Re: Accessing LAN behind gateway from Road Warrior on wg(4) based tunnel

2021-09-01 Thread Alexander Hall
On Fri, Aug 27, 2021 at 03:03:36PM +0200, Erling Westenvik wrote:
> Hello all,
> I have successfully set up a wg(4) based VPN tunnel from my laptop
> (current) to my home/office gateway (6.9) but have problems
> understanding how to access the LAN behind the gateway.
> 
> [Laptop]
> - wg0 (10.0.0.42)
> - egress (trunk0 {em0 iwn0} dhcp)
> [Internet]
> [Gateway]
> - egress (em0 dhcp)
> - wg0 (10.0.0.1)
> - bridge0 {em1, (vether0 192.168.3.1 dhcpd)}
> [LAN]
> - various 192.168.3.0/24
> 
> I can ping/ssh between wg(4) endpoints (10.0.0.1 to 10.0.0.42 and vice
> versa) and also from LAN clients (192.168.3.0/24) to gateway wg(4)
> endpoint (10.0.0.1), but the laptop (10.0.0.42) can only reach the
> gateway (10.0.0.1).
> 
> Is it as easy as defining some routes? If so, where? There's a ton of
> more or less relevant and/or updated howto's out there but I have not
> found anyone dealing with a similar scenario. Any hints are appreciated.

Routes:

laptop: route add 192.168.3/24 10.0.0.1
"various 192.168.3.0/24": route add 10.0.0.42 192.168.3.1

(The latter is probably already the case if 192.168.3.1 is the default gw)

Alternatively, NAT the traffic from 10.0.0.42 onto the 192.168.3/24 network
Something like this late in the pf rules on Gateway:
match out on em1 from any received-on wg0 nat-to (em1)

/Alexander

> 
> (My wg(4) setup is based on:
> https://www.tumfatig.net/20201202/a-mesh-vpn-using-openbsd-and-wireguard/)
> 
> Best regards,
> 
> Erling
> 



Re: Accessing LAN behind gateway from Road Warrior on wg(4) based tunnel

2021-08-31 Thread Erling Westenvik
On Mon, Aug 30, 2021 at 07:42:43AM -, Stuart Henderson wrote:
> On 2021-08-29, Erling Westenvik  wrote:
> > On Fri, Aug 27, 2021 at 07:36:21PM -, Stuart Henderson wrote:
> >> 
> >> Make sure you have set wgaip to allow traffic from the machines on the
> >> subnet on the other side of the tunnel.
> >
> > That was it. Thank you so much. Not directly intuitive to me that
> > "access" to a remote subnet must be specified on the connecting client,
> > but I think I understand the mechanisms a little better now.
> >
> > I can now access my home/office LAN which was my primary goal but I just
> > found out that traffic to everything else leaves egress untunneled.
> > However - trying something like:
> >
> > route change default 10.0.0.1
> >
> > leaves the laptop dead in the water. Again a routing problem of some
> > kind I guess. Any hints on where to start digging?
> 
> Changing the default route means that wg won't be able to reach the
> endpoint because the route to it is over the wg interface itself. If you
> want to tunnel all traffic, the easiest way is:
> 
> - set your physical interface in a different routing domain, e.g.
> add "rdomain 2" to hostname.em0
> 
> - set wg to use the route table associated with that routing domain
> when sending the encapsulated packets, e.g. add "wgrtable 2" to the wg
> interface itself.
> 
> - set your physical interface in a different routing domain, e.g.
> add "rdomain 2" to hostname.em0
> 
> - set wg to use the route table associated with that routing domain
> when sending the encapsulated packets, e.g. add "wgrtable 2" to
> hostname.wg0
> 
> - on the machine you're connecting wg to, unless you use externally
> routable IPs directly on the wg interface, you'll probably want
> something like "match out on em0 received-on wg0 nat-to (em0)"
> 
> - and because now you'll be receiving traffic from anywhere over the
> wg interface you'll need wgaip 0.0.0.0/0
> 
> I think that covers everything but if not then tcpdump on various
> interfaces and both wg endpoints to figure out where packets are
> getting to, and that they have the expected address.

Thanks again. I'll look into that information and compare and combine it
with Matthieu Herrb's page "Setting up a WireGuard client with routing
domains on OpenBSD" at https://codimd.laas.fr/s/NMc3qt5PQ#. (My father
passed away the day after my initial post which was motivated by the
need to access my LAN while watching over him at the nursery home.
Thanks for putting time and effort into your answers despite my late
replies.)

Erling

> 
> -- 
> Please keep replies on the mailing list.
> 



Re: Accessing LAN behind gateway from Road Warrior on wg(4) based tunnel

2021-08-30 Thread Stuart Henderson
On 2021-08-29, Erling Westenvik  wrote:
> On Fri, Aug 27, 2021 at 07:36:21PM -, Stuart Henderson wrote:
>> 
>> Make sure you have set wgaip to allow traffic from the machines on the
>> subnet on the other side of the tunnel.
>
> That was it. Thank you so much. Not directly intuitive to me that
> "access" to a remote subnet must be specified on the connecting client,
> but I think I understand the mechanisms a little better now.
>
> I can now access my home/office LAN which was my primary goal but I just
> found out that traffic to everything else leaves egress untunneled.
> However - trying something like:
>
> route change default 10.0.0.1
>
> leaves the laptop dead in the water. Again a routing problem of some
> kind I guess. Any hints on where to start digging?

Changing the default route means that wg won't be able to reach the
endpoint because the route to it is over the wg interface itself. If you
want to tunnel all traffic, the easiest way is:

- set your physical interface in a different routing domain, e.g.
add "rdomain 2" to hostname.em0

- set wg to use the route table associated with that routing domain
when sending the encapsulated packets, e.g. add "wgrtable 2" to the wg
interface itself.

- set your physical interface in a different routing domain, e.g.
add "rdomain 2" to hostname.em0

- set wg to use the route table associated with that routing domain
when sending the encapsulated packets, e.g. add "wgrtable 2" to
hostname.wg0

- on the machine you're connecting wg to, unless you use externally
routable IPs directly on the wg interface, you'll probably want
something like "match out on em0 received-on wg0 nat-to (em0)"

- and because now you'll be receiving traffic from anywhere over the
wg interface you'll need wgaip 0.0.0.0/0

I think that covers everything but if not then tcpdump on various
interfaces and both wg endpoints to figure out where packets are
getting to, and that they have the expected address.

-- 
Please keep replies on the mailing list.
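To make the routing-domain advice above concrete, here is an added example (not code from the thread or from OpenBSD) that models the laptop's route lookups with a tiny longest-prefix matcher. It covers the split-tunnel route from Alexander's reply, the dead-in-the-water state after `route change default 10.0.0.1`, and the `rdomain 2` / `wgrtable 2` fix. Tunnel and LAN addresses are the thread's; the WAN gateway 198.51.100.1 and the wg endpoint 198.51.100.200 are constructed placeholders.

```python
"""Added example, not from the thread: a tiny longest-prefix route lookup
showing why 'route change default 10.0.0.1' on the laptop kills the tunnel
and how a second routing domain (rdomain 2 on em0, wgrtable 2 on wg0) fixes
it.  WAN gateway 198.51.100.1 and endpoint 198.51.100.200 are constructed."""
import ipaddress

ENDPOINT = "198.51.100.200"  # constructed: the gateway's public address


def lookup(rtable, dst):
    """Most specific (gateway, iface) for dst in one route table, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifc in rtable:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, ifc)
    return None if best is None else best[1:]


def tunnel_path(tables, wg_rtable, dst):
    """A plaintext packet to dst is looked up in rtable 0; if it goes to wg0,
    the encapsulated UDP packet to ENDPOINT is looked up in the table wg(4)
    was told to use (wgrtable).  Returns (tunnelled, egress); egress is
    'LOOP' when the outer packet would be routed back into wg0, i.e. the
    endpoint is unreachable and the tunnel is dead."""
    hop = lookup(tables[0], dst)
    if hop is None:
        return (False, None)
    if hop[1] != "wg0":
        return (False, hop[1])          # not tunnelled: leaves in the clear
    outer = lookup(tables[wg_rtable], ENDPOINT)
    if outer is None:
        return (True, None)
    return (True, "LOOP" if outer[1] == "wg0" else outer[1])


# Split tunnel (Alexander's 'route add 192.168.3/24 10.0.0.1'): works, but
# anything outside the LAN leaves em0 untunnelled.
SPLIT = {0: [("0.0.0.0/0", "198.51.100.1", "em0"),
             ("192.168.3.0/24", "10.0.0.1", "wg0"),
             ("10.0.0.0/24", None, "wg0")]}
# After 'route change default 10.0.0.1' in a single rtable: the endpoint
# itself now resolves to wg0, so the outer packet can never leave.
BROKEN = {0: [("0.0.0.0/0", "10.0.0.1", "wg0"),
              ("10.0.0.0/24", None, "wg0")]}
# em0 and its default route live in rdomain 2; wg0 sends outer packets via
# rtable 2 (wgrtable 2) while rtable 0's default points into the tunnel.
RDOMAIN = {0: [("0.0.0.0/0", "10.0.0.1", "wg0"),
               ("10.0.0.0/24", None, "wg0")],
           2: [("0.0.0.0/0", "198.51.100.1", "em0")]}
```

203.0.113.5 in the checks below stands in for any Internet host; the model ignores pf and the gateway-side NAT, which only matter once the outer packet has left em0.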



Re: Accessing LAN behind gateway from Road Warrior on wg(4) based tunnel

2021-08-29 Thread Erling Westenvik
On Fri, Aug 27, 2021 at 07:36:21PM -, Stuart Henderson wrote:
> On 2021-08-27, Erling Westenvik  wrote:
> > On Fri, Aug 27, 2021 at 02:20:29PM +0100, Zé Loff wrote:
> >> 
> >> On Fri, Aug 27, 2021 at 03:03:36PM +0200, Erling Westenvik wrote:
> >> > Hello all,
> >> > I have successfully set up a wg(4) based VPN tunnel from my laptop
> >> > (current) to my home/office gateway (6.9) but have problems
> >> > understanding how to access the LAN behind the gateway.
> >> > 
> >> > [Laptop]
> >> > - wg0 (10.0.0.42)
> >> > - egress (trunk0 {em0 iwn0} dhcp)
> >> > [Internet]
> >> > [Gateway]
> >> > - egress (em0 dhcp)
> >> > - wg0 (10.0.0.1)
> >> > - bridge0 {em1, (vether0 192.168.3.1 dhcpd)}
> >> > [LAN]
> >> > - various 192.168.3.0/24
> >> > 
> >> > I can ping/ssh between wg(4) endpoints (10.0.0.1 to 10.0.0.42 and vice
> >> > versa) and also from LAN clients (192.168.3.0/24) to gateway wg(4)
> >> > endpoint (10.0.0.1), but the laptop (10.0.0.42) can only reach the
> >> > gateway (10.0.0.1).
> >> > 
> >> > Is it as easy as defining some routes? If so, where? There's a ton of
> >> > more or less relevant and/or updated howto's out there but I have not
> >> > found anyone dealing with a similar scenario. Any hints are appreciated.
> >> 
> >> I added something like
> >> 
> >> !route add 192.168.3.0/24 10.0.0.1
> >> 
> >> to /etc/hostname.wg0.
> >
> > Thanks. I did too, I just forgot to mention it.
> > It doesn't work in my case though.
> > At least your answer tells me that what I try to achieve, to access the
> > LAN behind a wg(4) endpoint, is possible, right?
> >
> >> Of course this _might_ be messy if by any chance your laptop's local
> >> network is also 192.168.3.0/24 or a subset of this range.
> >
> > When connected to the LAN it of course is, but there should not be any
> > traces of that range after a reboot or two.
> >
> > Guess I'm up for debugging, testing of pf rules, and tcpdumping..
> > Any ideas where to begin is appreciated.
> >
> > Erling
> >
> >
> >> > 
> >> > (My wg(4) setup is based on:
> >> > https://www.tumfatig.net/20201202/a-mesh-vpn-using-openbsd-and-wireguard/)
> >> > 
> >> > Best regards,
> >> > 
> >> > Erling
> >> > 
> >> 
> 
> Make sure you have set wgaip to allow traffic from the machines on the
> subnet on the other side of the tunnel.

That was it. Thank you so much. Not directly intuitive to me that
"access" to a remote subnet must be specified on the connecting client,
but I think I understand the mechanisms a little better now.

I can now access my home/office LAN which was my primary goal but I just
found out that traffic to everything else leaves egress untunneled.
However - trying something like:

route change default 10.0.0.1

leaves the laptop dead in the water. Again a routing problem of some
kind I guess. Any hints on where to start digging?

Erling

> If that's not it, please show some config, ifconfig wg0 output
> from both sides (run as root so it includes more info; make sure
> any masking is done consistently i.e. search-and-replace),
> netstat -rn output.
> 
> When you get connectivity working you may find you get TCP stalls
> when connecting to/from machines on the subnet behind the gateway
> (initial connect is ok but stalling after larger data transfer) -
> if so then you might need some "match ... scrub (max-mss 1380)"
> or maybe a bit smaller depending on your internet connection.
> 
> 
> -- 
> Please keep replies on the mailing list.
> 



Re: Accessing LAN behind gateway from Road Warrior on wg(4) based tunnel

2021-08-27 Thread Stuart Henderson
On 2021-08-27, Erling Westenvik  wrote:
> On Fri, Aug 27, 2021 at 02:20:29PM +0100, Zé Loff wrote:
>> 
>> On Fri, Aug 27, 2021 at 03:03:36PM +0200, Erling Westenvik wrote:
>> > Hello all,
>> > I have successfully set up a wg(4) based VPN tunnel from my laptop
>> > (current) to my home/office gateway (6.9) but have problems
>> > understanding how to access the LAN behind the gateway.
>> > 
>> > [Laptop]
>> > - wg0 (10.0.0.42)
>> > - egress (trunk0 {em0 iwn0} dhcp)
>> > [Internet]
>> > [Gateway]
>> > - egress (em0 dhcp)
>> > - wg0 (10.0.0.1)
>> > - bridge0 {em1, (vether0 192.168.3.1 dhcpd)}
>> > [LAN]
>> > - various 192.168.3.0/24
>> > 
>> > I can ping/ssh between wg(4) endpoints (10.0.0.1 to 10.0.0.42 and vice
>> > versa) and also from LAN clients (192.168.3.0/24) to gateway wg(4)
>> > endpoint (10.0.0.1), but the laptop (10.0.0.42) can only reach the
>> > gateway (10.0.0.1).
>> > 
>> > Is it as easy as defining some routes? If so, where? There's a ton of
>> > more or less relevant and/or updated howto's out there but I have not
>> > found anyone dealing with a similar scenario. Any hints are appreciated.
>> 
>> I added something like
>> 
>> !route add 192.168.3.0/24 10.0.0.1
>> 
>> to /etc/hostname.wg0.
>
> Thanks. I did too, I just forgot to mention it.
> It doesn't work in my case though.
> At least your answer tells me that what I try to achieve, to access the
> LAN behind a wg(4) endpoint, is possible, right?
>
>> Of course this _might_ be messy if by any chance your laptop's local
>> network is also 192.168.3.0/24 or a subset of this range.
>
> When connected to the LAN it of course is, but there should not be any
> traces of that range after a reboot or two.
>
> Guess I'm up for debugging, testing of pf rules, and tcpdumping..
> Any ideas where to begin is appreciated.
>
> Erling
>
>
>> > 
>> > (My wg(4) setup is based on:
>> > https://www.tumfatig.net/20201202/a-mesh-vpn-using-openbsd-and-wireguard/)
>> > 
>> > Best regards,
>> > 
>> > Erling
>> > 
>> 

Make sure you have set wgaip to allow traffic from the machines on the
subnet on the other side of the tunnel.

If that's not it, please show some config, ifconfig wg0 output
from both sides (run as root so it includes more info; make sure
any masking is done consistently i.e. search-and-replace),
netstat -rn output.

When you get connectivity working you may find you get TCP stalls
when connecting to/from machines on the subnet behind the gateway
(initial connect is ok but stalling after larger data transfer) -
if so then you might need some "match ... scrub (max-mss 1380)"
or maybe a bit smaller depending on your internet connection.


-- 
Please keep replies on the mailing list.
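The wgaip point above, and Erling's later remark that it is not intuitive that access to the remote subnet has to be declared on the connecting client, come down to how wg(4) chooses a peer. The following added example (not code from the thread or from OpenBSD) models that cryptokey routing with the thread's addresses; the peer names are made up.

```python
"""Added example, not from the thread: a model of wg(4) cryptokey routing.
Every outbound packet's destination and every decrypted inbound packet's
source is matched against the peers' allowed IPs (wgaip); no match means
the packet is dropped, whatever the kernel route table says.
Addresses are the ones from the thread; peer names are made up."""
import ipaddress


def select_peer(peers, addr):
    """Longest-prefix match of addr over every peer's wgaip list.
    Returns the peer name, or None when no peer claims the address."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for name, aips in peers.items():
        for net in aips:
            n = ipaddress.ip_network(net)
            if ip in n and n.prefixlen > best_len:
                best, best_len = name, n.prefixlen
    return best


def outbound_ok(peers, dst):
    """Can a plaintext packet to dst be encrypted to some peer?"""
    return select_peer(peers, dst) is not None


def inbound_ok(peers, from_peer, src):
    """A decrypted packet is accepted only if its source falls in the
    wgaip of the peer whose key it was received under."""
    return select_peer(peers, src) == from_peer


# Laptop's peer entry for the gateway before the fix: tunnel address only.
LAPTOP_BEFORE = {"gateway": ["10.0.0.1/32"]}
# After adding the remote LAN to wgaip on the laptop side.
LAPTOP_AFTER = {"gateway": ["10.0.0.1/32", "192.168.3.0/24"]}
# Full-tunnel variant from later in the thread: wgaip 0.0.0.0/0.
LAPTOP_FULL = {"gateway": ["0.0.0.0/0"]}
# Gateway's peer entry for the laptop needs no change: the laptop's packets
# carry its own tunnel address as source, and replies go back to it.
GATEWAY = {"laptop": ["10.0.0.42/32"]}

if __name__ == "__main__":
    for label, cfg in (("before", LAPTOP_BEFORE), ("after", LAPTOP_AFTER),
                       ("full", LAPTOP_FULL)):
        print(label, "to LAN:", outbound_ok(cfg, "192.168.3.10"),
              "reply from LAN:", inbound_ok(cfg, "gateway", "192.168.3.10"),
              "to internet:", outbound_ok(cfg, "203.0.113.5"))
```

203.0.113.5 is a documentation address standing in for any Internet host; with only the LAN in wgaip such traffic is not tunnelled at all, which is exactly what Erling observed next.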



Re: Accessing LAN behind gateway from Road Warrior on wg(4) based tunnel

2021-08-27 Thread Erling Westenvik
On Fri, Aug 27, 2021 at 02:20:29PM +0100, Zé Loff wrote:
> 
> On Fri, Aug 27, 2021 at 03:03:36PM +0200, Erling Westenvik wrote:
> > Hello all,
> > I have successfully set up a wg(4) based VPN tunnel from my laptop
> > (current) to my home/office gateway (6.9) but have problems
> > understanding how to access the LAN behind the gateway.
> > 
> > [Laptop]
> > - wg0 (10.0.0.42)
> > - egress (trunk0 {em0 iwn0} dhcp)
> > [Internet]
> > [Gateway]
> > - egress (em0 dhcp)
> > - wg0 (10.0.0.1)
> > - bridge0 {em1, (vether0 192.168.3.1 dhcpd)}
> > [LAN]
> > - various 192.168.3.0/24
> > 
> > I can ping/ssh between wg(4) endpoints (10.0.0.1 to 10.0.0.42 and vice
> > versa) and also from LAN clients (192.168.3.0/24) to gateway wg(4)
> > endpoint (10.0.0.1), but the laptop (10.0.0.42) can only reach the
> > gateway (10.0.0.1).
> > 
> > Is it as easy as defining some routes? If so, where? There's a ton of
> > more or less relevant and/or updated howto's out there but I have not
> > found anyone dealing with a similar scenario. Any hints are appreciated.
> 
> I added something like
> 
> !route add 192.168.3.0/24 10.0.0.1
> 
> to /etc/hostname.wg0.

Thanks. I did too, I just forgot to mention it.
It doesn't work in my case though.
At least your answer tells me that what I try to achieve, to access the
LAN behind a wg(4) endpoint, is possible, right?

> Of course this _might_ be messy if by any chance your laptop's local
> network is also 192.168.3.0/24 or a subset of this range.

When connected to the LAN it of course is, but there should not be any
traces of that range after a reboot or two.

Guess I'm up for debugging, testing of pf rules, and tcpdumping..
Any ideas where to begin is appreciated.

Erling


> > 
> > (My wg(4) setup is based on:
> > https://www.tumfatig.net/20201202/a-mesh-vpn-using-openbsd-and-wireguard/)
> > 
> > Best regards,
> > 
> > Erling
> > 
> 



Re: Accessing LAN behind gateway from Road Warrior on wg(4) based tunnel

2021-08-27 Thread Zé Loff


On Fri, Aug 27, 2021 at 03:03:36PM +0200, Erling Westenvik wrote:
> Hello all,
> I have successfully set up a wg(4) based VPN tunnel from my laptop
> (current) to my home/office gateway (6.9) but have problems
> understanding how to access the LAN behind the gateway.
> 
> [Laptop]
> - wg0 (10.0.0.42)
> - egress (trunk0 {em0 iwn0} dhcp)
> [Internet]
> [Gateway]
> - egress (em0 dhcp)
> - wg0 (10.0.0.1)
> - bridge0 {em1, (vether0 192.168.3.1 dhcpd)}
> [LAN]
> - various 192.168.3.0/24
> 
> I can ping/ssh between wg(4) endpoints (10.0.0.1 to 10.0.0.42 and vice
> versa) and also from LAN clients (192.168.3.0/24) to gateway wg(4)
> endpoint (10.0.0.1), but the laptop (10.0.0.42) can only reach the
> gateway (10.0.0.1).
> 
> Is it as easy as defining some routes? If so, where? There's a ton of
> more or less relevant and/or updated howto's out there but I have not
> found anyone dealing with a similar scenario. Any hints are appreciated.

I added something like

!route add 192.168.3.0/24 10.0.0.1

to /etc/hostname.wg0.

Of course this _might_ be messy if by any chance your laptop's local
network is also 192.168.3.0/24 or a subset of this range.

> 
> (My wg(4) setup is based on:
> https://www.tumfatig.net/20201202/a-mesh-vpn-using-openbsd-and-wireguard/)
> 
> Best regards,
> 
> Erling
> 
