I can’t easily reach wireguard peers from the ipfire box because the wg0 interface doesn’t have an IP address (and I can’t find anywhere in the GUI to assign it one). As a result, the wireguard-bound packets have the external red0 address, which isn’t a working return path. Any other source on the green subnet is fine, since my remote machine expects to reach those via wg. The cleanest solution I found was simply to pick an address out of the wg pool/subnet and assign it manually to wg0 - it seems to solve all the issues - but I don’t easily know how to persist it.
It might be better if you explain what it is that you are trying to achieve, as you might have gone down the wrong path.
wg0 is not given a fixed “gateway” address because in IPFire it is used only as the road-warrior listener. The problem you describe hints that you are into net-2-net territory: you need to connect to services with IPs in the wireguard client pool.
Hello,
it is correct that the wg0 interface does not have an IP address. WireGuard creates a point-to-point connection, and as the name suggests, the tunnel is going from one place to another. There is no need to use a gateway, because the tunnel is actually only able to reach the other endpoint. And from there on… well, that is a whole different story.
If you allow the client for example to reach the GREEN subnet, the firewall should use its IP address in that subnet to reach any clients.
I’m surprised if what I’m doing is unusual. I have a few individual satellite machines physically distant from home base, and wireguard works well to link them virtually back home, and ipfire for the most part does a great job of routing. The remote machines (let’s say using a 192.168.* pool) can talk to everything on the home network (let’s call it 10.*), which includes the ipfire firewall itself if they target the green interface (let’s call that one 10.0.0.1). They can also talk to each other, which is ideal for me. I imagine it’s possible to add firewall rules to prevent that, but I’m happy to have 10.* and the 192.168.* wireguard pool joined into an effectively flat network, not caring that under the covers the wireguard hosts are reached by individual point-to-point tunnel links mediated by ipfire.
The only problem is that the ipfire machine itself can’t reach any of the wireguard hosts. This is what I tried to say originally, and I just don’t understand the replies. I have plenty of reasons to want to be able to reach the machines. Let’s say one of them is running a web server and I simply want to make an http request. I can do this from every machine I own, except the ipfire box.
Let me take a simple ICMP example. The wireguard hosts can all successfully ping the ipfire box:
tcpdump: listening on wg0, link-type RAW (Raw IP)
IP 192.168.99.99 > 10.0.0.1: ICMP echo request, id 70, seq 1, length 64
IP 10.0.0.1 > 192.168.99.99: ICMP echo reply, id 70, seq 1, length 64
but the same isn’t true in reverse:
tcpdump: listening on wg0, link-type RAW (Raw IP)
IP 203.0.113.42 > 192.168.99.99: ICMP echo request, id 86, seq 1, length 64
IP 203.0.113.42 > 192.168.99.99: ICMP echo request, id 86, seq 2, length 64
IP 203.0.113.42 > 192.168.99.99: ICMP echo request, id 86, seq 3, length 64
and the reason is pretty evident: the ping requests have the red interface as the source, since that’s Linux’s best-efforts fallback, almost a coin flip, because the wg0 interface does not have an address. Now for ping one can override it; ping -Iwg0 -I10.0.0.1 192.168.99.99 will work, to overcome the lack of configuration, but this isn’t practical more generally.
I vaguely infer from the replies above that maybe everything I’ve written here is already understood, and the point is that because the ipfire system itself has no need ever to connect to the wireguard hosts, it’s therefore a sort of a “feature” that routing is missing. That for me would be unfortunate.
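An added check (my own example, not code from the thread or from IPFire) that confirms the symptom above offline: it reads the preferred source from `ip -o route get <peer>` output, flags a source outside the subnets the peer can route back to, and lists ICMP ids that saw requests but no replies. The addresses (GREEN 10.0.0.1, pool 192.168.99.0/24, RED 203.0.113.42) and the sample output lines are assumptions taken from this thread.

```python
"""Spot the wrong-source-address problem for WireGuard peers on a Linux router.
Assumes the thread's addressing: GREEN 10.0.0.1, pool 192.168.99.0/24, RED 203.0.113.42."""
import ipaddress
import re
import subprocess

# Subnets a packet heading for the WireGuard pool may legitimately come from;
# the remote peer only knows how to send replies back to these.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.99.0/24")]

SRC_RE = re.compile(r"\bsrc (\S+)")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+)")


def route_src(ip_route_get_output: str):
    """Preferred source address the kernel chose, from `ip -o route get` output."""
    m = SRC_RE.search(ip_route_get_output)
    return m.group(1) if m else None


def source_is_sane(src: str) -> bool:
    """True when src lies in a subnet the peer can route back to (not RED)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def live_source_for(dst: str):
    """Ask the running kernel which source it would use for dst (needs iproute2)."""
    out = subprocess.run(["ip", "-o", "route", "get", dst],
                         capture_output=True, text=True, check=True).stdout
    return route_src(out)


def unanswered_echo_ids(tcpdump_lines):
    """ICMP ids with echo requests but no replies: the one-way symptom on wg0."""
    requests, replies = set(), set()
    for line in tcpdump_lines:
        m = ICMP_RE.search(line)
        if m:
            (requests if m.group(3) == "request" else replies).add(m.group(4))
    return sorted(requests - replies, key=int)


if __name__ == "__main__":
    # Constructed `ip -o route get 192.168.99.99` output for both cases in the thread.
    bad = "192.168.99.99 dev wg0 src 203.0.113.42 uid 0 \\    cache"
    good = "192.168.99.99 dev wg0 src 10.0.0.1 uid 0 \\    cache"
    for out in (bad, good):
        src = route_src(out)
        print(src, "ok" if source_is_sane(src) else "RED source, peer cannot reply")
```

Running `live_source_for("192.168.99.99")` on the firewall itself shows what the kernel will actually pick once an address (or a route with an explicit source) is in place.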
I think your first reply above has the answer. net2net is probably what you’re looking for.
I agree the IPFire wireguard implementation works great, and I backported the wireguard feature from IPFire to my IPFire clone BPFire. I also added an IP address to the wg0 interface in this wireguard: add IP on road warrior interface wg0 · vincentmli/bpfire@c7e72c5 · GitHub; if the IPFire devs are interested in this, it could be added in IPFire.