* Access subnet behind server.
@ 2021-01-23 16:52 Ken D'Ambrosio
From: Ken D'Ambrosio @ 2021-01-23 16:52 UTC (permalink / raw)
To: wireguard
Hey, all. I'm relatively new to WireGuard, and have a RasPi at my house
doing firewall duty. Installed WG on it, and on a VPS, and am trying to
get the VPS to access hosts on my home subnet. So:
VPS <-192.168.50.0/24-> RasPi <--> [192.168.10.0/24]
And, clearly, I'm doing something wrong.
-----------------------------------------------------------
RasPi server/firewall:
[Interface]
Address = 192.168.50.1/24
SaveConfig = false
ListenPort = 51820
PrivateKey = XXX
[Peer]
PublicKey = XXX
AllowedIPs = 192.168.50.11/32
VPS:
[Interface]
Address = 192.168.50.11/24
PrivateKey = XXX
[Peer]
PublicKey = XXX
Endpoint = vpn.foo.bar:51820
AllowedIPs = 192.168.50.0/24,192.168.10.0/24
-----------------------------------------------------------
The client connects just fine, and it can talk to the server's VPN IP
(192.168.50.1) as well as its internal interface (192.168.10.1).
Likewise, the server can talk to 192.168.50.11. But nothing gets inside
to other 192.168.10.x hosts. I do have forwarding set up for "all":
root@prouter:/proc# cat /proc/sys/net/ipv4/conf/all/forwarding
1
Note that the config files have gone through several permutations as I
tried to figure this out, so there may be some dumb stuff, but totally
open to suggestions right now. I'm kinda stumped. Note that a tcpdump
on the RasPi shows the ping requests coming in, but not being forwarded
to the internal interface, so I assume I'm just missing Something
Dumb(tm) in WG land.
Thanks!
-Ken
* Re: Access subnet behind server.
From: Roman Mamedov @ 2021-01-24 16:33 UTC (permalink / raw)
To: Ken D'Ambrosio; +Cc: wireguard
On Sat, 23 Jan 2021 11:52:56 -0500
Ken D'Ambrosio <ken@jots.org> wrote:
> Hey, all. I'm relatively new to WireGuard, and have a RasPi at my house
> doing firewall duty. Installed WG on it, and on a VPS, and am trying to
> get the VPS to access hosts on my home subnet. So:
>
> VPS <-192.168.50.0/24-> RasPi <--> [192.168.10.0/24]
>
> And, clearly, I'm doing something wrong.
>
> -----------------------------------------------------------
> RasPi server/firewall:
> [Interface]
> Address = 192.168.50.1/24
> SaveConfig = false
> ListenPort = 51820
> PrivateKey = XXX
> [Peer]
> PublicKey = XXX
> AllowedIPs = 192.168.50.11/32
>
> VPS:
> [Interface]
> Address = 192.168.50.11/24
> PrivateKey = XXX
> [Peer]
> PublicKey = XXX
> Endpoint = vpn.foo.bar:51820
> AllowedIPs = 192.168.50.0/24,192.168.10.0/24
> -----------------------------------------------------------
>
> The client connects just fine, and it can talk to the server's VPN IP
> (192.168.50.1) as well as its internal interface (192.168.10.1).
> Likewise, the server can talk to 192.168.50.11. But nothing gets inside
> to other 192.168.10.x hosts. I do have forwarding set up for "all":
>
> root@prouter:/proc# cat /proc/sys/net/ipv4/conf/all/forwarding
> 1
>
> Note that the config files have gone through several permutations as I
> tried to figure this out, so there may be some dumb stuff, but totally
> open to suggestions right now. I'm kinda stumped. Note that a tcpdump
> on the RasPi shows the ping requests coming in, but not being forwarded
> to the internal interface, so I assume I'm just missing Something
> Dumb(tm) in WG land.
Did you allow forwarding in RPi's firewall? Post "iptables-save" from it.
--
With respect,
Roman
* Re: Access subnet behind server.
From: ml-wireguard @ 2021-01-24 17:37 UTC (permalink / raw)
To: Ken D'Ambrosio; +Cc: wireguard
On 2021-01-23 17:52, Ken D'Ambrosio wrote:
> The client connects just fine, and it can talk to the server's VPN IP
> (192.168.50.1) as well as its internal interface (192.168.10.1).
> Likewise, the server can talk to 192.168.50.11. But nothing gets
> inside to other 192.168.10.x hosts. I do have forwarding set up for
> "all":
Are the clients in the 192.168.10.0/24 net configured to send the answer
packets for 192.168.50.0/24 to the raspberry (e.g. is the raspberry the
default gateway for 192.168.50.0/24)?
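The two replies point at the same two checks: does the RasPi's firewall let packets forward between wg0 and the LAN, and do LAN hosts have a way to send answers back. The checker below is an added example, not code from the thread or from WireGuard; it parses "iptables-save" output (a constructed sample, before and after the fix) and assumes the LAN interface is eth0 and the tunnel interface is wg0.

```python
import re

# Constructed sample of the "iptables-save" output Roman asks for. FORWARD drops by
# default, which matches the symptom: pings arrive on wg0 but never leave on eth0.
SAMPLE_BEFORE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp --dport 51820 -j ACCEPT
COMMIT
"""

# Same firewall with forwarding between wg0 and eth0 (assumed LAN interface) and a
# masquerade rule, so LAN hosts answer to the RasPi's own address and need no extra route.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "COMMIT",
    "-A FORWARD -i wg0 -o eth0 -s 192.168.50.0/24 -d 192.168.10.0/24 -j ACCEPT\n"
    "-A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
    "COMMIT\n*nat\n:POSTROUTING ACCEPT [0:0]\n"
    "-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE\nCOMMIT",
)

def parse_tables(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [...]}} from iptables-save text."""
    tables, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policies"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(line)
    return tables

def check_forwarding(dump, wg_if="wg0", lan_if="eth0"):
    """Report whether VPN traffic may reach the LAN and whether answers can come back."""
    t = parse_tables(dump)
    filt = t.get("filter", {"policies": {}, "rules": []})
    fwd_rules = [r for r in filt["rules"] if r.startswith("-A FORWARD")]
    def accepts(inp, out):
        return any(f"-i {inp}" in r and f"-o {out}" in r and r.endswith("-j ACCEPT")
                   for r in fwd_rules)
    open_policy = filt["policies"].get("FORWARD") == "ACCEPT"
    nat_rules = t.get("nat", {"rules": []})["rules"]
    masq = any("POSTROUTING" in r and f"-o {lan_if}" in r and "MASQUERADE" in r for r in nat_rules)
    return {
        "vpn_to_lan": open_policy or accepts(wg_if, lan_if),
        "lan_to_vpn": open_policy or accepts(lan_if, wg_if),
        # Without masquerade, each LAN host needs a route for 192.168.50.0/24 via the RasPi.
        "return_path_needs_lan_route": not masq,
    }
```

Run it against a real "iptables-save" dump from the RasPi to see which of the two conditions is failing.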