
I'm trying to build a chained WireGuard tunnel. Right now I'm testing, but I'm stuck.

I have two WireGuard servers: the first is in India, the second is in Singapore. Here is what I'm trying.

Client < 10.26.26.0/24 > India < 10.26.27.0/24 > Singapore

IN Tunnel Peer: 10.26.26.20/32
SG Tunnel Peer: 10.26.27.20/32

I was able to deploy WireGuard on both servers. Now I'm trying to establish a connection between India <> Singapore by creating a new tnl0 interface. Whenever I bring it up, it kicks me off SSH. I believe I have to do some kind of firewall stuff here. Here is the server configuration. India chain WG interface:

#Server:
[Interface]
Address = 10.26.26.1/24
ListenPort = 443
PrivateKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
SaveConfig = true
## Firewall Rules
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#PC-PEER:
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.26.26.2/32
#Tnl-PEER:
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.26.26.20/32

Singapore Server:

#Server:
[Interface]
Address = 10.26.27.1/24
ListenPort = 443
PrivateKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
SaveConfig = true
## Firewall Rules
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#Tnl-PEER:
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.26.27.20/32

India to Singapore Tunnel Config:

[Interface]
PrivateKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
Address = 10.26.27.20/32
DNS = 1.1.1.1
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.26.27.0/24
Endpoint = 1.2.3.4:443
PersistentKeepalive = 21

I tried to follow this guide https://www.ckn.io/blog/2017/12/28/wireguard-vpn-chained-setup/ but it is very old and not working. I tried to replicate it as closely as I could but had no luck. I believe I have to add some routing tables to the tunnel config so that the client's traffic can pass to the Singapore server via India.

Aman Juman
  • You didn't mention it, and I think you need to allow forwarding: `sysctl -w net.ipv4.ip_forward=1`. Also, you are routing everything with `AllowedIPs = 0.0.0.0/0`; that's not good. That includes the endpoint traffic itself, so you'll cut yourself off. You have to be more selective in the peers' `AllowedIPs`. – Mikael Öhman Jul 23 '21 at 00:16
  • Actually, I have added `sysctl -w net.ipv4.ip_forward=1` and both servers are working properly. Now I have no idea how I can connect Server-1 with Server-2 and pass client traffic via Server-1 through Server-2. And I updated the config: instead of 0.0.0.0/0, I used the 2nd server's WG subnet. – Aman Juman Jul 24 '21 at 10:14

0 Answers
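The chained setup the question describes, as an added example that is not part of the original thread and not the asker's or the WireGuard project's own code. The SSH lockout the asker sees when tnl0 comes up with `AllowedIPs = 0.0.0.0/0` (the version the first comment refers to) is wg-quick's default behaviour, not a firewall problem: with `Table` left at `auto` and a `/0` in AllowedIPs, wg-quick installs `ip rule add not fwmark <mark> table <mark>` and `ip rule add table main suppress_prefixlength 0`, so every packet the India host itself sends, the replies to the admin's SSH session included, is policy-routed into tnl0 and leaves from Singapore's public address, and the session dies. The fix is to give tnl0 its own routing table and a policy rule that sends only traffic arriving from the clients (on wg0) into that table, plus a MASQUERADE on tnl0 so Singapore sees source 10.26.27.20, the only address its AllowedIPs for the India peer accepts (the alternative is adding 10.26.26.0/24 to that AllowedIPs line in Singapore). With that, the Singapore config posted above works unchanged. The script renders the corrected India-side tnl0 config, renders the original one as reconstructed from the thread, and runs a small lint over both that flags the lockout pattern. Assumed, and not taken from the thread: the interface name wg0 for India's client-facing server, routing table 51820, the placeholder endpoint and keys, that the client peers to India with `AllowedIPs = 0.0.0.0/0` (not shown in the post), that eth0 is the uplink, and that `rp_filter` is relaxed to loose mode on tnl0 so replies whose source is routable via eth0 are not dropped on tnl0.

```shell
#!/bin/sh
# Added example (not the asker's config, not WireGuard project code): a chained
# wg-quick setup where the India host forwards only its VPN clients' traffic
# (arriving on wg0) through tnl0 to Singapore, while the host's own traffic,
# including the admin's SSH session, stays on the main routing table.
# Assumptions (placeholders, not values from the thread): CLIENT_IF, TNL_TABLE,
# SG_ENDPOINT and the <..._KEY> strings; the client peers to India with
# AllowedIPs = 0.0.0.0/0; ip_forward=1 on both hosts (the asker says it is).
set -eu

CLIENT_IF="${CLIENT_IF:-wg0}"             # India: clients attach here (10.26.26.0/24)
TNL_TABLE="${TNL_TABLE:-51820}"           # table holding "default via Singapore"
CLIENT_NET="10.26.26.0/24"                # from the post
TRANSIT_NET="10.26.27.0/24"               # from the post
SG_ENDPOINT="${SG_ENDPOINT:-1.2.3.4:443}" # placeholder endpoint from the post

# Corrected India-side tnl0 config. Three things make it safe on a host you are
# SSH'd into: (1) Table = <number>, so wg-quick puts the 0.0.0.0/0 route there
# instead of adding the "not fwmark" rules that hijack the host's own traffic;
# (2) an `ip rule ... iif wg0`, so only packets from the clients use that table;
# (3) MASQUERADE on tnl0, so Singapore sees source 10.26.27.20, the only address
# its AllowedIPs for this peer accepts.
render_india_tnl0_conf() {
    cat <<EOF
[Interface]
Address = 10.26.27.20/32
PrivateKey = <INDIA_TNL0_PRIVATE_KEY>
Table = ${TNL_TABLE}
# client -> client (or -> this host's wg0 address) stays local
PostUp = ip rule add iif ${CLIENT_IF} to ${CLIENT_NET} lookup main priority 999
PostUp = ip rule add iif ${CLIENT_IF} lookup ${TNL_TABLE} priority 1000
# lets this host reach Singapore's tunnel address for testing (ping 10.26.27.1)
PostUp = ip route add ${TRANSIT_NET} dev %i
# replies arrive on %i but their source routes via eth0: loose reverse-path check
PostUp = sysctl -q -w net.ipv4.conf.%i.rp_filter=2
PostUp = iptables -A FORWARD -i ${CLIENT_IF} -o %i -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o ${CLIENT_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o ${CLIENT_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i ${CLIENT_IF} -o %i -j ACCEPT
PostDown = ip route del ${TRANSIT_NET} dev %i
PostDown = ip rule del iif ${CLIENT_IF} lookup ${TNL_TABLE} priority 1000
PostDown = ip rule del iif ${CLIENT_IF} to ${CLIENT_NET} lookup main priority 999

[Peer]
# Singapore
PublicKey = <SINGAPORE_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = ${SG_ENDPOINT}
PersistentKeepalive = 25
EOF
}

# The tnl0 config as first posted, reconstructed from the thread (the comments
# say it used AllowedIPs = 0.0.0.0/0, and it has no Table line). Lint input only.
render_original_tnl0_conf() {
    cat <<EOF
[Interface]
PrivateKey = <INDIA_TNL0_PRIVATE_KEY>
Address = 10.26.27.20/32
DNS = 1.1.1.1
[Peer]
PublicKey = <SINGAPORE_PUBLIC_KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = ${SG_ENDPOINT}
PersistentKeepalive = 21
EOF
}

# Lint a wg-quick config on stdin for the lockout pattern: a peer whose
# AllowedIPs covers 0.0.0.0/0 while [Interface] has no Table (or Table = auto).
# Prints OK / LOCKOUT-RISK and returns 0 / 1.
lint_chain_conf() {
    conf=$(cat)
    default_route=0
    own_table=0
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*(.*,[[:space:]]*)?0\.0\.0\.0/0([[:space:]]*,|[[:space:]]*$)'; then
        default_route=1
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*Table[[:space:]]*=[[:space:]]*[^[:space:]]+' \
       && ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*Table[[:space:]]*=[[:space:]]*auto[[:space:]]*$'; then
        own_table=1
    fi
    if [ "$default_route" -eq 1 ] && [ "$own_table" -eq 0 ]; then
        echo "LOCKOUT-RISK: AllowedIPs covers 0.0.0.0/0 with Table=auto; wg-quick will policy-route this host's own traffic (SSH replies included) into the tunnel"
        return 1
    fi
    echo "OK"
}

# Usage: render_india_tnl0_conf > /etc/wireguard/tnl0.conf && wg-quick up tnl0
# (bring wg0 up first; the iif rule refers to it). `demo` lints both versions.
if [ "${1:-}" = "demo" ]; then
    echo "== original tnl0.conf =="; render_original_tnl0_conf | lint_chain_conf || true
    echo "== corrected tnl0.conf =="; render_india_tnl0_conf | lint_chain_conf
fi
```

To verify on the hosts: after `wg-quick up tnl0` on India, `wg show tnl0` should show a recent handshake with Singapore, `ip rule` should list the two `iif wg0` rules, `ip route get <the admin's address>` should still answer `dev eth0` (which is why the SSH session survives), `ping 10.26.27.1` from India should succeed, and a what-is-my-IP check from a client should return Singapore's public address. The two wg-quick PostUp conventions above (multiple PostUp lines, `%i` for the interface name) are standard wg-quick syntax; the rule priorities and table number are arbitrary choices.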