Wireguard VPN net-to-net local/remote subnets question

VPNs
1

Hi,
I try to configure a IPFire net-to-net setup, but I do not understand what I have to specify for local/remote subnet parameters.

My setup is as follows:

image
image608×823 49.5 KB

I need to route all networks (orange, green & blue) between both IPFire’s (A & B).

Currently I have configured::

IPFire A:

local subnets: 192.168.2.0/24,192.168.3.0/24,192.168.4.0/24
remote subnets: 192.168.120.0/24, 192.168.130.0/24,192.168.140.0/24

IPFire B:

local subnets: 192.168.120.0/24, 192.168.130.0/24,192.168.140.0/24
remote subnets: 192.168.2.0/24,192.168.3.0/24,192.168.4.0/24

VPN Connection is shown green on both IPFire’s (A&B), but no traffic is routed between the two locations.

Any help appreciated!

Many thanks!

Best regards
Patrick

2

Hello Patrick,

your configuration seems correct.

You could have the firewall blocking this if you have configured it to do so. For example to block everything by default unless access is granted. And you could check to ping from one side to the other one to at least reach the firewall.

tcpdump is also your friend :slight_smile:

3

Hello Michael,

Thanks for your reply.

I tried today with the following routing parameters:

IPFire A:
local subnets: 192.168.1.0/24,192.168.3.0/24
remote subnets: 192.168.0.0/16

IPFire B:
local subnets: 192.168.0.0/16
remote subnets: 192.168.1.0/24,192.168.3.0/24

Like this, I could reach (ping & ssh) from devices on IPFire B (blue) the IPFire A itself, but not any device on IPFire A’s green network (and vice versa).

Do I need to configure a FW rule for incoming connections from red to (orange, green, blue) the local and/or remote VPN port ?
I thought this is automatically done when Wireguard n2n is enabled/configured …

Currently the FW rules (IPFire B) look like this:

image
image1629×452 44.6 KB

Sorry for the question, but I’m not very familiar with tcpdump yet :frowning:

Many thanks!
Patrick

4

The following examples of commands may be helpful

For ICMP packets outgoing from the green0 interface
tcpdump -i green0 -n icmp -Q out

For ICMP packets incoming to the green0 interface
tcpdump -i green0 -n icmp -Q in

Both directions are visible
tcpdump -i green0 -n icmp

5

Have you changed the default firewall policy?

6

It is also important to remember that for communication to be two-way:

  • hosts in the green, blue and orange subnets on IPFireB must accept connections from the green, blue and orange subnets on IPFireA

  • hosts in the green, blue and orange subnets on IPFireA must accept connections from the green, blue and orange subnets on IPFireB

7

No, it’s default on both sides.

image
image1611×474 34.3 KB

Eh … to be honest I can’t check on IPFire A, because currently I cannot reach it at all due to mistake from my side. Have to go to site A physically tomorrow and fix it first.

8

the host on the local subnets (orange, green, blue) should accept connections; I did not block anything on the hosts.
and I believe that ping -R xxx.xxx.xxx.xxx should work anyway - or I’m wrong ?

9

Thanks!

I’ll try these commands tommorrow when I can reach IPFire A again :slight_smile:

BTW, I had a working Wireguard Roadwarrier connection from a host behind IPFire B to all hosts behind IPFire A (with ssh, access to my mail server to read emails and to the NAS box) while experimenting with the n2n setup and with ‘ping -R’, I was able to track the route the ping pakets did take…

  • from the roadwarrier host the the VPN tunnel (client pool ip) to a host behind IPFire A
  • from the hosts on the n2n VPN tunnel I could only reach the IPFire on the other site.
10

Maybe the following post will be helpful too
https://community.ipfire.org/t/wireguard-small-hints-for-various-configurations/

1 Like
11

The -R switch does not always work/does not work everywhere.

12

obraz
obraz243×253 12.6 KB

What is the Red subnet on IPFire A?

13

192.168.1.0/24

14

Which configuration is currently in use?

