On 6/2/20 7:39 PM, PGNet Dev wrote:
> On 6/2/20 2:28 PM, Tom Eastep wrote:
>> For route (such as these) in the main routing table, I prefer the
>> system networking config files.
>
> easily enough done in wireguard conf,
>
> @remote
>
> /etc/wireguard/wg0.conf
> [Interface]
> ...
> + PostUp = ip -6 route del fd80:16:7::/116 dev wg0
> + PostUp = ip -6 route add fd80:16:7::/116 dev wg0 via fd10:254:254::2
> + PostDown = ip -6 route del fd80:16:7::/116 dev wg0
> ...
>
> systemctl restart wg-quick@wg0.service
> ip -6 route | egrep "fd|default"
> fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
> fd80:16:7::/116 via fd10:254:254::2 dev wg0 metric 1024 pref medium
> fd80:16:8::/116 dev dummy0 proto kernel metric 256 pref medium
> default via fe80::1 dev eth0 proto ra metric 1024 mtu 1500 pref medium
>
> @local
>
> /etc/wireguard/wg0.conf
> [Interface]
> ...
> + PostUp = ip -6 route add default dev wg0 via fd10:254:254::1
> + PostDown = ip -6 route del default dev wg0
> ...
>
> systemctl restart wg-quick@wg0.service
> ip -6 route | egrep "fd|default"
> fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
> fd80:16:7::/116 dev enp3s0 proto kernel metric 256 pref medium
> fd80:16:7::a000/116 dev enp3s0 proto kernel metric 256 pref medium
> fd80:16:8::/116 dev wg0 metric 1024 pref medium
> default via fd10:254:254::1 dev wg0 metric 1024 pref medium
>
> still, from @local, out to the 'net FAILs
>
> ping6 -c1 google.com
> PING google.com(2607:f8b0:4005:809::200e (2607:f8b0:4005:809::200e)) 56 data bytes
> From fd10:254:254::2 (fd10:254:254::2) icmp_seq=1 Destination unreachable: Address unreachable
> ping6: sendmsg: Required key not available
>
> --- google.com ping statistics ---
> 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
>
> I notice the 'from' IPv6 on this @local->'net ping is
>
> From fd10:254:254::2
>
> which is the IP of the local end of the wg tunnel. That doesn't seem right @ first glance.
>
> do I need SNAT, etc on either end in shorewall?
>
> or, is this still best dealt with all outside of shorewall?
I know nothing about Wireguard, but this article seems relevant (note the
'Required key not available'):

https://bbs.archlinux.org/viewtopic.php?id=232754

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster
Shoreline,             \ with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \ can't understand
                          \________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
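An added check for the failure quoted above, not part of the thread or of Shorewall/WireGuard: WireGuard routes each outgoing packet to the peer whose AllowedIPs contains the longest prefix covering the destination (cryptokey routing), and a destination matched by no peer is dropped with ENOKEY, which is the "Required key not available" that ping6 reports. Adding a default route via wg0 with PostUp does not change that; the peer on @local must also list ::/0 in its AllowedIPs. The script below parses text in the shape of `wg show wg0 allowed-ips` output (one peer per line: public key, a tab, space-separated prefixes) and reports which peer, if any, would receive a destination. The two inputs are constructed to match the @local routes in the thread (a peer covering only fd10:254:254::/116 and fd80:16:8::/116, then the same peer with ::/0 added); the peer key is a placeholder.

```python
import ipaddress

# Constructed sample in the shape of `wg show wg0 allowed-ips` on @local:
# base64 public key, a tab, then space-separated AllowedIPs prefixes.
# The key is a placeholder, not a real peer key.
LOCAL_ALLOWED_IPS = (
    "REMOTE_PEER_PUBKEY_PLACEHOLDER=\tfd10:254:254::/116 fd80:16:8::/116\n"
)

# The same peer after ::/0 is added to its AllowedIPs, which is what a
# default route over the tunnel needs (assumed fix, not from the thread).
LOCAL_ALLOWED_IPS_FIXED = (
    "REMOTE_PEER_PUBKEY_PLACEHOLDER=\tfd10:254:254::/116 fd80:16:8::/116 ::/0\n"
)


def parse_allowed_ips(text):
    """Map each peer public key to its list of AllowedIPs networks."""
    peers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, prefixes = line.partition("\t")
        peers[key] = [
            ipaddress.ip_network(p, strict=False)
            for p in prefixes.split()
            if p != "(none)"  # wg prints "(none)" for a peer with no AllowedIPs
        ]
    return peers


def peer_for(dest, peers):
    """Return the key of the peer that would receive dest, or None.

    Cryptokey routing picks the peer whose AllowedIPs entry is the longest
    prefix covering the destination. No match means the packet is dropped
    with ENOKEY, seen in userspace as "Required key not available".
    """
    addr = ipaddress.ip_address(dest)
    best_key, best_len = None, -1
    for key, nets in peers.items():
        for net in nets:
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_key, best_len = key, net.prefixlen
    return best_key


def covers_default_route(peers, version=6):
    """True if some peer's AllowedIPs include the whole address family,
    i.e. a default route pointing at the tunnel can actually be used."""
    whole = ipaddress.ip_network("::/0" if version == 6 else "0.0.0.0/0")
    return any(net == whole for nets in peers.values() for net in nets)


def explain(dest, text):
    """One-line verdict for dest, given `wg show ... allowed-ips` text."""
    key = peer_for(dest, parse_allowed_ips(text))
    if key is None:
        return f"{dest}: no peer AllowedIPs match; wg0 will return ENOKEY"
    return f"{dest}: routed to peer {key}"


if __name__ == "__main__":
    for text in (LOCAL_ALLOWED_IPS, LOCAL_ALLOWED_IPS_FIXED):
        print(explain("fd10:254:254::1", text))       # tunnel peer address
        print(explain("2607:f8b0:4005:809::200e", text))  # google.com from the ping
```

Two caveats when applying the fix on a real host: once a peer's AllowedIPs contain ::/0, wg-quick itself installs the default route in a separate table with an fwmark rule (unless Table= is overridden), so the manual PostUp default route becomes redundant; and a ULA source such as fd10:254:254::2 cannot be used on the Internet, so @remote must forward the traffic and masquerade it (or the client must carry a global address), which is where Shorewall's SNAT/MASQUERADE rules come in.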