From: Kalin KOZHUHAROV <me.kalin@gmail.com>
To: "Adrián Mihálko" <adriankoooo@gmail.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: can't ping remote side IP range from WG instance
Date: Sun, 25 Mar 2018 21:55:29 +0200
Message-ID: <CAKXLc7esjS+7AnznSiQ+knHUn_Jkp1Q15iDuoc+k1m+_WeyLHg@mail.gmail.com>
In-Reply-To: <CA+Hw3eZtBT6mrALQBLznKxQ8bEnB2YTKr7UjJ=Q+G=iAV9Z+HQ@mail.gmail.com>
I am really not sure, but let me have a stab:
On Sun, Mar 25, 2018 at 11:19 AM, Adrián Mihálko <adriankoooo@gmail.com> wrote:
> auto wg0
> iface wg0 inet static
> pre-up ip link add dev wg0 type wireguard
> post-up wg setconf wg0 /etc/wireguard/wireguard.conf
> post-up ip link set dev wg0 up
> post-up ip route add 192.168.1.0/24 via 192.168.5.1 dev wg0
> post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
* I guess that should be
post-up iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
Please try to use generic OS commands to describe the situation
whenever possible (avoiding or in addition to LEDE-specific config).
e.g.
`ip addr`
`ip route`
`wg`
* Any other iptables rules? Try disabling all FW first. (also on Ubuntu server)
* Any bridging (often the case in LEDE)?
* run tcpdump/tshark to see what is going on
> Everything is working great,
What exactly is working?
> except that on the "Pi Zero with Wireguard" I can't access/ping remote devices in the 192.168.1.0/24 range, only the remote server 192.168.1.54.
> From any other machine in the same "A side" I am able to access devices in the 192.168.1.0/24 range, just from the Pi Zero itself not.
>
So the difference here is (looking from inside Pi0), "other machine"
traverses the FORWARD chain, while "Pi Zero with Wireguard" traverses
OUTPUT (then reply via INPUT).
I guess fixing the MASQUERADE line will do it (on both sides).
Being able to ping only the router of a remote net means that it
doesn't route the echo-request:
* due to FW policy
* due to "bad src address" (e.g. if you somehow manage to ping from
1.1.1.1 (via many tunnels) to 2.2.2.2 and 2.2.2.2 cannot directly
reach 1.1.1.1)
(I am guessing Pi0 sends ping from wg0/192.168.5.2 to Ubuntu
wg0/192.168.5.1, forwarded to 192.168.1.100, it has no route to
192.168.5.2, so sends it to 192.168.1.1 as default... asymmetric route
blocking?)
* on 192.168.1.100, run tshark to see if you even get an echo-request
packet when you try to ping it.
* What is the route to 192.168.5.2 on 192.168.1.100? (on 192.168.1.100
run `ip route get 192.168.5.2`)
And before doing any of the above, sit down and draw a map, with
colorful pens for wired and WG connections. It does help, trust me.
Kalin.
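The asymmetric-route guess above, traced as an added example that is not part of the thread: a small longest-prefix-match simulation of the guessed topology, showing the echo-request reaching 192.168.1.100, its reply being handed to the default gateway and lost, and the two ways the mail hints at to close the loop (a return route via 192.168.1.54, or MASQUERADE on the server's eth0). The addresses come from the thread; host names, the routing tables and the router's upstream 203.0.113.1 are assumptions.

```python
import ipaddress

# Constructed topology following the guess in the mail: Pi Zero (192.168.5.2 on wg0)
# -> Ubuntu server (192.168.5.1 on wg0, 192.168.1.54 on eth0) -> LAN host 192.168.1.100,
# whose default gateway 192.168.1.1 has no route back to 192.168.5.0/24. Host names and
# the router's upstream 203.0.113.1 are made up. Route = (prefix, gateway|None=on-link, dev).
HOSTS = {
    "pi0": ({"192.168.5.2"},
            [("192.168.5.0/24", None, "wg0"), ("192.168.1.0/24", "192.168.5.1", "wg0")]),
    "ubuntu": ({"192.168.5.1", "192.168.1.54"},
               [("192.168.5.0/24", None, "wg0"), ("192.168.1.0/24", None, "eth0")]),
    "lanhost": ({"192.168.1.100"},
                [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")]),
    "router": ({"192.168.1.1"},
               [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "203.0.113.1", "wan0")]),
}

def route_get(table, dst):
    """Longest-prefix match, as `ip route get <dst>` reports it: (gateway or None if on-link, device)."""
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, dev)
    return best[1:] if best else None

def owner(hosts, addr):
    """Host that holds addr, or None if it lies outside the simulated network."""
    return next((n for n, (addrs, _) in hosts.items() if addr in addrs), None)
def trace(hosts, start, dst, max_hops=8):
    """Hop-by-hop path from start towards dst; ends in 'DROP' once the packet
    leaves the simulated network (the echo-reply that never comes back)."""
    path, cur = [start], start
    for _ in range(max_hops):
        if cur == "DROP" or dst in hosts[cur][0]:
            return path
        hit = route_get(hosts[cur][1], dst)
        cur = "DROP" if hit is None else (owner(hosts, hit[0] or dst) or "DROP")
        path.append(cur)
    return path + ["LOOP"]

def with_return_route(hosts):
    """Fix A: the LAN host (or its router) learns 192.168.5.0/24 via 192.168.1.54."""
    addrs, table = hosts["lanhost"]
    return {**hosts, "lanhost": (addrs, [("192.168.5.0/24", "192.168.1.54", "eth0")] + table)}
def reply_dst(masquerade_on_eth0):
    """Fix B: `-o eth0 -j MASQUERADE` on the server makes the LAN host see the
    request from 192.168.1.54 and reply there, needing no route to the tunnel."""
    return "192.168.1.54" if masquerade_on_eth0 else "192.168.5.2"
```

Compare `trace(HOSTS, "lanhost", "192.168.5.2")` with the same call on `with_return_route(HOSTS)`, or with `reply_dst(True)` as destination, to see which hop the reply dies at in each case.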