Hello,

Following @Jesse Norell's advice, which he gave me here https://forum.howtoforge.com/threads/multiple-server-config-change-one-server-ip.88582, I am trying to set up WireGuard to create a local network only. I followed several tutorials but I still have difficulties making it work.

I installed WireGuard on 2 servers having IP_1 and IP_2 as IPv4 address. I set up the conf files:

Code:
# Interface_1
[Interface]
Address = 10.66.66.1/32
ListenPort = 61232
PrivateKey = +MztuTAzc7NkUiqbtmpUqbQ0ov57fl1hk7nhwTDeeGs=
PreUp = /mypath/wireguard.postup.sh
PostDown = /mypath/wireguard.postdown.sh

# Peer_2
[Peer]
PublicKey = fPHVWBCoNNoe/1GQfsn+K9+Fz1KuyUaPmiz7v74XzSo=
Endpoint = IP_2:61232
AllowedIPs = IP_1/32,IP_2/32,10.66.66.0/24
PresharedKey = 6bjh2b8rX8hOJHuzuOcn7auwauhEjj8ZhbFQptgEyrs=

and

Code:
# Interface_2
[Interface]
Address = 10.66.66.3/32
ListenPort = 61232
PrivateKey = KABGwD/P0msYYQ626aCyyKg2s6+Ga75aViwO8FMKjkg=
PreUp = /mypath/wireguard.postup.sh
PostDown = /mypath/wireguard.postdown.sh

# Peer_1
[Peer]
PublicKey = qmcJzAnA247hlPWj41gxgLzKV2xSdD72wW1MCE2BjSw=
Endpoint = IP_1:61232
AllowedIPs = IP_2/32,IP_1/32,10.66.66.0/24
PresharedKey = 6bjh2b8rX8hOJHuzuOcn7auwauhEjj8ZhbFQptgEyrs=

I checked the public and private keys, they correspond.

The file /root/scripts/wireguard.postup.sh is:

Code:
echo "net.ipv4.ip_forward = 1" >/etc/sysctl.d/wg.conf
sysctl --system
defaultroute=$(ip route | grep default | gawk '{print $5}')
iptables -I FORWARD -s 10.66.66.0/24 -o "$defaultroute" -j DROP
iptables -I FORWARD -s 10.66.66.0/24 -d IP_1/32,IP_2/32 -j ACCEPT

I start with

Code:
systemctl start wg-quick@wg0

On server_1, ping 10.66.66.1 (it is server_1) is answering; on server_2, ping 10.66.66.3 (it is server_2) is answering. But on server_1, ping 10.66.66.3 gets nothing, and on server_2, ping 10.66.66.3 gets nothing.

kernel.log says

Code:
wireguard: wg0: Sending handshake initiation to peer 7
Handshake for peer 7 (IP_2:61232) did not complete after 5 seconds, retrying (try 2)

I checked ufw status, port udp 61232 is open on both servers. Is there anything obvious I forgot?
I have an ISPConfig multiserver configuration with several VPS (several providers). Each one has its direct connection to the internet, NOT behind a NAT.

@Jesse Norell explained to me that MariaDB connections are not encrypted and recommended that I set up a local network via VPN. @till explained that I can connect my servers through the local network by changing the /etc/hosts file to use the VPN local IPs. So I am trying to set up that local network.

But I don't want my mail server going through my Web UI server to send mail... To send mail, I want my mail server to connect directly to the internet through its eth0.

So, above, you can see a test with 2 servers (VPS with their own direct connection to the internet). In the WireGuard conf, I set AllowedIPs to the external IPs of my VPS + the local network IPs. In iptables, I tried to set up rules I saw on the internet. But there is something wrong somewhere!

Many thanks for your help.
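An added example, not code from any participant in this thread: a small checker for the configs posted above. wg-quick installs a kernel route via wg0 for every AllowedIPs prefix, so when a peer's Endpoint address is itself inside that peer's AllowedIPs (IP_2/32 in the first post), the encrypted handshake packets addressed to that endpoint are routed back into the tunnel and the handshake never completes. The script also flags a prefix claimed by two peers, since WireGuard's cryptokey routing assigns each prefix to exactly one peer. The sample configs are constructed: 198.51.100.x stands in for IP_1/IP_2 and the keys are placeholders.

```python
"""Added example (not from the thread): flag the routing-loop and overlap
pitfalls in wg-quick configs. Sample inputs are constructed placeholders."""
import ipaddress
from typing import Dict, List


def parse_wg(text: str) -> Dict[str, object]:
    """Parse a wg-quick config into {"Interface": {...}, "Peer": [{...}, ...]}.
    configparser is not used because a config may contain several [Peer] sections."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return {"Interface": interface, "Peer": peers}


def check_wg(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    claimed: dict = {}  # AllowedIPs prefix -> first peer index that listed it
    for idx, peer in enumerate(parse_wg(text)["Peer"], start=1):
        allowed = [ipaddress.ip_network(p.strip(), strict=False)
                   for p in peer.get("AllowedIPs", "").split(",") if p.strip()]
        endpoint = peer.get("Endpoint")
        if endpoint:
            # Endpoint is host:port; strip the port and any IPv6 brackets
            host = ipaddress.ip_address(endpoint.rsplit(":", 1)[0].strip("[]"))
            for net in allowed:
                if host in net:
                    findings.append(
                        f"peer {idx}: Endpoint {host} lies inside AllowedIPs {net} "
                        f"(routing loop: handshake packets would be sent into the tunnel)")
        for net in allowed:
            if net in claimed and claimed[net] != idx:
                findings.append(
                    f"peer {idx}: AllowedIPs {net} is also listed for peer {claimed[net]} "
                    f"(a prefix belongs to one peer only; the last definition wins)")
            claimed.setdefault(net, idx)
    return findings


# Constructed sample mirroring the first post (198.51.100.2 stands in for IP_2).
BROKEN = """\
[Interface]
Address = 10.66.66.1/32
ListenPort = 61232
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = 198.51.100.2:61232
AllowedIPs = 198.51.100.1/32,198.51.100.2/32,10.66.66.0/24
"""

# Same peer, with AllowedIPs limited to that peer's tunnel address.
FIXED = BROKEN.replace("198.51.100.1/32,198.51.100.2/32,10.66.66.0/24", "10.66.66.3/32")

# Constructed hub config where two peers both claim the whole tunnel subnet.
OVERLAP = """\
[Interface]
Address = 10.66.66.1/24
ListenPort = 61232
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY_B
AllowedIPs = 10.66.66.0/24

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY_C
AllowedIPs = 10.66.66.0/24
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED), ("overlap", OVERLAP)):
        print(name, check_wg(cfg) or ["ok"])
```

Run it against /etc/wireguard/wg0.conf on each server before bringing the interface up; the first finding corresponds exactly to the "did not complete after 5 seconds" retries in kernel.log.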
Well, let me add to this. The config of your main server should look like this:

Code:
[Interface]
Address = 10.10.0.10
PrivateKey = xxThisisAweirdPrivateKeyxx
ListenPort = 51820

[Peer]
PublicKey = xxThisisAweirdPublicKeyxx
AllowedIPs = 10.10.0.11
# Endpoint of this peer, not of the master itself
Endpoint = YOURPEER1PUBLICIP:51820

[Peer]
PublicKey = xxThisisAweirdPublicKeyxx
AllowedIPs = 10.10.0.12
Endpoint = YOURPEER2PUBLICIP:51820

And the peers should look like this:

Code:
[Interface]
Address = 10.10.0.11
PrivateKey = xxThisisAweirdPrivateKeyxx
ListenPort = 51820

[Peer]
PublicKey = xxThisisAweirdPublicKeyxx
Endpoint = YOURMASTERPUBLICIP:51820
AllowedIPs = 10.10.0.0/24

If you want to add other subnets to the configuration, like a local docker subnet for example, just edit the master server config and add the subnet in question to the AllowedIPs section for each peer like so (entries are comma-separated):

Code:
[Interface]
Address = 10.10.0.10
PrivateKey = xxThisisAweirdPrivateKeyxx
ListenPort = 51820

[Peer]
PublicKey = xxThisisAweirdPublicKeyxx
AllowedIPs = 10.10.0.11, 10.0.8.0/24
Endpoint = YOURPEER1PUBLICIP:51820

[Peer]
PublicKey = xxThisisAweirdPublicKeyxx
AllowedIPs = 10.10.0.12
Endpoint = YOURPEER2PUBLICIP:51820

And don't forget to add it to your clients' config as well!
Hello @pyte

It works well now, but I would like to improve the configuration a bit. I have several VPS limited in bandwidth (A, the WireGuard master, B and C), and I would like to avoid having VPS B and VPS C communicating through VPS A.

My question is: can I have one network wg0 and several masters in it? Should I have wg0, wg1, wg2, one per VPS? Or something else?

Many thanks
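An added example, not from any participant in this thread, that goes a step beyond the hub layout used above: since every VPS here has its own public IP, WireGuard can run as a full mesh on a single wg0 per server, with every other server listed as a [Peer] that has its own Endpoint and a single /32 in AllowedIPs. B and C then hold a direct encrypted link and no traffic transits A. The generator below is illustrative code; the inventory, public addresses and keys are constructed placeholders (generate real keys with `wg genkey` and `wg pubkey`).

```python
"""Added example (not from the thread): emit a full-mesh wg0.conf per server.
Inventory and keys below are constructed placeholders."""
from typing import Dict

PORT = 51820

# Constructed inventory: one entry per VPS, each with a public IP (no NAT).
SERVERS: Dict[str, Dict[str, str]] = {
    "A": {"public_ip": "198.51.100.1", "wg_ip": "10.66.66.1",
          "pub": "PLACEHOLDER_PUBKEY_A", "priv": "PLACEHOLDER_PRIVKEY_A"},
    "B": {"public_ip": "198.51.100.2", "wg_ip": "10.66.66.2",
          "pub": "PLACEHOLDER_PUBKEY_B", "priv": "PLACEHOLDER_PRIVKEY_B"},
    "C": {"public_ip": "198.51.100.3", "wg_ip": "10.66.66.3",
          "pub": "PLACEHOLDER_PUBKEY_C", "priv": "PLACEHOLDER_PRIVKEY_C"},
}


def mesh_config(name: str, servers: Dict[str, Dict[str, str]], port: int = PORT) -> str:
    """Return the wg0.conf for `name`: one [Interface] plus one [Peer] per other server."""
    me = servers[name]
    lines = [
        "[Interface]",
        f"# {name}",
        f"Address = {me['wg_ip']}/24",  # /24 gives the kernel one route to the tunnel subnet
        f"ListenPort = {port}",
        f"PrivateKey = {me['priv']}",
        "",
    ]
    for other, peer in servers.items():
        if other == name:
            continue  # a server never lists itself as a peer
        lines += [
            "[Peer]",
            f"# {other}",
            f"PublicKey = {peer['pub']}",
            f"Endpoint = {peer['public_ip']}:{port}",
            # exactly one /32 per peer: cryptokey routing sends packets for that
            # address straight to that peer, so nothing is relayed via a hub
            f"AllowedIPs = {peer['wg_ip']}/32",
            "",
        ]
    return "\n".join(lines)


def peer_count(name: str, servers: Dict[str, Dict[str, str]]) -> int:
    """Number of [Peer] sections `name` gets: everyone except itself."""
    return mesh_config(name, servers).count("[Peer]")


if __name__ == "__main__":
    for server in SERVERS:
        print(f"# ---- {server}: /etc/wireguard/wg0.conf ----")
        print(mesh_config(server, SERVERS))
```

With a mesh, no server forwards anything, so `net.ipv4.ip_forward` and the FORWARD rules from the PreUp script are not needed at all; what matters is the INPUT chain on each server, which should accept the MariaDB (and other ISPConfig) ports only from wg0 and the tunnel subnet, so the database stays reachable over the encrypted link alone.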
You can prevent this with iptables. The configuration should look something like this:

Code:
ip6tables -I FORWARD -i wg0 -o wg0 -j REJECT --reject-with icmp6-adm-prohibited
iptables -I FORWARD -i wg0 -o wg0 -j REJECT --reject-with icmp-admin-prohibited

Make sure to change 'wg0' according to your setup and please be aware that I cannot test this right now, so no guarantee that this is working.

However, if you still want individual clients to be able to talk with others you have to add this too:

Code:
iptables -I FORWARD -i wg0 -s 10.10.0.XX/32 -d 10.10.0.0/24 -j ACCEPT
Thanks a lot. I am trying to figure out iptables...

Server A=10.66.66.1, B=10.66.66.2, C=10.66.66.3

Right now, I am preparing something like this for PreUp:

Code:
echo "net.ipv4.ip_forward = 1" >/etc/sysctl.d/wg.conf
sysctl --system
ip6tables -I FORWARD 1 -i wg0 -o wg0 -j REJECT --reject-with icmp6-adm-prohibited
iptables -I FORWARD 1 -i wg0 -o wg0 -j REJECT --reject-with icmp-admin-prohibited
iptables -I FORWARD 1 -s 10.66.66.0/24 -o eth0 -j DROP
iptables -I FORWARD 1 -i wg0 -s 10.66.66.1 -d 10.66.66.0/24 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -s 10.66.66.0/24 -d 10.66.66.1 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -s 10.66.66.2 -d 10.66.66.0/24 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -s 10.66.66.0/24 -d 10.66.66.2 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -s 10.66.66.3 -d 10.66.66.0/24 -j ACCEPT
iptables -I FORWARD 1 -i wg0 -s 10.66.66.0/24 -d 10.66.66.3 -j ACCEPT

Not sure I understand what is really needed except what you mention in the middle.
I'm not that good with iptables but I assume, as you want to block communication between server A and server B, then this should work:

Code:
iptables -I FORWARD 1 -i wg0 -s 10.66.66.1 -d 10.66.66.2 -j REJECT
iptables -I FORWARD 1 -i wg0 -s 10.66.66.2 -d 10.66.66.1 -j REJECT

This should block any traffic from .1 to .2 and any traffic from .2 to .1.
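An added example, not from any participant in this thread: a minimal model of the FORWARD chain on the hub A, to show what the ordering produced by `-I FORWARD 1` in the PreUp draft above actually does. Because every rule is inserted at position 1, the last rule added ends up first, so the per-host ACCEPT rules sit ahead of the `-i wg0 -o wg0 -j REJECT` and the hub still relays B<->C. Only the match options used in the thread (-i, -o, -s, -d) are modelled, the chain policy is assumed to be ACCEPT, and the packets are constructed samples; it is a reasoning aid, not a substitute for reading `iptables -L FORWARD -v -n` on the hub.

```python
"""Added example (not from the thread): first-match evaluation of a FORWARD
chain, comparing the -I FORWARD 1 draft with an appended rule order."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

Packet = Dict[str, str]  # keys: in, out, src, dst


@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_if and pkt["in"] != self.in_if:
            return False
        if self.out_if and pkt["out"] != self.out_if:
            return False
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return True


class Chain:
    """First matching rule wins, as in netfilter chain traversal."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I FORWARD [pos]
        self.rules.insert(pos - 1, rule)

    def append(self, rule: Rule) -> None:  # iptables -A FORWARD
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


SUBNET = "10.66.66.0/24"
HOSTS = ("10.66.66.1", "10.66.66.2", "10.66.66.3")  # A, B, C as in the thread


def draft_chain() -> Chain:
    """The PreUp draft from the thread: every rule inserted at position 1."""
    chain = Chain()
    chain.insert(Rule("REJECT", in_if="wg0", out_if="wg0"))
    chain.insert(Rule("DROP", src=SUBNET, out_if="eth0"))
    for host in HOSTS:
        chain.insert(Rule("ACCEPT", in_if="wg0", src=host, dst=SUBNET))
        chain.insert(Rule("ACCEPT", in_if="wg0", src=SUBNET, dst=host))
    return chain


def hub_chain(relay_from: Sequence[str] = ()) -> Chain:
    """Rules appended in the order they should be hit: no tunnel egress via eth0,
    explicit exceptions for spokes that may be relayed, then REJECT everything
    else that would go from wg0 back out wg0."""
    chain = Chain()
    chain.append(Rule("DROP", src=SUBNET, out_if="eth0"))
    for host in relay_from:
        chain.append(Rule("ACCEPT", in_if="wg0", src=host, dst=SUBNET))
    chain.append(Rule("REJECT", in_if="wg0", out_if="wg0"))
    return chain


# Constructed packets as the FORWARD chain on A would see them.
B_TO_C: Packet = {"in": "wg0", "out": "wg0", "src": "10.66.66.2", "dst": "10.66.66.3"}
C_TO_B: Packet = {"in": "wg0", "out": "wg0", "src": "10.66.66.3", "dst": "10.66.66.2"}
B_TO_NET: Packet = {"in": "wg0", "out": "eth0", "src": "10.66.66.2", "dst": "203.0.113.9"}

if __name__ == "__main__":
    print("draft   B->C  :", draft_chain().verdict(B_TO_C))                # ACCEPT, REJECT is shadowed
    print("hub     B->C  :", hub_chain().verdict(B_TO_C))                  # REJECT
    print("hub+B   B->C  :", hub_chain(["10.66.66.2"]).verdict(B_TO_C))    # ACCEPT
    print("hub+B   C->B  :", hub_chain(["10.66.66.2"]).verdict(C_TO_B))    # REJECT
    print("hub     B->net:", hub_chain().verdict(B_TO_NET))                # DROP
```

The model ignores connection tracking: on a real hub, an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule placed before the REJECT is needed so that replies to a connection you did allow are not rejected on the way back, and traffic that A itself sends to or receives from a spoke never passes FORWARD at all (it goes through OUTPUT and INPUT), which is why the per-host rules for 10.66.66.1 in the draft have no effect on the hub.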