Wireguard and route specific internal ip

Hi!

I'm trying to get wireguard to connect from one internal IP on my freebsd-server but the traffic doesn't seem to go through the tunnel.

Code:
cat wg0.conf
[Interface]
PrivateKey = Hidden
Address = 10.72.42.46/32
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = Hidden
AllowedIPs = 192.168.10.138/32
Endpoint = Hidden:51820
PersistentKeepalive = 15

service wireguard start

Code:
[#] ifconfig wg create name wg0
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 10.72.42.46/32 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[+] Backgrounding route monitor

wg (connection with VPN-server is working)

Code:
interface: wg0
  public key: OmmHunzHvRVdt49NmEIgAQWx13YuaGjvvJ8rRa10zzc=
  private key: (hidden)
  listening port: 57676

My /etc/rc.conf

Code:
gateway_enable="YES"
wireguard_interfaces="wg0"
wireguard_enable="YES"

netstat -rn
Code:
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.10.1       UGS        igb0
10.72.42.46        link#3             UH          lo0
127.0.0.1          link#3             UH          lo0
192.168.10.0/24    link#1             U          igb0
192.168.10.134     link#3             UHS         lo0
192.168.10.138     link#3             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             link#3                        URS         lo0
::1                               link#3                        UHS         lo0
::ffff:0.0.0.0/96                 link#3                        URS         lo0
fe80::%lo0/10                     link#3                        URS         lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
ff02::/16                         link#3                        URS         lo0

Am I missing something here? Routing maybe?

Thanks in advance.
 
What are the source and destination IPs of the traffic that isn't going through the tunnel? Have you tried running tcpdump on the wireguard interfaces at both ends of the tunnel? Need to determine if the traffic is 1) going into the tunnel at the source, 2) coming back into the tunnel at the far end on return, 3) if any extra routing or NAT is required at each end to make the return path complete.
 
I will answer my own questions for future persons.

I was trying to connect wireguard for one of my network cards, I wasn't clear about that with my initial question. I've got two network cards igb0 and igb1. igb0 with 192.168.20.0/24 should route through wireguard.

I had trouble getting fib 0 and fib 1 working as I wanted, but this is how I did it:

Added in /etc/sysctl.conf:
Code:
net.fibs=2
net.add_addr_allfibs=0

Added in /etc/rc.conf for static routes:
Code:
ifconfig_igb1="DHCP"
ifconfig_igb0="DHCP"
defaultrouter="192.168.10.1"
static_routes="mullvad mullvad_def"
route_mullvad="-fib 1 -net 192.168.20.0/24 -interface igb0"
route_mullvad_def="-fib 1 default -ifa 192.168.20.2 192.168.20.1"

Needed to edit the startup script for wireguard in /usr/local/etc/rc.d/wireguard to run under setfib 1.
Added setfib 1 in two places: setfib 1 /usr/local/bin/wg-quick up and setfib 1 /usr/local/bin/wg syncconf:
Code:
wireguard_start()
{
    ${wireguard_env:+eval export $wireguard_env}

    for interface in ${wireguard_interfaces}; do
        setfib 1 /usr/local/bin/wg-quick up ${interface}
    done
}

wireguard_stop()
{
    for interface in ${wireguard_interfaces}; do
        /usr/local/bin/wg-quick down ${interface}
    done
}

wireguard_reload()
{
    ${wireguard_env:+eval export $wireguard_env}

    for interface in ${wireguard_interfaces}; do
        tmpfile="`mktemp`"
        /usr/local/bin/wg-quick strip ${interface} > ${tmpfile}
        setfib 1 /usr/local/bin/wg syncconf ${interface} ${tmpfile}
        rm -f ${tmpfile}
    done
}

Here is my setfib 1 netstat -rn:
Code:
netstat -rn
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#4             US          wg0
default            192.168.20.1       UGS        igb0
10.71.247.7        link#3             UH          lo0
127.0.0.1          link#3             UH          lo0
128.0.0.0/1        link#4             US          wg0
Endpointip           192.168.20.1       UGHS       igb0
192.168.10.0/24    link#2             U          igb1
192.168.20.0/24    link#1             U          igb0

My wg0.conf:
Code:
cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = Hidden
Address = 10.71.247.7/32
#Table = 1

[Peer]
PublicKey = Hidden
AllowedIPs = 0.0.0.0/0
Endpoint = hidden:51820

wg show:
Code:
wg show
interface: wg0
  public key:
  private key: (hidden)
  listening port: 52284

peer:
  endpoint: hidden
  allowed ips: 0.0.0.0/0
  latest handshake: 39 seconds ago
  transfer: 2.61 MiB received, 6.33 MiB sent

Traceroute shows and connects as it should. Setting this up was harder than I initially thought.
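The failure mode the post above works around is easy to miss: if wg-quick runs in FIB 0 while igb0's traffic lives in FIB 1, FIB 1 never receives the 0.0.0.0/1 and 128.0.0.0/1 routes and the LAN's traffic leaves igb0 in the clear. The script below is an added example (not the poster's code) that checks a `netstat -rn` table for exactly the two things the posted FIB 1 table shows: the two half-default routes pointing at wg0, and a host route for the peer endpoint via the uplink so the tunnel's own UDP packets are not routed into the tunnel. The function name `check_fib_routes`, the endpoint address 203.0.113.10 and the two sample tables are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a FreeBSD FIB really sends
# all traffic through the WireGuard interface and reaches only the endpoint
# via the uplink. It parses `netstat -rn` text from stdin, so on a live box:
#   setfib 1 netstat -rn | check_fib_routes wg0 <endpoint-ip> igb0
# Exit status 0 means OK, 1 means a leak risk or a broken endpoint route.

check_fib_routes() {
    tun="$1"; ep="$2"; up="$3"
    awk -v tun="$tun" -v ep="$ep" -v up="$up" '
        # wg-quick installs two "half default" routes that are more specific
        # than the real default route and therefore win for every destination
        $1 == "0.0.0.0/1"   && $NF == tun        { lo = 1 }
        $1 == "128.0.0.0/1" && $NF == tun        { hi = 1 }
        # the peer endpoint must stay reachable via the uplink (host route,
        # flag H), otherwise the tunnel would try to send itself into itself
        $1 == ep && $3 ~ /H/ && $NF == up        { epr = 1 }
        END {
            ok = 1
            if (!lo || !hi) {
                print "LEAK RISK: no 0.0.0.0/1 + 128.0.0.0/1 via " tun "; traffic follows the plain default route"
                ok = 0
            }
            if (!epr) {
                print "BROKEN: no host route for endpoint " ep " via " up
                ok = 0
            }
            if (ok) print "OK: traffic -> " tun ", endpoint " ep " -> " up
            if (!ok) exit 1
        }'
}

# Constructed table modelled on the FIB 1 table posted above, after wg-quick
# was started with setfib 1. 203.0.113.10 stands in for the hidden endpoint.
FIB1_OK='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#4             US          wg0
default            192.168.20.1       UGS        igb0
10.71.247.7        link#3             UH          lo0
127.0.0.1          link#3             UH          lo0
128.0.0.0/1        link#4             US          wg0
203.0.113.10       192.168.20.1       UGHS       igb0
192.168.10.0/24    link#2             U          igb1
192.168.20.0/24    link#1             U          igb0'

# Constructed table for the failure mode: wg-quick ran in FIB 0, so FIB 1 only
# holds the static routes from rc.conf and everything exits igb0 unencrypted.
FIB1_LEAK='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.20.1       UGS        igb0
127.0.0.1          link#3             UH          lo0
192.168.20.0/24    link#1             U          igb0'

# Run both samples when executed directly (the leak sample reports and fails).
printf '%s\n' "$FIB1_OK"   | check_fib_routes wg0 203.0.113.10 igb0 || :
printf '%s\n' "$FIB1_LEAK" | check_fib_routes wg0 203.0.113.10 igb0 || :
```

The check reads the Netif column as the last field, which holds on FreeBSD's `netstat -rn` when the Expire column is empty (as it is for static routes); on a box where FIB 1 also carries expiring routes, switch the tests to `$4`. Running it from cron against `setfib 1 netstat -rn` gives a cheap alarm if a package upgrade replaces the edited rc.d script and the tunnel silently drops back to FIB 0.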
 
slimture edited startup script for wireguard.

In my case, I've set up the tunnelfib configuration in the PostUp line of wg0.conf. Personally, I recommend this approach because it allows for mixing WireGuard configurations that use tunnelfib with those that don't, and it doesn't require any changes even after updating wireguard-tools via pkg upgrade.

wg0.conf
[Interface]
Privatekey = [Privatekey]
Address = 10.8.41.1/24
table = off
ListenPort = 1111
PostUp = /sbin/ifconfig wg0 tunnelfib 1

[Peer]
PublicKey = IOx7n4S1rBZPlj6an2rMQSddj07RMQFkWPAyvtJsYnY=
AllowedIPs = 10.8.0.0/16, 192.168.0.0/24
Endpoint = [End Point IP address]:1111
PersistentKeepAlive = 30

I've just written a blog post about this, so I've included the link as well.

[FreeBSD] use fib for specific wireguard interface
 