housepanther,

#wireguard is pissing me off. The peers can ping and communicate with the server but not each other. I've got no idea why. #linux

kkarhan,

@housepanther I guess you didn't allow those IP addresses to communicate with each other?

#WireGuard - like any #VPN - is a separate network interface with separate routing rules - at least in #pfSense & #OPNsense...

housepanther,

@kkarhan I did allow them to communicate with each other. I am using wg-quick, not pfSense or OPNsense. I could share my configs with you.

kkarhan,

@housepanther Well, I don't use #Linux aside from #Clients and #Servers for the woes of DIY'ing a WiFi...

housepanther,

@kkarhan I allowed the entire subnet that the VPN is sitting on, 100.64.0.0/24.

kkarhan,

@housepanther THAT'S WHY!

100.64.0.0/10 is #CGNAT address space as per #RFC6598, which SHALL NEVER allow intra-Client communication but only Gateway <-> Client.

https://en.wikipedia.org/wiki/Carrier-grade_NAT

housepanther,

@kkarhan LOL! I feel stoopid now.

kkarhan,

@housepanther nah.

That happens to more experienced people...

Like having hit 0 too often and then typing 100.64 instead of 10.64 ...

Personally I've done stupider mistakes myself in the past...

housepanther,

@kkarhan Oh okay! LOL! I did not know that. Time to change the IP address scheme. Thank you!!!!!!!!!!!!!!!

kkarhan,

@housepanther np. You're welcome...

OFC #WireGuard may have done so since there are some #ISPs that do #CGNAT + #Tunneling i.e. [#L2TP on #DSL is common in #Russia to prevent people from 'blueboxing' by splicing the phone line]...

And in some Corporate setups it may even be desirable to have all the remote workers not able to #P2P, so as to mitigate #malware propagation...

housepanther,

@kkarhan I am changing it to a 10.0.0.0/24 address space.

kkarhan,

@housepanther makes sense depending on your size and how generous you want your other subnets to be...

That should work mostly...

housepanther,

@kkarhan No, still doesn't work. Damnit! I don't know what's going on. You're probably correct and I am missing something else.

jon404,

@housepanther @kkarhan

Not sure about wg-quick, but in all of the wireguard setups I've used you have to have the vpn-external IPs in the AllowedIPs list (i.e. if I have two boxes using 172.31.0.1 and 172.31.0.2 to vpn to each other, and they route traffic for 10.0.0.0/24 on one side and 10.1.0.0/24 on the other, then AllowedIPs has to contain all three ranges, IIRC (this assumes you aren't NAT'ing or anything like that)).

Also, if 10.0.0.0/24 and 10.1.0.0/24 want to reach each other, they need to have a route to the 172.31.0.X boxes so they know where to send traffic destined for the other side.
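As an added example (not something posted in this thread), here is the AllowedIPs point above expressed in wg-quick terms for the hub-and-spoke case the thread is about: a spoke whose AllowedIPs for the hub peer covers only the hub's /32 can reach the hub but never sends packets for other spokes into the tunnel, while AllowedIPs covering the whole tunnel subnet does. The configs (placeholder keys, hypothetical endpoint) and the small Python checker are constructed for this example and are not the poster's actual setup.

```python
import ipaddress
# Constructed sample configs (placeholder keys); tunnel subnet is 10.0.0.0/24.
SERVER_CONF = """
[Interface]
Address = 10.0.0.1/24
PrivateKey = <server-private-key>
[Peer]
PublicKey = <clientA-public-key>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <clientB-public-key>
AllowedIPs = 10.0.0.3/32
"""
# Broken spoke: only the hub's /32 is allowed; spoke<->hub works, spoke<->spoke does not.
CLIENT_BROKEN = """
[Interface]
Address = 10.0.0.2/24
PrivateKey = <clientA-private-key>
[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.0.0.1/32
"""
# Fixed spoke: the whole tunnel subnet is routed to the hub peer.
CLIENT_FIXED = CLIENT_BROKEN.replace("10.0.0.1/32", "10.0.0.0/24")

def parse_wg(text):
    """Minimal wg-quick parser: returns (interface_dict, [peer_dict, ...])."""
    iface, peers, cur = {}, [], {}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            cur = iface if line == "[Interface]" else {}
            if cur is not iface:
                peers.append(cur)
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def allowed_nets(peer):
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("AllowedIPs", "").split(",") if p.strip()]

def unreachable_via_hub(client_conf, server_conf):
    """Other spokes' AllowedIPs that this client never routes into the tunnel."""
    iface, hub_peers = parse_wg(client_conf)
    me = ipaddress.ip_interface(iface["Address"]).ip
    allowed = [n for p in hub_peers for n in allowed_nets(p)]
    return [str(n) for s in parse_wg(server_conf)[1] for n in allowed_nets(s)
            if me not in n and not any(n.subnet_of(a) for a in allowed)]
```

The hub additionally has to forward between spokes (sysctl net.ipv4.ip_forward=1 on a Linux hub) and, as the sample server config does, list each spoke's tunnel address in its own [Peer] AllowedIPs.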

kkarhan,

@jon404 @housepanther

That comes to it as well...

#pfSense & #OPNsense do make these default routes most of the time but if you manually setup some #Routing on a #Linux box to do that, you may need to adjust all these parts on your own.

jon404,

@kkarhan @housepanther

Yeah, I just set up ospf and forget about routes.

But...I see how that might be overkill heh.
