On 2021-08-27, Erling Westenvik <erling.westen...@gmail.com> wrote:
> On Fri, Aug 27, 2021 at 02:20:29PM +0100, Zé Loff wrote:
>> 
>> On Fri, Aug 27, 2021 at 03:03:36PM +0200, Erling Westenvik wrote:
>> > Hello all,
>> > I have successfully set up a wg(4) based VPN tunnel from my laptop
>> > (current) to my home/office gateway (6.9) but have problems
>> > understanding how to access the LAN behind the gateway.
>> > 
>> > [Laptop]
>> > - wg0 (10.0.0.42)
>> > - egress (trunk0 {em0 iwn0} dhcp)
>> > [Internet]
>> > [Gateway]
>> > - egress (em0 dhcp)
>> > - wg0 (10.0.0.1)
>> > - bridge0 {em1, (vether0 192.168.3.1 dhcpd)}
>> > [LAN]
>> > - various 192.168.3.0/24
>> > 
>> > I can ping/ssh between wg(4) endpoints (10.0.0.1 to 10.0.0.42 and vice
>> > versa) and also from LAN clients (192.168.3.0/24) to gateway wg(4)
>> > endpoint (10.0.0.1), but the laptop (10.0.0.42) can only reach the
>> > gateway (10.0.0.1).
>> > 
>> > Is it as easy as defining some routes? If so, where? There's a ton of
>> > more or less relevant and/or updated howtos out there but I have not
>> > found anyone dealing with a similar scenario. Any hints are appreciated.
>> 
>> I added something like
>> 
>> !route add 192.168.3.0/24 10.0.0.1
>> 
>> to /etc/hostname.wg0.
>
> Thanks. I did too, I just forgot to mention it.
> It doesn't work in my case though.
> At least your answer tells me that what I try to achieve, to access the
> LAN behind a wg(4) endpoint, is possible, right?
>
>> Of course this _might_ be messy if by any chance your laptop's local
>> network is also 192.168.3.0/24 or a subset of this range.
>
> When connected to the LAN it of course is, but there should not be any
> traces of that range after a reboot or two.
>
> Guess I'm up for debugging, testing of pf rules, and tcpdumping...
> Any ideas where to begin is appreciated.
>
> Erling
>
>
>> > 
>> > (My wg(4) setup is based on:
>> > https://www.tumfatig.net/20201202/a-mesh-vpn-using-openbsd-and-wireguard/)
>> > 
>> > Best regards,
>> > 
>> > Erling
>> > 
>> 

Make sure you have set wgaip to allow traffic from the machines on the
subnet on the other side of the tunnel.

If that's not it, please show some config, ifconfig wg0 output
from both sides (run as root so it includes more info; make sure
any masking is done consistently i.e. search-and-replace),
netstat -rn output.

When you get connectivity working you may find you get TCP stalls
when connecting to/from machines on the subnet behind the gateway
(initial connect is ok but stalling after larger data transfer) -
if so then you might need some "match ... scrub (max-mss 1380)"
or maybe a bit smaller depending on your internet connection.


-- 
Please keep replies on the mailing list.
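The wgaip point in the reply above is the one that usually bites in this scenario: wg(4) only sends a packet to a peer if the destination address falls inside one of that peer's wgaip prefixes, so a route to 192.168.3.0/24 via wg0 is not enough when the laptop's peer entry only lists 10.0.0.1/32. The following script is an added illustration, not code from the thread or from OpenBSD; it models that allowed-IPs check in POSIX sh over two constructed hostname.wg0 peer lines (the public key, endpoint hostname and port are placeholders) so you can see which destinations each wgaip set would let into the tunnel.

```shell
#!/bin/sh
# Added example: model WireGuard's allowed-IPs (wgaip) check for an
# outgoing packet, using constructed hostname.wg0 lines from the laptop side.

# Convert a dotted IPv4 address to a 32-bit integer.
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# cidr_contains CIDR ADDR: exit 0 if ADDR lies inside CIDR ("a.b.c.d" = /32).
cidr_contains() {
    net=${1%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32
    [ "$plen" -eq 0 ] && return 0          # 0.0.0.0/0 matches everything
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    n=$(ip4_to_int "$net")
    a=$(ip4_to_int "$2")
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# wg_allowed "AIP AIP ..." ADDR: exit 0 if some wgaip prefix covers ADDR,
# which is the condition wg(4) applies before encrypting a packet to a peer.
wg_allowed() {
    for aip in $1; do
        cidr_contains "$aip" "$2" && return 0
    done
    return 1
}

# extract_wgaip LINE: print the values that follow each "wgaip" keyword
# in a wgpeer line of /etc/hostname.wg0.
extract_wgaip() {
    out=""; want=0
    for w in $1; do
        if [ "$want" -eq 1 ]; then
            out="$out $w"; want=0
        elif [ "$w" = "wgaip" ]; then
            want=1
        fi
    done
    echo "${out# }"
}

# Constructed peer lines for the laptop's /etc/hostname.wg0 (placeholders,
# not real keys or hosts). The first is the typical "only the endpoint"
# configuration; the second also allows the LAN behind the gateway.
LAPTOP_PEER_NARROW='wgpeer PUBKEY_PLACEHOLDER wgendpoint gateway.example 51820 wgaip 10.0.0.1/32'
LAPTOP_PEER_WIDE='wgpeer PUBKEY_PLACEHOLDER wgendpoint gateway.example 51820 wgaip 10.0.0.1/32 wgaip 192.168.3.0/24'

for peer in "$LAPTOP_PEER_NARROW" "$LAPTOP_PEER_WIDE"; do
    aips=$(extract_wgaip "$peer")
    for dst in 10.0.0.1 192.168.3.10; do
        if wg_allowed "$aips" "$dst"; then
            echo "wgaip [$aips]: $dst goes into the tunnel"
        else
            echo "wgaip [$aips]: $dst is not covered, wg0 drops it"
        fi
    done
done
```

The same check applies in the other direction: the gateway's peer entry for the laptop must carry wgaip 10.0.0.42/32, and the gateway additionally needs IP forwarding enabled and pf rules that pass traffic between wg0 and the bridge, or the LAN replies never make it back. If connectivity then works but large transfers stall, that is the MSS issue the reply mentions, handled with a match rule using scrub (max-mss ...) on wg0 in pf.conf.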
