On 6/2/20 2:28 PM, Tom Eastep wrote:
> For route (such as these) in the main routing table, I prefer the system
> networking config files.
easily enough done in wireguard conf,

@remote
/etc/wireguard/wg0.conf

[Interface]
...
+ PostUp = ip -6 route del fd80:16:7::/116 dev wg0
+ PostUp = ip -6 route add fd80:16:7::/116 dev wg0 via fd10:254:254::2
+ PostDown = ip -6 route del fd80:16:7::/116 dev wg0
...

systemctl restart [email protected]
ip -6 route | egrep "fd|default"
fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
fd80:16:7::/116 via fd10:254:254::2 dev wg0 metric 1024 pref medium
fd80:16:8::/116 dev dummy0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 mtu 1500 pref medium

@local
/etc/wireguard/wg0.conf

[Interface]
...
+ PostUp = ip -6 route add default dev wg0 via fd10:254:254::1
+ PostDown = ip -6 route del default dev wg0
...

systemctl restart [email protected]
ip -6 route | egrep "fd|default"
fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
fd80:16:7::/116 dev enp3s0 proto kernel metric 256 pref medium
fd80:16:7::a000/116 dev enp3s0 proto kernel metric 256 pref medium
fd80:16:8::/116 dev wg0 metric 1024 pref medium
default via fd10:254:254::1 dev wg0 metric 1024 pref medium
still, from @local, out to the 'net FAILs

ping6 -c1 google.com
PING google.com(2607:f8b0:4005:809::200e (2607:f8b0:4005:809::200e)) 56 data bytes
From fd10:254:254::2 (fd10:254:254::2) icmp_seq=1 Destination unreachable: Address unreachable
ping6: sendmsg: Required key not available

--- google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

I notice the 'from' IPv6 on this @local->'net ping is

From fd10:254:254::2

which is the IP of the local end of the wg tunnel. that doesn't seem right @ first glance.

do I need SNAT, etc on either end in shorewall?
or, is this still best dealt with all outside of shorewall?
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
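The "sendmsg: Required key not available" in the ping output above is the kernel's ENOKEY, which WireGuard returns when no [Peer] has an AllowedIPs entry covering the packet's destination (its cryptokey routing), independently of what the main routing table says. As an added example, not from this thread or the WireGuard project, the following Python check parses a wg0.conf and reports which peer, if any, would be chosen for a destination; the config is constructed, with placeholder keys and endpoint, and assumes the @local peer lists only the tunnel and remote LAN prefixes.

```python
import ipaddress

# Constructed sample of the @local side's wg0.conf (not the poster's real
# file): keys and endpoint are placeholders, and the peer's AllowedIPs lists
# only the tunnel prefix and the remote LAN prefix seen in the thread.
SAMPLE_CONF = """\
[Interface]
Address = fd10:254:254::2/116
PrivateKey = PLACEHOLDER_PRIVATE_KEY
PostUp = ip -6 route add default dev wg0 via fd10:254:254::1
PostDown = ip -6 route del default dev wg0

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = remote.example.invalid:51820
AllowedIPs = fd10:254:254::/116, fd80:16:8::/116
"""


def parse_allowed_ips(conf_text):
    """Return [(peer_index, network), ...] from every [Peer] AllowedIPs line."""
    nets = []
    peer = -1
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line.lower() == "[peer]":
            peer += 1
        elif peer >= 0 and line.lower().startswith("allowedips"):
            _, _, value = line.partition("=")
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    nets.append((peer, ipaddress.ip_network(cidr, strict=False)))
    return nets


def cryptokey_peer(conf_text, dst):
    """Mimic WireGuard's cryptokey routing on transmit: pick the peer whose
    AllowedIPs entry is the longest prefix containing dst. None means no
    peer matches, which the kernel reports as ENOKEY and ping prints as
    'sendmsg: Required key not available'."""
    addr = ipaddress.ip_address(dst)
    best = None
    for peer, net in parse_allowed_ips(conf_text):
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (peer, net)
    return best[0] if best else None


if __name__ == "__main__":
    for dst in ("fd80:16:8::5", "2607:f8b0:4005:809::200e"):
        print(dst, "->", cryptokey_peer(SAMPLE_CONF, dst))
```

Appending `::/0` to the peer's AllowedIPs makes the public destination match, which is the precondition for the default route via wg0 to carry traffic at all; whether the far end then needs to masquerade that traffic is a separate question.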