Can I make Wireguard VPN peers to talk to each other?

I have a server running Wireguard, and I have multiple clients (peers) connected to it up and running. I am not very sure how VPN works, but this is my current setup.

The /etc/wireguard/wg0.conf of my server looks like this.

[Interface]
Address = 172.16.16.1/24
SaveConfig = true
ListenPort = 8999
PrivateKey = XXX

[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.2/32

[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.3/32

And the configuration in my clients' wg0.conf looks like this.

[Interface]
PrivateKey = XXX
Address = 172.16.16.x/32

[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.0/24
PersistentKeepalive = 30

With everything up and running, from my client with IP address 172.16.16.2 I am able to ping the server 172.16.16.1, and from my other client, 172.16.16.3, I can also ping the server 172.16.16.1.

Interestingly, from my server, I am able to ping all the peers! That is, from within 172.16.16.1, I can ping both 172.16.16.2 and 172.16.16.3. But that is the prime purpose of the setup!

Now, I want my peers to talk to each other, that is, I must be able to ping 172.16.16.2 from my other peer 172.16.16.3 and vice versa, but this is not working. It says that the network is unreachable.

The idea is, I want it to work like a LAN, where one server acts as a gateway and multiple peers/clients can talk to each other and also to the server.

Is this possible? If yes, what am I missing?

Sibidharan asked May 06 '20 16:05



2 Answers

After a whole evening of searching the internet, I found some useful links that talk about the same problem I am facing.

Link: https://lists.zx2c4.com/pipermail/wireguard/2018-August/003250.html

It says we must enable IP forwarding on the server so that it works like an edge router.

By default, the IPv4 policy in Linux kernels disables support for IP forwarding. This prevents machines that run a Linux server from functioning as dedicated edge routers. To enable IP forwarding, use the following command:

[root@myServer ~ ] # sysctl -w net.ipv4.ip_forward=1

This configuration change is only valid for the current session; it does not persist beyond a reboot or network service restart. To permanently set IP forwarding, edit the /etc/sysctl.conf file as follows: Locate the following line:

net.ipv4.ip_forward = 0

Edit it to read as follows:

net.ipv4.ip_forward = 1

Use the following command to enable the change to the sysctl.conf file:

[root@myServer ~ ] # sysctl -p /etc/sysctl.conf

Read more: https://docs.fedoraproject.org/en-US/Fedora/18/html/Security_Guide/sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules.html

With this done, now all my peers are able to talk to each other, and this functions just like a LAN network!

Sibidharan answered Oct 30 '22 03:10


I followed all the steps suggested by Sibidharan but also needed to add an iptables command on the server to forward the WireGuard traffic from peer to peer.

iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT

I was then able to connect via SSH from peer to peer.

Nathaniel Ramm answered Oct 30 '22 03:10
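The two answers together give the three prerequisites for peer-to-peer traffic: the client's AllowedIPs for the server peer must cover the whole tunnel subnet (otherwise the client has no route for the other peers and reports "network is unreachable"), the server must have ip_forward set to 1, and the server firewall must accept wg0-to-wg0 forwarding. The following script is an added example, not code from the question or either answer; it implements those checks as shell functions that take config text and iptables-save text as input, so they can be run against copies of the files, and it assumes the subnet 172.16.16.0/24 and interface name wg0 from the question.

```shell
#!/bin/sh
# Added example, not from the original post or answers: pre-flight checks for
# peer-to-peer traffic. The client needs a route for the whole tunnel subnet; the
# server needs ip_forward=1 and the wg0->wg0 FORWARD rule. Subnet 172.16.16.0/24
# and interface name wg0 are taken from the question above.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a<<24) | (b<<16) | (c<<8) | d )); }
}
# Succeed if every address of CIDR $2 lies inside CIDR $1.
cidr_covers() {
    outer_len=${1#*/}; inner_len=${2#*/}
    [ "$inner_len" -ge "$outer_len" ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}
# Succeed if some AllowedIPs entry in the client config text $1 covers subnet $2.
# A server peer listing only 172.16.16.1/32 reaches the server but has no route
# to the other peers, which is the "network is unreachable" symptom.
client_routes_subnet() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' |
    tr ',' '\n' | while read -r cidr; do
        case "$cidr" in
            '' | *:*) continue ;;        # blank fragment or IPv6 entry: skipped
            */*) ;;
            *) cidr="$cidr/32" ;;        # wg treats a bare address as a /32
        esac
        cidr_covers "$cidr" "$2" && echo yes
    done | grep -q yes
}
# Succeed if sysctl file $1 reads 1; pass /proc/sys/net/ipv4/ip_forward on the server.
forwarding_enabled() { [ "$(cat "$1" 2>/dev/null)" = 1 ]; }
# Succeed if iptables-save output $1 already has the hairpin rule from the second answer.
has_hairpin_rule() {
    printf '%s\n' "$1" | grep -Eq -- '^-A FORWARD .*-i wg0 .*-o wg0 .*-j ACCEPT'
}
# Constructed samples: a client config like the question's, one that only routes
# the server address, and an iptables-save line carrying the hairpin rule.
CLIENT_OK='[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.0/24'
CLIENT_SERVER_ONLY='[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.1/32'
RULES_OK='-A FORWARD -i wg0 -o wg0 -j ACCEPT'
client_routes_subnet "$CLIENT_OK" 172.16.16.0/24 && echo "client: tunnel subnet routed"
client_routes_subnet "$CLIENT_SERVER_ONLY" 172.16.16.0/24 || echo "client: widen AllowedIPs"
has_hairpin_rule "$RULES_OK" && echo "server: hairpin FORWARD rule present"
```

On the server itself, `forwarding_enabled /proc/sys/net/ipv4/ip_forward` and `has_hairpin_rule "$(iptables-save)"` check the live state rather than the constructed samples.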