Development discussion of WireGuard
From: i iordanov <iiordanov@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: Nested Wireguard tunnels not working on Android and Windows
Date: Thu, 25 Feb 2021 12:48:45 -0500
Message-ID: <CAMS0tn2Pq65UAVWqjV6mNd1hGqvUxVhVgmR3s2h+kh=XF8jyKA@mail.gmail.com>

Hello!

In order to allow traffic to assist devices that cannot reach each
other directly, I am setting up wireguard tunnels through a server
with a public IP (40.30.40.30 in the example below).

For reasons of privacy, I'd like for the server to not be able to
decrypt my traffic. As a result, I would like for one encapsulating
Wireguard tunnel (subnet 10.1.2.0/24) to be peered through the server,
while a second nested Wireguard tunnel (subnet 10.1.3.0/24) is
established through the first tunnel, peered only at the two devices
(Android and Linux in this case) that need to communicate.

An attempt was made to use a single Wireguard interface. Doing it this
way works between two Linux machines and even between Linux and Mac OS
X, but does not work between a Pixel 3a XL running Android 11 with the
GoBackend Wireguard implementation and my Linux laptop. I also tried
the same config on Windows 10 to no avail.

The config on the Android device, obtained with toWgQuickString():
======================================
    [Interface]
    Address = 10.1.2.5/24, 10.1.3.5/24
    ListenPort = 46847
    MTU = 1200
    PrivateKey = PRIVATE_KEY

    [Peer]
    AllowedIPs = 10.1.2.0/24
    Endpoint = 40.30.40.30:10000
    PersistentKeepalive = 3600
    PublicKey = VF5dic+a+6MllssbV+ShVwEBRrX9gr4do2iNylWrPGs=

    [Peer]
    AllowedIPs = 10.1.3.1/32
    Endpoint = 10.1.2.1:51555
    PersistentKeepalive = 3600
    PublicKey = 0Awdb451Z4+3Gezm7UlbRquC1kcF52r68J9wG1x/zUE=
======================================

The 10.1.2.0/24 subnet is the one that is "visible" to the public
server. The 10.1.3.0/24 subnet is the one that is private to the two
devices.

The devices can actually reach each other with netcat over UDP at
10.1.2.5:46847 and 10.1.2.1:51555 respectively. So the "encapsulating"
tunnel is working, and iperf3 was used to test it over UDP and TCP
successfully.

The "nested" tunnel does not get established.

The following permutations of the above config have the commented problems:

# Only 10.1.2.0/24 works, 10.1.3.0/24 does not.
    Address = 10.1.2.1/24, 10.1.3.1/24

# Only 10.1.2.0/24 works, 10.1.3.0/24 (as expected) does not.
    Address = 10.1.2.1/24

# Neither network works
    Address = 10.1.3.1/24, 10.1.2.1/24

This looks like a bug that is triggered when multiple addresses are
assigned to the interface.

Any suggestions on what to try are welcome.

Thanks!
iordan


-- 
The conscious mind has only one thread of execution.
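The posted single-interface config has a structural property worth checking mechanically: the second peer's Endpoint (10.1.2.1) lies inside the first peer's AllowedIPs (10.1.2.0/24), so the inner tunnel's handshake and data packets can only leave the device by re-entering the same WireGuard interface that is supposed to carry them. Whether an implementation routes its own encapsulating UDP socket back through its own tun device is implementation-specific, which is why the same config can behave differently across platforms. A portable way to express the intended design is two interfaces: an outer one peered only with the relay, and an inner one whose Endpoint is the other device's outer-tunnel address, with its own key pair and an MTU reduced by the outer tunnel's per-packet overhead. The linter and splitter below are an added example written for this page, not code from the thread or from the WireGuard project; the inner key placeholder, the inner ListenPort choice, and the 60-byte IPv4 overhead figure (20 IP + 8 UDP + 32 WireGuard) are the example's own assumptions.

```python
"""Lint a single-interface wg-quick config for peers whose Endpoint is only
reachable through a sibling peer's AllowedIPs, and split it into an outer
(relay-facing) and an inner (end-to-end) interface config.
Added example for this page; not code from the thread or from WireGuard."""
import ipaddress

# Per-packet cost of one WireGuard layer over IPv4: 20 IP + 8 UDP + 32 WG.
# Assumed IPv4 outer transport; IPv6 would add 20 more bytes.
WG_OVERHEAD_V4 = 60

# Constructed sample: the single-interface Android config from the post.
SAMPLE = """\
[Interface]
Address = 10.1.2.5/24, 10.1.3.5/24
ListenPort = 46847
MTU = 1200
PrivateKey = PRIVATE_KEY

[Peer]
AllowedIPs = 10.1.2.0/24
Endpoint = 40.30.40.30:10000
PersistentKeepalive = 3600
PublicKey = VF5dic+a+6MllssbV+ShVwEBRrX9gr4do2iNylWrPGs=

[Peer]
AllowedIPs = 10.1.3.1/32
Endpoint = 10.1.2.1:51555
PersistentKeepalive = 3600
PublicKey = 0Awdb451Z4+3Gezm7UlbRquC1kcF52r68J9wG1x/zUE=
"""


def parse_wg(text):
    """Parse wg-quick text into (interface_dict, [peer_dict, ...]).
    Hand-rolled because configparser merges repeated [Peer] sections."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # base64 keys never contain '#'
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # keys may end in '='
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def endpoint_ip(endpoint):
    """'10.1.2.1:51555' -> IPv4Address; '[fd00::1]:51820' -> IPv6Address; None for hostnames."""
    host = endpoint.rpartition(":")[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def allowed_networks(peer):
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in peer.get("AllowedIPs", "").split(",") if c.strip()]


def self_routed_peers(peers):
    """Pairs (inner, carrier): peers[inner].Endpoint falls inside
    peers[carrier].AllowedIPs, so the inner peer's UDP would have to be
    encapsulated by a sibling peer on the same interface."""
    found = []
    for i, peer in enumerate(peers):
        addr = endpoint_ip(peer.get("Endpoint", ""))
        if addr is None:
            continue
        for j, carrier in enumerate(peers):
            if j != i and any(addr in net for net in allowed_networks(carrier)):
                found.append((i, j))
    return found


def render(interface, peers):
    lines = ["[Interface]"] + [f"{k} = {v}" for k, v in interface.items()]
    for peer in peers:
        lines += ["", "[Peer]"] + [f"{k} = {v}" for k, v in peer.items()]
    return "\n".join(lines) + "\n"


def split_nested(interface, peers, inner_private_key, inner_listen_port):
    """Return (outer_config, inner_config). Interface addresses covered by a
    carrier peer's AllowedIPs stay outer; the rest move to the inner interface,
    which gets its own key (a distinct identity from the relay-facing one), its
    own ListenPort and an MTU shrunk by the outer tunnel's overhead."""
    findings = self_routed_peers(peers)
    inner_idx = {i for i, _ in findings}
    carrier_nets = [n for _, j in findings for n in allowed_networks(peers[j])]
    outer_addrs, inner_addrs = [], []
    for a in (s.strip() for s in interface.get("Address", "").split(",")):
        if a:
            ip = ipaddress.ip_interface(a).ip
            (outer_addrs if any(ip in n for n in carrier_nets) else inner_addrs).append(a)
    outer_if = dict(interface, Address=", ".join(outer_addrs))
    inner_if = dict(interface, Address=", ".join(inner_addrs),
                    PrivateKey=inner_private_key, ListenPort=str(inner_listen_port))
    if "MTU" in interface:
        inner_if["MTU"] = str(int(interface["MTU"]) - WG_OVERHEAD_V4)
    outer_peers = [p for i, p in enumerate(peers) if i not in inner_idx]
    inner_peers = [p for i, p in enumerate(peers) if i in inner_idx]
    return render(outer_if, outer_peers), render(inner_if, inner_peers)


if __name__ == "__main__":
    iface, peers = parse_wg(SAMPLE)
    for i, j in self_routed_peers(peers):
        print(f"peer {i} ({peers[i]['Endpoint']}) is reachable only via peer {j} "
              f"({peers[j]['AllowedIPs']})")
    outer, inner = split_nested(iface, peers, "INNER_PRIVATE_KEY", 51555)
    print("# wg0 (outer, via relay)\n" + outer)
    print("# wg1 (inner, end-to-end, carried by wg0)\n" + inner)
```

Run against the sample, the linter reports the second peer as carried by the first, and the split yields a wg0 config holding only 10.1.2.5/24 and the relay peer, plus a wg1 config holding 10.1.3.5/24, the 10.1.3.1/32 peer with Endpoint 10.1.2.1:51555, and MTU 1140. The other device needs the mirror-image pair, with the wg1 Endpoint set to this device's outer address and inner port (10.1.2.5:51555 under the assumed port). Because only the two devices hold the wg1 keys, the relay sees nothing but the outer ciphertext, which is the privacy property the post is after; it still learns that the two outer addresses talk, and how much.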


Thread overview: 8+ messages
2021-02-25 17:48 i iordanov [this message]
2021-02-27 17:16 ` Frank Carmickle
2021-02-28  0:53   ` Aaron Jones
2021-03-01  6:07     ` i iordanov
2021-03-01 14:44       ` Frank Carmickle
2021-03-01 20:09         ` i iordanov
2021-03-02 14:31           ` mikma.wg
2021-03-04  8:56 ` Matthias Urlichs
