I was a dedicated IPsec user for almost two decades and never bothered with routing questions, because the kernel does this (somehow) according to the security associations. I've never seen interfaces either, for the same reason.
I read about WireGuard and thought I'd try it and maybe learn something new.
The setup is simple:
10.0.80.0/24 <-> 10.10.1.0/24 <-> 0.0.0.0/0
10.10.1.0/24 is running FreeBSD 13.1-RC1. I created the tunnel rather fast, set the necessary firewall settings, and everything worked like a charm. I assigned 10.10.1.2 to the client and 10.10.1.1 to the server.
Code:
wg0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.10.1.1 netmask 0xffffffff broadcast 10.10.1.1
        groups: tun
        nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>
        Opened by PID 800
I've also set up named as a recursive DNS server.
The setup is working: I can access the DNS server, I can access the Internet, and the speed is even slightly better than with IPsec. And WireGuard needs far fewer settings compared to IPsec.
I connected a second network to the server, subnet 10.1.80.0/24, and assigned 10.10.1.3 to that client.
The next step is to allow traffic to flow between 10.0.80.0/24 and 10.1.80.0/24. Here I'm scratching my head: IPsec can do this without any additional settings. To simplify my tests, I logged in to the server and tried
ping -S 10.10.1.1 10.0.80.1 - it failed. I've tried
ping -S 10.10.1.1 10.10.1.2 - it works. So, basically, I need to tell it that 10.0.80.0/24 lives behind 10.10.1.2/32, right?
I've tried
route add 10.0.80.0/24 10.10.1.2 with absolutely zero result.
Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            xxxxxxxxxx         UGS      vtnet0
xxxxxxxxxx         link#1             U        vtnet0
ext-01             link#1             UHS         lo0
10.0.80.0/24       10.10.1.2          UGS         wg0
10.10.1.0/24       link#3             US          wg0
10.10.1.1          link#3             UH          lo0
localhost          link#2             UH          lo0
Are more steps needed to be able to ping 10.0.80.0/24 from 10.10.1.1?
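As an added illustration (not from the post above, and not the poster's own configuration), here is the piece WireGuard needs that IPsec policies give you for free. The kernel route in the post only gets a packet for 10.0.80.1 as far as wg0; WireGuard then does its own "cryptokey routing" and looks for a peer whose AllowedIPs covers the destination. With only 10.10.1.2/32 allowed for that peer, no peer matches and the packet is silently dropped, which is why `route add` alone has no visible effect. The fix is to list each client's LAN in that client's AllowedIPs on the server, and to list the other LAN(s) in the server's AllowedIPs on each client. The configs below are in wg-quick format; the key placeholders, the listen port, the endpoint name and the file path are assumptions.

```ini
# /usr/local/etc/wireguard/wg0.conf on the server (10.10.1.1)
# Added example, not from the post. Keys, port and path are placeholders.
# Also needs net.inet.ip.forwarding=1 (gateway_enable="YES" in rc.conf)
# so the server will pass traffic between the two peers.
[Interface]
Address    = 10.10.1.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

# Client A, the router in front of 10.0.80.0/24.
# AllowedIPs is both an ingress filter (what source addresses this peer may
# send) and the egress selector (which destinations are sent to this peer).
[Peer]
PublicKey  = <clientA-public-key>
AllowedIPs = 10.10.1.2/32, 10.0.80.0/24

# Client B, the router in front of 10.1.80.0/24.
[Peer]
PublicKey  = <clientB-public-key>
AllowedIPs = 10.10.1.3/32, 10.1.80.0/24
```

On client A the mirror image is `AllowedIPs = 10.10.1.0/24, 10.1.80.0/24` under the server's `[Peer]` block (with `Endpoint = <server>:51820`), and client B gets `10.10.1.0/24, 10.0.80.0/24`; each client must also forward, and hosts on 10.0.80.0/24 need a route to 10.1.80.0/24 via client A, or the reply to the ping never comes back. When `wg-quick up wg0` brings the interface up it installs the routes for every AllowedIPs prefix itself, so the manual `route add` from the post is no longer needed; if the interface is instead configured by hand, the equivalent is `wg set wg0 peer <clientA-public-key> allowed-ips 10.10.1.2/32,10.0.80.0/24` followed by the route. `wg show wg0 allowed-ips` is the quick check that the server now maps 10.0.80.0/24 to the right peer before repeating the `ping -S 10.10.1.1 10.0.80.1` test.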