On Mon, Feb 24, 2025 at 09:40:41AM -0500, James Valleroy via Freedombox-discuss wrote:
> Hi Augustine,
>
> On 2/23/25 9:02 PM, A. F. Cano via Freedombox-discuss wrote:
> > I have a hard time believing that I'm the only one who has trouble with
> > wireguard, or that I'm the only one who has tried to use it on a
> > FreedomBox. Someone please tell me what I'm doing wrong. How does the
> > FreedomBox differ from a standard wireguard implementation? How do I
> > tell it to add 192.168.200.28 to the list of allowedIPs? In the server
> > configuration page, "Allowed IPs" is read-only and only contains
> > 10.84.0.2.
>
> I am still trying to get Wireguard working myself, so I don't have a full
> answer for you.
>
> But what you are trying to do seems strange. Why do you need to use this
> 192.168.x.y address?

My internal networks (on the 2 internal interfaces of an apu1d4) are
192.168.200.x/24 and 192.168.224.x/24. I assume that to be able to do
via the vpn everything I do locally, the vpn has to be transparent and
all the addresses have to be reachable, in both directions, so anything
other than 192.168.200.x is not going to be reachable.

To concentrate on the simple case I'm dealing with: a remote laptop with
IP (specified in its /etc/wireguard/wg0.conf) of 192.168.200.28, once I
have set that address specifically in the laptop's AllowedIPs (as
explained earlier in this thread), doing a traceroute 192.168.200.9, the
laptop actually sends packets via wg0 and they are received at the
FreedomBox, but that's where I get the error described earlier.

It seems to me that wireguard should know the IP ranges of the internal
interfaces and should route the packets appropriately, or is this not
necessary? At the very least it should accept packets specifically set
in the FreedomBox AllowedIPs, but this is apparently not possible. Am I
misunderstanding how wireguard interacts with the IP stack of the
FreedomBox and its routing to the internal interfaces?

> Usually Wireguard has its own private IP range that starts with 10.x.y.z. Every
> client should choose an IP address in this range. Note that this is completely
> independent of any other IP address that the client may have on other network
> interfaces (for example, assigned by DHCP).

Yes, I went through that already. At first, as soon as I started
wireguard on the laptop, nothing else would go out the other interface.
With the current configuration file (see earlier in this thread) the
routing on the laptop works correctly and only sends traffic destined to
192.168.200.x via the wg0 interface. I see that the wg0 interface on the
FreedomBox has IP 10.84.0.1/24 and the one on the laptop is 10.84.0.2.

Presumably if my internal interfaces were all 10.84.0.x, everything
would work without needing extra configuration, but it happens that I
have 2 networks with 192.168.200.x and 192.168.224.x and I'd rather not
have to change the configuration of all the machines to satisfy
wireguard. Also, presumably, if all I wanted to do was to talk to the
FreedomBox itself, none of this would be applicable. But then again, ssh
to the FreedomBox from outside handles this case just fine. Maybe the
complication comes from using the FreedomBox as a firewall/gateway. Or
am I completely off base?

> Regards,
> James

Thanks for taking the time to reply. Hopefully we can figure this out.

Augustine
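
A small model of WireGuard's AllowedIPs handling ("cryptokey routing"), run over the addresses mentioned in this thread. This is an added example, not part of the original message and not FreedomBox or WireGuard code; the peer name "laptop" and the function names are made up, and the server-side AllowedIPs value is the read-only 10.84.0.2 quoted above.

```python
import ipaddress

# Server-side (FreedomBox) peer table. 10.84.0.2 is the read-only
# "Allowed IPs" value quoted in the thread; the peer name is hypothetical.
SERVER_PEERS = {"laptop": ["10.84.0.2/32"]}

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def accept_inbound(peers, from_peer, src_ip):
    """Receive path: after decryption, the inner source address must fall
    inside the AllowedIPs of the peer whose key decrypted the packet."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in _nets(peers.get(from_peer, [])))

def select_outbound(peers, dst_ip):
    """Send path: AllowedIPs acts as a routing table; the most specific
    matching prefix picks the peer. None means no peer owns the address."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for name, cidrs in peers.items():
        for net in _nets(cidrs):
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def trace(peers, from_peer, src_ip, dst_ip):
    """One request/reply round trip as seen by the server's wg interface.
    LAN forwarding and firewall rules are outside this model."""
    if not accept_inbound(peers, from_peer, src_ip):
        return "dropped on receive: source not in peer's AllowedIPs"
    if select_outbound(peers, src_ip) != from_peer:
        return "accepted, but reply has no route back through the tunnel"
    return "accepted for %s; reply routed back to %s" % (dst_ip, from_peer)

if __name__ == "__main__":
    # Constructed packets using the addresses mentioned in the thread.
    for src in ("192.168.200.28", "10.84.0.2"):
        print(src, "->", trace(SERVER_PEERS, "laptop", src, "192.168.200.9"))
```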
