Wireguard - Cannot Reach Green Except IPFire Itself

I swapped over to a new desktop today, and after having used IPSec extensively for years for Net-to-Net, and less extensively for Host-to-Net, I had issues setting up my connection. I also noticed that Trail of Bits’ Algo product has deprecated IPSec for Windows in favor of Wireguard, so I figured I’d give it a try.

After minimal effort (stumbled a little around the subnet parameter - it wasn’t clear if it should be a subset of green/blue or its own unique subnet), I got it configured and it connects happily. I can connect to the IPFire WUI, and I can browse the internet, and sites like IPChicken show my IP as the IP of the IPfire box, not my local IP. DNS worked right out of the box, too, but I’m not split tunnelling, so that’s not terribly surprising.

HOWEVER - I cannot contact any OTHER devices on the green network. I can connect to devices on the blue network, and I can connect to devices on the far side of various IPSec Net-to-Net tunnels.

The only thing I can think of is the client pool may be causing me issues. Here are my settings:

Green Subnet: 10.x.2.0/24
Client Pool: 10.x.224/28

OpenVPN has a completely different subnet chosen instead of choosing a subset of the Green network. Should I be doing that?

Hi Tom,

Yes, the WireGuard subnet should be totally separate from the green subnet, the blue subnet and the openvpn dynamic subnet and any openvpn fixed pool subnet defined, or any other subnet used anywhere else on IPFire.

Got it, that was my assumption when things didn’t work right.

I changed the pool on the IPFire end, but then NOTHING works. I assume I need to delete the existing client and add a new one?


Yes, you will need to redo the client import or setup.

OK, so I deleted the client definition, then changed the subnet to its own unique subnet, then installed the new configuration on the client PC. Now, I am able to reach the IPFire WUI, but literally nothing else. No internet, no IPSec, nothing else on green, and nothing on blue.

I tried (in desperation) to create a firewall rule to allow the wireguard client pool to access all standard networks, but that’s no use. I’m sure I’m missing something obvious, but I can’t imagine what it is.

In further testing, I have even more perplexing results. I created a second peer definition for this host, and changed the allowed IPs from 0.0.0.0/0 to match the combined subnet for our Green/Blue networks (10.x.0.0/23).

That should allow me access to blue and green, but not anywhere else. On the contrary, I can reach the IPFire WUI and I can reach the Internet, but that’s it. Nothing on Blue or Green.

The default 0.0.0.0/0 enables the road warrior to connect to all systems at the end of the wireguard tunnel so should be the easiest to connect to other systems.

I just tested it with my vm setup and I was able to connect with my wireguard RW config and I could then ping a machine on the green vm network via wireguard. I then ssh’d into the machine on the green vm network, which occurred successfully, and I was then able to do directory listings and read files on the green machine via wireguard.

I disconnected the wireguard tunnel on my laptop and then I was unable to access anything on the green machine. So that confirms that my connection was via the wireguard tunnel.

The only thing I can think of is that you started out with using overlapping subnets. Maybe you need to clear everything away and not just delete the old client and create a new client.

Check the contents of

/var/ipfire/wireguard/settings
and
/var/ipfire/wireguard/peers

to make sure that the IPs in the client lines from the peers file are from the subnet defined in the settings file.

Make sure that the settings defined in the peers file match the client settings that have been put into your client.
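One way to run the checks discussed in this thread (the pool-overlap question from the opening post and the settings/peers consistency check above), as an added example that is not part of the original thread or of IPFire's own code. It assumes the subnets are passed in as strings; it does not parse the real /var/ipfire/wireguard files, and the 10.x.* addresses from the thread are replaced with constructed 10.0.* values.

```python
"""Sanity checks for a WireGuard road-warrior pool on IPFire (added example)."""
from ipaddress import ip_address, ip_network


def overlapping_subnets(pool: str, others: dict[str, str]) -> list[str]:
    """Names of existing subnets that overlap the proposed WireGuard client pool."""
    p = ip_network(pool, strict=False)
    return [name for name, net in others.items()
            if p.overlaps(ip_network(net, strict=False))]


def peers_outside_pool(pool: str, peer_ips: list[str]) -> list[str]:
    """Peer addresses (peers file) that are not inside the pool from the settings file."""
    p = ip_network(pool, strict=False)
    return [ip for ip in peer_ips if ip_address(ip) not in p]


def unreachable_targets(allowed_ips: list[str], targets: dict[str, str]) -> list[str]:
    """Target networks not fully covered by the client's AllowedIPs list."""
    allowed = [ip_network(a, strict=False) for a in allowed_ips]
    return [name for name, net in targets.items()
            if not any(ip_network(net, strict=False).subnet_of(a) for a in allowed)]


# Constructed stand-ins for the thread's 10.x.* values (not real addresses).
NETWORKS = {"green": "10.0.2.0/24", "blue": "10.0.3.0/24", "openvpn": "10.0.200.0/24"}
BAD_POOL = "10.0.2.224/28"    # carved out of green, as in the first attempt
GOOD_POOL = "10.0.230.0/28"   # a dedicated subnet, as recommended in the reply


def report(pool: str, peer_ips: list[str], allowed_ips: list[str]) -> dict[str, list[str]]:
    """Collect all three findings for one pool / peer / AllowedIPs combination."""
    return {
        "overlaps": overlapping_subnets(pool, NETWORKS),
        "peers_outside_pool": peers_outside_pool(pool, peer_ips),
        "uncovered_targets": unreachable_targets(allowed_ips, NETWORKS),
    }


if __name__ == "__main__":
    print(report(BAD_POOL, ["10.0.2.225"], ["0.0.0.0/0"]))
    # A peer imported before the pool change still carries an address from the old pool.
    print(report(GOOD_POOL, ["10.0.2.225"], ["0.0.0.0/0"]))
    # AllowedIPs narrowed to the green/blue supernet covers both but nothing else.
    print(report(GOOD_POOL, ["10.0.230.2"], ["10.0.2.0/23"]))
```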

Thanks for your help and patience, Adolf. On my end, none of this is working correctly, and I cannot figure out why. Perhaps that other subnet I used got stuck somewhere in one of the files controlling the firewall or…?

All I know is that the settings in the wireguard files you mention match both the IPFire WUI and the client configuration. Everything should be working, as-is. Nonetheless, I can still only connect to the IPfire host itself, even when using a peer config that has the allowed IPs set to 0.0.0.0/0.

I should add that I am able to resolve DNS properly, via IPFire, but pinging or otherwise trying to contact any of those hosts does not work.

Can you confirm that I should not need to create any firewall rules to allow access to red, green, blue, or remote IPSec networks?

Sorry for late reply.

I don’t know for sure with blue and ipsec but for red and green you definitely don’t need to create any firewall rules as the required ones are automatically created. Red and green are fully accessible by myself without any special firewall rules.
EDIT:
Confirmed that I can access systems in the orange network via the wireguard tunnel without any additional firewall rules. So access to the blue network systems should also work without any specially created firewall rules.

Unfortunately I also have no idea what could be causing the problem.