I have two Wireguard peers, both on the same network. For a while, I've been putting the server endpoint on the "client" and connecting to the server. Now, I want to put the client endpoint on the server and connect from the server. However, it does not work.
Server config:
[Interface]
Address = 10.200.200.1/32
ListenPort = 2000
PrivateKey = *************
MTU=1420
# substitute eth0 in the following lines to match the Internet-facing interface
# if the server is behind a router and receives traffic via NAT, these iptables rules are not needed
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s2 -j MASQUERADE
[Peer]
# Macbook
PublicKey = *************************
#PresharedKey = PRE-SHARED_KEY
Endpoint = 192.168.1.212:2000
AllowedIPs = 10.200.200.3/32
#PersistentKeepalive = 25
Client config:
[Interface]
Address = 10.200.200.3/32
DNS = 10.200.200.1
MTU = 1420
ListenPort = 2000
PrivateKey = *********************
[Peer]
# Computer
AllowedIPs = 0.0.0.0/0, ::/0
PublicKey = *********************
Ok, apparently, if you put a client endpoint, the server must first reach out to the client (for example ssh or ping). This is because Wireguard only connects when it has to connect.
Related
I spawned two AWS EC2 machines, installed Wireguard on both.
The first machine is supposed to work as a Wireguard Server. I have opened port 51820 on the AWS firewall for incoming UDP and TCP traffic on that machine.
I added net.ipv4.ip_forward=1 to /etc/sysctl.conf on the Server machine and reloaded with sudo sysctl -p
Server's /etc/wireguard/wg0.conf:
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = *****************************************
[Peer]
PublicKey = aJtTwEv6LzdJx/ZEdQMSuOrslHY/AIv+e3EzI/bsMAY=
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = eJJDZcHtVA0G5bJqXD/lj75Cbuu6Kcu4APrkZBwEAzs=
AllowedIPs = 10.8.0.3/32
[Peer]
PublicKey = MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
AllowedIPs = 10.8.0.4/32
As you can see I have added 3 peers with different public keys. I followed the tutorial and ran the server via systemctl. Everything is up and running nicely.
Now the peer machine. Here, my /etc/wireguard/wg0.conf is the following:
[Interface]
PrivateKey = *********************************
Address = 10.8.0.4/24
[Peer]
PublicKey = MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
AllowedIPs = 10.8.0.0/24
Endpoint = 34.235.224.92:51820
Address and public key match the values defined in the Server config. The Endpoint is the public IP of the first EC2 machine (I have used AWS Elastic IP)
I then ran sudo wg-quick up wg0 on the peer
The output is:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.4/24 dev wg0
[#] ip link set mtu 8921 up dev wg0
Then I run sudo wg on the peer machine, and the output is:
interface: wg0
public key: MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
private key: (hidden)
listening port: 46598
On the server machine sudo wg is not showing that the 10.8.0.4 peer made any handshakes:
interface: wg0
public key: uO5puRXj/XvgCH0SGoAm+8CsUmCPbmdbW3nvpTnepgY=
private key: (hidden)
listening port: 51820
peer: aJtTwEv6LzdJx/ZEdQMSuOrslHY/AIv+e3EzI/bsMAY=
allowed ips: 10.8.0.2/32
peer: eJJDZcHtVA0G5bJqXD/lj75Cbuu6Kcu4APrkZBwEAzs=
allowed ips: 10.8.0.3/32
peer: MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
allowed ips: 10.8.0.4/32
There aren't any logs. I don't know where to look to fix the issue.
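Both threads above come down to the same question: has this peer ever completed a handshake, and if not, is either side in a position to start one? WireGuard initiates a handshake only when it has traffic to send, so a peer with no Endpoint (the "server" in the first thread) can never initiate, and a peer without PersistentKeepalive goes quiet while idle, which is not a failure by itself. The function below is an added example, not part of either post: it reads the output of `wg show <iface> dump` on stdin and lists peers that have never handshaked or whose last handshake is older than a threshold, noting whether the peer has an endpoint and keepalive. The sample dump and its keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: list WireGuard peers that have not handshaked recently.
# Reads `wg show <iface> dump` on stdin. Arguments: NOW (epoch seconds) MAXAGE (seconds).
#
# Dump format (tab separated), line 1 = the interface:
#   private-key  public-key  listen-port  fwmark
# each further line = one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is 0 if there never was one, endpoint is "(none)" if unset,
# keepalive is "off" if unset.
wg_stale_peers() {
    now=$1
    maxage=${2:-180}   # WireGuard rekeys every 2 min, but only while traffic flows
    awk -F '\t' -v now="$now" -v maxage="$maxage" '
        NR == 1 { next }                                  # interface line
        {
            pub = $1; endpoint = $3; hs = $5; ka = $8
            if (hs == 0)                reason = "never-handshaked"
            else if (now - hs > maxage) reason = "stale(" (now - hs) "s)"
            else                        next
            hint = ""
            # no Endpoint: this side cannot initiate, the peer has to send first
            if (endpoint == "(none)")   hint = hint " no-endpoint"
            # no keepalive: an idle peer behind NAT loses its mapping and goes quiet
            if (ka == "off")            hint = hint " keepalive-off"
            print pub, reason hint
        }'
}

# Constructed sample dump (placeholder keys, not from the posts):
# peer A handshaked 30 s before NOW, peer B never, peer C 10 minutes before NOW.
SAMPLE_DUMP=$(
    printf 'SERVERPRIVKEY=\tSERVERPUBKEY=\t51820\toff\n'
    printf 'PEERA=\t(none)\t203.0.113.10:40001\t10.8.0.2/32\t1700000000\t1200\t900\t25\n'
    printf 'PEERB=\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff\n'
    printf 'PEERC=\t(none)\t203.0.113.11:40002\t10.8.0.3/32\t1699999430\t500\t400\toff\n'
)

# On a live box: wg show wg0 dump | wg_stale_peers "$(date +%s)" 180
printf '%s\n' "$SAMPLE_DUMP" | wg_stale_peers 1700000030 180
```

A "stale" peer with keepalive off is often just idle; it becomes a problem only when traffic is being sent and the handshake timestamp still does not move. A peer that shows no-endpoint can only be reached after it has sent something first, which is exactly why pinging the client from the server in the first thread made the tunnel come up.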
I am thinking of setting up a WireGuard server on my Raspberry Pi 4, and I have a configuration like the one below:
Address = 192.168.2.0/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
ListenPort = 5555
PrivateKey = '\\\\hidden this line\\\\'
and my iPhone has the configuration like:
But I can only access the network within 192.168.0.0/16, not 0.0.0.0/0; with 0.0.0.0/0, even the handshake fails.
Does anyone ever meet the same issue here?
Thanks a lot for any reply or answers!
It is because of a DNS issue. If I put a DNS server for the client (which could be the address of your router, like 192.168.0.1, or any other in the subnet; for me, I use my Pi-hole as DNS server (192.168.0.161)), or use a public DNS server like 8.8.8.8 or 1.1.1.1.
I've been trying for the past 5 hours to setup WireGuard on my server, and after getting everything setup, I can't ping IPs or resolve domains.
Below is the server config
[Interface]
Address = 10.100.100.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
ListenPort = 51820
# Server's private key
PrivateKey = EPRQ7Tujdx2pITBV9DeUz+PzYFVb1sax9Fn2hMcLMGI=
[Peer]
# Client's public key
PublicKey = 7FGaduQME4ytI3AyYusl/itkOWU3YgQ3jU7Bsme76WU=
AllowedIPs = 10.100.100.2/32
And this is the client's config
[Interface]
Address = 10.100.100.2/32
# Client's private key
PrivateKey = 0B5b3ysvvpn6kC50sdCFELlMhIexY47kKRRMtBpqdlQ=
[Peer]
# Server's public key
PublicKey = HUuRYaDwqPNHirxlFTewTVKTsCi2udFImqvDfoiAH24=
Endpoint = 129.213.59.233:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
The server has IP forwarding enabled.
I was attempting to follow this video: https://www.youtube.com/watch?v=n00ayGUdCaI
The server-side iptables configuration has two problems:
The following 4 rules are repeated twice:
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE;
ip6tables -A FORWARD -i wg0 -j ACCEPT;
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE;
ip6tables -D FORWARD -i wg0 -j ACCEPT;
In the following 4 lines, wg0 should be replaced with your main network interface name:
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; -> iptables -t nat -A POSTROUTING -o <your main network interface name> -j MASQUERADE;
ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE -> ip6tables -t nat -A POSTROUTING -o <your main network interface name> -j MASQUERADE
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; -> iptables -t nat -D POSTROUTING -o <your main network interface name> -j MASQUERADE;
ip6tables -t nat -D POSTROUTING -o wg0 -j MASQUERADE -> ip6tables -t nat -D POSTROUTING -o <your main network interface name> -j MASQUERADE
The main network interface name is easy to get with the ifconfig or ip -c a command.
In the end, the iptables part of the configuration should look like this:
[Interface]
...
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <your main network interface name> -j MASQUERADE;ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o <your main network interface name> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <your main network interface name> -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o <your main network interface name> -j MASQUERADE
...
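The two mistakes the answer above corrects, a rule listed twice and MASQUERADE applied to the tunnel instead of the uplink, are easy to make in a long PostUp line and hard to spot by eye. The following lint function is an added example, not code from the question or the answer; it takes the WireGuard interface name and a PostUp/PostDown rule string and prints one finding per problem. The "good" line assumes the uplink is called eth0, which is a placeholder name.

```shell
#!/bin/sh
# Added example: lint a wg-quick PostUp/PostDown rule string.
# Usage: lint_postup <wg-interface> "<rule>; <rule>; ..."
lint_postup() {
    wgif=$1
    rules=$2
    # one rule per line, surrounding whitespace stripped, runs of spaces collapsed
    norm=$(printf '%s\n' "$rules" | tr ';' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/[[:space:]][[:space:]]*/ /g' -e '/^$/d')

    # 1. exact duplicates: iptables installs the same rule twice without complaint,
    #    and PostDown then removes only one copy per run
    printf '%s\n' "$norm" | sort | uniq -d | while read -r r; do
        printf 'duplicate: %s\n' "$r"
    done

    # 2. MASQUERADE with -o <tunnel>: packets leaving via the uplink are never
    #    source-NATed, so replies from the Internet never find their way back
    printf '%s\n' "$norm" | sort -u \
        | grep -E -- "-t nat .*POSTROUTING.*-o ${wgif}( |\$).*MASQUERADE" \
        | while read -r r; do
            printf 'masquerade-on-tunnel (use the uplink interface): %s\n' "$r"
        done
    return 0
}

# The PostUp line from the question above (wg0 everywhere, two rules duplicated):
BAD='iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE'
# The corrected form, assuming the uplink is eth0 (placeholder name):
GOOD='iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'

lint_postup wg0 "$BAD"     # 4 findings: 2 duplicates, 2 masquerade-on-tunnel
lint_postup wg0 "$GOOD"    # prints nothing
```

Run it against a config with `lint_postup wg0 "$(sed -n 's/^PostUp *= *//p' /etc/wireguard/wg0.conf)"`; the same call with PostDown catches the matching `-D` rules.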
Good Folks,
I have a weird situation here. My remote Linux server is nicely monitored by Nagios, but when I try to run check_nrpe -H I get an SSL handshake error. I don't get the same error from the Nagios server.
[root@agent1 ~]# /usr/local/nagios/libexec/check_nrpe -H master
CHECK_NRPE: Error - Could not complete SSL handshake.
[root@agent1 ~]#
[root@master ~]# /usr/local/nagios/libexec/check_nrpe -H agent1
NRPE v2.15
[root@master ~]#
Any idea how to resolve it?
Check your nrpe configuration file and your IP in only_from list.
nano /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = IP1 IP2 IP3
}
The correct answer is recompiling NRPE with SSL headers:
./configure --enable-ssl
The rest of the steps, which are given everywhere in the general documentation, are correct.
I have a website deployed on Apache2. The Apache2 server is setup on a VM.
When I try to access the site using a browser from a remote machine (my laptop), I get a connection timed out error.
When I try to access something deployed on Tomcat on the same VM it works fine. But Apache gives a problem.
Please let me know what I am missing.
Thanks.
1) check that the httpd process is running
ps -ef | grep httpd |grep -v grep
2) make sure you are broadcasting on port 80
netstat -atn |grep :80
3) verify in your conf (/etc/httpd/conf.d/*.conf) file that you are binding Apache to port 80
<virtualhost *:80>
or
<virtualhost xxx.xxx.xxx.xxx:80>
Your Tomcat process may be bound to port 80 and the socket is not available.
On CentOS, run these commands:
iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
/etc/init.d/iptables save
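Step 2 above is the one that tells the cases apart, because how port 80 is bound predicts what the remote browser sees: nothing listening, or a socket bound only to 127.0.0.1, produces "connection refused", while a "timed out" as in the question means the SYN was dropped on the way, which points at the iptables rule in step 4 or another filter in front of the VM rather than at Apache's config. The function below is an added example, not part of the answer; it classifies a port's binding from `netstat -atn` output read on stdin. The sample output is constructed and has Tomcat on 8080 reachable from anywhere and Apache listening on loopback only.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from `netstat -atn` output on stdin.
# Prints one of: all | loopback-only | specific <addr> | none
# Usage: listen_state PORT < netstat_output
listen_state() {
    awk -v p="$1" '
        $NF == "LISTEN" {
            la = $4                             # e.g. 0.0.0.0:80, 127.0.0.1:80, :::80
            port = la; sub(/.*:/, "", port)
            if (port != p) next
            addr = la; sub(/:[0-9]+$/, "", addr)
            if (addr == "0.0.0.0" || addr == "::") { print "all"; found = 1; exit }
            if (addr == "127.0.0.1" || addr == "::1") { lo = 1; next }
            print "specific " addr; found = 1; exit
        }
        END { if (!found) print (lo ? "loopback-only" : "none") }'
}

# Constructed netstat -atn output (not from the post).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51512          ESTABLISHED'

# On a live box: netstat -atn | listen_state 80
for port in 80 8080 443; do
    printf 'port %s: %s\n' "$port" "$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_state "$port")"
done
```

With "all" on port 80 and still a timeout from the laptop, open the port in the host firewall as in step 4 and check whatever packet filter sits between the laptop and the VM; with "loopback-only" or "specific", fix the Listen directive or the VirtualHost address first.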