WireGuard: How to route another subnet through it?

Colleagues, tell me why I can't route another subnet through the wireguard?

I have two computers, one is a router and the other is a client.
The router has an interface with the address 172.16.0.1/24 and a wireguard interface with the address 10.20.0.1/24.
The client has an interface with the address 192.168.1.1/24 and a wireguard interface with the address 10.20.0.2/24.

Here is the router config:
Code:
[Interface]
Address = 10.20.0.1
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
ListenPort = 51820

[Peer]
PublicKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=
AllowedIPs = 10.20.0.2/32
Here is the client config:
Code:
[Interface]
Address = 10.20.0.2/32
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 10.20.0.0/24
Endpoint = my.gw.ip.addr:51820
Network 10.20.0.0/24 works without problems. Ping and ssh in both directions pass normally. Tcpdumps on both sides show the passage of the respective packets.

Then I give the command on the client:
route add -network 172.16.0.0/24 -interface wg0
After that, as it should be, a route entry appears:
Code:
Destination        Gateway            Flags     Netif Expire
...
172.16.0.0/24      wg0                US          wg0
...

In theory, now if I start pinging the address 172.16.0.1, then ICMP packets will go to the wg0 interface on the client and exit the response interface on the router.
Unfortunately, this only happens halfway. On the client's interface wg0 the packets leave, but on the router's wg0 they do not appear.

Colleagues, tell me please, what is my problem? What am I doing wrong?

Grateful for help,
Ogogon.
 
Have you got

gateway_enable="YES" # Set to YES if this host will be a gateway

in /etc/rc.conf on the router? Handbook chapter 34.2.2. Set the sysctl net.inet.ip.forwarding (and the ip6 version) if you don't want to reboot immediately.
 
Have you got

gateway_enable="YES" # Set to YES if this host will be a gateway
Yes.
Even assuming I didn't, the packets would be visible on the wg0 interface. And I wrote above that I looked at them on the interface, using tcpdump.
 
"router" has to know where to forward packets for 192.168.1/24, add the route there as well.
I haven't gotten to that point yet. Everything stalled at an earlier stage.
So far, I cannot push packets through wireguard for an address that is not on its subnet, but is well known to the router, and routing to it is set.
Please read the first post of this discussion.
 
Try to use IPs instead of "-interface wg0", as mentioned by covacat.
In most cases you must setup static routes for the opposite network on both sides.
Try to check your NAT rules. In most cases you should exclude all internal networks from NATing.
 
You have to enable the /24 in your wg config on the client. If you add it to your config, your client will automatically route all traffic through the wg interface. wg-quick up wg0 will add routes, e.g.:
Code:
litmk@client:/home/litmk # wg-quick up wg0
[#] ifconfig wg create name wg0
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 10.20.0.2/24 alias
[#] ifconfig wg0 mtu 1412
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 172.16.0.1/24 -interface wg1
[#] route -q -n add -inet 10.20.0.0/24 -interface wg1
[+] Backgrounding route monitor


Code:
[Interface]

Address = 10.20.0.2/32
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 10.20.0.0/24, 172.16.0.0/24
Endpoint = my.gw.ip.addr:51820

and then you need to use PF (or IPFW) similar to this:
Code:
int_if = "igb1"
wg_net = "10.20.0.0/24"
nat on $int_if from $wg_net to any -> 172.16.0.1
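A small model of WireGuard's cryptokey routing that reproduces the symptom in the first post and shows why the AllowedIPs change above fixes it. This is an added example, not code from any poster; the peer tables are constructed from the configs in the thread, and the final trace from the client LAN (192.168.1.0/24) goes beyond the thread to show the router-side AllowedIPs entry that the "add the route there as well" reply implies.

```python
"""Model of WireGuard cryptokey routing: AllowedIPs is both the outbound
routing table (which peer gets a packet) and the inbound filter (which
source addresses a peer may send). Constructed tables mirror the thread."""
from ipaddress import ip_address, ip_network

# Constructed peer tables: {peer_name: [AllowedIPs...]} as configured on each host.
CLIENT_PEERS_BEFORE = {"router": ["10.20.0.0/24"]}                  # first post
CLIENT_PEERS_AFTER = {"router": ["10.20.0.0/24", "172.16.0.0/24"]}  # litmk's fix
ROUTER_PEERS = {"client": ["10.20.0.2/32"]}                         # first post


def select_peer(peers, dst):
    """Outbound: longest-prefix match of dst over every peer's AllowedIPs.
    No match means the wg device drops the packet silently, after tcpdump
    on wg0 has already shown the plaintext packet entering the interface."""
    best = None
    for name, nets in peers.items():
        for net in map(ip_network, nets):
            if ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers, peer, src):
    """Inbound: after decryption, the packet's source must lie inside the
    AllowedIPs of the peer whose key authenticated it, or it is dropped."""
    return any(ip_address(src) in ip_network(n) for n in peers[peer])


def trace(client_peers, router_peers, src, dst):
    """One round trip src -> dst and back; returns 'ok' or where it died."""
    peer = select_peer(client_peers, dst)
    if peer is None:
        return f"dropped inside client wg0: no AllowedIPs covers {dst}"
    if not accept_inbound(router_peers, "client", src):
        return f"dropped inside router wg0: source {src} not in client's AllowedIPs"
    # Reply from dst back to src: router picks the peer, client filters the source.
    if not accept_inbound(client_peers, peer, dst):
        return f"reply dropped inside client wg0: source {dst} not in router's AllowedIPs"
    return "ok"


if __name__ == "__main__":
    print(trace(CLIENT_PEERS_BEFORE, ROUTER_PEERS, "10.20.0.2", "172.16.0.1"))
    print(trace(CLIENT_PEERS_AFTER, ROUTER_PEERS, "10.20.0.2", "172.16.0.1"))
    print(trace(CLIENT_PEERS_AFTER, ROUTER_PEERS, "192.168.1.5", "172.16.0.1"))
```

The kernel route added with route(8) only decides that the packet enters wg0; the AllowedIPs table then decides whether it ever leaves as an encrypted UDP datagram, which is why the router's tcpdump never sees it.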
 