Hi.
I have a Wireguard server behind NAT, but can't get it to work. It seems to be missing routing between the wg interface and the rest of the system.
I'm using the Wireguard service from the wireguard-tools pkg.
The system is a fresh 14.3 install.
My system is not standard: there are jails, and the external IF is passed to one of the jails, which acts as firewall, gateway, nat, dhcp ... etc.
I want to establish an external connection to my LAN/services within the 192.168.1.1/24 network.
Code:
```text
                +-------------------------------------------------+
                +  +-------------------------------------------+  +
internet -----=====+ jail 192.168.1.1 - gateway/firewall/nat   +  +
                +  +  unbound dhcp etc ....                    +  +
                +  +  wireguard port forward to 192.168.1.32   +  +
                +  +-------------------------------------------+  +
                +  +more jails 192.168.1.xx   +                   +
                +  +--------------------------+                   +
                +                                                 +
                +  wireguard server on host (172.16.0.1@wg0)      +-------- LAN 192.168.1.xx
                +                                                 +
                +  HOST 192.168.1.32                              +
                +-------------------------------------------------+
```
sh:
```sh
willy@browar: ~ % service wireguard start
[#] ifconfig wg create name wg0
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.16.0.1/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 172.16.0.2/32 -interface wg0
[+] Backgrounding route monitor
```
sh:
```sh
willy@browar: ~ % netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS      mlxen0
127.0.0.1          link#2             UH          lo0
172.16.0.0/24      link#6             U           wg0
172.16.0.1         link#2             UHS         lo0
172.16.0.2         link#6             UHS         wg0
192.168.1.0/24     link#3             U        mlxen0
192.168.1.32       link#2             UHS         lo0
```
sh:
```sh
willy@browar: ~ % ifconfig
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
mlxen0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=ad00b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,HWSTATS>
        ether f4:52:14:55:72:70
        inet 192.168.1.32 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (10Gbase-CX4 <full-duplex,rxpause,txpause>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
bridge192: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=0
        ether 58:9c:fc:10:ff:c9
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: e0a_gateway flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000
        member: mlxen0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
e0a_gateway: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: vnet192 host interface for Bastille jail test
        options=8<VLAN_MTU>
        ether 02:f5:6b:8b:8d:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 172.16.0.1 netmask 0xffffff00
        groups: wg
        nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>
```
sh:
```sh
willy@browar: ~ % sudo ipfw list
65535 allow ip from any to any
willy@browar: ~ % sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1
```
The tunnel seems to work correctly.
I can ping the Wireguard server (wg0 - 172.16.0.1) and the HOST 192.168.1.32, and can also ssh to the HOST, but there is no routing to the rest of the network.
I have tried to add some routing rules, but without luck. It seems I don't understand how to do that correctly.
If that changes anything, I'm using IPFW inside the jail for NAT/Firewall/Forwarding - but that part of the system works as expected.
I even tried to add WG0 to the bridge, but it's not an ether type interface - not possible.
I also created a wg tunnel with the same IP address range as my LAN, but same problem: no routing between wg0 and the rest. Only the HOST and wg0 are accessible.
Could someone help me to set up the route correctly? (I guess it's a route problem)
Best
willy.
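The host-side output in the post shows forwarding enabled and routes for both wg0 and the LAN, but it cannot show whether the LAN gateway has a route back to 172.16.0.0/24, which is what LAN replies need. The check below is an added editor's example, not the poster's code: it walks both directions over two `netstat -nr` dumps, where the host table is copied from the post and the gateway tables plus the interface name e0b_gateway are constructed.

```sh
#!/bin/sh
# Editor's added diagnostic, not the poster's code. It reads two `netstat -nr`
# dumps, the WireGuard host's and the LAN gateway's, and reports the first hop
# that lacks a route. HOST_ROUTES is copied from the post; the gateway tables
# and the interface name e0b_gateway are constructed for this example.

WG_CLIENT=172.16.0.2     # peer route added by `service wireguard start` in the post
WG_NET=172.16.0.0/24
LAN_NET=192.168.1.0/24

HOST_ROUTES='default 192.168.1.1 UGS mlxen0
172.16.0.0/24 link#6 U wg0
172.16.0.2 link#6 UHS wg0
192.168.1.0/24 link#3 U mlxen0'

# Constructed: gateway jail with no route back to the WireGuard subnet.
GW_ROUTES_BROKEN='default 203.0.113.1 UGS ext0
192.168.1.0/24 link#4 U e0b_gateway'

# Constructed: the same table after adding a return route via the WG host.
GW_ROUTES_FIXED="$GW_ROUTES_BROKEN
172.16.0.0/24 192.168.1.32 UGS e0b_gateway"

# Print the Netif of the exact-match route for $1 in table $2, or "none".
route_iface() {
    printf '%s\n' "$2" |
        awk -v d="$1" '$1 == d { print $4; f = 1 } END { if (!f) print "none" }'
}

# Check client -> LAN (host side) and LAN -> client (gateway side).
# $1 = net.inet.ip.forwarding on the host, $2 = host table, $3 = gateway table.
check_wg_path() {
    [ "$1" = 1 ] || { echo "host: net.inet.ip.forwarding is $1"; return; }
    [ "$(route_iface "$WG_CLIENT" "$2")" = wg0 ] ||
        { echo "host: no route to $WG_CLIENT on wg0"; return; }
    [ "$(route_iface "$LAN_NET" "$2")" != none ] ||
        { echo "host: no route to $LAN_NET"; return; }
    # LAN replies go to the default gateway, which must know the WG subnet
    # (or the host must NAT wg0 traffic so replies target 192.168.1.32).
    [ "$(route_iface "$WG_NET" "$3")" != none ] ||
        { echo "gateway: no return route to $WG_NET"; return; }
    echo ok
}

check_wg_path 1 "$HOST_ROUTES" "$GW_ROUTES_BROKEN"
check_wg_path 1 "$HOST_ROUTES" "$GW_ROUTES_FIXED"
```

Feed it real `netstat -nr` output from the host and from inside the gateway jail to see which side of the path is missing a route.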