Hi,

On Thu, Jul 21, 2016 at 03:57:42PM -0500, Bruno Wolff III wrote:
> I am trying to test using a wireguard link as a proxy and I am having
> trouble. On the source machine I am trying to route packets through wg0
> using a routing entry that has the remote end point tunnel address on a via
> command. The idea is to have the packets sent through the tunnel and then to
> do source nat on the remote side of the tunnel. The packets go to the
> interface, but do not come out the other end. Ping reports:
> From 192.168.7.2 icmp_seq=69 Destination Host Unreachable
> ping: sendmsg: Required key not available
>
> So I think the destination address in the packet is being used to find the
> tunnel key to use rather than the immediate next destination for the packet.

Yes, the notion of "immediate next destination" does not make sense for
Wireguard. It encapsulates plain IP, not Ethernet.

> Has anyone else played with something like this and gotten it to work?
>
> Some info on what I was trying:
> ip route
> default via 129.89.248.129 dev em1 proto static metric 100
> 98.103.208.26 via 192.168.7.1 dev wg0

The "via 192.168.7.1" doesn't really make sense, because a wireguard
interface is a layer-3 device, not an Ethernet device. You can include it
but the kernel will just ignore that part, so the route above is equivalent
to:

  98.103.208.26 dev wg0

> 129.89.248.128/27 dev em1 proto kernel scope link src 129.89.248.147 metric
> 100
> 192.168.7.1 dev wg0 proto kernel scope link src 192.168.7.2
>
> wg source machine
> endpoint: 98.103.208.27:992
> allowed ips: 192.168.7.1/32

You need "allowed ips 0.0.0.0/0" here.

Your situation is just a regular client/server tunneling setup, there's
nothing special about "proxying", whatever that means. Basically, you want
your client to be able to reach the whole Internet via the wireguard
interface, so any destination IP address should be routed through the server
(and conversely, any source IP address should be allowed from the server).

> wg proxy machine
> endpoint: 129.89.248.147:992
> allowed ips: 192.168.7.2/32
>
> tcpdump output from wg0
> 15:54:34.129798 IP 192.168.7.2 > 98.103.208.26: ICMP echo request, id 25371,
> seq 1, length 64
_______________________________________________ WireGuard mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/wireguard
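
The peer selection discussed in this message, as an added example (not part of the original e-mail and not WireGuard's own code): a toy Python model of the allowed-ips lookup in both directions, using the addresses from the thread. The `Interface` class and the peer names `proxy` and `client` are hypothetical.

```python
import ipaddress


class Interface:
    """Toy model of one WireGuard interface's allowed-ips table (hypothetical)."""

    def __init__(self, peers):
        # peers: {peer_name: [cidr, ...]}, as listed under "allowed ips"
        self.table = [(ipaddress.ip_network(cidr), name)
                      for name, cidrs in peers.items() for cidr in cidrs]

    def peer_for(self, addr):
        """Longest-prefix match of addr over every peer's allowed IPs."""
        ip = ipaddress.ip_address(addr)
        hits = [(net.prefixlen, name) for net, name in self.table if ip in net]
        return max(hits)[1] if hits else None

    def send(self, dst):
        """Outbound: the inner destination IP alone selects the peer.
        A route's "via" gateway plays no part. No match is the ENOKEY
        error that ping printed as "Required key not available"."""
        return self.peer_for(dst) or "ENOKEY"

    def accept(self, from_peer, src):
        """Inbound: the decrypted packet's source IP must map back to the
        peer that sent it, otherwise the packet is dropped."""
        return self.peer_for(src) == from_peer


# Addresses are the ones in the thread; peer names are made up for the example.
TARGET = "98.103.208.26"
source_as_posted = Interface({"proxy": ["192.168.7.1/32"]})
source_corrected = Interface({"proxy": ["0.0.0.0/0"]})
proxy_side = Interface({"client": ["192.168.7.2/32"]})

if __name__ == "__main__":
    print("as posted, send to target:   ", source_as_posted.send(TARGET))
    print("as posted, send to tunnel IP:", source_as_posted.send("192.168.7.1"))
    print("corrected, send to target:   ", source_corrected.send(TARGET))
    print("as posted, accept reply:     ", source_as_posted.accept("proxy", TARGET))
    print("corrected, accept reply:     ", source_corrected.accept("proxy", TARGET))
    # The proxy side needs no change: after source NAT is undone, replies are
    # addressed to 192.168.7.2, which already maps to the client peer.
    print("proxy, accept from client:   ", proxy_side.accept("client", "192.168.7.2"))
    print("proxy, send reply to client: ", proxy_side.send("192.168.7.2"))
```
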
