I spawned two AWS EC2 machines, installed Wireguard on both.
The first machine is supposed to work as a Wireguard Server. I have opened port 51820 on the AWS firewall for incoming UDP and TCP traffic on that machine.
I added net.ipv4.ip_forward=1 to /etc/sysctl.conf on the Server machine and reloaded with sudo sysctl -p
Server's /etc/wireguard/wg0.conf:
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = *****************************************
[Peer]
PublicKey = aJtTwEv6LzdJx/ZEdQMSuOrslHY/AIv+e3EzI/bsMAY=
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = eJJDZcHtVA0G5bJqXD/lj75Cbuu6Kcu4APrkZBwEAzs=
AllowedIPs = 10.8.0.3/32
[Peer]
PublicKey = MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
AllowedIPs = 10.8.0.4/32
As you can see I have added 3 peers with different public keys. I followed the tutorial and ran the server via systemctl. Everything is up and running nicely.
Now the peer machine. Here, my /etc/wireguard/wg0.conf is the following:
[Interface]
PrivateKey = *********************************
Address = 10.8.0.4/24
[Peer]
PublicKey = MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
AllowedIPs = 10.8.0.0/24
Endpoint = 34.235.224.92:51820
Address and public key match the values defined in the Server config. The Endpoint is the public IP of the first EC2 machine (I have used AWS Elastic IP)
I then ran sudo wg-quick up wg0 on the peer
The output is:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.4/24 dev wg0
[#] ip link set mtu 8921 up dev wg0
Then I run sudo wg on the peer machine, and the output is:
interface: wg0
public key: MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
private key: (hidden)
listening port: 46598
On the server machine sudo wg is not showing the 10.8.0.4 peer made any handshakes:
interface: wg0
public key: uO5puRXj/XvgCH0SGoAm+8CsUmCPbmdbW3nvpTnepgY=
private key: (hidden)
listening port: 51820
peer: aJtTwEv6LzdJx/ZEdQMSuOrslHY/AIv+e3EzI/bsMAY=
allowed ips: 10.8.0.2/32
peer: eJJDZcHtVA0G5bJqXD/lj75Cbuu6Kcu4APrkZBwEAzs=
allowed ips: 10.8.0.3/32
peer: MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
allowed ips: 10.8.0.4/32
There aren't any logs. I don't know where to look to fix the issue.
Related
I have two Wireguard peers, both on the same network. For a while, I've been putting the server endpoint on the "client" and connecting to the server. Now, I want to put the client endpoint on the server and connect from the server. However, it does not work.
Server config:
[Interface]
Address = 10.200.200.1/32
ListenPort = 2000
PrivateKey = *************
MTU=1420
# substitute eth0 in the following lines to match the Internet-facing interface
# if the server is behind a router and receives traffic via NAT, these iptables rules are not needed
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s2 -j MASQUERADE
[Peer]
# Macbook
PublicKey = *************************
#PresharedKey = PRE-SHARED_KEY
Endpoint = 192.168.1.212:2000
AllowedIPs = 10.200.200.3/32
#PersistentKeepalive = 25
Client config:
[Interface]
Address = 10.200.200.3/32
DNS = 10.200.200.1
MTU = 1420
ListenPort = 2000
PrivateKey = *********************
[Peer]
# Computer
AllowedIPs = 0.0.0.0/0, ::0
PublicKey = *********************
Ok, apparently, if you put a client endpoint, the server must first reach out to the client (for example ssh or ping). This is because Wireguard only connects when it has to connect.
I have created a VM with virtual box that runs windows 10, and installed SQL Server.
Using Consume Adapter Service in Visual Studio for BizTalk 2020
Configured: SQLBinding AS: mssql://DESKTOP-T2G7B3A/MSSQL15.MSSQLSERVER/AFBizTalkTest?InboundId=ID
Click Connect:
Failure 26 - Error Locating Server/Instance Specified
Items tried or checked:
Ran PortQry on Virtual Box:
Starting portqry.exe -n 10.0.2.15 -e 1433 -p TCP ...
