Development discussion of WireGuard
* Gateway for Wireguard VPN
@ 2017-11-21  0:09 Germano Massullo
  2017-11-21  0:41 ` Jason A. Donenfeld
  0 siblings, 1 reply; 4+ messages in thread
From: Germano Massullo @ 2017-11-21  0:09 UTC (permalink / raw)
  To: wireguard

I am experiencing some troubles in configuring Wireguard to communicate with a host that is behind a NAT. Here is my use case:

Host A: my computer under ISP NAT
Host B: server with public static IP address, that is also a gateway for a "natted" LAN
Host C: machine running on such LAN

I do want to allow host A to communicate with C, but I cannot manage to do that. It can only ping host B.
I attach some config files, if you have an idea, please let me know.
Thank you for your time

=== Host A (Fedora 26) ===
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.1.0.21/24
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = vpn.foo.xx:51820  # vpn.foo.xx is Host B
AllowedIPs = 10.1.0.2/32

[Peer]
PublicKey = *censored*   # host C
Endpoint = vpn.foo.xx:51820
AllowedIPs = 10.1.0.22/32


=== Host B (vpn.foo.xx) (CentOS 7) ===
ip forwarding active: net.ipv4.ip_forward = 1
# cat wg0.conf
[Interface]
Address = 10.1.0.2/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.21/32

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.22/32


=== Host C (CentOS 7) ===

# cat wg0.conf
[Interface]
Address = 10.1.0.22/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.0.2/32

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.21/32


* Re: Gateway for Wireguard VPN
  2017-11-21  0:09 Gateway for Wireguard VPN Germano Massullo
@ 2017-11-21  0:41 ` Jason A. Donenfeld
  2017-11-21  9:35   ` Germano Massullo
  0 siblings, 1 reply; 4+ messages in thread
From: Jason A. Donenfeld @ 2017-11-21  0:41 UTC (permalink / raw)
  To: Germano Massullo; +Cc: WireGuard mailing list

If you want A and C to communicate through B as a trusted intermediary
for A and C's IPs, then your configs actually need to be:

=== Host A (Fedora 26) ===
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.1.0.21/24
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = vpn.foo.xx:51820  # vpn.foo.xx is Host B
AllowedIPs = 10.1.0.2/32, 10.1.0.22/32


=== Host B (vpn.foo.xx) (CentOS 7) ===
ip forwarding active: net.ipv4.ip_forward = 1
# cat wg0.conf
[Interface]
Address = 10.1.0.2/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.21/32

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.22/32


=== Host C (CentOS 7) ===

# cat wg0.conf
[Interface]
Address = 10.1.0.22/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.0.2/32, 10.1.0.21/32


Alternatively, since you're likely going to be doing this for many
peers, you might be best off with this config instead:

=== Host A (Fedora 26) ===
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.1.0.21/24
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = vpn.foo.xx:51820  # vpn.foo.xx is Host B
AllowedIPs = 10.1.0.0/24


=== Host B (vpn.foo.xx) (CentOS 7) ===
ip forwarding active: net.ipv4.ip_forward = 1
# cat wg0.conf
[Interface]
Address = 10.1.0.2/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.21/32

[Peer]
PublicKey = *censored*
AllowedIPs = 10.1.0.22/32


=== Host C (CentOS 7) ===

# cat wg0.conf
[Interface]
Address = 10.1.0.22/24
ListenPort = 51820
PrivateKey = *censored*

[Peer]
PublicKey = *censored*
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.0.0/24

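To make the failure mode concrete, here is an added Python model of WireGuard's cryptokey routing (not code from the thread or from the WireGuard project; the peer labels hostA/hostB/hostC stand in for the censored public keys). It shows which peer key the original Host A config encrypts a packet for 10.1.0.22 to, which key Jason's first corrected config uses instead, and the inbound source-address check that also drops C's replies under the original config.

```python
# Added example: a minimal model of WireGuard cryptokey routing.
# Peer names are placeholders for the public keys censored in the thread.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str                 # stands in for the peer's public key
    allowed_ips: list         # AllowedIPs networks for this peer


@dataclass
class Interface:
    address: str
    peers: list = field(default_factory=list)


def select_peer(iface, dst_ip):
    """Outbound: longest-prefix match of the destination over every peer's
    AllowedIPs; the winning peer's key is what the packet is encrypted to."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for peer in iface.peers:
        for net in map(ipaddress.ip_network, peer.allowed_ips):
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peer, src_ip):
    """Inbound: a packet decrypted from `peer` is dropped unless its source
    address lies inside that peer's AllowedIPs."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(n) for n in peer.allowed_ips)


# Host A as originally posted: a separate [Peer] for C behind B's endpoint.
host_a_orig = Interface("10.1.0.21/24", [
    Peer("hostB", ["10.1.0.2/32"]),
    Peer("hostC", ["10.1.0.22/32"]),
])
# Host A as corrected: C's address is routed through B's key.
host_a_fixed = Interface("10.1.0.21/24", [
    Peer("hostB", ["10.1.0.2/32", "10.1.0.22/32"]),
])


def key_used_for_host_c(iface):
    """Name of the peer key a packet for 10.1.0.22 is encrypted to."""
    peer = select_peer(iface, "10.1.0.22")
    return peer.name if peer else None
```

Under the original config the packet for C is encrypted to C's key yet sent to B's endpoint, so B cannot decrypt it; and even if a reply from 10.1.0.22 did arrive through the B peer, `accept_inbound` rejects it because that address is not in the B peer's AllowedIPs.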

* Re: Gateway for Wireguard VPN
  2017-11-21  0:41 ` Jason A. Donenfeld
@ 2017-11-21  9:35   ` Germano Massullo
  2017-11-21 18:12     ` Germano Massullo
  0 siblings, 1 reply; 4+ messages in thread
From: Germano Massullo @ 2017-11-21  9:35 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Thank you very much Jason, your help has been precious!!


* Re: Gateway for Wireguard VPN
  2017-11-21  9:35   ` Germano Massullo
@ 2017-11-21 18:12     ` Germano Massullo
  0 siblings, 0 replies; 4+ messages in thread
From: Germano Massullo @ 2017-11-21 18:12 UTC (permalink / raw)
  To: WireGuard mailing list

For those who have a Firewalld based Linux distribution like Fedora/RHEL/CentOS:

=== Host B (VPN gateway) ===
When the system creates interface wg0, it is not attached to any firewall
zone, so it falls into the default zone, which blocks everything except
ICMP packets. Therefore if you simply run ping among hosts (for example from
A to C) everything works, but as soon as you try to use a service, it will
not work.
You can solve this with
# firewall-cmd --zone=trusted --add-interface=wg0 --permanent
# firewall-cmd --reload

Now from host A you can correctly run
$ ssh user@10.1.0.22
that is the server running on host C
