From: Colin Williams <colin.williams.orcas@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: No mention of ip tables to setup VPN
Date: Fri, 1 Dec 2023 12:39:04 -0800
Message-ID: <CAN8Z3GvdnCEzdMZ6W-jN0XLypGPJYNa+H0qRjXNk3AK-yuxMVw@mail.gmail.com>
I set up WireGuard following the site. I did not create configuration
files. I just followed the example on
https://www.wireguard.com/quickstart/
I can ping between the hosts through wg via their interface IPs
10.0.0.1 / 10.0.0.2
One host I wish to use as a VPN. Call it Host A.
I set `net.ipv4.ip_forward = 1` on Host A and checked it was set properly.
Then to set up the routing I follow the section `Overriding The
Default Route` in https://www.wireguard.com/netns/ on Host B.
After adding routes by the above, I can still ping each host via their IP
and am still connected to the other host via SSH. But I lose my
internet connection on Host B otherwise. I copied my wg command
outputs and config details below.
Does anyone know what I'm doing wrong?
In some examples I see folks using iptables like
`iptables -t nat -A POSTROUTING -j MASQUERADE` on Host A.
If it's likely necessary, why don't I see a mention of this in the
documentation on wireguard.com?
Some errors I see:
PING google.com (142.250.69.206) 56(84) bytes of data.
From XXX (10.0.0.2) icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From XXX (10.0.0.2) icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From XXX (10.0.0.2) icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
../../../lib/isc/netmgr/uverr2result.c:98:isc___nm_uverr2result():
unable to convert libuv error code in udp_send_cb
(../../../lib/isc/netmgr/udp.c:802) to isc_result: -126: Unknown
system error -126
;; communications error to 1.1.1.1#53: timed out
../../../lib/isc/netmgr/uverr2result.c:98:isc___nm_uverr2result():
unable to convert libuv error code in udp_send_cb
(../../../lib/isc/netmgr/udp.c:802) to isc_result: -126: Unknown
system error -126
^C[colin_williams@JT9M367J07 wg]$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Host A wg command output
interface: wg0
public key: 5ZXlotq43t3g3qz97ZkXeSu75+E6UchzO5hj4=
private key: (hidden)
listening port: XXXXX
peer: 5mjkoeRw2e0IbPa2rontt5AvO8oJgCVBlJgqVil+1T4=
endpoint: 203.45.131.16:33333
allowed ips: 10.0.0.2/32
latest handshake: 8 minutes, 4 seconds ago
transfer: 27.48 KiB received, 33.24 KiB sent
Host B wg command output
interface: wg0
public key: 5mjko3qg3g3qg35AvO8oJgCVBlJgqVil+1T4=
private key: (hidden)
listening port: 35052
peer: 5ZXlosrq6L+ZT+O5Bg1mz97ZkXeSu75+E6UchzO5hj4=
endpoint: 203.4.11.174:38101
allowed ips: 10.0.0.1/32
latest handshake: 9 minutes, 9 seconds ago
transfer: 26.73 KiB received, 30.51 KiB sent
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Routing table Host B before additions. Everything works from Host A &&
B at this point
default via 192.168.10.1 dev wlp1s0f0 proto dhcp src 192.168.10.177 metric 600
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2
192.168.10.0/24 dev wlp1s0f0 proto kernel scope link src
192.168.10.177 metric 600
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adding the `Overriding The Default Route` route from the doc in
https://www.wireguard.com/netns/ on Host B.
After adding the route to Host B, I can no longer access most internet
resources from Host B. However, Host B can still ping Host A and vice
versa via IP address.
The errors shown above for Host B are after I set the routing table.
Please excuse if the route table looks funny. I think I am having
trouble pasting from my laptop.
Kernel IP routing table
Destination      Gateway    Genmask          Flags Metric Ref Use Iface
0.0.0.0          0.0.0.0    128.0.0.0        U     0      0   0   wg0
default          _gateway   0.0.0.0          UG    600    0   0   wlp1
10.0.0.0         0.0.0.0    255.255.255.0    U     0      0   0   wg0
128.0.0.0        0.0.0.0    128.0.0.0        U     0      0   0   wg0
192.168.10.0     0.0.0.0    255.255.255.0    U     600    0   0   wlp1
203.45.131.16:33333 _gateway 255.255.255.255 UGH   0      0   0   wlp1
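The following script is an added diagnostic example; it is not part of the original message or of the WireGuard project. It checks the condition behind the `ping: sendmsg: Required key not available` error (errno 126, ENOKEY): the WireGuard kernel module returns that error when a packet is routed into wg0 but no configured peer has an `allowed ips` entry covering the destination. With the `Overriding The Default Route` routes (0.0.0.0/1 and 128.0.0.0/1 via wg0) in place, every packet goes into wg0, so the peer entry on Host B must cover 0.0.0.0/0 rather than only 10.0.0.1/32. The `wg show` text inside the script is a constructed stand-in for the Host B output quoted above (keys replaced with placeholders); the gateway-side rules it emits assume an outbound interface name and the 10.0.0.0/24 tunnel subnet, both of which are placeholders to adjust.

```shell
#!/bin/sh
# Added example: check whether a destination is covered by any peer's
# "allowed ips" in `wg show` output, and emit the gateway-side rules a
# forwarding host needs. Constructed input; keys are placeholders.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  _ip=$1; _ifs=$IFS; IFS=.; set -- $_ip; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR: succeed if ADDR lies within CIDR (IPv4 only).
in_cidr() {
  _net=${2%/*}; _bits=${2#*/}
  if [ "$_bits" -eq 0 ]; then _mask=0
  else _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 )); fi
  [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# dest_covered ADDR WG_SHOW_TEXT: succeed if some peer's allowed ips
# cover ADDR. If this fails, the kernel will return ENOKEY for packets
# routed into the interface towards ADDR.
dest_covered() {
  _dest=$1; shift
  for _cidr in $(printf '%s\n' "$1" | sed -n 's/^ *allowed ips: *//p' | tr ',' ' '); do
    if in_cidr "$_dest" "$_cidr"; then return 0; fi
  done
  return 1
}

# gateway_rules WAN_IF WG_SUBNET: print the rules a forwarding host
# (Host A in the thread) needs so that forwarded tunnel traffic is
# source-NATed on the way out. Review, then pipe into sh as root.
gateway_rules() {
  _wan=$1; _subnet=$2
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -t nat -A POSTROUTING -s $_subnet -o $_wan -j MASQUERADE"
  echo "iptables -A FORWARD -i wg0 -s $_subnet -o $_wan -j ACCEPT"
  echo "iptables -A FORWARD -i $_wan -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Constructed stand-in for Host B's `wg show` output as posted (keys replaced).
WG_SHOW_HOST_B='interface: wg0
  public key: HOSTB_PUBLIC_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 35052
peer: HOSTA_PUBLIC_KEY_PLACEHOLDER
  endpoint: 203.4.11.174:38101
  allowed ips: 10.0.0.1/32'

# Same peer after widening allowed ips so the default route can use the tunnel.
WG_SHOW_FIXED='interface: wg0
peer: HOSTA_PUBLIC_KEY_PLACEHOLDER
  endpoint: 203.4.11.174:38101
  allowed ips: 10.0.0.1/32, 0.0.0.0/0'

# Stand-alone demonstration against the address ping resolved in the thread.
if dest_covered 142.250.69.206 "$WG_SHOW_HOST_B"; then
  echo "142.250.69.206 is covered by a peer"
else
  echo "142.250.69.206 is not in any peer's allowed ips: expect ENOKEY on wg0"
fi
if dest_covered 142.250.69.206 "$WG_SHOW_FIXED"; then
  echo "with 0.0.0.0/0 allowed, 142.250.69.206 is covered"
fi
echo "--- rules for the forwarding host (WAN_IF_PLACEHOLDER is an assumption) ---"
gateway_rules WAN_IF_PLACEHOLDER 10.0.0.0/24
```

The MASQUERADE rule is deliberately narrowed with `-s` and `-o` so only tunnel-sourced traffic leaving the uplink is rewritten; the unqualified form quoted in the message rewrites everything the host forwards.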