WG up and running - but unable to SSH into server while connected. Why? #139

wiffleman opened this issue Mar 28, 2022 · 3 comments
@wiffleman

Description
I have WG installed and running, and am able to connect to my server VPN etc. Even though this works and my "public IP" is now my home IP, when I'm remote I'm unable to SSH into my Synology.

Is this surprising / a known limitation?

Steps to reproduce

$ ssh user@nas
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.2/16 dev wg0
[#] ip link set mtu 1270 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
$ sudo wg show
interface: wg0
  public key: <redacted>
  private key: (hidden)
  listening port: 25565
  fwmark: 0xca6c

Expected behavior
A clear and concise description of what you expected to happen.

Synology NAS model
E.g. DS218j

wg0.conf

Content of wg0.conf goes here. Remember to redact Private keys!

If there are multiple peers, include their configuration too.

@runfalk
Owner

runfalk commented Mar 28, 2022

It's not expected. Is it just SSH or all services? Is the SSH client computer also on the same VPN?

You didn't paste your wireguard config as requested by the template so I can't really help you debug anything.

@wiffleman
Author

wiffleman commented Mar 28, 2022

Hey - sorry about that. Posted in a rush and was a bit blind to the support docs.

Someone on a reddit forum suggested that this might be because on my in-law's network, if their subnet mask is also 192.168.x.x, I could be running into issues with the local LAN vs. my VPN lan. Is there some known way to override this so I can browse my local lan?

When connected with my current WG config, I cannot access SSH via Terminal, nor can I access any local services via subnet IP:port in the browser, i.e. 192.168.1.152:9000 (my local address for Portainer, for example).

Here's the wg0.conf of my WG setup:
Server
[Interface]
PrivateKey =
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
PostDown =

Client: MBP1 ()
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.8.0.2/32

Client: iPhone ()
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.8.0.4/32

Client: MBP2 ()
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.8.0.3/32

Edit:
Tunnel Configurations from "MBP2" which I was trying to access from yesterday:
[Interface]
PrivateKey =
Address = 10.8.0.3/24
DNS = 1.1.1.1

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint =
PersistentKeepalive = 0

@fabiov64
In the tunnel configuration for MBP2 the address should be 10.8.0.3/32 not 10.8.0.3/24 because it’s a single IP address, not a subnet.
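
The subnet-overlap hypothesis from the Reddit suggestion, worked through as an added example (this is not code from the issue or from the project). It models the Linux policy routing that wg-quick installs for AllowedIPs = 0.0.0.0/0, exactly the rules visible in the "Steps to reproduce" output (route 0.0.0.0/0 in table 51820, rule "not fwmark 51820 table 51820", rule "table main suppress_prefixlength 0"), plus the cryptokey routing the server does over the /32 AllowedIPs of its three peers. The remote LAN prefixes, the uplink name wlan0 and the route tables are constructed for the example; the MBP2 client is a Mac, where wg-quick builds the full-tunnel routing with different commands, but a connected route for the remote LAN beats the tunnel's catch-all there too.

```python
"""Model of the Linux policy routing wg-quick sets up for AllowedIPs = 0.0.0.0/0.

Added example, not code from the issue or the project. Route tables, the remote
LAN prefix and the uplink device name are constructed/assumed.
"""
from ipaddress import ip_address, ip_network

WG_FWMARK = 51820   # 0xca6c in the `wg show` output
UPLINK = "wlan0"    # assumed name of the laptop's physical interface


def main_table(remote_lan, tunnel_prefixlen=24):
    """Routes a laptop has while on someone else's LAN (constructed).

    tunnel_prefixlen mirrors the /24 in "Address = 10.8.0.3/24": wg-quick adds a
    connected route for that prefix on wg0.
    """
    return [
        (ip_network("0.0.0.0/0"), UPLINK),       # default via the remote router
        (ip_network(remote_lan), UPLINK),        # connected route for the remote LAN
        (ip_network(f"10.8.0.3/{tunnel_prefixlen}", strict=False), "wg0"),
    ]


# Table 51820 as created by wg-quick: only a catch-all through the tunnel.
WG_TABLE = [(ip_network("0.0.0.0/0"), "wg0")]


def lookup(table, dst_ip):
    """Longest-prefix match over (prefix, device) pairs; None if nothing matches."""
    hits = [(net, dev) for net, dev in table if dst_ip in net]
    return max(hits, key=lambda hit: hit[0].prefixlen, default=None)


def egress_device(dst, remote_lan, fwmark=0, tunnel_prefixlen=24):
    """Walk the rules in the order the kernel evaluates them and return the device.

    wg-quick adds its two rules without a preference, so the one added last
    ("table main suppress_prefixlength 0") gets the lower number and runs first.
    """
    dst_ip = ip_address(dst)
    main = main_table(remote_lan, tunnel_prefixlen)

    # pref 32764: look up main, but discard a result whose prefix length is 0.
    # Any route more specific than the default (a connected LAN, the wg0 /24)
    # wins here and the packet never reaches table 51820.
    hit = lookup(main, dst_ip)
    if hit is not None and hit[0].prefixlen > 0:
        return hit[1]

    # pref 32765: everything WireGuard did not mark itself goes to table 51820.
    # The encrypted UDP to the endpoint carries fwmark 51820, skips this rule
    # and so the tunnel does not try to route through itself.
    if fwmark != WG_FWMARK:
        hit = lookup(WG_TABLE, dst_ip)
        if hit is not None:
            return hit[1]

    # pref 32766: plain main table, default route included.
    return lookup(main, dst_ip)[1]


# Server-side peers as posted in the issue: one /32 per client.
SERVER_PEERS = {"MBP1": ["10.8.0.2/32"], "MBP2": ["10.8.0.3/32"], "iPhone": ["10.8.0.4/32"]}


def peer_for(dst, peers):
    """Cryptokey routing: the peer whose AllowedIPs contains dst (longest prefix
    wins), or None, in which case WireGuard does not send dst into any tunnel."""
    dst_ip = ip_address(dst)
    best = None
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    for lan in ("192.168.1.0/24", "192.168.2.0/24"):
        print(f"remote LAN {lan}: 192.168.1.152 leaves via",
              egress_device("192.168.1.152", lan))
    print("server sends 10.8.0.3 to peer", peer_for("10.8.0.3", SERVER_PEERS))
```

With the remote LAN on 192.168.1.0/24 the home address 192.168.1.152 matches the connected route, so it leaves on the physical interface and never enters wg0; on a non-overlapping remote LAN the same address falls through to table 51820 and is tunnelled. The server's own tunnel address 10.8.0.1 reaches wg0 whether the client uses Address = 10.8.0.3/24 (via the connected /24 route) or /32 (via the catch-all in table 51820). The real-world check is `ip rule show` and `ip route get 192.168.1.152` on a Linux client, or `route -n get 192.168.1.152` on macOS, run while the tunnel is up.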
