TunSafe Forum

Welcome to the TunSafe Community Forum. This is open for discussions related to TunSafe and the WireGuard protocol.


#1 2018-03-11 13:01:49

question
Member
Registered: 2018-03-11
Posts: 5

Is TunSafe only point-to-point or can it act as a client?

I'm running WireGuard in server configuration ( https://wiki.archlinux.org/index.php/Wi … VPN_server ) on Linux and I'm trying to set up TunSafe. I managed to set up a point-to-point connection (I can ping the WG server IP), but my default route still goes through my ISP. How can I route all my traffic from Windows through the TunSafe interface?

Offline

#2 2018-03-11 13:15:04

question
Member
Registered: 2018-03-11
Posts: 5

Re: Is TunSafe only point-to-point or can it act as a client?

Just to give more details, I managed to do the point-to-point connection using AllowedIPs = 192.168.88.0/24.

But when I tried to set AllowedIPs = 0.0.0.0/0, I can't ping almost any internet IP (e.g. 8.8.8.8). I can ping my real gateway and the VPN server's public and private IPs; that's about all.
[13:11:09] Added Route WG_PUBLIC_IP/32    => 192.168.2.1         
[13:11:09] Added Route 0.0.0.0/1            => 192.168.88.1       
[13:11:09] Added Route 128.0.0.0/1          => 192.168.88.1

Offline

#3 2018-03-11 17:34:27

ludde
Administrator
Registered: 2018-03-09
Posts: 128

Re: Is TunSafe only point-to-point or can it act as a client?

You need to setup NAT on the Linux server. Did you do that already?

Offline

#4 2018-03-11 17:36:51

question
Member
Registered: 2018-03-11
Posts: 5

Re: Is TunSafe only point-to-point or can it act as a client?

I think so. Isn't that what the PostUp action does in the configuration I linked? Or should I do it differently?

Offline

#5 2018-03-11 18:04:01

ludde
Administrator
Registered: 2018-03-09
Posts: 128

Re: Is TunSafe only point-to-point or can it act as a client?

Yes, that looks like it. I'm not exactly a Linux expert though :)

Check what
sysctl net.ipv4.ip_forward
says. Make sure it's 1.

Offline

#6 2018-03-11 18:16:47

question
Member
Registered: 2018-03-11
Posts: 5

Re: Is TunSafe only point-to-point or can it act as a client?

net.ipv4.ip_forward = 1

I suspect a problem on the Windows side in routing. My routing table is unfortunately more complex than necessary because Cisco VPN, VirtualBox and Hamachi all have their own virtual interfaces polluting the table. But all of them are currently inactive.

Here's my Windows routing table before and after I connect TunSafe:

Before connecting:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.100     20
          0.0.0.0          0.0.0.0        10.80.8.1      10.80.8.225     21
        10.80.8.0    255.255.255.0       On-link         10.80.8.225    276
      10.80.8.225  255.255.255.255       On-link         10.80.8.225    276
      10.80.8.255  255.255.255.255       On-link         10.80.8.225    276
        127.0.0.0        255.0.0.0       On-link           127.0.0.1    306
        127.0.0.1  255.255.255.255       On-link           127.0.0.1    306
  127.255.255.255  255.255.255.255       On-link           127.0.0.1    306
      169.254.0.0      255.255.0.0       On-link      169.254.197.10    266
   169.254.197.10  255.255.255.255       On-link      169.254.197.10    266
  169.254.255.255  255.255.255.255       On-link      169.254.197.10    266
      192.168.2.0    255.255.255.0       On-link       192.168.2.100    276
    192.168.2.100  255.255.255.255       On-link       192.168.2.100    276
    192.168.2.255  255.255.255.255       On-link       192.168.2.100    276
        224.0.0.0        240.0.0.0       On-link           127.0.0.1    306
        224.0.0.0        240.0.0.0       On-link       192.168.2.100    276
        224.0.0.0        240.0.0.0       On-link      169.254.197.10    266
        224.0.0.0        240.0.0.0       On-link         10.80.8.225    276
  255.255.255.255  255.255.255.255       On-link           127.0.0.1    306
  255.255.255.255  255.255.255.255       On-link       192.168.2.100    276
  255.255.255.255  255.255.255.255       On-link      169.254.197.10    266
  255.255.255.255  255.255.255.255       On-link         10.80.8.225    276

After connecting:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.100     20
          0.0.0.0          0.0.0.0        10.80.8.1      10.80.8.225     21
          0.0.0.0        128.0.0.0     192.168.88.1     192.168.88.2    120
        10.80.8.0    255.255.255.0       On-link         10.80.8.225    276
      10.80.8.225  255.255.255.255       On-link         10.80.8.225    276
      10.80.8.255  255.255.255.255       On-link         10.80.8.225    276
        127.0.0.0        255.0.0.0       On-link           127.0.0.1    306
        127.0.0.1  255.255.255.255       On-link           127.0.0.1    306
  127.255.255.255  255.255.255.255       On-link           127.0.0.1    306
        128.0.0.0        128.0.0.0     192.168.88.1     192.168.88.2    120
      169.254.0.0      255.255.0.0       On-link      169.254.197.10    266
   169.254.197.10  255.255.255.255       On-link      169.254.197.10    266
  169.254.255.255  255.255.255.255       On-link      169.254.197.10    266
      192.168.2.0    255.255.255.0       On-link       192.168.2.100    276
    192.168.2.100  255.255.255.255       On-link       192.168.2.100    276
    192.168.2.255  255.255.255.255       On-link       192.168.2.100    276
     192.168.88.0    255.255.255.0       On-link        192.168.88.2    276
     192.168.88.2  255.255.255.255       On-link        192.168.88.2    276
   192.168.88.255  255.255.255.255       On-link        192.168.88.2    276
   195.178.95.132  255.255.255.255      192.168.2.1    192.168.2.100    120
        224.0.0.0        240.0.0.0       On-link           127.0.0.1    306
        224.0.0.0        240.0.0.0       On-link       192.168.2.100    276
        224.0.0.0        240.0.0.0       On-link        192.168.88.2    276
        224.0.0.0        240.0.0.0       On-link      169.254.197.10    266
        224.0.0.0        240.0.0.0       On-link         10.80.8.225    276
  255.255.255.255  255.255.255.255       On-link           127.0.0.1    306
  255.255.255.255  255.255.255.255       On-link       192.168.2.100    276
  255.255.255.255  255.255.255.255       On-link        192.168.88.2    276
  255.255.255.255  255.255.255.255       On-link      169.254.197.10    266
  255.255.255.255  255.255.255.255       On-link         10.80.8.225    276

Offline
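As an added illustration (not code from the thread or from TunSafe), the Python below reproduces Windows route selection over a constructed subset of the two tables above. It shows why the two /1 routes that TunSafe installs for AllowedIPs = 0.0.0.0/0 take over from the ISP default route despite their higher metric, and why the /32 host route to 195.178.95.132 (presumably the WG_PUBLIC_IP/32 route from the earlier log) keeps the encrypted WireGuard traffic itself on the physical gateway. Rows and target addresses are taken from the posted tables; the selection logic is standard longest-prefix match with the metric as tie-breaker.

```python
import ipaddress

# Constructed subset of the two Windows "route print" tables posted above:
# (destination, netmask, gateway, interface, metric). Only the rows that
# matter for the default route are kept. "On-link" means the destination
# is directly attached, so the interface address itself is the next hop.
BEFORE = [
    ("0.0.0.0", "0.0.0.0", "192.168.2.1", "192.168.2.100", 20),
    ("0.0.0.0", "0.0.0.0", "10.80.8.1", "10.80.8.225", 21),
    ("192.168.2.0", "255.255.255.0", "On-link", "192.168.2.100", 276),
]
# Rows TunSafe adds for AllowedIPs = 0.0.0.0/0: two /1 routes that cover the
# whole address space, plus a host route for the server's public endpoint.
AFTER = BEFORE + [
    ("0.0.0.0", "128.0.0.0", "192.168.88.1", "192.168.88.2", 120),
    ("128.0.0.0", "128.0.0.0", "192.168.88.1", "192.168.88.2", 120),
    ("192.168.88.0", "255.255.255.0", "On-link", "192.168.88.2", 276),
    ("195.178.95.132", "255.255.255.255", "192.168.2.1", "192.168.2.100", 120),
]


def split_default():
    """The two /1 prefixes that together equal 0.0.0.0/0 but are each more
    specific than the existing default route, so they win on prefix length."""
    return [str(n) for n in ipaddress.IPv4Network("0.0.0.0/0").subnets(prefixlen_diff=1)]


def lookup(table, dst):
    """Route selection as Windows does it: the longest matching prefix wins;
    among equal prefix lengths the lowest metric wins.
    Returns (next_hop, interface) or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gw, iface, metric in table:
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if addr not in net:
            continue
        rank = (-net.prefixlen, metric)  # smaller tuple = preferred route
        if best is None or rank < best[0]:
            next_hop = iface if gw == "On-link" else gw
            best = (rank, next_hop, iface)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    print("0.0.0.0/0 split into", split_default())
    for name, table in (("before", BEFORE), ("after", AFTER)):
        for target in ("8.8.8.8", "195.178.95.132", "192.168.2.50"):
            print(f"{name:6} {target:>15} -> {lookup(table, target)}")
```

Running it shows 8.8.8.8 leaving via 192.168.2.1 before the connection and via 192.168.88.1 afterwards, while the server's public address and the local LAN keep their original paths. Since the Windows side already steers everything into the tunnel, the missing piece is on the server: the packets arrive on wg0 with a 192.168.88.x source and need forwarding plus NAT to get an answer back.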

#7 2018-03-11 18:34:54

ludde
Administrator
Registered: 2018-03-09
Posts: 128

Re: Is TunSafe only point-to-point or can it act as a client?

I'm unfortunately on vacation without computer access. Perhaps have a look with tcpdump on the wg0 interface on the Linux side. That can be useful to check the packets.

Offline

#8 2018-03-11 18:57:20

wiggo
Administrator
Registered: 2018-03-09
Posts: 98

Re: Is TunSafe only point-to-point or can it act as a client?

I'm above the clouds using a poor in-flight wifi. Realizing that this forum should be better optimized for phones, as it requires constant zooming in/out. Even with or without a successful NAT configuration on the router, doing a traceroute should reveal whether Windows uses 88.1 as default. Try tracert 8.8.8.8 and see which IP is your first hop.

Last edited by wiggo (2018-03-11 18:59:16)

Offline

#9 2018-03-11 19:46:12

question
Member
Registered: 2018-03-11
Posts: 5

Re: Is TunSafe only point-to-point or can it act as a client?

tracert 8.8.8.8 from Windows shows 192.168.88.1 as the first hop, then everything else is TTL exceeded.

tcpdump on wg0server also shows packets going out from 192.168.88.2 including TCP retransmission attempts, but none returning (with the exception of TTL exceeded responses from 192.168.88.1).

So I guess I haven't configured NAT correctly on the WG server side, though I'm not sure what's wrong:

# wg-quick up wg0server
[#] iptables -A FORWARD -i wg0server -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# iptables -L -t nat -n -v
Chain POSTROUTING (policy ACCEPT 75 packets, 16751 bytes)
 pkts bytes target     prot opt in     out     source               destination
  254 52180 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Last edited by question (2018-03-11 19:55:13)

Offline
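An added example, not from the thread: to make the "packets going out, none returning" observation from tcpdump reproducible, this Python script pairs outbound and inbound packets on the tunnel interface per flow and reports the flows that never got a reply. The capture lines are constructed to match the symptom (not real traffic); the client address 192.168.88.2 and the tunnel network 192.168.88.0/24 are assumptions taken from the posts, and the rule of thumb encoded in diagnose() is that replies missing only for destinations beyond the tunnel point at forwarding or NAT on the server rather than at the WireGuard tunnel itself.

```python
import ipaddress
import re
from collections import defaultdict

# Tunnel network and the client address under test, taken from the thread.
TUNNEL = ipaddress.IPv4Network("192.168.88.0/24")
CLIENT = "192.168.88.2"

# Constructed sample of `tcpdump -n -i wg0` output shaped like the symptom
# described above: the client's packets leave the tunnel interface, only the
# server itself (192.168.88.1) ever answers. Not real captured traffic.
SAMPLE = """\
19:40:01.100000 IP 192.168.88.2.51234 > 8.8.8.8.443: Flags [S], seq 1, win 64240, length 0
19:40:02.100000 IP 192.168.88.2.51234 > 8.8.8.8.443: Flags [S], seq 1, win 64240, length 0
19:40:03.000000 IP 192.168.88.2 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 40
19:40:03.000500 IP 192.168.88.1 > 192.168.88.2: ICMP time exceeded in-transit, length 36
19:40:04.000000 IP 192.168.88.2.51235 > 192.168.88.1.22: Flags [S], seq 5, win 64240, length 0
19:40:04.000300 IP 192.168.88.1.22 > 192.168.88.2.51235: Flags [S.], seq 9, ack 6, win 65160, length 0
"""

LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")


def parse_endpoint(text):
    """'1.2.3.4.443' -> ('1.2.3.4', 443); a bare address (ICMP) has no port."""
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return text, None


def protocol(rest):
    """Classify the packet from the text after the addresses."""
    if rest.startswith("ICMP"):
        return "icmp"
    if rest.startswith("Flags"):
        return "tcp"
    if rest.startswith("UDP"):
        return "udp"
    return "other"


def flow_stats(capture):
    """Count packets per flow in each direction, keyed from the client's view:
    (proto, remote_ip, remote_port, client_port) -> [sent, received]."""
    stats = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport = parse_endpoint(m["src"])
        dst, dport = parse_endpoint(m["dst"])
        proto = protocol(m["rest"])
        if src == CLIENT:
            stats[(proto, dst, dport, sport)][0] += 1
        elif dst == CLIENT:
            stats[(proto, src, sport, dport)][1] += 1
    return stats


def one_way(capture):
    """Flows the client sent into the tunnel that never got a single reply,
    as (flow_key, packets_sent) pairs."""
    flows = [(k, sent) for k, (sent, recv) in flow_stats(capture).items()
             if sent and not recv]
    return sorted(flows, key=lambda f: (f[0][0], f[0][1], f[0][2] or 0, f[0][3] or 0))


def diagnose(capture):
    """If only destinations beyond the tunnel network lack replies while
    tunnel-local traffic is answered, the tunnel itself works and the
    server's ip_forward / NAT setup is the place to look."""
    missing = [k for k, _ in one_way(capture)]
    local = [k for k in missing if ipaddress.IPv4Address(k[1]) in TUNNEL]
    beyond = [k for k in missing if ipaddress.IPv4Address(k[1]) not in TUNNEL]
    if local:
        return "tunnel-local traffic unanswered: check the WireGuard peer config"
    if beyond:
        return "only traffic beyond the tunnel is unanswered: check ip_forward and NAT on the server"
    return "all flows answered"


if __name__ == "__main__":
    for key, sent in one_way(SAMPLE):
        print("no reply:", key, "packets sent:", sent)
    print(diagnose(SAMPLE))
```

On a real server the same script can be fed `tcpdump -n -i wg0 -l` output through a pipe; the SSH flow to 192.168.88.1 being answered while everything to 8.8.8.8 is silent is exactly the pattern that separates a working tunnel from a broken forwarding or NAT setup behind it.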

#10 2018-03-12 13:15:22

wiggo
Administrator
Registered: 2018-03-09
Posts: 98

Re: Is TunSafe only point-to-point or can it act as a client?

Try the following to enable NAT.

Change eth0 and wg0 if needed (eth0 is the WAN interface in this example).

Make sure forwarding is enabled (which you have already done), and enable it on reboot:

pico /etc/sysctl.conf <-- UNCOMMENT net.ipv4.ip_forward=1
sysctl -p
echo 1 > /proc/sys/net/ipv4/ip_forward

# flush existing rules and chains, then add the new NAT rules
# (note: --flush removes every existing rule in the filter and nat tables)
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT

Last edited by wiggo (2018-03-12 13:17:36)

Offline
