On Fri, Aug 27, 2021 at 07:36:21PM -0000, Stuart Henderson wrote:
> On 2021-08-27, Erling Westenvik <erling.westen...@gmail.com> wrote:
> > On Fri, Aug 27, 2021 at 02:20:29PM +0100, Zé Loff wrote:
> >>
> >> On Fri, Aug 27, 2021 at 03:03:36PM +0200, Erling Westenvik wrote:
> >> > Hello all,
> >> > I have successfully set up a wg(4) based VPN tunnel from my laptop
> >> > (current) to my home/office gateway (6.9) but have problems
> >> > understanding how to access the LAN behind the gateway.
> >> >
> >> > [Laptop]
> >> > - wg0 (10.0.0.42)
> >> > - egress (trunk0 {em0 iwn0} dhcp)
> >> > [Internet]
> >> > [Gateway]
> >> > - egress (em0 dhcp)
> >> > - wg0 (10.0.0.1)
> >> > - bridge0 {em1, (vether0 192.168.3.1 dhcpd)}
> >> > [LAN]
> >> > - various 192.168.3.0/24
> >> >
> >> > I can ping/ssh between wg(4) endpoints (10.0.0.1 to 10.0.0.42 and vice
> >> > versa) and also from LAN clients (192.168.3.0/24) to gateway wg(4)
> >> > endpoint (10.0.0.1), but the laptop (10.0.0.42) can only reach the
> >> > gateway (10.0.0.1).
> >> >
> >> > Is it as easy as defining some routes? If so, where? There's a ton of
> >> > more or less relevant and/or updated howtos out there but I have not
> >> > found anyone dealing with a similar scenario. Any hints are appreciated.
> >>
> >> I added something like
> >>
> >> !route add 192.168.3.0/24 10.0.0.1
> >>
> >> to /etc/hostname.wg0.
> >
> > Thanks. I did too, I just forgot to mention it.
> > It doesn't work in my case though.
> > At least your answer tells me that what I try to achieve, to access the
> > LAN behind a wg(4) endpoint, is possible, right?
> >
> >> Of course this _might_ be messy if by any chance your laptop's local
> >> network is also 192.168.3.0/24 or a subset of this range.
> >
> > When connected to the LAN it of course is, but there should not be any
> > traces of that range after a reboot or two.
> >
> > Guess I'm up for debugging, testing of pf rules, and tcpdumping..
> > Any ideas where to begin is appreciated.
> >
> > Erling
> >
> >
> >> >
> >> > (My wg(4) setup is based on:
> >> > https://www.tumfatig.net/20201202/a-mesh-vpn-using-openbsd-and-wireguard/)
> >> >
> >> > Best regards,
> >> >
> >> > Erling
> >> >
> >>
> >> --
> >
> >
>
> Make sure you have set wgaip to allow traffic from the machines on the
> subnet on the other side of the tunnel.

That was it. Thank you so much.

Not directly intuitive to me that "access" to a remote subnet must be
specified on the connecting client, but I think I understand the
mechanisms a little better now.

I can now access my home/office LAN which was my primary goal but I just
found out that traffic to everything else leaves egress untunneled.
However - trying something like:

route change default 10.0.0.1

leaves the laptop dead in the water. Again a routing problem of some
kind I guess. Any hints on where to start digging?

Erling

> If that's not it, please show some config, ifconfig wg0 output
> from both sides (run as root so it includes more info; make sure
> any masking is done consistently i.e. search-and-replace),
> netstat -rn output.
>
> When you get connectivity working you may find you get TCP stalls
> when connecting to/from machines on the subnet behind the gateway
> (initial connect is ok but stalling after larger data transfer) -
> if so then you might need some "match ... scrub (max-mss 1380)"
> or maybe a bit smaller depending on your internet connection.
>
>
> --
> Please keep replies on the mailing list.
>
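Stuart's fix, put in cryptokey-routing terms: on wg(4) a peer's wgaip list is both the routing key (which peer a packet for a given destination gets encrypted to) and the ingress filter (which source addresses are accepted from that peer). A kernel route into wg0 with no matching wgaip therefore leaves the packet with no peer to go to and it is dropped, which is exactly why the `!route add` line alone did nothing and why, once wgaip covered 192.168.3.0/24, everything else still left egress untunneled. The same rule explains the second problem: after `route change default 10.0.0.1`, the encrypted UDP packets addressed to the gateway's public endpoint are themselves routed into wg0, so a full tunnel needs wgaip 0.0.0.0/0 on the peer plus a more specific host route for the endpoint via the physical (DHCP-learned) gateway. The POSIX sh script below is an added example, not code from this thread or from OpenBSD; it statically checks a hostname.wg0 for both mistakes. The three configs it runs against are constructed (placeholder keys, documentation addresses) and mirror the laptop side of the thread.

```shell
#!/bin/sh
# Static check for an OpenBSD hostname.wg0 (added example, not from the thread):
#  1. every "!route add|change DEST GW" must be covered by a wgaip on some peer,
#     otherwise wg(4) has no peer for the packet and drops it;
#  2. a wgaip that covers a peer's own wgendpoint address swallows the encrypted
#     UDP packets unless a /32 host route for the endpoint exists as well.

# ip_to_int 192.168.3.1 -> 3232236289
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask 24 -> 4294967040
prefix_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# "default" -> 0.0.0.0/0, bare host -> host/32, CIDR unchanged
normalize_cidr() {
    case $1 in
        default) echo 0.0.0.0/0 ;;
        */*)     echo "$1" ;;
        *)       echo "$1/32" ;;
    esac
}

# cidr_contains OUTER INNER: succeeds when INNER lies entirely inside OUTER
cidr_contains() {
    outer_net=$(ip_to_int "${1%/*}"); outer_len=${1#*/}
    inner_net=$(ip_to_int "${2%/*}"); inner_len=${2#*/}
    [ "$inner_len" -ge "$outer_len" ] || return 1
    mask=$(prefix_mask "$outer_len")
    [ $(( outer_net & mask )) -eq $(( inner_net & mask )) ]
}

# check_wg_config FILE: prints each problem; returns 0 when clean, 1 otherwise
check_wg_config() {
    cfg=$1; rc=0
    aips=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "wgaip") print $(i+1) }' "$cfg")
    endpoints=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "wgendpoint") print $(i+1) }' "$cfg")
    dests=$(awk '$1 == "!route" && ($2 == "add" || $2 == "change") { print $3 }' "$cfg")
    for d in $dests; do
        d=$(normalize_cidr "$d"); covered=0
        for a in $aips; do
            cidr_contains "$a" "$d" && { covered=1; break; }
        done
        [ "$covered" -eq 1 ] || { echo "route to $d has no matching wgaip"; rc=1; }
    done
    for e in $endpoints; do
        case $e in *[!0-9.]*) continue ;; esac     # skip DNS names, only check literal IPv4
        for a in $aips; do
            cidr_contains "$a" "$e/32" || continue
            # an explicit /32 route for the endpoint is more specific and defuses the loop
            printf '%s\n' $dests | grep -qxF "$e/32" && continue
            echo "wgendpoint $e is inside wgaip $a but has no host route of its own"
            rc=1
        done
    done
    return $rc
}

# Constructed laptop-side configs (placeholder keys, RFC 5737 endpoint address):
# BROKEN routes the LAN into the tunnel with no wgaip for it (the thread's bug),
# FIXED adds the wgaip, FULL tunnels the default route without protecting the endpoint.
BROKEN_CFG=$(mktemp); FIXED_CFG=$(mktemp); FULL_CFG=$(mktemp)
trap 'rm -f "$BROKEN_CFG" "$FIXED_CFG" "$FULL_CFG"' EXIT
cat > "$BROKEN_CFG" <<'EOF'
wgkey PLACEHOLDER_LAPTOP_PRIVATE_KEY
inet 10.0.0.42/24
wgpeer PLACEHOLDER_GATEWAY_PUBLIC_KEY wgendpoint 203.0.113.10 51820 wgaip 10.0.0.1/32
!route add 192.168.3.0/24 10.0.0.1
EOF
cat > "$FIXED_CFG" <<'EOF'
wgkey PLACEHOLDER_LAPTOP_PRIVATE_KEY
inet 10.0.0.42/24
wgpeer PLACEHOLDER_GATEWAY_PUBLIC_KEY wgendpoint 203.0.113.10 51820 wgaip 10.0.0.1/32 wgaip 192.168.3.0/24
!route add 192.168.3.0/24 10.0.0.1
EOF
cat > "$FULL_CFG" <<'EOF'
wgkey PLACEHOLDER_LAPTOP_PRIVATE_KEY
inet 10.0.0.42/24
wgpeer PLACEHOLDER_GATEWAY_PUBLIC_KEY wgendpoint 203.0.113.10 51820 wgaip 0.0.0.0/0
!route change default 10.0.0.1
EOF

for f in "$BROKEN_CFG" "$FIXED_CFG" "$FULL_CFG"; do
    if check_wg_config "$f"; then echo "$f: clean"; fi
done
```

Run it with `sh` on any system with awk and grep; only the FIXED config comes back clean. The FULL config is reported, not repaired, because the host route it needs points at the physical default gateway, which on a DHCP laptop is only known at lease time and so cannot be hard-coded into hostname.wg0.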