|
OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below. |
|
Thread Tools | Display Modes |
|
|||
pf - wireguard
Hello,
My VPN provider do openvpn or wierguard. Of course I haven't any shell access on it. My goal is to use wireguard. In a first step I do a testing network My network is Provider --- internet --- firewall --- PC firewall and PC are virtualbox computers The network firewall configuration is vio0 - 192.168.150.31 - outside vio1 - 192.168.50.242 - inside The PC network configuration is vio0 - 192.168.50.150 The pf.conf (of course it's a minimalist pfi for testing) is Code:
firewall#cat /etc/pf.conf pass out quick log on vio0 from (vio1:network) nat-to (vio0) pass out quick log on wg0 from (vio1:network) nat-to (wg) With wireguard, on my PC, the traceroute is OK, I pass into wg. The DNS is OK. But I found a problem I cannot access every web pages. I can access some https pages (j2b.fr for examp le) but not other (duckduckgo.com) firefox says "The connection has timed out" I suppose I forget a rule in pf.conf but I cannot find it. Can you help me please ? Code:
firewall# wg-quick up /etc/wireguard/wg0.conf [#] ifconfig wg0 create description wg-quick: wg0 [#] wg setconf wg0 /dev/fd/63 [#] ifconfig wg0 inet 10.140.1.31 alias [#] ifconfig wg0 mtu 1420 [#] ifconfig wg0 up [#] cp /etc/resolv.conf /etc/resolv.conf.wg-quick-backup.wg0 [#] printf nameserver %s\n 192.168.150.177 [#] route -q -n add -inet 0.0.0.0/1 -iface 10.140.1.31 [#] route -q -n add -inet 128.0.0.0/1 -iface 10.140.1.31 [#] route -q -n delete -inet X.X.X.X [#] route -q -n add -inet X.X.X.X -gateway 192.168.150.242 [+] Backgrounding route monitor firewall# wg show interface: wg0 public key: <removed> private key: (hidden) listening port: 20180 peer: <removed> endpoint: X.X.X.X:48040 allowed ips: 0.0.0.0/0 latest handshake: 20 seconds ago transfer: 92 B received, 360 B sent persistent keepalive: every 30 seconds firewall# ifconfig wg0 wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420 description: wg-quick: wg0 index 10 priority 0 llprio 3 wgport 20180 wgpubkey <removed> wgpeer <removed> wgpka 30 (sec) wgendpoint X.X.X.X 48040 tx: 392, rx: 92 last handshake: 36 seconds ago wgaip 0.0.0.0/0 groups: wg inet 10.140.1.31 netmask 0xff000000 broadcast 10.255.255.255 |
|
|||
I am pretty sure nat-to should be part of a match rule, not a pass rule, and then you will need a pass rule as well to allow the traffic.
(Please disreguard, this couldn't be wronger lol!) Last edited by vns3; 30th October 2021 at 05:51 PM. Reason: Bad advice |
|
|||
Hello jggimi,
Ok I swith to wg and hostname.wg0. My etc/hostname.wg0 is Code:
wgkey <removed> wgpeer <removed> wgaip 0.0.0.0/0 wgendpoint X.X.X.X 48040 inet 10.140.1.45 255.255.255.0 NONE !route add -priority 2 X.X.X.X 192.168.150.242 !route add 0.0.0.0/1 10.140.1.45 !route add 128.0.0.0/1 10.140.1.45 up The 192.168.150 IP is my working IP In fact my configuration is internet --- public IP - firewall - 192.168.150.242 ----- 192.168.150.31 - wireguard firewall - 192.168.50.242 --- 192.168.50.150 - working station And when the VPN is up it becomes internet --- 10.140.1.45 - wireguard firewall - 192.168.50.242 --- 192.168.50.150 - working station My route are Code:
Destination Gateway Flags Refs Use Mtu Prio Iface default 192.168.150.242 UGS 0 1 - 8 vio0 0/1 10.140.1.45 UGS 2 85 - 8 wg0 128/1 10.140.1.45 UGS 3 73 - 8 wg0 224/4 127.0.0.1 URS 0 0 32768 8 lo0 10.140.1/24 10.140.1.45 UCn 0 0 - 4 wg0 10.140.1.45 wg0 UHhl 2 263 - 1 wg0 10.140.1.255 10.140.1.45 UHb 0 0 - 1 wg0 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UHhl 1 2 32768 1 lo0 X.X.X.X 192.168.150.242 UGHS 1 1 - 2 vio0 192.168.50/24 192.168.50.242 UCn 2 0 - 4 vio1 |
|
||||
I see two errors with loopback. First, loopback should not be routed. Second, the loopback subnet has the wrong netmask. It is 128/8 (netmask 255.0.0.0). You've routed 128/1, which is netmask 128.0.0.0.
The inside of the tunnel appears to be incorrectly routed. 0.0.0.0/1 is not the default route, you should use 0.0.0.0/0 or the keyword "default". The inner route should also have a higher priority than your non-VPN default route, such as priority 7. This way, the tunnel will be used when it is available, but your non-VPN default route will be used if the tunnel is not in operation, such as when you intentionally set it "down" with ifconfig(8). The outside of the tunnel appears to be routed correctly. It has the highest routing priority. Last edited by jggimi; 31st October 2021 at 10:33 AM. Reason: clarity |
|
|||
Ok, I tried to simply my route table.
