
Wireguard on Bullseye


Charles Curley

Dec 6, 2021, 3:00:05 PM
I would like to set up a Wireguard VPN. I have followed the
instructions at
https://wiki.debian.org/SimplePrivateTunnelVPNWithWireGuard down to the
ping just above the heading "Routing configuration". The ping command
as given doesn't work:

root@iorich:/etc/wireguard# ping 10.0.2.1/24
ping: 10.0.2.1/24: Name or service not known
root@iorich:/etc/wireguard#

However, stripping out the /24 at the end helps.

I have both firewalls cleared, i.e.:

root@hawk:/etc/wireguard# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@hawk:/etc/wireguard#


On the server, ping fails:

root@hawk:/etc/wireguard# ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
From 10.0.2.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.2.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.2.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.2.1 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.0.2.1 icmp_seq=5 Destination Host Unreachable
ping: sendmsg: Destination address required

--- 10.0.2.2 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time
4076ms

root@hawk:/etc/wireguard#

And on the client,

root@iorich:/etc/wireguard# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
From 10.0.2.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.2.2 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.2.2 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.2.2 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.2.2 icmp_seq=5 Destination Host Unreachable
ping: sendmsg: Required key not available

--- 10.0.2.1 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time
4083ms

root@iorich:/etc/wireguard#

I did check the keys; they appear to be correct.

root@hawk:/etc/wireguard# wg show wg0
interface: wg0
public key: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
private key: (hidden)
listening port: 55820

peer: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
allowed ips: 10.0.2.2/32
root@hawk:/etc/wireguard#

root@iorich:/etc/wireguard# wg show wg0
interface: wg0
public key: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
private key: (hidden)
listening port: 44458

peer: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
endpoint: 72.36.20.38:55820
allowed ips: (none)
root@iorich:/etc/wireguard#

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Charles Curley

Dec 6, 2021, 4:49:21 PM
On Mon, 6 Dec 2021 14:59:45 -0500
Dan Ritter <d...@randomstring.org> wrote:

> So iorich here is allowed to construct a tunnel to hawk, but no IPs
> from hawk are allowed...
>
> Add 10.0.2.1 to iorich's understanding of hawk's allowed ips.

Thanks. That helped, I think.

I added

AllowedIPs = 0.0.0.0/0

to iorich's (the client) configuration in the peer section. Now:

root@iorich:/etc/wireguard# wg
interface: wg0
public key: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
private key: (hidden)
listening port: 41490
fwmark: 0xca6c

peer: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
endpoint: 72.36.20.38:55820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 23 seconds ago
transfer: 1.87 KiB received, 11.31 KiB sent
root@iorich:/etc/wireguard# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.

--- 10.0.2.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4089ms

root@iorich:/etc/wireguard# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.31 0.0.0.0 UG 600 0 0 wls3
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wls3
192.168.100.0 0.0.0.0 255.255.255.0 U 600 0 0 wls3
192.168.122.0 192.168.100.6 255.255.255.0 UG 600 0 0 wls3
192.168.124.0 192.168.100.16 255.255.255.0 UG 600 0 0 wls3
root@iorich:/etc/wireguard# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.0.2.2 netmask 255.255.255.0 destination 10.0.2.2
inet6 fc00:23:5::2 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 59 bytes 3628 (3.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 229 bytes 24840 (24.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@iorich:/etc/wireguard#

And on the server:

root@hawk:/etc/wireguard# wg
interface: wg0
public key: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
private key: (hidden)
listening port: 55820

peer: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
endpoint: 192.168.10.1:41490
allowed ips: 10.0.2.0/24
latest handshake: 1 minute, 43 seconds ago
transfer: 9.81 KiB received, 2.02 KiB sent
root@hawk:/etc/wireguard# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.31 0.0.0.0 UG 0 0 0 enp3s0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 enp3s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
192.168.124.0 192.168.100.16 255.255.255.0 UG 0 0 0 enp3s0
root@hawk:/etc/wireguard# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 253 bytes 26204 (25.5 KiB)
RX errors 10 dropped 0 overruns 0 frame 10
TX packets 71 bytes 4132 (4.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@hawk:/etc/wireguard#

Ping isn't getting through, but at least it isn't complaining. Wg shows
data moving through the tunnel. I suspect a firewall/NATting issue, so I
will start tracking that down.

Hawk's endpoint is the inner IF of my firewall, and iorich's endpoint
is the external IF of the firewall, so that makes sense.

Dan Ritter

Dec 6, 2021, 7:20:06 PM
Charles Curley wrote:
> I would like to set up a Wireguard VPN. I have followed the
> instructions at
> https://wiki.debian.org/SimplePrivateTunnelVPNWithWireGuard down to the
> ping just above the heading "Routing configuration". The ping command
> as given doesn't work:
>
> root@iorich:/etc/wireguard# ping 10.0.2.1/24
> ping: 10.0.2.1/24: Name or service not known
> root@iorich:/etc/wireguard#
>
> However, stripping out the /24 at the end helps.

That's fine.

> On the server, ping fails:
>
> root@hawk:/etc/wireguard# ping 10.0.2.2
> PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
> From 10.0.2.1 icmp_seq=1 Destination Host Unreachable
> ping: sendmsg: Destination address required
> --- 10.0.2.2 ping statistics ---
> 5 packets transmitted, 0 received, +5 errors, 100% packet loss, time
> 4076ms
>
> I did check the keys; they appear to be correct.
>
> root@hawk:/etc/wireguard# wg show wg0
> interface: wg0
> public key: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
> private key: (hidden)
> listening port: 55820
>
> peer: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
> allowed ips: 10.0.2.2/32


> root@iorich:/etc/wireguard# wg show wg0
> interface: wg0
> public key: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
> private key: (hidden)
> listening port: 44458
>
> peer: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
> endpoint: 72.36.20.38:55820
> allowed ips: (none)

So iorich here is allowed to construct a tunnel to hawk, but no IPs from hawk
are allowed...

Add 10.0.2.1 to iorich's understanding of hawk's allowed ips.

Watch the status of the interface with

# wg

You should get per-peer notes about

latest handshake: 42 seconds ago
transfer: 369.99 MiB received, 427.05 MiB sent

(less to begin with, of course.)

If you add dzur and issola, they can either all talk to hawk or
you can tell all of them about all the others, mesh-style.

-dsr-
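The rule Dan is describing is WireGuard's cryptokey routing: a peer's AllowedIPs is at once the outbound routing table (which peer a packet for a given destination is encrypted to) and the inbound source-address ACL (which source addresses a decrypted packet from that peer may carry). The following is an added example written for this thread, not code from the Debian wiki, the WireGuard project or either poster: a small Python model of that rule, driven by the `wg show` listings quoted above (reconstructed inline as constructed samples; the function names and the 180-second handshake staleness threshold are my own choices). It reproduces both symptoms from the first post, iorich's "Required key not available" (no AllowedIPs entry matched 10.0.2.1) and hawk's "Destination address required" (a matching peer, but no endpoint learned yet because iorich had never completed a handshake), and contrasts the 0.0.0.0/0 that was later added on iorich with the 10.0.2.1/32 Dan suggests.

```python
"""Cryptokey routing, modelled from `wg show` output.

AllowedIPs does two jobs in WireGuard: outbound it is the routing table that
picks the peer for a destination; inbound it is the ACL that decides whether a
decrypted packet's source address may come from that peer. The samples below
are constructed from the thread's own `wg show` listings.
"""
import ipaddress
import re

# Constructed from the first post: hawk has no endpoint for iorich yet, and
# iorich allows no addresses at all from hawk.
HAWK_BEFORE = """\
interface: wg0
  public key: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
  listening port: 55820

peer: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
  allowed ips: 10.0.2.2/32
"""
IORICH_BEFORE = """\
interface: wg0
  public key: 28TsK9q71ruQ18acpp89MXGjsLVsEQcsKW3Y38VrfEo=
  listening port: 44458

peer: HBkAW05W2zxbTGEE4FstJLxnBpfDpec3KGhSfs6BLCU=
  endpoint: 72.36.20.38:55820
  allowed ips: (none)
"""
# Constructed from the follow-up post (0.0.0.0/0 on iorich, 10.0.2.0/24 on
# hawk) and from Dan's narrower suggestion of 10.0.2.1/32.
IORICH_AFTER = IORICH_BEFORE.replace("(none)", "0.0.0.0/0") + \
    "  latest handshake: 1 minute, 23 seconds ago\n"
HAWK_AFTER = HAWK_BEFORE.replace(
    "  allowed ips: 10.0.2.2/32",
    "  endpoint: 192.168.10.1:41490\n  allowed ips: 10.0.2.0/24")
IORICH_LEAST = IORICH_BEFORE.replace("(none)", "10.0.2.1/32")

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def age_seconds(value):
    """'1 minute, 23 seconds ago' -> 83 (wg's human-readable handshake age)."""
    return sum(int(n) * UNITS[u] for n, u in
               re.findall(r"(\d+)\s+(second|minute|hour|day)", value))


def parse_wg_show(text):
    """Parse `wg show <if>` into {'public_key': ..., 'peers': [peer, ...]}."""
    iface = {"public_key": None, "peers": []}
    cur = None  # the block (interface or peer) whose fields we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            cur = iface
        elif line.startswith("peer:"):
            cur = {"public_key": line.split(":", 1)[1].strip(), "endpoint": None,
                   "allowed_ips": [], "handshake_age": None}
            iface["peers"].append(cur)
        elif cur is not None and ":" in line:
            key, _, value = (s.strip() for s in line.partition(":"))
            if key == "public key":
                cur["public_key"] = value
            elif key == "endpoint":  # "host:port": only the first colon splits
                cur["endpoint"] = value
            elif key == "allowed ips" and value != "(none)":
                cur["allowed_ips"] = [ipaddress.ip_network(n.strip(), strict=False)
                                      for n in value.split(",")]
            elif key == "latest handshake":
                cur["handshake_age"] = age_seconds(value)
    return iface


def lookup_peer(iface, ip):
    """Longest-prefix match of ip over every peer's AllowedIPs (the kernel's allowedips trie)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for peer in iface["peers"]:
        for net in peer["allowed_ips"]:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def explain_send(iface, dst_ip):
    """What happens to a packet the host routes into wg0 for dst_ip."""
    peer = lookup_peer(iface, dst_ip)
    if peer is None:
        # No peer's AllowedIPs covers the destination; the kernel rejects the
        # packet and ping reports this, as on iorich in the first post.
        return "Required key not available"
    if peer["endpoint"] is None:
        # A peer matched, but its endpoint is unknown until that peer
        # handshakes first; this is hawk's symptom in the first post.
        return "Destination address required"
    return "sent to " + peer["public_key"]


def inbound_accepted(iface, peer_key, src_ip):
    """A decrypted packet from peer_key is delivered only if src_ip routes back to that peer."""
    peer = lookup_peer(iface, src_ip)
    return peer is not None and peer["public_key"] == peer_key


def handshake_stale(peer, limit=180):
    """True if the peer never handshook or its last handshake is older than limit seconds."""
    return peer["handshake_age"] is None or peer["handshake_age"] > limit


if __name__ == "__main__":
    for name, text, dst in [("iorich before", IORICH_BEFORE, "10.0.2.1"),
                            ("hawk before", HAWK_BEFORE, "10.0.2.2"),
                            ("iorich 0.0.0.0/0", IORICH_AFTER, "8.8.8.8"),
                            ("iorich 10.0.2.1/32", IORICH_LEAST, "8.8.8.8")]:
        print(f"{name}: ping {dst} -> {explain_send(parse_wg_show(text), dst)}")
```

Two things the model makes visible that the listings alone do not. First, 0.0.0.0/0 on iorich does more than admit 10.0.2.1: it routes every destination, 8.8.8.8 included, into the tunnel and accepts any source address from hawk, whereas 10.0.2.1/32 admits exactly the address Dan names and nothing else. Second, hawk's later 10.0.2.0/24 entry means iorich may send packets sourced from any address in that subnet, so if dzur and issola are added as further peers, one /32 per client is the least-privilege form; `handshake_stale` is a simple check to run over `wg show` output, since a peer that is passing traffic re-handshakes roughly every two minutes.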

john doe

Dec 7, 2021, 2:21:16 AM
Looking at the logs should help you understand if it is a FW issue.

If you can not disable your firewall, allowing ping is a good idea!!! :)

CIDR notation is generally used when defining a subnet or an IP range,
but rarely when you need to access a specific IP.

--
John Doe

Charles Curley

Dec 7, 2021, 10:40:06 AM
On Tue, 7 Dec 2021 08:11:10 +0100
john doe <johndo...@mail.com> wrote:

> Looking at the logs should help you understand if it is a FW issue.

Yup. Already done that.


>
> If you can not disable your firewall, allowing ping is a good idea!!!
> :)

I prefer not to disable a firewall, even on my own network (except when
trying to debug something).

>
> CIDR notation is generally used when defining a subnet or an IP range,
> but rarely when you need to access a specific IP.

I was wondering about that when I copied the command from the Debian
wiki page. It didn't make sense in this instance, and didn't work.