Re: Share one of machines IP via WireGuard
On Sat, 08 Jun 2024 15:56:06 +0100,
Stuart Henderson wrote:
>
> I think this should be possible with the standard route table, without
> route-to. Essentially you need:
>
> 1. your machine to answer arp for the wg ip so other hosts will send
> ethernet packets to it
>
> 2. your machine to not be configured with the wg ip itself
>
> 3. route entries such that those packets end up sent out the wg interface
> (you may possibly need a route command with -ifp wg0)
>

Thanks, after re-reading the man page for route I was able to figure it out
in quite a simple way, without NAT, a routing domain, or the dedicated MAC
which was added to separate things in the hope of making things easy.

So, here is the resulting config:

Client:

rdomain 1
wgrtable 0
wgkey ...
wgpeer ... \
        wgendpoint 1.2.3.4 51820 \
        wgaip 0.0.0.0/0 \
        wgpka 25 \
        wgpsk ...
inet 1.2.4.5/28
up
!route -T 1 add default 1.2.4.1

Server:

wgkey ...
wgpeer ... \
        wgaip 1.2.4.5/32 \
        wgpka 25 \
        wgpsk ...
wgport 51820
inet 127.255.255.255/32
up
!route add -inet 1.2.4.5 -llinfo -link -static -iface \$if

Without inet 127.255.255.255/32 adding a static route fails as:

add host 1.2.4.5: gateway wg0: Network is unreachable

--
wbr, Kirill
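As an added post-configuration check (not part of the thread, and not the author's config): a POSIX shell script that verifies the three conditions from Stuart's reply for the forwarded IP, namely that the host publishes an ARP entry for it, that the IP is not configured on any local interface, and that the route for it leaves via the wg interface. The arp -an, ifconfig and route -n get outputs embedded below are constructed samples that approximate OpenBSD's formats; the "P" published flag and the "interface:" field are assumptions about that format, and on a real host the live commands replace them.

```shell
#!/bin/sh
# Added verification script (not from the thread). Checks Stuart's three
# conditions for a forwarded IP and a wg interface. The outputs below are
# CONSTRUCTED samples approximating OpenBSD arp(8), ifconfig(8) and route(8)
# output; on a real host use:  arp -an ; ifconfig ; route -n get "$WG_IP"

WG_IP=1.2.4.5
WG_IF=wg0

# Assumed format: a published (proxy) entry carries "P" in the Flags column.
ARP_OUT='   Host        Ethernet Address   Netif Expire     Flags
1.2.4.1     00:11:22:33:44:55  em0   19m59s
1.2.4.5     00:50:56:01:1d:40  em0   permanent  P'

IFCONFIG_OUT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        inet 127.255.255.255 netmask 0xffffffff'

ROUTE_OUT='   route to: 1.2.4.5
destination: 1.2.4.5
       mask: 255.255.255.255
  interface: wg0
   priority: 8 (static)
      flags: <UP,HOST,DONE,LLINFO,STATIC>'

# 1. The host answers ARP for the IP: a published entry for it exists.
arp_published() {
    printf '%s\n' "$ARP_OUT" |
        awk -v ip="$1" '$1 == ip && $NF == "P" { f = 1 } END { exit !f }'
}

# 2. The IP itself must not be configured on any local interface.
ip_not_configured() {
    ! printf '%s\n' "$IFCONFIG_OUT" |
        awk -v ip="$1" '$1 == "inet" && $2 == ip { f = 1 } END { exit !f }'
}

# 3. The host route for the IP must leave via the wg interface.
route_via_wg() {
    printf '%s\n' "$ROUTE_OUT" |
        awk -v ifn="$2" '$1 == "interface:" && $2 == ifn { f = 1 } END { exit !f }'
}

# All three must hold for the setup to forward the IP without NAT.
check_all() {
    arp_published "$1" && ip_not_configured "$1" && route_via_wg "$1" "$2"
}

check_all "$WG_IP" "$WG_IF" && echo "OK: $WG_IP is proxied out $WG_IF"
```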
Re: Share one of machines IP via WireGuard
On 2024-06-08, Kirill A Korinsky wrote:
> On Fri, 07 Jun 2024 16:25:48 +0100,
> Stuart Henderson wrote:
>>
>> I think you'll need proxy ARP then.
>>
>
> After a few attempts to make it work, I think I need help.
>
> My setup.
>
> Server: where em0 is uplink with routed 1.2.3.4/24 and 1.2.4.5/24 with
> expected gateway 1.2.3.1 and 1.2.4.1, em0 is included into bridge0 and
> 1.2.3.4/24 is configured as input point at route domain 0.
>
> To make things simpler each IP is associated with its own MAC address and
> switch expects that 1.2.4.5 with 00:50:56:01:1d:40. So, I have:
>
> $ cat /etc/hostname.vether1
>
> lladdr 00:50:56:01:1d:40
> rdomain 2
> up
> !arp -s 1.2.4.5 00:50:56:01:1d:40 pub
>
> $ cat /etc/hostname.wg0
> rdomain 2
> wgkey ...
> wgpeer ... \
>         wgaip 1.2.4.5/32 \
>         wgpka 25
> wgport 51820
> wgrtable 0
> up
> $

rdomains will at least complicate things as you then need a way to "leak"
routes between rdomains, plus I don't think you need them. I don't think
the vether is doing anything useful either, and I think the separate MAC
is working against you

> when I run ping from client to 1.2.4.1 I see traffic on wg0 on the server,
> but I can't figure out how to redirect it to vether1 and send to the switch.
>
> I feel that I miss some piece. I see route-to in pf.conf which probably the
> missed piece but I can't figure out how to use it.

I think this should be possible with the standard route table, without
route-to. Essentially you need:

1. your machine to answer arp for the wg ip so other hosts will send
ethernet packets to it

2. your machine to not be configured with the wg ip itself

3. route entries such that those packets end up sent out the wg interface
(you may possibly need a route command with -ifp wg0)

> --
> wbr, Kirill
>

--
Please keep replies on the mailing list.
Re: Share one of machines IP via WireGuard
On Fri, 07 Jun 2024 16:25:48 +0100,
Stuart Henderson wrote:
>
> I think you'll need proxy ARP then.
>

After a few attempts to make it work, I think I need help.

My setup.

Server: where em0 is uplink with routed 1.2.3.4/24 and 1.2.4.5/24 with
expected gateway 1.2.3.1 and 1.2.4.1, em0 is included into bridge0 and
1.2.3.4/24 is configured as input point at route domain 0.

To make things simpler each IP is associated with its own MAC address and
switch expects that 1.2.4.5 with 00:50:56:01:1d:40. So, I have:

$ cat /etc/hostname.vether1

lladdr 00:50:56:01:1d:40
rdomain 2
up
!arp -s 1.2.4.5 00:50:56:01:1d:40 pub

$ cat /etc/hostname.wg0
rdomain 2
wgkey ...
wgpeer ... \
        wgaip 1.2.4.5/32 \
        wgpka 25
wgport 51820
wgrtable 0
up
$

when I run ping from client to 1.2.4.1 I see traffic on wg0 on the server,
but I can't figure out how to redirect it to vether1 and send to the switch.

I feel that I miss some piece. I see route-to in pf.conf which probably the
missed piece but I can't figure out how to use it.

--
wbr, Kirill
Re: Share one of machines IP via WireGuard
I think you'll need proxy ARP then.

--
Sent from a phone, apologies for poor formatting.

On 7 June 2024 16:23:56 Kirill A. Korinsky wrote:
> On Fri, 07 Jun 2024 12:36:20 +0100,
> Stuart Henderson wrote:
>>
>> Configure the IP address on the wg interface with some subnet of 1.2.4.0/24 that
>> includes 1.2.4.5, and use wgaip 1.2.4.5/32 (or a larger block if you wish to route
>> multiple addresses over wg) for the relevant peer.
>>
>
> Here is the catch on which I am blocked: I do have only two IPs from two
> different networks on em0 and that's all. The switch on the ISP side, I
> assume, simply routes traffic for both IPs to my port, and I struggle with
> how to redirect traffic from the wg interface to em; I can't use bridge and
> I can't expect that traffic is routed via em's IP.
>
> --
> wbr, Kirill
Re: Share one of machines IP via WireGuard
On Fri, 07 Jun 2024 12:36:20 +0100,
Stuart Henderson wrote:
>
> Configure the IP address on the wg interface with some subnet of 1.2.4.0/24 that
> includes 1.2.4.5, and use wgaip 1.2.4.5/32 (or a larger block if you wish to route
> multiple addresses over wg) for the relevant peer.
>

Here is the catch on which I am blocked: I do have only two IPs from two
different networks on em0 and that's all. The switch on the ISP side, I
assume, simply routes traffic for both IPs to my port, and I struggle with
how to redirect traffic from the wg interface to em; I can't use bridge and
I can't expect that traffic is routed via em's IP.

--
wbr, Kirill
Re: Share one of machines IP via WireGuard
On 2024-06-07, Kirill A Korinsky wrote:
> misc@,
>
> I wonder if it is possible to share an IP associated with a machine through
> a WireGuard connection?
>
> Suppose I have a machine that has two IPs on different networks:
> - 1.2.3.4/24 gw 1.2.3.1
> - 1.2.4.5/24 gw 1.2.5.1
>
> I'd like to allow incoming connections via WG to 1.2.3.4 and forward 1.2.4.5
> to the WG client.
>
> The best I can do now is create rdomain with wg and vether interfaces, and
> use PF nat to vether.
>
> But maybe it is possible to avoid NAT somehow?

Definitely is. I run externally accessible machines on my home network this
way (I have a /29 from my ISP anyway but changed to this after a line outage,
and have left it that way since).

Configure the IP address on the wg interface with some subnet of 1.2.4.0/24
that includes 1.2.4.5, and use wgaip 1.2.4.5/32 (or a larger block if you
wish to route multiple addresses over wg) for the relevant peer.

Set net.inet.ip.forwarding as usual.

--
Please keep replies on the mailing list.
Share one of machines IP via WireGuard
misc@,

I wonder if it is possible to share an IP associated with a machine through
a WireGuard connection?

Suppose I have a machine that has two IPs on different networks:
- 1.2.3.4/24 gw 1.2.3.1
- 1.2.4.5/24 gw 1.2.5.1

I'd like to allow incoming connections via WG to 1.2.3.4 and forward 1.2.4.5
to the WG client.

The best I can do now is create rdomain with wg and vether interfaces, and
use PF nat to vether.

But maybe it is possible to avoid NAT somehow?

--
wbr, Kirill