
On 6/2/20 7:39 PM, PGNet Dev wrote:
> On 6/2/20 2:28 PM, Tom Eastep wrote:
>> For route (such as these) in the main routing table, I prefer the
>> system networking config files.
>
>
> easily enough done in wireguard conf,
>
> @remote
>
> /etc/wireguard/wg0.conf
>
> [Interface]
> ...
> +    PostUp   = ip -6 route del fd80:16:7::/116 dev wg0
> +    PostUp   = ip -6 route add fd80:16:7::/116 dev wg0 via fd10:254:254::2
> +    PostDown = ip -6 route del fd80:16:7::/116 dev wg0
> ...
>
> systemctl restart wg-quick@wg0.service
>
> ip -6 route | egrep "fd|default"
> fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
> fd80:16:7::/116 via fd10:254:254::2 dev wg0 metric 1024 pref medium
> fd80:16:8::/116 dev dummy0 proto kernel metric 256 pref medium
> default via fe80::1 dev eth0 proto ra metric 1024 mtu 1500 pref medium
>
> @local
>
> /etc/wireguard/wg0.conf
>
> [Interface]
> ...
> +    PostUp   = ip -6 route add default dev wg0 via fd10:254:254::1
> +    PostDown = ip -6 route del default dev wg0
> ...
>
> systemctl restart wg-quick@wg0.service
>
> ip -6 route | egrep "fd|default"
> fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
> fd80:16:7::/116 dev enp3s0 proto kernel metric 256 pref medium
> fd80:16:7::a000/116 dev enp3s0 proto kernel metric 256 pref medium
> fd80:16:8::/116 dev wg0 metric 1024 pref medium
> default via fd10:254:254::1 dev wg0 metric 1024 pref medium
>
>
> Still, from @local, out to the 'net FAILs
>
> ping6 -c1 google.com
> PING google.com(2607:f8b0:4005:809::200e (2607:f8b0:4005:809::200e)) 56 data bytes
> From fd10:254:254::2 (fd10:254:254::2) icmp_seq=1 Destination unreachable: Address unreachable
> ping6: sendmsg: Required key not available
>
> --- google.com ping statistics ---
> 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
>
> I notice the 'from' IPv6 on this @local->'net ping is
>
> From fd10:254:254::2
>
> which is the IP of the local end of the wg tunnel.  That doesn't
> seem right @ first glance.
>
> Do I need SNAT, etc on either end in shorewall?
>
> Or, is this still best dealt with all outside of shorewall?
>

I know nothing about Wireguard, but this article seems relevant (note
the 'Required key not available'):

        https://bbs.archlinux.org/viewtopic.php?id=232754

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
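Added example (not from either poster): in WireGuard, sendmsg fails with ENOKEY, the "Required key not available" seen in the quoted ping6, when no peer's AllowedIPs covers the packet's destination, so a default route pushed into wg0 in PostUp only works if a peer lists ::/0. This check parses a wg-quick config for PostUp `ip route add ... dev wg0` lines and reports destinations no AllowedIPs entry fully covers; the [Peer] section and its AllowedIPs below are constructed, since the thread never shows them.

```python
import ipaddress
import re

# Constructed sample modelled on the @local wg0.conf quoted in the thread.
# The thread shows no [Peer] section, so AllowedIPs here are an assumption
# and the key values are placeholders, not real keys.
LOCAL_WG0_CONF = """\
[Interface]
Address    = fd10:254:254::2/116
PrivateKey = <local-private-key-placeholder>
PostUp     = ip -6 route add default dev wg0 via fd10:254:254::1
PostDown   = ip -6 route del default dev wg0

[Peer]
PublicKey  = <remote-public-key-placeholder>
AllowedIPs = fd10:254:254::/116, fd80:16:8::/116
"""

# Matches "ip [-4|-6] route add <dest> dev wg0 ..." inside a PostUp value.
ROUTE_ADD = re.compile(r"ip\s+(-[46])?\s*route\s+add\s+(\S+)\s+dev\s+wg0")

def parse_wg_conf(text):
    """Return (allowed_ips, postup_destinations) from wg-quick syntax."""
    allowed, dests = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:          # section headers, blanks, comments
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "AllowedIPs":
            allowed += [ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",") if v.strip()]
        elif key == "PostUp":
            m = ROUTE_ADD.search(value)
            if m:
                family, dest = m.group(1) or "-4", m.group(2)
                if dest == "default":  # "default" is ::/0 or 0.0.0.0/0
                    dest = "::/0" if family == "-6" else "0.0.0.0/0"
                dests.append(ipaddress.ip_network(dest, strict=False))
    return allowed, dests

def uncovered_routes(text):
    """Destinations routed into wg0 that no peer's AllowedIPs fully covers.

    Packets to these are refused by the kernel with ENOKEY
    ('Required key not available') instead of being encrypted and sent.
    """
    allowed, dests = parse_wg_conf(text)
    return [str(d) for d in dests
            if not any(d.version == a.version and d.subnet_of(a) for a in allowed)]

if __name__ == "__main__":
    for dest in uncovered_routes(LOCAL_WG0_CONF):
        print(f"route {dest} via wg0 has no peer with matching AllowedIPs")
```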


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
