I've added a LOG iptables rule to the server, in order to diagnose router configuration problems. wireguard: wg0-simon: Sending handshake initiation to peer 3 (1.2.3.4:33456) wireguard: wg0-simon: Handshake for peer 3 (1.2.3.4:33456) did not complete after 5 seconds, retrying (try 2) Activating debug messages on the client and adding a LOG rule into iptables, that logs OUTPUT packets, I get lots of these: IN= OUT=wlp4s0 SRC=10.150.44.32 DST=1.2.3.4 LEN=176 TOS=0x08 PREC=0x80 TTL=64 ID=2797 PROTO=UDP SPT=36883 DPT=33456 LEN=156 Starting wireguard on both systems does not establish the VPN connection. Here is a dirty diagram that depicts the situation: Client B -> LAN B -> VDSL Router B (NAT) -> the internet -> ZyWALL (NAT) -> LAN A -> Server A PrivateKey = YA9cRlF4DgfUojqz6pK89poB71UFoHPM6pdMQabWf1I= PublicKey = QnkTJ+Qd9G5EybA2lAx2rPNRkxiQl1W6hHeEFWgJ0zc=ĪllowedIPs = 10.31.33.211/32, fc00:31:33::3/128Īnd here is client B wireguard configuration (again, keys and domain aren't the real ones): # PostDown = iptables -t nat -D POSTROUTING -s 10.31.33.0/24 -o enp1s0 -j MASQUERADE ip6tables -t nat -D POSTROUTING -s fc00:31:33::/64 -o enp1s0 -j MASQUERADE # PreUp = iptables -t nat -A POSTROUTING -s 10.31.33.0/24 -o enp1s0 -j MASQUERADE ip6tables -t nat -A POSTROUTING -s fc00:31:33::/64 -o enp1s0 -j MASQUERADE PrivateKey = iJE/5Qy4uO55uUQg8nnDKQ/dFT1MEq+tDfFXrGNj3GY= Here is the server A wireguard configuration file (keys in this snippet, despite being valid, aren't the real ones): Īddress = 10.31.33.100/24, fc00:31:33::1/64 Here is the relevant configuration screen:
Router/firewall A (ZyWALL USG 100) is configured to allow UDP packets on port 23456 through it and forwards them to server A. Router B is a consumer grade VDSL router and it allows everything in outbound direction, only replies inbound. System B is behind VDSL router B and it acts as wireguard client, pointing to the dynamically updated "A record" and port 33456. It does so once every minute, but the public IP address actually changes only on reboot of the router/firewall, which basically never happens. System A is the server, and it dynamically updates a dedicated "A record" in the authoritative nameserver for its internet domain, with the correct public IP address its internet facing router A (ZyWALL USG 100 firewall) is assigned with. Both run a kernel version > 5.6 (wireguard mainlined). I have two Debian GNU/Linux systems (bullseye/sid), both running wireguard on port 23456, both behind NAT.
0 kommentar(er)
