Access subnet behind server.

Access subnet behind server.

[Ken D'Ambrosio]

Hey, all.  I'm relatively new to WireGuard, and have a RasPi at my house 
doing firewall duty.  Installed WG on it, and on a VPS, and am trying to 
get the VPS to access hosts on my home subnet.  So:

VPS <-192.168.50.0/24-> RasPi <--> [192.168.10.0/24]

And, clearly, I'm doing something wrong.

-----------------------------------------------------------
RasPi server/firewall:
[Interface]
Address = 192.168.50.1/24
SaveConfig = false
ListenPort = 51820
PrivateKey = XXX
[Peer]
PublicKey = XXX
AllowedIPs = 192.168.50.11/32

VPS:
[Interface]
Address = 192.168.50.11/24
PrivateKey = XXX
[Peer]
PublicKey = XXX
Endpoint = vpn.foo.bar:51820
AllowedIPs = 192.168.50.0/24,192.168.10.0/24
-----------------------------------------------------------

The client connects just fine, and it can talk to the server's VPN IP 
(192.168.50.1) as well as its internal interface (192.168.10.1).  
Likewise, the server can talk to 192.168.50.11.  But nothing gets inside 
to other 192.168.10.x hosts.  I do have forwarding set up for "all":

root@prouter:/proc# cat /proc/sys/net/ipv4/conf/all/forwarding
1

Note that the config files have gone through several permutations as I 
tried to figure this out, so there may be some dumb stuff, but totally 
open to suggestions right now.  I'm kinda stumped.  Note that a tcpdump 
on the RasPi shows the ping requests coming in, but not being forwarded 
to the internal interface, so I assume I'm just missing Something 
Dumb(tm) in WG land.

Thanks!

-Ken

Re: Access subnet behind server.

[Roman Mamedov]

On Sat, 23 Jan 2021 11:52:56 -0500
Ken D'Ambrosio <ken@jots.org> wrote:

> Hey, all.  I'm relatively new to WireGuard, and have a RasPi at my house 
> doing firewall duty.  Installed WG on it, and on a VPS, and am trying to 
> get the VPS to access hosts on my home subnet.  So:
> 
> VPS <-192.168.50.0/24-> RasPi <--> [192.168.10.0/24]
> 
> And, clearly, I'm doing something wrong.
> 
> -----------------------------------------------------------
> RasPi server/firewall:
> [Interface]
> Address = 192.168.50.1/24
> SaveConfig = false
> ListenPort = 51820
> PrivateKey = XXX
> [Peer]
> PublicKey = XXX
> AllowedIPs = 192.168.50.11/32
> 
> VPS:
> [Interface]
> Address = 192.168.50.11/24
> PrivateKey = XXX
> [Peer]
> PublicKey = XXX
> Endpoint = vpn.foo.bar:51820
> AllowedIPs = 192.168.50.0/24,192.168.10.0/24
> -----------------------------------------------------------
> 
> The client connects just fine, and it can talk to the server's VPN IP 
> (192.168.50.1) as well as its internal interface (192.168.10.1).  
> Likewise, the server can talk to 192.168.50.11.  But nothing gets inside 
> to other 192.168.10.x hosts.  I do have forwarding set up for "all":
> 
> root@prouter:/proc# cat /proc/sys/net/ipv4/conf/all/forwarding
> 1
> 
> Note that the config files have gone through several permutations as I 
> tried to figure this out, so there may be some dumb stuff, but totally 
> open to suggestions right now.  I'm kinda stumped.  Note that a tcpdump 
> on the RasPi shows the ping requests coming in, but not being forwarded 
> to the internal interface, so I assume I'm just missing Something 
> Dumb(tm) in WG land.

Did you allow forwarding in RPi's firewall? Post "iptables-save" from it.


-- 
With respect,
Roman

Re: Access subnet behind server.

[ml-wireguard]

Am 2021-01-23 17:52, schrieb Ken D'Ambrosio:
> The client connects just fine, and it can talk to the server's VPN IP 
> (192.168.50.1) as well as its internal interface (192.168.10.1).  
> Likewise, the server can talk to 192.168.50.11.  But nothing gets 
> inside to other 192.168.10.x hosts.  I do have forwarding set up for 
> "all":

Are the clients in the 192.168.10.0/24 net configured to send the anwser 
packets for 192.168.50.0/24 to the raspberry (eg is the raspberry the 
default gateway for 192.168.50.0/24)?