
Problem: Peer2 (10.100.1.2) can reach Peer1 (10.100.1.1) over the WireGuard tunnel (ping works, traceroute hop 1 answers), but cannot reach anything beyond Peer1 when using it as its default router — every hop after the first times out.

Peer1

vk@virtual-machine /g/r/c/w/server> ifconfig ens33
ens33     Link encap:Ethernet  HWaddr 00:0c:29:c8:6c:d5  
          inet addr:10.0.1.77  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::5b06:24b6:c9e4:954e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:353325 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90566 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:362045065 (362.0 MB)  TX bytes:12505421 (12.5 MB)


vk@virtual-machine /g/r/c/w/server> ifconfig wg0 
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.100.1.1  P-t-P:10.100.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:622 errors:0 dropped:41 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:60008 (60.0 KB)  TX bytes:3880 (3.8 KB)


vk@virtual-machine /g/r/c/w/server> sudo iptables --list-rules --table nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-d5b2243c521b -j MASQUERADE
-A POSTROUTING -o ens33 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-d5b2243c521b -j RETURN


vk@virtual-machine /g/r/c/w/server> more /proc/sys/net/ipv4/ip_forward
1


vk@virtual-machine /g/r/c/w/server> ip route show
default via 10.0.1.1 dev ens33  proto static  metric 100 
10.0.1.0/24 dev ens33  proto kernel  scope link  src 10.0.1.77  metric 100 
10.100.1.0/24 dev wg0  proto kernel  scope link  src 10.100.1.1 
169.254.0.0/16 dev ens33  scope link  metric 1000 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-d5b2243c521b  proto kernel  scope link  src 172.18.0.1 linkdown 


vk@virtual-machine /g/r/c/w/server> more etc-wireguard-wg0.conf 
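[Interface]
Address = 10.100.1.1/24
ListenPort = 51820
# Forwarding for tunnel clients. Docker is present on this host (see the nat
# table and the docker0/br-* routes above) and typically sets the filter-table
# FORWARD policy to DROP (not captured in this transcript — confirm with
# `iptables -S FORWARD`). The original PostUp only accepted packets entering
# from wg0; with a DROP policy the replies coming back from ens33 towards wg0
# have no matching rule and are discarded, which fits the traceroute stalling
# after hop 1 (hop 1 is answered by Peer1 itself, nothing is forwarded).
# The -o wg0 rule admits only reply traffic (conntrack RELATED,ESTABLISHED),
# so clients are still not reachable from the LAN side unsolicited.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o ens33 -j MASQUERADE
# SECURITY: this private key has been published in a public gist and must be
# treated as compromised. Generate a new pair on this host
# (`wg genkey | tee privatekey | wg pubkey > publickey`), put the new private
# key here and the new public key into Peer2's [Peer] section.
PrivateKey = CPQLRq40QGY3+8yn2LlYb1x3zU/3/Ki+A4QjVYgbakY=
# With SaveConfig = true, wg-quick rewrites this file on `wg-quick down`;
# hand edits and comments may be lost — edit only while the interface is down.
SaveConfig = true

[Peer]
PublicKey = uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
# Cryptokey routing: only Peer2's tunnel address is accepted from / sent to
# this peer.
AllowedIPs = 10.100.1.2/32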
vk@virtual-machine /g/r/c/w/server> 


vk@virtual-machine /g/r/c/w/server> sudo wg show
interface: wg0
  public key: KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
  private key: (hidden)
  listening port: 51820

peer: uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
  endpoint: 10.0.1.71:51820
  allowed ips: 10.100.1.2/32
  latest handshake: 19 seconds ago
  transfer: 22.16 KiB received, 2.66 KiB sent

Peer2

root@virtual-machine:/gt/runenv/config/wireguard/client# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.71  netmask 255.255.255.0  broadcast 10.0.1.255
        inet6 fe80::c4d7:35d6:306b:fc91  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:bb:18  txqueuelen 1000  (Ethernet)
        RX packets 6159  bytes 2137262 (2.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4008  bytes 520572 (520.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


root@virtual-machine:/gt/runenv/config/wireguard/client# ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.100.1.2  netmask 255.255.255.0  destination 10.100.1.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 82  bytes 4100 (4.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 673  bytes 69036 (69.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


root@virtual-machine:/gt/runenv/config/wireguard/client# more etc-wireguard-wg0.conf 
[Interface]
Address = 10.100.1.2/24
# Lower-case key name; `wg show` above reports "listening port: 51820", so
# wg-quick applied it as written.
listenport = 51820
# SECURITY: this private key has been published in a public gist — treat it
# as compromised, regenerate with `wg genkey`, and update Peer1's [Peer]
# PublicKey accordingly.
PrivateKey = AMZXJ1vBx6OOnZlbnYHuShTBAPuOzwCgweG73BS/4WY=

[Peer]
PublicKey = KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
# Full tunnel: every IPv4 destination is sent to Peer1 (wg-quick installs the
# fwmark/policy routing visible as "fwmark: 0xca6c" in `wg show`). Peer1 must
# therefore forward and NAT this traffic; the first traceroute hop is Peer1.
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.1.77:51820


root@virtual-machine:/gt/runenv/config/wireguard/client# ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1) 56(84) bytes of data.
64 bytes from 10.100.1.1: icmp_seq=1 ttl=64 time=0.489 ms
^C
--- 10.100.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.489/0.489/0.489/0.000 ms


root@virtual-machine:/gt/runenv/config/wireguard/client# sudo wg show
interface: wg0
  public key: uL8bs5596DJO7BMnrIVG5btvr4LTzlbx1ovwHe59NBc=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: KNuvytvYu9NktxybaOHsCF11q96IGfc+dT/Dv8L6KB0=
  endpoint: 10.0.1.77:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 29 seconds ago
  transfer: 2.60 KiB received, 44.59 KiB sent


root@virtual-machine:/gt/runenv/config/wireguard/client# traceroute 4.4.4.4
traceroute to 4.4.4.4 (4.4.4.4), 30 hops max, 60 byte packets
 1  10.100.1.1 (10.100.1.1)  1.341 ms  1.298 ms  1.105 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  *^C

Analysis

  1. Removing Docker from Peer1 and rebooting allows Peer2 to use Peer1 as a router and complete the traceroute. The likely mechanism: Docker sets the default policy of the filter-table FORWARD chain to DROP (the filter table is not shown above — confirm with `sudo iptables -S FORWARD`). Peer1's PostUp rule only accepts packets entering from wg0 (`-i wg0`), so the replies returning from ens33 towards wg0 match no ACCEPT rule and are dropped by the policy. Hop 1 still answers because that ICMP "time exceeded" is generated by Peer1 itself, not forwarded. Rather than removing Docker, add the return-path rule to PostUp/PostDown: `iptables -A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` (and the matching `-D` in PostDown).
  2. Both peers' WireGuard private keys appear in clear text in the wg0.conf files shown above and are now public. Treat them as compromised: regenerate a key pair on each peer (`wg genkey | tee privatekey | wg pubkey > publickey`) and update the corresponding [Peer] PublicKey on the other side.