From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Feedback on WG
Date: Thu, 29 Aug 2024 15:53:36 +0200

Hello,

> On 29 Aug 2024, at 14:36, Adolf Belka wrote:
>
> Hi Michael,
>
> On 29/08/2024 11:28, Michael Tremer wrote:
>> Hello,
>>> On 27 Aug 2024, at 13:09, Adolf Belka wrote:
>>>
>>> Hi Michael,
>>>
>>> On 27/08/2024 12:19, Michael Tremer wrote:
>>>> Could you show me the route tables of both systems, please?
>>>
>>> The laptop has
>>> ip route
>>> default via 192.168.26.254 dev wlp2s0 proto dhcp src 192.168.26.37 metric 600
>>> 192.168.26.0/24 dev wlp2s0 proto kernel scope link src 192.168.26.37 metric 600
>>> 192.168.200.0/24 dev tethysvmwg proto static scope link metric 50
>>>
>>> and the vm pc on the IPFire green lan has
>>> ip route
>>> default via 192.168.200.254 dev enp0s3 proto dhcp src 192.168.200.10 metric 1002
>>> 192.168.200.0/24 dev enp0s3 proto dhcp scope link src 192.168.200.10 metric 1002
>> So it looks like the routes for Wireguard are missing here.
>> Assuming that the interface is called wg0, there should be a route for your GREEN subnet on the laptop pointing at wg0.
>
> As I am having to import the wireguard conf file manually in the command line, maybe I am also expected to set my own routes up on my laptop but I am not sure what I should set the route command to.
>
> Normally I do an import of a VPN profile into Network Manager GUI and it deals with everything but Network Manager cannot do this via the GUI for Wireguard yet. So I had to just run
>
> nmcli connection import type wireguard file "$CONF_FILE"

NetworkManager should configure everything for you. That is its job in the end.

If you use the wg command to import the configuration, I don't know whether it is creating routes or not. It could, but it might also just care about the tunnel and nothing else.

> where $CONF_FILE contains the path and name of the wireguard config file that I downloaded from the IPFire Wireguard page.
>
> All the stuff I have read about routing with regard to Wireguard is just a bit too complicated for me to understand what I am supposed to do in my specific case.

You just need a route to the GREEN network on your firewall like so:

ip route add 192.168.0.0/24 dev wg0

Assuming that your GREEN network is 192.168.0.0/24.

What is "wg show wg0" giving you?

-Michael

>
> If you can give some hints maybe, then I can have a go at getting it to work.
>>> and the ipfire system has
>>> ip route
>>> default via 192.168.26.254 dev red0 proto dhcp src 192.168.26.200 metric 1002
>>> 10.110.30.0/24 via 10.110.130.2 dev tun0
>>> 10.110.130.0/24 via 10.110.130.2 dev tun0
>>> 10.110.130.2 dev tun0 proto kernel scope link src 10.110.130.1
>>> 10.120.50.0/24 dev wg0 scope link
>> This is the opposite route.
>>> 10.120.50.2 dev tun1 proto kernel scope link src 10.120.50.1
>>> 192.168.26.0/24 dev red0 proto dhcp scope link src 192.168.26.200 metric 1002
>>> 192.168.120.0/24 via 10.120.50.2 dev tun1
>>> 192.168.200.0/24 dev green0 proto kernel scope link src 192.168.200.254
>>> 192.168.220.0/24 dev blue0 proto kernel scope link src 192.168.220.254
>>> 192.168.240.0/24 dev orange0 proto kernel scope link src 192.168.240.254
>> So I assume that from IPFire you can send packets to your laptop, but they don't find their way back.
> I didn't try the ping from IPFire. I will do that and report back.
> I just tried the ping from a machine on the green lan of the IPFire running the wireguard server.
>
> Regards,
> Adolf.
>
>> -Michael
>>> Regards,
>>> Adolf.
>>>> -Michael
>>>>> On 26 Aug 2024, at 13:13, Adolf Belka wrote:
>>>>>
>>>>> I tried out netcat to send some traffic through the tunnel. That confirmed that the tunnel is only working in one direction.
>>>>>
>>>>> If I put the laptop in listening mode and from a vm on the IPFire green lan sent some data from /dev/zero through the tunnel, it was received at the other end.
>>>>>
>>>>> Setting the vm on the IPFire green lan into listening mode and sending the data from the laptop resulted in nothing being sent from the laptop and obviously nothing received at the green vm.
>>>>>
>>>>> So it is not just a ping issue.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Adolf.
>>>>>
>>>>> On 26/08/2024 13:17, Adolf Belka wrote:
>>>>>> Hi Michael,
>>>>>>
>>>>>> Getting back to testing out the WG.
>>>>>>
>>>>>> On 21/08/2024 16:23, Michael Tremer wrote:
>>>>>>> Hello Adolf,
>>>>>>>
>>>>>>>> On 19 Aug 2024, at 12:04, Adolf Belka wrote:
>>>>>>>>
>>>>>>>> Hi Michael,
>>>>>>>>
>>>>>>>> Sorry for the delay with feedback on the WG testing. I was a bit tied up with DIY stuff in the house.
>>>>>>>
>>>>>>> No problem...
>>>>>>>
>>>>>>>> By manually importing the WG config file created I was able to successfully connect from my laptop to my IPFire vm system. The WUI showed connected. The config file had my allowed subnets set as 192.168.200.0/255.255.255.0 which is the green subnet on my vm system. However trying ping over the WG tunnel gave failures for the IP of the vm machine, green1, and also for the green interface of the vm IPFire.
>>>>>>>
>>>>>>> Okay, connecting should be nice and easy. However, you *should* be able to transfer some data...
>>>>>>>
>>>>>>>> Trying to ping with the FQDN for the green1 system resulted in no resolving of green1's FQDN to a local IP but tried to send it to my main red interface with my ISP.
>>>>>>>
>>>>>>> Can you try to ping from either side? The client the firewall and the firewall the client? That should work if the tunnel is up.
>>>>>>
>>>>>> Tried again to ping from laptop to IPFire green lan, both the IPFire green interface and a vm PC on the green lan. In both cases 100% packet loss.
>>>>>>
>>>>>> I then tried doing the ping from the vm machine on the green IPFire lan to the laptop, as you suggested and in this case I got 100% packet transmission.
>>>>>>
>>>>>> In all above tests I used IPs to remove any question about DNS resolving.
>>>>>>
>>>>>> So the ping seems to only be working in one direction. Let me know if there are any other tests or checks I should do based on this result.
>>>>>>
>>>>>> Regards,
>>>>>> Adolf.
>>>>>>
>>>>>>>
>>>>>>>> So something appears to be missing or incorrect with the routing but not sure what.
>>>>>>>>
>>>>>>>> Minor points on the WUI.
>>>>>>>
>>>>>>> I would like to have the thing working first before we spend any time on making the UI look nice, but you are raising very good points.
>>>>>>>
>>>>>>>> When disconnected the status section that is coloured red is huge and the space for the remark is very small but when connected then the status space is large enough to have the connected status word, giving much more room for the remark.
>>>>>>>
>>>>>>> That should not be. No idea why that is, but I am sure that is not too hard to fix.
>>>>>>>
>>>>>>>> When the WG config file is created and you have the page with the QR code, there is also a message about the WG config file only being shown this one time as it contains private key material. The message is fine but the heading for the message is "Oops, something went wrong...". It should really be something like "Information Note" or equivalent as it is not an actual error message.
>>>>>>>
>>>>>>> I think I created a little widget which I used somewhere else too and then added the headline. It certainly does not fit here.
>>>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>>>
>>>>>>>> See the screenshots attached.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Adolf.
>>>>>>>>
>>>>>>>
>
> --
> Sent from my laptop
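The thread's diagnosis comes down to one check: does every network in the client's WireGuard AllowedIPs have a kernel route pointing at the tunnel interface? The script below, an added example that is not part of the mailing-list thread or of IPFire, parses `ip route` output (the laptop's table from the thread is used as sample input) against a constructed AllowedIPs value and lists the missing routes together with the `ip route add` lines Michael's reply suggests. The interface name and the second subnet are assumptions.

```python
import ipaddress

# Sample "ip route" output of the laptop, copied from the thread above.
LAPTOP_ROUTES = """\
default via 192.168.26.254 dev wlp2s0 proto dhcp src 192.168.26.37 metric 600
192.168.26.0/24 dev wlp2s0 proto kernel scope link src 192.168.26.37 metric 600
192.168.200.0/24 dev tethysvmwg proto static scope link metric 50
"""

# Constructed AllowedIPs value: the GREEN subnet from the thread plus a
# made-up second subnet (10.200.0.0/16) that the laptop has no tunnel route for.
ALLOWED_IPS = "192.168.200.0/24, 10.200.0.0/16"


def parse_routes(text):
    """Parse `ip route` output into (network, device) pairs; skip lines without 'dev'."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts[:-1]:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        # Host routes such as "10.120.50.2 dev tun1" parse as /32 networks.
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def missing_tunnel_routes(route_text, allowed_ips, wg_dev):
    """Return the AllowedIPs networks not covered by any route via wg_dev."""
    routes = parse_routes(route_text)
    missing = []
    for item in allowed_ips.split(","):
        net = ipaddress.ip_network(item.strip(), strict=False)
        covered = any(dev == wg_dev and route.version == net.version
                      and net.subnet_of(route) for route, dev in routes)
        if not covered:
            missing.append(net)
    return missing


def route_add_commands(route_text, allowed_ips, wg_dev):
    """One `ip route add ... dev <wg_dev>` line per missing network, as in Michael's reply."""
    return [f"ip route add {net} dev {wg_dev}"
            for net in missing_tunnel_routes(route_text, allowed_ips, wg_dev)]


if __name__ == "__main__":
    for cmd in route_add_commands(LAPTOP_ROUTES, ALLOWED_IPS, "tethysvmwg"):
        print(cmd)
```

Run it with the real `ip route` output and the AllowedIPs line from the downloaded config; an empty result means the client side routing is complete and the problem lies elsewhere (for example the return route on the firewall).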