On Tue, Jan 5, 2021 at 4:58 PM Peter Fraser <p...@thinkage.ca> wrote:

> I did get it to work, but it took a lot of tries caused by my confusion.
> I hope this message speeds up others who try to configure wireguard.
> I was trying to connect a windows 10 computer to an OpenBsd computer.
> The problem was the OpenBSD computer was a 20 minute drive away,
> And I didn't want to lock myself and others out if I made a mistake.
> Which I did once and had to make the drive.
>
> 1) ifconfig wg0 debug           is not useful
> 2) ifconfig wg0 -debug          is not documented, admittedly it is easy to
> guess its existence, but the other - options are documented
> 3) The IP address given to wg0 on the server has to be available to the
> outside world to allow establishing connections.
>     This can be done by giving it an external IP address or using a rdr-to
> in PF.
> 4) The IP address of the client interface is what will appear as the source
> address of the client, independent of whatever NATing goes on.
> 5) You can't use the same wgpeer for multiple clients, each one has to be
> unique.
> 6) The wgpeer and wgaip have to be set together, you cannot set them
> separately.
> 7) When the packets come in through wg0, the return packet will want to go
> out through the default interface.
>      To stop that you will need a route command to direct the packets back
> to the wg0 interface, for that you will need the IP addresses involved.
> 8) To keep your sanity, you want to have a private subnetwork, to be used
> by all the clients just for this purpose.
>      Which allows you to construct the route command and set wgaip values.
> 9) If you are connecting subnetworks you probably want a separate wg
> interface for each subnetwork.
>

It went way smoother here (an hour from scratch with OpenBSD and a Windows
client); I don't understand why someone would put a public IP on wg0.

Multi client setup could use an example for many reasons (because it's
probably designed in a way that is not obvious).

Overall it's a very good job.
OP: debug is mostly for devs, or people reading code, not to help with the setup.

-- 
--
---------------------------------------------------------------------------------------------------------------------
Knowing is not enough; we must apply. Willing is not enough; we must do
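Since the thread asks for a multi-client example, here is one (added as an illustration, not taken from either message above). It assumes a private tunnel subnet 10.8.0.0/24 reserved for WireGuard peers, UDP port 51820, the server's external interface in the egress group, one site peer that also carries a LAN 192.168.50.0/24 behind it, and placeholder keys in angle brackets; the server's private key comes from `openssl rand -base64 32`, and the server's public key is read from `ifconfig wg0` (shown as wgpubkey). Each client gets its own wgpeer line with its own public key and a /32 wgaip, and the remote LAN is routed through that peer's tunnel address.

```conf
# --- /etc/hostname.wg0 on the OpenBSD server (example config, placeholders in <>) ---
# Tunnel subnet 10.8.0.0/24 is private and used only by WireGuard peers.
wgkey <SERVER_PRIVATE_KEY_BASE64>
wgport 51820
# One wgpeer line per client, each with its own public key. The wgaip is the
# source the peer may use inside the tunnel and the destination routed to it.
wgpeer <CLIENT_A_PUBLIC_KEY> wgaip 10.8.0.2/32
wgpeer <CLIENT_B_PUBLIC_KEY> wgaip 10.8.0.3/32
# A site peer that also forwards for a LAN behind it: list every allowed range.
wgpeer <SITE_C_PUBLIC_KEY> wgaip 10.8.0.4/32 wgaip 192.168.50.0/24
inet 10.8.0.1/24
up
# Send the remote LAN back through the tunnel via that peer's tunnel address
# (assumption: the site peer has IP forwarding enabled for 192.168.50.0/24).
!route add -inet 192.168.50.0/24 10.8.0.4

# --- /etc/pf.conf fragment on the server ---
# Let WireGuard's UDP port reach the server's public address on the external
# interface; traffic inside the tunnel shows up on wg0 and is filtered there.
pass in on egress proto udp to port 51820
pass on wg0
# Only if tunnel clients should reach the Internet through this server
# (also needs net.inet.ip.forwarding=1 in /etc/sysctl.conf):
# match out on egress from 10.8.0.0/24 nat-to (egress)

# --- Windows client A (WireGuard for Windows, "Add empty tunnel") ---
[Interface]
PrivateKey = <CLIENT_A_PRIVATE_KEY>
Address = 10.8.0.2/24

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
# Tunnel subnet plus the LAN behind site C; the server routes between peers
# only with net.inet.ip.forwarding=1.
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24
PersistentKeepalive = 25
```

The server side needs no wgendpoint: it learns each client's current address from the client's handshake, which is also why a client behind NAT keeps working after its public address changes. Note that wgaip must be unique per peer; giving two clients the same allowed IP makes the kernel hand the second one's packets to whichever peer was configured last.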
