
the command "wg show" displays my interface but nothing goes through the tunnel #174

Open
Maxence-v opened this issue Feb 20, 2023 · 5 comments

Comments


Maxence-v commented Feb 20, 2023

My setup is: an Oracle VPS to act as the server, and I want to use my Synology NAS as the client with Docker.

When I curl ifconfig.co inside the WireGuard Docker container on my Synology, I see the public IP of my router, to which my NAS is connected, instead of the public IP of my Oracle VPS.

My Oracle WireGuard server config (wg0.conf), generated by wireguard docker:

[Interface]
Address = 10.26.26.1
ListenPort = 51820
PrivateKey = PrivKeyServer
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer1
PublicKey = peer1PublicKey
PresharedKey = peer1PresharedKey
AllowedIPs = 10.26.26.3/32

My Synology client config (wg0.conf):

[Interface]
Address = 10.26.26.3
PrivateKey = PrivKeyClient
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.26.26.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = peer1PublicKey
PresharedKey = peer1PresharedKey
Endpoint = OracleVPSPublicIP:56000
AllowedIPs = 10.0.1.2/32

ip route output inside the Synology WireGuard container:

default via 172.20.0.1 dev eth0
10.0.1.2 dev wg0 scope link
10.26.26.0/24 dev wg0 proto kernel scope link src 10.26.26.3
172.20.0.0/16 dev eth0 proto kernel scope link src 172.20.0.2

spcqike commented Feb 21, 2023

If you want to route all traffic through the wg interface, you need to use 0.0.0.0/0 as the allowed IP on this device.

Anyway, the AllowedIPs in your DiskStation config is wrong and doesn't match the VPN IP of your Oracle VPS.

And the AllowedIPs for the DiskStation's peer in the VPS config is also wrong.


Maxence-v commented Feb 21, 2023

Thanks for your answer.

When I try 0.0.0.0/0 and then docker restart wireguard, the wireguard logs show:

[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: setting key "net.ipv4.conf.all.src_valid_mark", ignoring: Read-only file system
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I don't get why the AllowedIPs of my client are wrong:

  • AllowedIPs = 10.26.26.2/32 is actually 10.26.26.3/32 in my conf, my bad.
  • AllowedIPs = 10.0.1.2/32: here the goal was to replace 0.0.0.0/0 with a subnet I won't use.

@Maxence-v
Author

As stated here: #59 (comment)

I found the solution.

Hello everyone! I know this issue has been open for a long time, but I just found the solution today.

AllowedIPs 0.0.0.0/0 doesn't work.

So you have to put AllowedIPs = 0.0.0.0/1, 128.0.0.0/1; the only problem is that you also send the traffic to the public IP of your WireGuard endpoint server...

The only solution I found was to add this at the end of your PostUp rule:

; sleep 5; ip route add Endpoint_IP_of_wireguard_server/32 via 172.20.0.1 dev eth0

To get this IP (172.20.0.1), use the command ip a.
For me the inet of eth0 is 172.20.0.2/16, so that gives us 172.20.0.1 (the default gateway):

eth0@if300: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0

The sleep 5 might not be needed; I need to test that.

It looks like this in my client config on Synology:

[Interface]
Address = 10.0.0.2
PrivateKey = priv_key
ListenPort = 51820
DNS = 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add Endpoint_IP_of_wireguard_server/32 via 172.20.0.1 dev eth0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = pub_key
PresharedKey = preshared_key
Endpoint = Endpoint_IP_of_wireguard_server:port_wireguard_server
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1

@dmillerzx

Is AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 a full tunnel like 0.0.0.0/0? If so, is there any way to not use the full-tunnel setup? Anything else I use for AllowedIPs doesn't allow traffic to pass until the peer pings the server.

@dmillerzx

It looks like adding PersistentKeepalive = 25 will allow the user to use other AllowedIPs blocks to avoid a full tunnel.
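The three points the thread turns on (spcqike's AllowedIPs mismatch, the #59 endpoint-route workaround, and the PersistentKeepalive observation just above) can all be checked statically from the two wg0.conf files. The following Python script is an added example for this issue, not code from wireguard-docker or wg-quick: it parses both configs, cross-checks each side's AllowedIPs against the other side's Address, models the routes wg-quick installs when no AllowedIPs entry is a /0 (one plain wg0 route per entry, without the fwmark policy routing that the container log above shows failing), and flags an endpoint that would be routed back into wg0 or a peer that lacks a keepalive. The sample configs, the placeholder keys and the 203.0.113.10 endpoint (standing in for the VPS public IP) are constructed for the example; the finding codes and the `run_checks` function are this example's own names.

```python
"""Consistency checks for the wg-quick client/server pair in this thread (added example,
not code from wireguard-docker or wg-quick). It models three points raised above:
  1. cryptokey routing: each side's [Peer] AllowedIPs must cover the other side's
     [Interface] Address, or traffic to and from that address is dropped;
  2. with no /0 in AllowedIPs, wg-quick installs one plain wg0 route per entry and skips
     the fwmark policy routing it uses for a /0, so 0.0.0.0/1, 128.0.0.0/1 sends the
     endpoint itself into the tunnel unless a host route points it back out eth0;
  3. a NAT'd client with no PersistentKeepalive is unreachable from the server until
     the client sends a packet.
The configs and the 203.0.113.10 endpoint below are constructed; keys are placeholders.
"""
import ipaddress

def parse_wg_conf(text):
    """Parse a wg-quick config into {'Interface': {key: [values]}, 'Peers': [{...}]};
    values are lists because a key such as AllowedIPs may repeat within a section."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == '[Interface]':
            section = interface
        elif line == '[Peer]':
            peers.append(section := {})
        else:
            key, _, value = line.partition('=')
            section.setdefault(key.strip(), []).append(value.strip())
    return {'Interface': interface, 'Peers': peers}

def allowed_networks(peer):
    """All AllowedIPs entries of a peer as ip_network objects."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for value in peer.get('AllowedIPs', []) for n in value.split(',') if n.strip()]

def interface_address(conf):
    """First [Interface] Address, without its prefix length."""
    return ipaddress.ip_interface(conf['Interface']['Address'][0].split(',')[0].strip()).ip

def endpoint_ip(peer):
    """Host part of 'Endpoint = host:port'; assumed to be an IP literal, as in the thread."""
    return ipaddress.ip_address(peer['Endpoint'][0].rsplit(':', 1)[0].strip('[]'))

def lookup(routes, dst):
    """Longest-prefix match over (network, device) pairs, as the kernel FIB does."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def client_routes(client, extra_host_routes=()):
    """Container routing table after wg-quick up with no /0 in AllowedIPs: Docker's
    default via eth0, one wg0 route per AllowedIPs entry, plus hand-added host routes."""
    routes = [(ipaddress.ip_network('0.0.0.0/0'), 'eth0')]
    for peer in client['Peers']:
        routes += [(net, 'wg0') for net in allowed_networks(peer)]
    routes += [(ipaddress.ip_network(h), 'eth0') for h in extra_host_routes]
    return routes

def check_pair(server, client, extra_host_routes=()):
    """Return (code, message) findings; an empty list means the pair is consistent."""
    findings = []
    s_addr, c_addr = interface_address(server), interface_address(client)
    if not any(c_addr in n for p in server['Peers'] for n in allowed_networks(p)):
        findings.append(('server-allowedips', f'no server peer allows client address {c_addr}'))
    if not any(s_addr in n for p in client['Peers'] for n in allowed_networks(p)):
        findings.append(('client-allowedips', f'client AllowedIPs do not cover server address {s_addr}'))
    routes = client_routes(client, extra_host_routes)
    for peer in (p for p in client['Peers'] if 'Endpoint' in p):
        ep = endpoint_ip(peer)
        # A real /0 makes wg-quick use fwmark policy routing instead (the rules that
        # failed in the container log above), so the route model only covers the no-/0 case.
        if not any(n.prefixlen == 0 for n in allowed_networks(peer)) and lookup(routes, ep) == 'wg0':
            findings.append(('endpoint-loop', f'endpoint {ep} routed into wg0; add "ip route add {ep}/32 via <eth0 gateway> dev eth0" to PostUp'))
        if 'PersistentKeepalive' not in peer:
            findings.append(('no-keepalive', 'Endpoint set but no PersistentKeepalive; server cannot reach client until it sends'))
    return findings

# Constructed configs mirroring the thread; 203.0.113.10 stands in for the VPS public IP.
SERVER_CONF = """[Interface]
Address = 10.26.26.1
PrivateKey = PrivKeyServer

[Peer]
PublicKey = peer1PublicKey
AllowedIPs = 10.26.26.3/32
"""
CLIENT_CONF_ORIGINAL = """[Interface]
Address = 10.26.26.3
PrivateKey = PrivKeyClient

[Peer]
PublicKey = serverPublicKey
Endpoint = 203.0.113.10:56000
AllowedIPs = 10.0.1.2/32
"""
CLIENT_CONF_SPLIT_DEFAULT = CLIENT_CONF_ORIGINAL.replace('AllowedIPs = 10.0.1.2/32', 'AllowedIPs = 0.0.0.0/1, 128.0.0.0/1')
CLIENT_CONF_FIXED = CLIENT_CONF_SPLIT_DEFAULT + 'PersistentKeepalive = 25\n'

def run_checks(client_text, extra_host_routes=()):
    """Check a client config text against SERVER_CONF."""
    return check_pair(parse_wg_conf(SERVER_CONF), parse_wg_conf(client_text), extra_host_routes)
```

Calling run_checks on the three constructed client configs reproduces the thread: the original (10.0.1.2/32) is flagged only for not covering the server's tunnel address, the 0.0.0.0/1, 128.0.0.0/1 variant passes that check but has its endpoint routed into wg0 until a 203.0.113.10/32 host route is passed in as extra_host_routes, and the variant with both the host route and PersistentKeepalive = 25 returns no findings. Note that the route model deliberately covers only the no-/0 case; with a real 0.0.0.0/0, wg-quick relies on the fwmark rules that the read-only sysctl and missing raw table broke in this container.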
