Can Wireguard site-to-site hosts also see the other LAN? - wireguard

Although my Wireguard site-to-site setup is mostly working fine, there's a problem when I try to communicate from one of the hosts (peers) themselves. The setup is two LANs, let's call them 'A' and 'B', with hosts Host A and Host B
Property
LAN 'A'
LAN 'B'
Subnet
192.168.1.xxx
192.168.2.xxx
Host WAN IP
110.120.130.140
210.220.230.240
Host LAN IP
192.168.1.108
192.168.2.102
Host A config:
[Interface]
PrivateKey = <HOST A PRIVATE KEY>
Address = 10.0.0.1/32
ListenPort = 51821
PreUp = sysctl -w net.ipv4.ip_forward=1
[Peer]
PublicKey = <HOST B PUBLIC KEY>
Endpoint = 210.220.230.240:51822
AllowedIPs = 192.168.2.0/24
Host B config:
[Interface]
PrivateKey = <HOST B PRIVATE KEY>
Address = 10.0.0.2/32
ListenPort = 51822
PreUp = sysctl -w net.ipv4.ip_forward=1
[Peer]
PublicKey = <HOST A PUBLIC KEY>
Endpoint = 110.120.130.140:51821
AllowedIPs = 192.168.1.0/24
Every device on LAN 'A', except for Host A itself, can communicate with any device on LAN 'B'.
For example, I try ping 192.168.2.105 on Host A, and ping just hangs. Similarly, pings from Host B itself to LAN 'A' also fail.
That's a problem because my Wireguard hosts are NAS boxes which are doing several other tasks too, and it would be good for them to be able to see the other LAN.
Is this a fundamental problem with the Wireguard site-to-site topology, or can this be fixed?

After a bit of experimentation, I discovered one way round the problem, though it's not fully clear why it works.
This might be the story. Consider Host A as a listener, then the configuration tells it to listen to all addresses on the other LAN, 192.168.2.0/24. This will work for all devices on the second LAN except for host B itself. I guess that Host B appears instead to Host A as having the tunnel address of 10.0.0.2 rather than its regular LAN address of 192.168.2.102.
The solution is then to add the tunnel address of the other host as one of the AllowedIPs in the configuration. On Host A, that line of the configuration should be changed to:
AllowedIPs = 192.168.2.0/24,10.0.0.2/32
and on Host B, its equivalent line changes to:
AllowedIPs = 192.168.1.0/24,10.0.0.1/32
Then each of the hosts can itself use its own VPN tunnel to see devices on the other LAN.

Related

Unable to ping from GNS3 topology to Physical Adapter

I'm trying to setup a connection b/w GNS3 Router and Local PC. Following are the steps done so far in GNS3:-
1. setup a router interface, e0/0/ = 192.168.1.1 255.255.255.0
2. created a cloud loopback adapter, interface, and assigned IP = 192.168.1.5 255.255.255.0
(Note: loopback adapter has been created as Mictosoft KM-Test loopback on my PC. and same interface has been added to cloud in GNS3 which is then connected to Router interface, e0/0)
When I tried ping from my PC to GNS3 R, arp entries get created in Router (running on GNS3 topology). See below:
RTR#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.1 - aabb.cc00.0200 ARPA Ethernet0/0
Internet 192.168.1.5 134 0200.4c4f.4f50 ARPA Ethernet0/0
But ICMP isn't successful on Router (See below) :-
RTR#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Can anyone help here pls ??
Try setting the IP address of the KM-Test adapter to an address outside your home network. Such as 10.0.0.1/24. Attach your cloud to the network adapter and then create persistent static routes by opening a command prompt as administrator and entering the command.
route -p add [Destination] mask [Subnet Mask] [Gateway(KM-Test)]
Note that any additional network you create within GNS3 will need a static route so that windows knows to send your packets through the KM-Test rather than your home network gateway.

Port forwarding issue

I have Totolink A2004NS wifi router, to which I have connected a desktop PC with static IP configured.
I have got the static IP address from the ISP. I need to host a web service on port 80.
When I try to port forward External port 80 to Internal port 80, I get a error message saying -
Port number can not contain Web port.
Screenshot attached.
However, other port forwards work just fine.
What am I doing wrong?
I had the same issue. If you change the web port of the wifi router from the WAN settings, you will be able to port forward to 80.

How can I accessing a react app in Virtualbox

Trying to connect to a react app that is running inside a Virtualbox wit Ubuntu 18.04.
Did the network config on virtualbox by adding a second network configured via NAT and added all my forwarded ports.
Ports forwarded:
Server ports listening:
Result when trying to connect to port:
My problem is that all the other ports that I am forwarding work perfectly except for 3000 or 3001, which are both react apps.
What am I doing wrong?
You should specify Host IP and Guest IP in port forwarding.
To define Guest IP you need to call ifconfig command via console and find inet addr. In my case it equals to 10.0.2.15.
Your Host IP is 192.168.0.6 based on the screenshot above.

ARP : What Mac ARP does request when a Host want to communicate to Host in different Network

Please Clarify my doubt in ARP. In the below Topology,.
Looking for better understanding, how ARP works when Hosts are connected between default Gateways .
Host A(10.10.10.1)-----Switch-----(10.10.10.2)Router(20.20.20.2)--------HostB
When a Host want to communicate to Host B , does hostA send an ARP request for Destination IP (20.20.20.1) or to Default Gateway (10.10.10.2) .
If it send ARP for HOST B mean, Host A identifies Host B is in different network, it will send the Packet only to the Configured Default Gateway , so will it request for Default Gateway Mac address
Host B mac will not be learnt by Host A by any cost, So does Host A will generate ARP request for each time?
Since a MAC address is only useful for a layer-2 domain which is bounded by a layer-3 device (router), a host will not ARP for a MAC address on a different subnet unless it has a misconfigured mask.
The host will ARP for the address of its configured gateway so that it can send the frame to the gateway, and the gateway will remove the layer-2 frame and try to forward the layer-3 packet to the port toward the end host. The router will then encapsulate the layer-3 packet with a new layer-2 frame (possibly using ARP if the nest hop isn't in its ARP cache) for the next link.

How to differentiate between two or more devices in the same ip address (wifi)?

I am currently working on networking project that share files between mobile devices using p2p technology. Using wifi or mobile network. The main problem is when using wifi the general ip address become the same for all connected devices to that wifi connection and this is the problem how to send the file to a particular one if all connected devices have the same ip address?
Every device on same network has private IP addresses which are unique. All of them shares one public IP address. Now how do server distinguish them by only seeing their public IP and send them data?
Well the answer is the server doesn't see only IP address. It sees IP:Port. Every private IP connected to the server has same public IP but different port. The public IP belongs to your NAT. Your NAT assigns unique port to every private IP addresses and maps them. The mapping is like this [private IP, private port, public IP, public port, transport protocol].
So when your server sends a packet to public IP:port then the packet is forwarded to the mapped private IP:port. And your device with that private IP:Port receives it.
Use the mac address which is uniques for every device you pick.
Comparing mac address will be easy when you encounter multiple devices with same IP address.

Resources