Alexandre Takacs
Wireguard VPN routing issue

Hi

I am getting started with WireGuard (using VeeamPN, which is in my understanding a nice GUI on top of "stock" WireGuard running in Ubuntu 18) and I am facing my first issue...

My current setup is pretty simple with two sites that I want to link:

[user-uploaded image of the two-site setup, not reproduced]
The tunnel goes up as expected and I have this config showing up:

Host A (Gateway)
root@localhost:/etc/netplan# wg
interface: wg.veeampn
  public key: 6dn2ejlfAIR8OZ9O131QqGlzbUHK5ZNw2vX3BN8Khw8=
  private key: (hidden)
  listening port: 1194
peer: Mx9YFD9awzixX9x7MH+S7nPLYEzmemosBxlIn6KZIQI=
  preshared key: (hidden)
  endpoint: x.x.x.x:1194
  allowed ips: 10.211.0.0/16, 10.210.0.0/16
  latest handshake: 24 seconds ago
  transfer: 348.14 KiB received, 317.97 KiB sent
  persistent keepalive: every 20 seconds

root@localhost:/etc/netplan# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 ens160
10.210.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
10.211.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
172.16.107.0    0.0.0.0         255.255.255.0   U     0      0        0 ens160

Host B (hub)
root@localhost:~# wg
interface: wg.veeampn
  public key: Mx9YFD9awzixX9x7MH+S7nPLYEzmemosBxlIn6KZIQI=
  private key: (hidden)
  listening port: 1194
peer: 6dn2ejlfAIR8OZ9O131QqGlzbUHK5ZNw2vX3BN8Khw8=
  preshared key: (hidden)
  endpoint: x.x.x.x:1028
  allowed ips: 10.211.0.2/32, 172.16.107.0/24
  latest handshake: 51 seconds ago
  transfer: 318.53 KiB received, 348.97 KiB sent
  persistent keepalive: every 20 seconds

root@localhost:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 ens160
10.210.0.0      0.0.0.0         255.255.0.0     U     0      0        0 tun.veeampn
10.211.0.0      0.0.0.0         255.255.0.0     U     0      0        0 wg.veeampn
172.16.107.0    0.0.0.0         255.255.255.0   U     0      0        0 wg.veeampn
172.16.215.0    0.0.0.0         255.255.255.0   U     0      0        0 ens160
_gateway        0.0.0.0         255.255.255.255 UH    100    0        0 ens160
root@localhost:~#

Accordingly, I can reach subnet A from B but not B from A, as there is no route to 172.16.215.0/24.

I would have thought that the correct routes would have been dynamically added (as in OpenVPN, for instance) on both ends (i.e. to 172.16.215.0/24 via wg on host A and to 172.16.107.0/24 via wg on host B), but for some reason it is not the case (either "by design" or because I misconfigured something).

I have read this excellent post and was wondering what would be my best course of action, as adding a static route will probably not persist in this setup.

noci

Routes should get added if mentioned in the config file.
(WG routes based on keys & profile..., and wg-quick should configure the IP stack for this).

Why are the allowed IPs in gateway A based on the 10.... network and not 172...?

Alexandre Takacs (ASKER)

Not sure... this is the "basic" config as produced by VeeamPN.

noci

I mean this line, "allowed ips: 10.211.0.0/16, 10.210.0.0/16": it is missing 172.16.215.0/24 ==> wg-quick won't add it.

I guess it should be: "allowed ips: 10.210.0.0/15 172.16.215.0/24"
(the 10.211... & 10.210... can be glued together by adjusting the netmask).
Alexandre Takacs (ASKER)

Understood - but what is my best way to get it? Is there a config file to edit, or should I use the wg command?
noci

Yes, there are wg config files (there should be, for sustained use across reboots).
Those are in /etc/wireguard/*.conf (most probably...)

The files look like the data shown on screen...
(There can be multiple peers per private key, for a hub & spoke model).
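The point noci makes across the two replies above is that wg-quick derives the kernel routes from each peer's AllowedIPs, so a remote LAN that is not listed there gets neither a route nor a matching peer for outbound packets. The script below is an added example written for this thread (it is not VeeamPN's or WireGuard's own code) that parses a wg-quick style config, lists the routes wg-quick would install, reports which remote subnets a peer cannot reach, and proposes the collapsed AllowedIPs (10.210.0.0/15 plus 172.16.215.0/24) written back into the config so the fix persists. It assumes the wg-quick file format under /etc/wireguard/<iface>.conf (noci's "most probably") and that PublicKey precedes AllowedIPs inside a [Peer] block; both config texts are constructed from the values shown in the question, with secrets omitted.

```python
"""Check whether a wg-quick [Peer] entry covers the remote site's LAN and
derive the AllowedIPs it should carry. Added example for this thread, not
VeeamPN's or WireGuard's code; assumes the wg-quick config format and that
PublicKey precedes AllowedIPs inside each [Peer] block."""
import ipaddress

# Constructed Host A (gateway) config, mirroring the 'wg' output in the
# question: the hub's LAN 172.16.215.0/24 is missing from AllowedIPs.
HOST_A_CONF = """\
[Interface]
ListenPort = 1194

[Peer]
PublicKey = Mx9YFD9awzixX9x7MH+S7nPLYEzmemosBxlIn6KZIQI=
Endpoint = x.x.x.x:1194
AllowedIPs = 10.211.0.0/16, 10.210.0.0/16
PersistentKeepalive = 20
"""

# Constructed Host B (hub) config: it already lists Host A's LAN.
HOST_B_CONF = """\
[Interface]
ListenPort = 1194

[Peer]
PublicKey = 6dn2ejlfAIR8OZ9O131QqGlzbUHK5ZNw2vX3BN8Khw8=
AllowedIPs = 10.211.0.2/32, 172.16.107.0/24
PersistentKeepalive = 20
"""


def parse_peers(conf_text):
    """Return [{'PublicKey': str, 'AllowedIPs': [ip_network, ...]}, ...]."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):  # section header: only [Peer] is tracked
            current = {"PublicKey": None, "AllowedIPs": []} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        # split on the first '=' only: base64 keys themselves end with '='
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() == "publickey":
            current["PublicKey"] = value
        elif key.lower() == "allowedips":
            current["AllowedIPs"] += [ipaddress.ip_network(p.strip(), strict=False)
                                      for p in value.split(",") if p.strip()]
    return peers


def routes_wg_quick_adds(peers):
    """wg-quick installs one kernel route per AllowedIPs entry; that is why
    Host A only has 10.210/16 and 10.211/16 on wg.veeampn."""
    nets = {n for p in peers for n in p["AllowedIPs"]}
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))]


def unreachable(peers, wanted):
    """Subnets (as strings) that no peer's AllowedIPs fully covers. WireGuard's
    cryptokey routing drops outbound packets to such destinations, and
    wg-quick adds no route for them either."""
    allowed = [n for p in peers for n in p["AllowedIPs"]]
    missing = []
    for w in (ipaddress.ip_network(s, strict=False) for s in wanted):
        if not any(w.subnet_of(a) for a in allowed if a.version == w.version):
            missing.append(str(w))
    return missing


def suggested_allowed_ips(peers, wanted):
    """Existing AllowedIPs plus the wanted subnets, with adjacent prefixes
    collapsed (10.210.0.0/16 + 10.211.0.0/16 -> 10.210.0.0/15)."""
    nets = [n for p in peers for n in p["AllowedIPs"]]
    nets += [ipaddress.ip_network(s, strict=False) for s in wanted]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def rewrite_allowed_ips(conf_text, public_key, allowed):
    """Return conf_text with the AllowedIPs line of the peer identified by
    public_key replaced, so the change survives a wg-quick restart."""
    out, in_target = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_target = False
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "publickey" and value == public_key:
                in_target = True
            elif key.lower() == "allowedips" and in_target:
                raw = "AllowedIPs = " + ", ".join(allowed)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    a_peers = parse_peers(HOST_A_CONF)
    print("Host A routes added by wg-quick:", routes_wg_quick_adds(a_peers))
    print("Host A cannot reach:", unreachable(a_peers, ["172.16.215.0/24"]))
    print("Host B cannot reach:", unreachable(parse_peers(HOST_B_CONF), ["172.16.107.0/24"]))
    fix = suggested_allowed_ips(a_peers, ["172.16.215.0/24"])
    print(rewrite_allowed_ips(HOST_A_CONF, a_peers[0]["PublicKey"], fix))
```

The hub side stays as it is (10.211.0.2/32, 172.16.107.0/24 for the spoke): because WireGuard selects the outbound peer by AllowedIPs, a LAN may be claimed by only one peer on the hub, so the /15 aggregate belongs only on the spoke, where the hub is the single peer. Running a check like this against each site's config before trusting the tunnel catches the asymmetric case in the question without having to ping across and read the routing table.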

ASKER CERTIFIED SOLUTION
Alexandre Takacs

This solution is only available to members.