15

this:

IPFire A:
local subnets: 192.168.1.0/24,192.168.3.0/24
remote subnets: 192.168.0.0/16

IPFire B:
local subnets: 192.168.0.0/16
remote subnets: 192.168.1.0/24,192.168.3.0/24

and I can ping from IPFire B a host in green subnet of IPFire A

[root@ipfire ~]# ping -R 192.168.3.220
PING 192.168.3.220 (192.168.3.220) 56(124) bytes of data.
64 bytes from 192.168.3.220: icmp_seq=1 ttl=63 time=58.4 ms
RR: 192.168.130.1
192.168.3.1
192.168.3.220
192.168.3.220
192.168.3.1
192.168.130.1

64 bytes from 192.168.3.220: icmp_seq=2 ttl=63 time=57.9 ms (same route)
64 bytes from 192.168.3.220: icmp_seq=3 ttl=63 time=58.9 ms (same route)
^C
— 192.168.3.220 ping statistics —
4 packets transmitted, 3 received, 25% packet loss, time 3005ms
rtt min/avg/max/mdev = 57.856/58.383/58.891/0.422 ms

but it does not work from a host on the green or blue subnet on IPFire B although i connected to IPFire B via ssh from the blue subnet

in my understanding:
IPFire B does not route the traffic from blue subnet into the tunnel to IPFire A (for whatever reason), although the tunnel is existing as the above ping command shows .. but I far away from beeing an expert …

output of wg show:

interface: wg1
public key: xxxxx
private key: (hidden)
listening port: 60166

peer: yyyyyy
preshared key: (hidden)
endpoint: zz.zz.z.z.:61001
allowed ips: 192.168.1.0/24, 192.168.3.0/24
latest handshake: 1 minute, 36 seconds ago
transfer: 48.71 KiB received, 65.09 KiB sent
persistent keepalive: every 25 seconds

16

Normally, for net-net VPN’s the local and remote subnets should not overlap. In your case they do as 192.168.0.0/16 covers both 192.168.1.0/24 and 192.168.3.0/24.

1 Like
17

Thanks for your answer.

As I understood the help, the subnets from the different VPN types (OpenVPN, IPSec and/or Wireguard) shall not overlap only if mutiple types are in use. As I use only WG, this was not an issue for me (I might be wrong)

However, my first configuration was like this (no subnet overlapping):

and it didn’t work as well

18

I’d stick with your first configuration and troubleshoot that.

2 Likes
19

A few tips for configuring WireGuard N2N with 3 zones

obraz
obraz1586×1051 125 KB

IPFireA

obraz
obraz1961×1041 226 KB

IPFireB

obraz
obraz1964×1044 226 KB

IPFireA

obraz
obraz1059×770 37.2 KB

IPFireA

obraz
obraz851×746 31.8 KB

edit
The above results were obtained from a test environment set up between two IPFire CU200 devices.

1 Like
20

OK, I’ll do that.

Unfortunately I had no network access anymore to IPFire A’s site after my last change (even not with the roadwarrier client) and a friend had to drive to site A and reboot the IPFire A.
I don’t know really if this was a coincidence or not but now I don’t dare to change anything on IPFire A as I need access at least via the roadwarrier client to my hosts on site A. (I’m currently abroad)

I’ll continue to troubleshot and change configuration (to no overlapping subnets) back for sure when I’m home again, but for now I will just try to analyze and understand with the information given under this topic, especially also the last post seems quite interesting to me (tips for configuring WireGuard N2N with tree zones), as it is saying that:

e.g: blueA → greenB requires Blue access setup and a FW rule

I guess this is might be the reason for the follwing output:

[root@ipfire ~]# tcpdump -v -i blue0 -n icmp | grep 98
tcpdump: listening on blue0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:55:14.318039 IP (tos 0x0, ttl 64, id 7798, offset 0, flags [none], proto ICMP (1), length 84)
192.168.140.98 > Public IP ISP router(IPFireA): ICMP 192.168.140.98 udp port 40447 unreachable, length 132
Public IP ISP router(IPFireA).51820 > 192.168.140.98.40447: UDP, length 96