Hey, all. I'm relatively new to WireGuard, and have a RasPi at my house doing firewall duty. Installed WG on it, and on a VPS, and am trying to get the VPS to access hosts on my home subnet. So:

VPS <-192.168.50.0/24-> RasPi <--> [192.168.10.0/24]

And, clearly, I'm doing something wrong.

-----------------------------------------------------------
RasPi server/firewall:
[Interface]
Address = 192.168.50.1/24
SaveConfig = false
ListenPort = 51820
PrivateKey = XXX
[Peer]
PublicKey = XXX
AllowedIPs = 192.168.50.11/32

VPS:
[Interface]
Address = 192.168.50.11/24
PrivateKey = XXX
[Peer]
PublicKey = XXX
Endpoint = vpn.foo.bar:51820
AllowedIPs = 192.168.50.0/24,192.168.10.0/24
-----------------------------------------------------------

The client connects just fine, and it can talk to the server's VPN IP (192.168.50.1) as well as its internal interface (192.168.10.1). Likewise, the server can talk to 192.168.50.11. But nothing gets inside to other 192.168.10.x hosts. I do have forwarding set up for "all":

root@prouter:/proc# cat /proc/sys/net/ipv4/conf/all/forwarding
1

Note that the config files have gone through several permutations as I tried to figure this out, so there may be some dumb stuff, but totally open to suggestions right now. I'm kinda stumped. Note that a tcpdump on the RasPi shows the ping requests coming in, but not being forwarded to the internal interface, so I assume I'm just missing Something Dumb(tm) in WG land.

Thanks!

-Ken
On Sat, 23 Jan 2021 11:52:56 -0500
Ken D'Ambrosio <ken@jots.org> wrote:
> Hey, all. I'm relatively new to WireGuard, and have a RasPi at my house
> doing firewall duty. Installed WG on it, and on a VPS, and am trying to
> get the VPS to access hosts on my home subnet. So:
>
> VPS <-192.168.50.0/24-> RasPi <--> [192.168.10.0/24]
>
> And, clearly, I'm doing something wrong.
>
> -----------------------------------------------------------
> RasPi server/firewall:
> [Interface]
> Address = 192.168.50.1/24
> SaveConfig = false
> ListenPort = 51820
> PrivateKey = XXX
> [Peer]
> PublicKey = XXX
> AllowedIPs = 192.168.50.11/32
>
> VPS:
> [Interface]
> Address = 192.168.50.11/24
> PrivateKey = XXX
> [Peer]
> PublicKey = XXX
> Endpoint = vpn.foo.bar:51820
> AllowedIPs = 192.168.50.0/24,192.168.10.0/24
> -----------------------------------------------------------
>
> The client connects just fine, and it can talk to the server's VPN IP
> (192.168.50.1) as well as its internal interface (192.168.10.1).
> Likewise, the server can talk to 192.168.50.11. But nothing gets inside
> to other 192.168.10.x hosts. I do have forwarding set up for "all":
>
> root@prouter:/proc# cat /proc/sys/net/ipv4/conf/all/forwarding
> 1
>
> Note that the config files have gone through several permutations as I
> tried to figure this out, so there may be some dumb stuff, but totally
> open to suggestions right now. I'm kinda stumped. Note that a tcpdump
> on the RasPi shows the ping requests coming in, but not being forwarded
> to the internal interface, so I assume I'm just missing Something
> Dumb(tm) in WG land.
Did you allow forwarding in RPi's firewall? Post "iptables-save" from it.
--
With respect,
Roman
Am 2021-01-23 17:52, schrieb Ken D'Ambrosio:
> The client connects just fine, and it can talk to the server's VPN IP
> (192.168.50.1) as well as its internal interface (192.168.10.1).
> Likewise, the server can talk to 192.168.50.11. But nothing gets
> inside to other 192.168.10.x hosts. I do have forwarding set up for
> "all":
Are the clients in the 192.168.10.0/24 net configured to send the answer
packets for 192.168.50.0/24 to the raspberry (e.g. is the raspberry the
default gateway for 192.168.50.0/24)?
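Both replies point at the two things the original config does not show: whether the RasPi's FORWARD chain lets wg0 traffic through to the LAN, and whether the 192.168.10.x hosts have a way to send replies back. The script below is an added example (my own, not anything posted in this thread) that checks an iptables-save dump for those two items, run here against constructed sample dumps, and prints the wg-quick PostUp/PostDown lines that would add them to the RasPi's [Interface] section. The interface names wg0 and eth0 are assumptions. The MASQUERADE rule is the shortcut answer to the routing question in the second reply; a static route for 192.168.50.0/24 via the RasPi on the LAN's default gateway is the cleaner alternative, and with it the NAT rule can be dropped.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an iptables-save dump for the
# forwarding pieces the replies ask about and prints the wg-quick lines that
# would add them. Interface names are assumptions for a typical RasPi.

WG_IF=wg0               # assumed WireGuard interface name on the RasPi
LAN_IF=eth0             # assumed LAN-side interface name on the RasPi
VPN_NET=192.168.50.0/24 # tunnel net from the thread
LAN_NET=192.168.10.0/24 # home LAN from the thread

# Print the FORWARD chain policy ("ACCEPT" or "DROP") found in a dump.
forward_policy() {
  printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# Succeed if the dump has an explicit ACCEPT for traffic entering on wg0
# and leaving on the LAN interface.
forward_rule_present() {
  printf '%s\n' "$1" | grep -q -- "^-A FORWARD .*-i $WG_IF -o $LAN_IF .*-j ACCEPT$"
}

# Succeed if VPN sources are masqueraded on the LAN side. With NAT, LAN hosts
# reply to the RasPi's own LAN address and need no route back to VPN_NET.
masquerade_present() {
  printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE$"
}

# Report what is missing. Returns 0 only if the dump both forwards wg0 -> LAN
# and masquerades (this script assumes no static route exists on the LAN).
audit_dump() {
  missing=0
  if [ "$(forward_policy "$1")" != ACCEPT ] && ! forward_rule_present "$1"; then
    echo "FORWARD chain blocks $WG_IF -> $LAN_IF: add an explicit ACCEPT rule"
    missing=1
  fi
  if ! masquerade_present "$1"; then
    echo "no MASQUERADE for $VPN_NET on $LAN_IF: LAN hosts need a route to $VPN_NET via the RasPi, or NAT"
    missing=1
  fi
  return $missing
}

# Print the lines to add to the RasPi's [Interface] section (wg-quick syntax).
# The first rule is deliberately narrow: only VPN_NET to LAN_NET, nothing else,
# and the return direction only for connections the VPN side opened.
wg_interface_additions() {
  cat <<EOF
PostUp = iptables -A FORWARD -i $WG_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
PostUp = iptables -A FORWARD -i $LAN_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
PostDown = iptables -D FORWARD -i $WG_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
PostDown = iptables -D FORWARD -i $LAN_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
EOF
}

# Constructed sample: a firewall with a default-DROP FORWARD chain and no
# WireGuard rules, which is what the symptoms in the thread look like.
SAMPLE_BEFORE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: the same firewall after the PostUp rules above ran
# (iptables-save lists -s/-d before -i/-o).
SAMPLE_AFTER='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.50.0/24 -d 192.168.10.0/24 -i wg0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Stand-alone run: audit both samples, then show the lines to add.
for dump in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  if audit_dump "$dump"; then
    echo "ok: this dump forwards $VPN_NET -> $LAN_NET"
  fi
  echo "--"
done
wg_interface_additions
```

On the real RasPi, `audit_dump "$(iptables-save)"` runs the same checks against the live ruleset, and the `1` in `/proc/sys/net/ipv4/conf/all/forwarding` from the original post is still required; the sysctl only allows forwarding, the FORWARD chain decides whether a given packet is actually passed.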