
I need your help with WireGuard and network configuration. I am trying to get access from the Office network to the Field network through an Oracle Cloud WireGuard server. Please take a look at the picture. I've already tried different kinds of settings for the server and clients but still with no success :( For now, what I have is a ping between WireGuard peers. So the main goal is to get access from 10.10.10.1 to 192.168.0.0/24 (Field Network). Thank you in advance!

Here are my current configs:

Office Network (WG settings)

[Interface]
PrivateKey = XXX
Address = 10.10.10.1/32
DNS = 8.8.8.8

[Peer]
PublicKey = XXX
AllowedIPs = 0.0.0.0/0
Endpoint = XXX.XXX.XXX.XXX:XXX
PersistentKeepalive = 20

Oracle Cloud (WG settings)

[Interface]
PrivateKey = XXX
Address = 10.10.10.254/24
ListenPort = 51830
PostUp = /etc/wireguard/helper/add-nat-routing.sh
PostDown = /etc/wireguard/helper/remove-nat-routing.sh

[Peer]
# Office Network
PublicKey = XXX
AllowedIPs = 10.10.10.1/32, 192.168.0.0/24

[Peer]
# Field Network
PublicKey = XXX
AllowedIPs = 10.10.10.2/32, 192.168.0.0/24

Oracle Cloud (iptables settings)

#!/bin/bash
IPT="/sbin/iptables"

IN_FACE="enp0s3"                 # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="10.10.10.0/24"          # WG IPv4 sub/net aka CIDR
WG_PORT="51830"                  # WG udp port

## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $WG_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
sysctl -q -w net.ipv4.ip_forward=1

Field Network (WG settings)

[Interface]
PrivateKey = XXX
Address = 10.10.10.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = XXX
AllowedIPs = 0.0.0.0/0
Endpoint = XXX.XXX.XXX.XXX:XXX
PersistentKeepalive = 20
Sergey

1 Answer


If both your Office Network and your Field Network are using the same 192.168.0.0/24 address space, it's going to give you headaches, and you should change one or the other to use a different network block if you can.

If you can't, you won't be able to reach 192.168.0.0/24 as a whole from 10.10.10.1 -- you'll have to identify specific hosts (or a smaller block of the network, like say 192.168.0.96/28) that 10.10.10.1 should use its WireGuard connection to access.

Assuming you can't change your networks, this is what you could do to allow 10.10.10.1 to access 192.168.0.98 and 192.168.0.99, as well as to allow the hosts in 10.10.10.0/24 to access each other (assuming that's all you want to use the WireGuard connection for, not full Internet access like you currently have set up):

Configure WireGuard on 10.10.10.1 (Office Network) like this:

[Interface]
PrivateKey = XXX
Address = 10.10.10.1/24

[Peer]
PublicKey = XXX
AllowedIPs = 10.10.10.0/24, 192.168.0.98, 192.168.0.99
Endpoint = XXX.XXX.XXX.XXX:XXX
PersistentKeepalive = 20

Configure WireGuard on 10.10.10.254 (Oracle Cloud) like this:

[Interface]
PrivateKey = XXX
Address = 10.10.10.254/24
ListenPort = 51830

[Peer]
# Office Network
PublicKey = XXX
AllowedIPs = 10.10.10.1

[Peer]
# Field Network
PublicKey = XXX
AllowedIPs = 10.10.10.2, 192.168.0.98, 192.168.0.99

And you can trim your iptables script down to this:

#!/bin/bash
IPT="/sbin/iptables"

IN_FACE="enp0s3"                 # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC
SUB_NET="10.10.10.0/24"          # WG IPv4 sub/net aka CIDR
WG_PORT="51830"                  # WG udp port

## IPv4 ##
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $WG_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
sysctl -q -w net.ipv4.ip_forward=1

Configure WireGuard on 10.10.10.2 (Field Network) like this:

[Interface]
PrivateKey = XXX
Address = 10.10.10.2/24

[Peer]
PublicKey = XXX
AllowedIPs = 10.10.10.0/24
Endpoint = XXX.XXX.XXX.XXX:XXX
PersistentKeepalive = 20

And make sure you enable packet forwarding on 10.10.10.2.

Justin Ludwig
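As an added illustration, not part of the question or of Justin's answer, the Python below models the cryptokey routing that explains why the server config in the question cannot hand 192.168.0.0/24 to both peers. It parses a wg-quick style config, rebuilds the AllowedIPs table the way wg(8) does (a prefix belongs to exactly one peer, and the peer configured last takes it away from an earlier one), and then simulates what the server does with a decrypted packet in each direction: the source address must be in the sending peer's AllowedIPs or the packet is dropped, and the destination is routed to whichever peer holds the longest matching prefix. The embedded config is a constructed copy of the question's Oracle Cloud config; OFFICE_PUBKEY and FIELD_PUBKEY are placeholder labels for the redacted keys.

```python
import ipaddress

# Constructed sample: the Oracle Cloud server config from the question,
# with placeholder labels instead of the redacted keys. Both peers claim
# 192.168.0.0/24, which is the problem this script surfaces.
SERVER_CONF = """\
[Interface]
PrivateKey = XXX
Address = 10.10.10.254/24
ListenPort = 51830

[Peer]
# Office Network
PublicKey = OFFICE_PUBKEY
AllowedIPs = 10.10.10.1/32, 192.168.0.0/24

[Peer]
# Field Network
PublicKey = FIELD_PUBKEY
AllowedIPs = 10.10.10.2/32, 192.168.0.0/24
"""


def parse_wg_conf(text):
    """Parse wg-quick INI text into (interface_dict, [peer_dict, ...]).
    Keys are lower-cased; a '# comment' line directly under a [Peer]
    header is kept as that peer's human-readable label."""
    iface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append({})
            elif section != "interface":
                raise ValueError("unknown section " + line)
            continue
        if line.startswith("#"):
            if section == "peer" and "label" not in peers[-1]:
                peers[-1]["label"] = line.lstrip("#").strip()
            continue
        key, _, value = line.partition("=")
        target = peers[-1] if section == "peer" else iface
        target[key.strip().lower()] = value.split("#", 1)[0].strip()
    return iface, peers


def peer_name(peers, idx):
    return peers[idx].get("label") or peers[idx].get("publickey", f"peer{idx}")


def cryptokey_table(peers):
    """Rebuild the cryptokey routing table WireGuard derives from AllowedIPs.
    A prefix maps to exactly one peer: when a later peer lists a prefix an
    earlier peer already holds, wg moves it to the later peer and the earlier
    peer silently loses it. Returns ({network: peer_index}, [finding, ...])."""
    table, findings = {}, []
    for idx, peer in enumerate(peers):
        for item in peer.get("allowedips", "").split(","):
            item = item.strip()
            if not item:
                continue
            net = ipaddress.ip_network(item, strict=False)  # bare IP -> /32
            if net in table and table[net] != idx:
                findings.append(
                    f"{net} moved from {peer_name(peers, table[net])} "
                    f"to {peer_name(peers, idx)}"
                )
            table[net] = idx
    return table, findings


def lookup(table, ip):
    """Longest-prefix match: index of the peer owning `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, idx in table.items():
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, idx)
    return None if best is None else best[1]


def forward(peers, from_peer, src, dst):
    """What the server does with a decrypted packet received from `from_peer`.
    Inbound check: `src` must be inside that peer's AllowedIPs, else dropped.
    Outbound: `dst` goes to the peer holding the longest matching prefix.
    Returns the next-hop peer's name, or a string starting with 'drop'."""
    table, _ = cryptokey_table(peers)
    if lookup(table, src) != from_peer:
        return f"drop: {src} is not an AllowedIP of {peer_name(peers, from_peer)}"
    owner = lookup(table, dst)
    if owner is None:
        return f"drop: no peer routes {dst} (local delivery only if it is the server's own address)"
    return peer_name(peers, owner)


if __name__ == "__main__":
    _, peers = parse_wg_conf(SERVER_CONF)
    for finding in cryptokey_table(peers)[1]:
        print("WARNING:", finding)
    print("office -> field host:", forward(peers, 0, "10.10.10.1", "192.168.0.99"))
    print("field host -> office:", forward(peers, 1, "192.168.0.99", "10.10.10.1"))
    print("office LAN host -> field:", forward(peers, 0, "192.168.0.5", "10.10.10.2"))
```

Running it prints the warning that 192.168.0.0/24 was taken from the Office peer by the Field peer, which is also why a packet from an office-side 192.168.0.x address can never be accepted on the Office peer. On a live server the effective table can be read with `wg show wg0 allowed-ips`, which is the quickest way to confirm which peer actually owns each prefix after wg-quick has applied the config.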