On 6/2/20 9:24 PM, Tom Eastep wrote:
> I know nothing about Wireguard, but this article seems relevant (note
> the 'Required key not available'):
>
> https://bbs.archlinux.org/viewtopic.php?id=232754

good hint!

adding

@local, /etc/wireguard/wg0

	+ AllowedIPs = 2000::/3

*AND*

@remote, /etc/wireguard/wg0

	+ PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	+ PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

does the trick -- without the 'active participation' of SW on either end; the 'ip6tables' _could_ be added to SW config ...

ping6 from @local -> 'net, now works,

	ping6 -c1 google.com
	PING google.com(sfo03s18-in-x0e.1e100.net (2607:f8b0:4005:80b::200e)) 56 data bytes
	64 bytes from sfo03s18-in-x0e.1e100.net (2607:f8b0:4005:80b::200e): icmp_seq=1 ttl=57 time=27.8 ms

	--- google.com ping statistics ---
	1 packets transmitted, 1 received, 0% packet loss, time 0ms
	rtt min/avg/max/mdev = 27.774/27.774/27.774/0.000 ms

what does _not_ work yet is the same from any IPv6 boxes on the LAN _behind_ @local

LAN -> @local is ok,

	ping6 -c1 fd80:16:8::100
	PING fd80:16:8::100(fd80:16:8::100) 56 data bytes
	64 bytes from fd80:16:8::100: icmp_seq=1 ttl=64 time=0.551 ms

	--- fd80:16:8::100 ping statistics ---
	1 packets transmitted, 1 received, 0% packet loss, time 0ms
	rtt min/avg/max/mdev = 0.551/0.551/0.551/0.000 ms

but not even so far as LAN -> @remote

	ping6 -c1 fd80:16:7::100
	PING fd80:16:7::100(fd80:16:7::100) 56 data bytes
	From fd80:16:8::73 icmp_seq=1 Destination unreachable: Address unreachable

	--- fd80:16:7::100 ping statistics ---
	1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

need to start @ my previous OpenVPN configs to see if that is wg-config as well, or best within SW.
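
Added example, not part of the original message or of Shorewall/WireGuard code: WireGuard picks the outgoing peer by longest-prefix match of the destination against each peer's AllowedIPs, and a send with no matching peer fails with ENOKEY ('Required key not available'). The sketch below runs that lookup over a constructed config in which only the `AllowedIPs = 2000::/3` line comes from the post (the poster's full config is not shown); the peer comment and key placeholder are assumptions.

```python
import ipaddress

# Constructed wg-quick style fragment. Only "AllowedIPs = 2000::/3" is taken
# from the post; the comment label and the key placeholder are assumptions.
WG_CONF = """
[Interface]
PrivateKey = <placeholder>

[Peer]
# remote end (hypothetical label)
PublicKey = <placeholder>
AllowedIPs = 2000::/3
"""

def parse_peers(conf):
    """Return one list of ip_network objects per [Peer] section, in file order."""
    peers, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append([])
        elif section == "peer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "allowedips":
                peers[-1] += [ipaddress.ip_network(v.strip(), strict=False)
                              for v in value.split(",") if v.strip()]
    return peers

def select_peer(peers, dst):
    """Longest-prefix match of dst over all peers' AllowedIPs.

    Returns the index of the selected peer, or None when no peer matches
    (the case in which WireGuard refuses the packet with ENOKEY)."""
    addr = ipaddress.ip_address(dst)
    best = None  # (peer index, prefix length)
    for idx, nets in enumerate(peers):
        for net in nets:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[1]:
                    best = (idx, net.prefixlen)
    return None if best is None else best[0]

if __name__ == "__main__":
    peers = parse_peers(WG_CONF)
    # Destinations taken from the ping6 output in the post.
    for dst in ("2607:f8b0:4005:80b::200e", "fd80:16:7::100"):
        print(dst, "-> peer", select_peer(peers, dst))
```

2000::/3 is the global unicast range, so it covers the google.com address but not the fd80:... unique-local addresses; those are only carried by the tunnel if some peer lists a prefix that contains them.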