC.

Jason


From: Matthias Urlichs
Date: Thu, 25 Jan 2018 20:44:43 +0100
Subject: Re: Bridging wg and normal interfaces?
To: wireguard@lists.zx2c4.com

On 25.01.2018 12:08, Jason A. Donenfeld wrote:
> WireGuard is layer 3, not layer 2, so bridging is not what you want.

Though if you *do* want (or need) bridging, l2tp is your friend. See for example https://remote-lab.net/linux-l2tp-ethernet-pseudowires

How to change this example to go through wireguard is left as an exercise for the esteemed reader. ;-)

-- 
Matthias Urlichs


From: Rafał Grasman
Date: Sat, 27 Jan 2018 14:24:13 +0100
Subject: Fwd: Bridging wg and normal interfaces?
To: wireguard@lists.zx2c4.com

Ah alright thanks for the info, I finally figured out everything by myself though I still have one small problem.

For reference, here's everything I have done:

<begin>

Isolated VM's DHCP: 172.16.1.0/16

Switch wg0: 172.16.0.2/30
Switch ens3: 172.16.1.1/16
Switch ens2: 192.168.2.xx/24 gw 192.168.2.254/24

Router wg0: 172.16.0.1/30
Router eth0: 35.224.54.65/32

# both machines
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt-get install -y linux-headers-$(uname -r) wireguard

# both machines /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.proxy_arp = 1

# post up (ens3 of switch) and (eth0 of router) run (wg-quick up wg0)

####isc-dhcp-server (on switch ens3):
option domain-name "pcr";
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;

ddns-update-style none;

authoritative;

subnet 172.16.0.0 netmask 255.255.0.0 {
  range 172.16.1.2 172.16.255.253;
  option routers 172.16.0.1;
}

############### lan vm /etc/wireguard/wg0.conf
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.2/30
PostUp = ip route add 172.16.0.1/32 via 172.16.0.2 dev wg0 ; route del default gw 192.168.2.254 ; ip route add 192.168.2.254 dev ens2 ; route add default gw 172.16.0.1 dev wg0 ; ip route add 35.224.54.65 via 192.168.2.254 ; iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT ; iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT

[Peer]
PublicKey = *************
Endpoint = 35.224.54.65:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 1

############### google vm /etc/wireguard/wg0.conf
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.1/30
PostUp = ip route add 172.16.0.2/32 via 172.16.0.1 dev wg0 ; ip route add 172.16.0.0/16 via 172.16.0.2 dev wg0 ; iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT ; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ; iptables -A FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = *************
AllowedIPs = 0.0.0.0/0

<end>

Now the problem I face: whenever I run 'wg-quick up wg0' on a Google Cloud Engine VM, I can't SSH to it anymore from the WAN side, but the weird thing is, from the 'switch' I can ping the router just fine, they have a connection, I can even SSH (sometimes not).

Now what's weird is, when I do all configuration steps with commands (ip .. wg set .. blabla), and make it with those commands just like the config, everything works fine. So I have a script that just does the commands.. but wg-quick should work, everything is the same. Yet this happens.. anything I can do to debug this behaviour?

On 25 January 2018 at 12:08, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> WireGuard is layer 3, not layer 2, so bridging is not what you want.
>
> Instead, do ordinary IP routing between different subnets. As you
> appear to already have different subnets, this shouldn't be a problem.
>
> If you'd like to overlap within the same subnet, there's always proxy
> arp, but I'd caution against that approach.
>
> Lots of people run into this confusion about layer 2 vs layer 3. We
> can probably walk you through getting things rolling for your
> particular setup in #wireguard on Freenode, if you have IRC.
>
> Jason
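Editor's note, added example (not written by anyone in the thread): wg-quick treats a peer whose AllowedIPs contains a /0 entry as the default route and, unless [Interface] sets Table = off, installs that route plus fwmark-based policy-routing rules that steer the host's own traffic (SSH replies on eth0 included) into wg0, whereas a hand-written `ip`/`wg set` script adds no such rules. That matches SSH dying only when the router's config above is brought up with wg-quick; the check below flags such configs. The sample configs are constructed to mirror the "google vm" wg0.conf, with keys replaced by placeholders.

```shell
# Added example: static check for wg-quick configs where a [Peer] has a /0
# AllowedIPs entry but [Interface] has no "Table = off". wg-quick then adds a
# default route via the tunnel plus fwmark policy-routing rules, so the host's
# own replies (e.g. SSH on eth0) go into wg0. Prints "default-route-hijack <n>" or "ok".
check_wg_quick_conf() {
    awk '
        /^\[/ { section = tolower($0); next }        # "[interface]" / "[peer]"
        /^#/ || /^[ \t]*$/ { next }                  # comments and blank lines
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section == "[interface]" && tolower(key) == "table" && tolower(val) == "off")
                table_off = 1
            if (section == "[peer]" && tolower(key) == "allowedips") {
                n = split(val, ips, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++)
                    if (ips[i] ~ /\/0$/) catchall++   # 0.0.0.0/0 or ::/0
            }
        }
        END {
            verdict = (catchall > 0 && !table_off) ? "default-route-hijack " catchall : "ok"
            print verdict
        }
    ' "$1"
}

# Constructed sample mirroring the "google vm" wg0.conf posted above; the keys
# are placeholders. $2 is an optional extra [Interface] line.
write_sample() {
    cat > "$1" <<EOF
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
ListenPort = 12345
Address = 172.16.0.1/30
$2
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_sample "$tmp/as-posted.conf" ""
    write_sample "$tmp/table-off.conf" "Table = off"
    printf 'as-posted: %s\n' "$(check_wg_quick_conf "$tmp/as-posted.conf")"
    printf 'table-off: %s\n' "$(check_wg_quick_conf "$tmp/table-off.conf")"
    rm -rf "$tmp"
}
demo
```

On the affected host, `ip rule show` and `wg show wg0 fwmark` show the policy-routing rules and mark wg-quick installed; they are absent after the manual script, which is the difference to look at when debugging.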