Hello, I am trying to set up a server/client configuration wherein the client sends ALL network traffic to and through the WireGuard server. I have set up a CentOS 7 server, a CentOS 7 client, and a Debian 9 client. The CentOS systems are using wireguard 1:0.0.20190702-1.fc30 from copr. The Debian system is using wireguard 0.0.20190227-1 from 'sid (unstable)'.
The CentOS server is operational and has the following config:
----------
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = XX

[Peer]
PublicKey = XX
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = XX
AllowedIPs = 10.0.0.3/32
----------

The Debian client is operational and has the following config:
----------
[Interface]
PrivateKey = XX
Address = 10.0.0.2/24
DNS = 1.1.1.1
PostUp = ip route flush cache
PostDown = ip route flush cache

[Peer]
PublicKey = XX
Endpoint = XX:51820
AllowedIPs = 0.0.0.0/0
-----------

Debian client routes (with WG interface active):
-----------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.X.1     0.0.0.0         UG    1024   0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 client
192.168.X.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
----------

CentOS client IS NOT routing traffic over the tunnel. Config:
-----------
[Interface]
PrivateKey = XX
Address = 10.0.0.3/24
DNS = 1.1.1.1
PostUp = ip route flush cache
PostDown = ip route flush cache

[Peer]
PublicKey = XX
Endpoint = XX:51820
AllowedIPs = 0.0.0.0/0
------------

CentOS client routes (with WG interface active):
------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.X.1     0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 client
192.168.X.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
-------

In this setup, the Debian client sends all traffic over the tunnel. I can verify this by watching tcpdump and by checking the public IP with 'curl -s checkip.dyndns.com', which returns the ENDPOINT (CentOS 7) WireGuard server public IP address. The CentOS 7 CLIENT does NOT send all the traffic over this established tunnel. The WG interface comes up and shows data transferred. I can ping the endpoint WireGuard server via 10.0.0.1. I can ping the 10.0.0.3 client from the server.
When I run 'curl -s checkip.dyndns.com' on the CentOS 7 client, I am returned my local public IP, not the VPN endpoint public IP. I use the wg-quick utility on all systems to manage the interface. The CentOS 7 version has a few differences, but nothing that should cause this anomaly to occur. Why does the CentOS 7 client NOT route traffic over the tunnel as expected? How is the same configuration working as expected to tunnel traffic on the Debian system? Where can I find more information to explain and fix this issue?

_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
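Note on the routing tables quoted above: `route -n` only prints the main table. When a peer has `AllowedIPs = 0.0.0.0/0`, wg-quick does not replace the main default route; it sets an fwmark on the WireGuard interface, puts a default route in a separate routing table (51820 unless that table is already in use) and adds two policy rules (`not fwmark <table> table <table>` and `table main suppress_prefixlength 0`), so a working client looks exactly like the Debian output above under `route -n`. The place to compare the two clients is `ip -4 rule show` and `ip -4 route show table 51820`. The script below is an added example, not part of the mailing-list post or of wg-quick itself: it prints the commands wg-quick issues for that case and checks the output of the two `ip` commands for the entries a working client must have. The interface name `client`, table number 51820 and the sample `ip` output in the usage function are assumptions taken from the post; the output format is iproute2's.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the WireGuard project).
# Assumptions: interface "client" and table/fwmark 51820 (wg-quick's default
# starting table); rule and route text in iproute2's `ip -4 rule show` /
# `ip -4 route show table <table>` format.

# The commands wg-quick's add_default runs for AllowedIPs = 0.0.0.0/0.
# None of them touch the main table, which is why `route -n` looks unchanged
# on a client that is in fact tunnelling everything.
wgquick_default_route_cmds() {
    iface=$1; table=$2
    printf '%s\n' \
        "wg set $iface fwmark $table" \
        "ip -4 route add 0.0.0.0/0 dev $iface table $table" \
        "ip -4 rule add not fwmark $table table $table" \
        "ip -4 rule add table main suppress_prefixlength 0"
}

# Given the text of `ip -4 rule show` and `ip -4 route show table <table>`,
# return 0 if all three pieces of wg-quick's policy routing are present,
# 1 if any is missing. Works on captured or constructed text, so it can be
# run on a host other than the one being diagnosed.
check_policy_routing() {
    iface=$1; table=$2; rules=$3; routes=$4
    mark_hex=$(printf '0x%x' "$table")          # ip prints fwmark in hex: 51820 -> 0xca6c
    echo "$rules"  | grep -q "not from all fwmark $mark_hex lookup $table" || return 1
    echo "$rules"  | grep -q "from all lookup main suppress_prefixlength 0" || return 1
    echo "$routes" | grep -q "^default dev $iface"                         || return 1
    return 0
}

# Live check on the machine itself (needs an up interface; not used by the
# self-test below). Prints a verdict and returns check_policy_routing's status.
diagnose_live() {
    iface=$1; table=$2
    if check_policy_routing "$iface" "$table" \
            "$(ip -4 rule show)" "$(ip -4 route show table "$table")"; then
        echo "ok: $iface is the policy-routed default route (table $table)"
    else
        echo "missing: no fwmark rule, suppress_prefixlength rule or default route for $iface in table $table"
        echo "rerun 'wg-quick up $iface' and read its stderr; it echoes every ip command it runs"
        return 1
    fi
}

# Constructed sample: what a correctly configured client prints.
sample_usage() {
    working_rules='0:	from all lookup local
32764:	from all lookup main suppress_prefixlength 0
32765:	not from all fwmark 0xca6c lookup 51820
32766:	from all lookup main
32767:	from all lookup default'
    working_routes='default dev client scope link'
    check_policy_routing client 51820 "$working_rules" "$working_routes" \
        && echo "sample: policy routing present"
}
```

Usage: run `diagnose_live client 51820` as root on each client with the interface up. If the CentOS client lacks the rules or the table-51820 route, wg-quick's own output when bringing the interface up (it prints each `ip` command before running it) shows which command did not take.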