Querying target system called:
10.0.2.15
Attempting to resolve IP address to a name...
IP address resolved to DESKTOP-T2G7B3A
querying...
TCP port 1433 (ms-sql-s service): LISTENING
portqry.exe -n 10.0.2.15 -e 1433 -p TCP exits with return code 0x00000000.
1A. Ran PortQry On Host
Starting portqry.exe -n 10.0.2.15 -e 1433 -p TCP ...
Querying target system called:
10.0.2.15
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 1433 (ms-sql-s service): FILTERED
portqry.exe -n 10.0.2.15 -e 1433 -p TCP exits with return code 0x00000002.
1B. Verified the IP address on Virtual Box is 10.0.2.15. Failed to ping on Host, Successful ping on Virtual Box.
TCP/IP Enabled in SQL Server instance.
Changed Server name to ip address - Error Locating Server/Instance Specified
Verified SQL Server Browser is running.
Verified Server Name from Error Log.
I have wireguard setup on a machine (call it MachineA, with the IP 10.42.0.19). I have my laptop configured with the IP 10.42.0.15, call it LaptopB. I am able to SSH into MachineA from the LaptopB when I connect both peers using ssh root#MachineA. Then, if I wait a while, I can no longer SSH into the MachineA from LaptopB. For example, the same command ssh root#MachineA just hangs.
Using -vvvv shows me this:
$ ssh -vvvv root#10.42.0.19
OpenSSH_8.3p1 Ubuntu-1ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/xrd/.ssh/config
...
debug2: ssh_connect_direct
debug1: Connecting to 10.42.0.19 [10.42.0.19] port 22.
And, it never connects.
There is a simple fix: from inside the machine, ping any other Wireguard machine on the network. MachineA is a DigitalOcean droplet. If I use the web console to login, and then ping any other peer on the network (say 10.42.0.4), then immediately after the ping starts, the SSH connection completes.
How do I troubleshoot this?
I have not restarted wireguard on either LaptopB nor MachineA. Both appear to be connected.
In my wg0.conf on both ends they are more or less like this:
[Interface]
Address = 10.42.0.19/24
PrivateKey = DontYouWishYouHadThis
DNS = 10.42.0.1,8.8.8.8
[Peer]
PublicKey = SomePublicKeyIsHere
AllowedIPs = 10.42.0.0/24
Endpoint = 33.33.33.33.:51280
I am thinking of setup wireguard server on my raspberrypi 4, and I have configuration like below:
Address = 192.168.2.0/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
ListenPort = 5555
PrivateKey = '\\\\hidden this line\\\\'
and my iPhone has the configuration like:
But I can only access net within: 192.168.0.0/16 other than 0.0.0.0/0, instead with 0.0.0.0/0, handshake even failes.
Does anyone ever meet the same issue here?
Thanks a lot for any reply or answers!
it is because of DNS issue, if I put a DNS server for the client (which could be the address of your router like 192.168.0.1, or any other in the subnet, to me I use my pihole as DNS server (192.168.0.161), or use the public DNS server like 8.8.8.8, 1.1.1.1
I have an apache2/httpd install on centos fronting a tomcat instance and I want it to trust all client certificates.
How should I go about it?
There is no such thing as 'SSL Passthrough' with Apache since Apache needs to handle the SSL negotiation. Things I may think of are
Do not use Apache but perform TCP forwarding, using a NAT rule for instance (/sbin/iptables -I PREROUTING -t nat -p tcp -d test.server.ip --dport 443 -j DNAT --to :8443). If you have two IP addresses assigned to the machine, your NAT rule can redirect based on the destination IP.
You could configure a virtual host in Apache dedicated to test where you set SSLVerifyClientto none. This Virtual Host has a reverse proxy rule mapping directly to the non SSL http port of your Tomcat instance, or maps to the HTTP/S port and then you set the SSLProxyMachineCertificateFile with certs that Apache can present to authenticate to Tomcat