Now, i have Code:
Destination Gateway Flags Refs Use Mtu Prio Iface default 10.140.1.45 UGS 0 194 - 2 wg0 10.140.1/24 10.140.1.45 UCn 0 0 - 4 wg0 10.140.1.45 wg0 UHhl 1 2 - 1 wg0 10.140.1.255 10.140.1.45 UHb 0 0 - 1 wg0 127/8 127.0.0.1 UGS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UHhl 1 16 32768 1 lo0 XX.XX.XX.XX 192.168.150.242 UGHS 1 12 - 2 vio0 Why can I access https://google.fr and not https://duckduckgo.com for example from my PC ? Whereas, when I try to access duckduckgo page from the firewall directly it's OK Last edited by vazaro; 1st November 2021 at 08:36 AM. |
|
||||
Here's my laptop's routing table. Note that I have two default routes at different priorities: 192.168.99.1 is my inner WireGuard tunnel endpoint, and is set to -priority 7. The DHCP auto-configured default route is priority 12.
Code:
Routing tables Internet: Destination Gateway Flags Refs Use Mtu Prio Iface default 192.168.99.1 UGS 5 1356 - 7 wg0 default 192.168.1.254 UGS 5 49 - 12 iwn0 <my.server> 192.168.1.254 UGHS 0 0 - 2 iwn0 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UHhl 3 444 32768 1 lo0 192.168.1/24 192.168.1.74 UCn 1 2436 - 8 iwn0 192.168.1.74 8c:70:5a:c4:39:bc UHLl 0 3761 - 1 iwn0 192.168.1.254 dc:7f:a4:6d:3b:f1 UHLch 2 1372 - 7 iwn0 192.168.1.255 192.168.1.74 UHb 0 0 - 1 iwn0 192.168.99/24 192.168.99.3 UCn 1 0 - 4 wg0 192.168.99.1 link#0 UHch 1 2 - 3 wg0 192.168.99.3 wg0 UHl 0 29 - 1 wg0 192.168.99.255 192.168.99.3 UHb 0 0 - 1 wg0 |
|
|||
OK, I changed my route table like this
Code:
Destination Gateway Flags Refs Use Mtu Prio Iface default 10.140.1.45 UGS 5 8 - 8 wg0 224/4 127.0.0.1 URS 0 0 32768 8 lo0 10.140.1/24 10.140.1.45 UCn 0 0 - 4 wg0 10.140.1.45 wg0 UHhl 1 60 - 1 wg0 10.140.1.255 10.140.1.45 UHb 0 0 - 1 wg0 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UHhl 1 2 32768 1 lo0 185.5.46.25 192.168.150.242 UGHS 1 1 - 12 vio0 Code:
PC#traceroute google.fr 1 192.168.50.242 (192.168.50.242) 0.999 ms 0.189 ms 0.133 ms 2 10.140.0.1 (10.140.0.1) 52.082 ms 53.121 ms 53.89 ms 3 aaaaa.net (AA.BB.CC.DD) 53.36 ms 53.202 ms 54.783 ms <- VPN PROVIDER 4 bbbbb.net (EE.FF.GG.HH) 54.103 ms 53.976 ms 53.511 ms <- VPN PROVIDER 5 outside ... And so on still google. OK Code:
PC#traceroute duckduckgo.com 1 192.168.50.242 (192.168.50.242) 0.276 ms 0.184 ms 0.148 ms 2 10.140.0.1 (10.140.0.1) 52.75 ms 54.144 ms 52.801 ms 3 aaaaa.net (AA.BB.CC.DD) 54.457 ms 53.062 ms 53.515 ms <- VPN PROVIDER 4 ccccc.net (II.JJ.KK.MM) 54.079 ms 53.278 ms 53.969 ms <- VPN PROVIDER 5 outside ... And so on still google. OK If I do a tcpdump, the problem seems be in the pf rules, the ssl/tls transaction changes in the case with or without wireguard. |
|
||||
The lower the -priority number, the higher the priority of the route. Whenever there are multiple active routes to the same destination, the higher priority (or lower -priority number) will be used. According to your most recent routing table, your default route is set to -priority 4, which is HIGHER than the route to your WireGuard server -- the outside of the VPN tunnel, which is set to -priority 12.
In my configuration, the -priority for the outside of the tunnel to my WireGuard server is -priority 2. This is the HIGHEST priority that can be set with route(8), as -priority 1 is reserved for assignment by the kernel. My two default routes are set at different priorities: the "through the VPN" default route is set to -priority 7, which is higher than the "use when the VPN is down" default route, which is set to -priority 12. |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Screenshots of WireGuard Android app | J65nko | General software and network | 1 | 5th June 2021 12:00 AM |
FreeBSD port of Wireguard Code Quality Disaster | bashrules | News | 3 | 27th March 2021 08:34 AM |
WireGuard: replacement for IPsec | e1-531g | News | 15 | 16th March 2021 09:08 AM |