WireGuard - Can't ping server or resolve domains - wireguard

I've been trying for the past 5 hours to set up WireGuard on my server, and after getting everything set up, I can't ping IPs or resolve domains.
Below is the server config
[Interface]
Address = 10.100.100.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
ListenPort = 51820
# Server's private key
PrivateKey = EPRQ7Tujdx2pITBV9DeUz+PzYFVb1sax9Fn2hMcLMGI=
[Peer]
# Client's public key
PublicKey = 7FGaduQME4ytI3AyYusl/itkOWU3YgQ3jU7Bsme76WU=
AllowedIPs = 10.100.100.2/32
And this is the client's config
[Interface]
Address = 10.100.100.2/32
# Client's private key
PrivateKey = 0B5b3ysvvpn6kC50sdCFELlMhIexY47kKRRMtBpqdlQ=
[Peer]
# Server's public key
PublicKey = HUuRYaDwqPNHirxlFTewTVKTsCi2udFImqvDfoiAH24=
Endpoint = 129.213.59.233:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
The server has IP forwarding enabled.
I was attempting to follow this video: https://www.youtube.com/watch?v=n00ayGUdCaI

The server-side iptables configuration has two problems:
The following 4 configuration lines are repeated twice:
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE;
ip6tables -A FORWARD -i wg0 -j ACCEPT;
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE;
ip6tables -D FORWARD -i wg0 -j ACCEPT;
In the following 4 lines of configuration, wg0 should be replaced with your main network interface name:
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; -> iptables -t nat -A POSTROUTING -o <your main network interface name> -j MASQUERADE;
ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE -> ip6tables -t nat -A POSTROUTING -o <your main network interface name> -j MASQUERADE
iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; -> iptables -t nat -D POSTROUTING -o <your main network interface name> -j MASQUERADE;
ip6tables -t nat -D POSTROUTING -o wg0 -j MASQUERADE -> ip6tables -t nat -D POSTROUTING -o <your main network interface name> -j MASQUERADE
The main network interface name should be easy to get with the ifconfig or ip -c a command.
In the end, the iptables configuration part should look like:
[Interface]
...
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <your main network interface name> -j MASQUERADE;ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o <your main network interface name> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <your main network interface name> -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o <your main network interface name> -j MASQUERADE
...

Related

Troubleshooting Wireguard on Ubuntu 20 on AWS (the very simple tutorial setup is not working)

I spawned two AWS EC2 machines, installed Wireguard on both.
The first machine is supposed to work as a Wireguard Server. I have opened port 51820 on the AWS firewall for incoming UDP and TCP traffic on that machine.
I added net.ipv4.ip_forward=1 to /etc/sysctl.conf on the Server machine and reloaded with sudo sysctl -p
Server's /etc/wireguard/wg0.conf:
[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = *****************************************
[Peer]
PublicKey = aJtTwEv6LzdJx/ZEdQMSuOrslHY/AIv+e3EzI/bsMAY=
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = eJJDZcHtVA0G5bJqXD/lj75Cbuu6Kcu4APrkZBwEAzs=
AllowedIPs = 10.8.0.3/32
[Peer]
PublicKey = MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
AllowedIPs = 10.8.0.4/32
As you can see I have added 3 peers with different public keys. I followed the tutorial and ran the server via systemctl. Everything is up and running nicely.
Now the peer machine. Here, my /etc/wireguard/wg0.conf is the following:
[Interface]
PrivateKey = *********************************
Address = 10.8.0.4/24
[Peer]
PublicKey = MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
AllowedIPs = 10.8.0.0/24
Endpoint = 34.235.224.92:51820
Address and public key match the values defined in the Server config. The Endpoint is the public IP of the first EC2 machine (I have used AWS Elastic IP)
I then ran sudo wg-quick up wg0 on the peer
The output is:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.4/24 dev wg0
[#] ip link set mtu 8921 up dev wg0
Then I run sudo wg on the peer machine, and the output is:
interface: wg0
public key: MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
private key: (hidden)
listening port: 46598
On the server machine, sudo wg is not showing that the 10.8.0.4 peer made any handshakes:
interface: wg0
public key: uO5puRXj/XvgCH0SGoAm+8CsUmCPbmdbW3nvpTnepgY=
private key: (hidden)
listening port: 51820
peer: aJtTwEv6LzdJx/ZEdQMSuOrslHY/AIv+e3EzI/bsMAY=
allowed ips: 10.8.0.2/32
peer: eJJDZcHtVA0G5bJqXD/lj75Cbuu6Kcu4APrkZBwEAzs=
allowed ips: 10.8.0.3/32
peer: MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
allowed ips: 10.8.0.4/32
There aren't any logs. I don't know where to look to fix the issue.
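Two of the threads above come down to the same kind of mistake in a wg-quick config: the answer to the first question names duplicated PostUp/PostDown rules and a MASQUERADE rule that exits via wg0 instead of the WAN interface, and the AWS question shows a client whose [Peer] PublicKey is the client's own key (the server's public key printed by `wg show` is a different one), so no handshake ever appears on the server. The following static checker is an added example, not code from any of the posts; it parses the configs copied from those two threads (the "fixed" server config assumes eth0 as the WAN interface, which is an assumption) and reports both classes of problem before the tunnel is brought up.

```python
"""Static checks for wg-quick configs (added example, not from the posts above):
duplicated or tunnel-facing MASQUERADE rules in the PostUp/PostDown hooks, and
peer-key / AllowedIPs mismatches that leave `wg show` without a handshake."""
import ipaddress
import re
from collections import Counter


def parse_wg_conf(text):
    """Parse an INI-style wg-quick config into [(section, {key: [values]})].
    Keys may repeat (several PostUp lines, several [Peer] sections), so values are lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif sections:
            key, _, value = line.partition("=")
            sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections


def section(conf, name):
    """First section with that name (used for [Interface] and the client's single [Peer])."""
    return next((body for sect, body in conf if sect == name), {})


def hook_rules(iface, *keys):
    """Flatten PostUp/PostDown/PreDown lines into individual whitespace-normalised rules."""
    rules = []
    for key in keys:
        for line in iface.get(key, []):
            rules += [" ".join(part.split()) for part in line.split(";") if part.strip()]
    return rules


def check_hooks(conf, tunnel="wg0"):
    """Problems in the iptables hooks; an empty list means the hooks look sane."""
    iface = section(conf, "Interface")
    up = hook_rules(iface, "PostUp")
    down = hook_rules(iface, "PostDown", "PreDown")
    issues = []
    for name, rules in (("PostUp", up), ("PostDown", down)):
        for rule, n in Counter(rules).items():
            if n > 1:
                issues.append(f"{name}: rule repeated {n}x: {rule}")
    for rule in dict.fromkeys(up):                    # unique rules, original order
        if "POSTROUTING" in rule and "MASQUERADE" in rule and f"-o {tunnel}" in rule:
            issues.append(f"PostUp: MASQUERADE exits via the tunnel itself, use the WAN interface: {rule}")
        teardown = re.sub(r" -[AI] ", " -D ", rule, count=1)   # the -D twin of an -A/-I rule
        if teardown != rule and teardown not in down:
            issues.append(f"PostUp rule has no matching PostDown/PreDown -D rule: {rule}")
    return issues


def check_peering(server_conf, client_conf, server_pubkey, client_pubkey):
    """Cross-check a client config against the server config.  The public keys are the
    ones `wg show` prints on each side (the configs themselves only hold private keys)."""
    issues = []
    peers = [body for sect, body in server_conf if sect == "Peer"]
    client_peer = section(client_conf, "Peer")
    target = client_peer.get("PublicKey", [""])[0]
    if target == client_pubkey:
        issues.append("client [Peer] PublicKey is the client's own key; it must be the server's public key")
    elif target != server_pubkey:
        issues.append("client [Peer] PublicKey does not match the server's public key")
    if not any(p.get("PublicKey", [""])[0] == client_pubkey for p in peers):
        issues.append("server has no [Peer] entry for the client's public key")
    client_ip = ipaddress.ip_interface(section(client_conf, "Interface")["Address"][0]).ip
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for p in peers for line in p.get("AllowedIPs", []) for a in line.split(",")]
    if not any(client_ip in net for net in allowed):
        issues.append(f"server AllowedIPs do not cover the client address {client_ip}")
    if "Endpoint" not in client_peer:
        issues.append("client has no Endpoint, so it cannot initiate the handshake")
    return issues


# Hooks copied from the first question's server config (the broken version).
BROKEN_HOOKS = """[Interface]
Address = 10.100.100.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
"""
# The answer's corrected hooks; eth0 as the WAN interface name is an assumption.
FIXED_HOOKS = """[Interface]
Address = 10.100.100.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
"""
# From the AWS question: server config (its third peer only), client config, and the
# public keys that `wg show` printed on each side.
AWS_SERVER = """[Interface]
Address = 10.8.0.1/24
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
[Peer]
PublicKey = MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
AllowedIPs = 10.8.0.4/32
"""
AWS_CLIENT = """[Interface]
Address = 10.8.0.4/24
[Peer]
PublicKey = MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA=
AllowedIPs = 10.8.0.0/24
Endpoint = 34.235.224.92:51820
"""
AWS_SERVER_PUBKEY = "uO5puRXj/XvgCH0SGoAm+8CsUmCPbmdbW3nvpTnepgY="
AWS_CLIENT_PUBKEY = "MOgxJQTdIccWKwzAyS4Qt1CKZaDhP7Q8zHrRHDiRIwA="

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_HOOKS), ("fixed", FIXED_HOOKS), ("aws", AWS_SERVER)):
        print(label, check_hooks(parse_wg_conf(conf)))
    print("aws peering", check_peering(parse_wg_conf(AWS_SERVER), parse_wg_conf(AWS_CLIENT),
                                       AWS_SERVER_PUBKEY, AWS_CLIENT_PUBKEY))
```

On the broken hooks the checker reports four repeated rules and two MASQUERADE rules pointed at wg0, on the corrected hooks and the AWS server config nothing, and on the AWS pair exactly one finding: the client's [Peer] PublicKey is its own key rather than the server's. A missing -D twin for an -A rule is also flagged, since a PostUp rule that PostDown never removes accumulates in the FORWARD/POSTROUTING chains across wg-quick restarts.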

Wireguard server connecting to client

I have two Wireguard peers, both on the same network. For a while, I've been putting the server endpoint on the "client" and connecting to the server. Now, I want to put the client endpoint on the server and connect from the server. However, it does not work.
Server config:
[Interface]
Address = 10.200.200.1/32
ListenPort = 2000
PrivateKey = *************
MTU=1420
# substitute eth0 in the following lines to match the Internet-facing interface
# if the server is behind a router and receives traffic via NAT, these iptables rules are not needed
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s2 -j MASQUERADE
[Peer]
# Macbook
PublicKey = *************************
#PresharedKey = PRE-SHARED_KEY
Endpoint = 192.168.1.212:2000
AllowedIPs = 10.200.200.3/32
#PersistentKeepalive = 25
Client config:
[Interface]
Address = 10.200.200.3/32
DNS = 10.200.200.1
MTU = 1420
ListenPort = 2000
PrivateKey = *********************
[Peer]
# Computer
AllowedIPs = 0.0.0.0/0, ::0
PublicKey = *********************
Ok, apparently, if you put a client endpoint, the server must first reach out to the client (for example ssh or ping). This is because Wireguard only connects when it has to connect.

wireguard can only connect to home subnet (raspberrypi)

I am thinking of setting up a WireGuard server on my Raspberry Pi 4, and I have a configuration like below:
Address = 192.168.2.0/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
ListenPort = 5555
PrivateKey = '\\\\hidden this line\\\\'
and my iPhone has the configuration like:
But I can only access the network within 192.168.0.0/16, not 0.0.0.0/0; with 0.0.0.0/0 the handshake even fails.
Does anyone ever meet the same issue here?
Thanks a lot for any reply or answers!
It is because of a DNS issue: if I put a DNS server for the client (which could be the address of your router, like 192.168.0.1, or any other in the subnet; I use my Pi-hole as DNS server (192.168.0.161)), or use a public DNS server like 8.8.8.8 or 1.1.1.1, it works.

Debezium Connector for SQL Server - connection refused

I want to use Kafka to publish MSSQL CDC events.
I am using Docker containers for:
debezium/zookeeper
debezium/kafka
debezium/connect
Microsoft SQL Server
Containers started as follows:
docker run -it --name zookeeper -p 2181:2181 -p 2888:2888 -p 3888:3888 debezium/zookeeper
docker run -it --name kafka -p 9092:9092 --link zookeeper:zookeeper debezium/kafka
docker run -it --name connect -p 8083:8083 -e GROUP_ID=1 -e CONFIG_STORAGE_TOPIC=my-connect-configs -e OFFSET_STORAGE_TOPIC=my-connect-offsets -e ADVERTISED_HOST_NAME="localhost" --link zookeeper:zookeeper --link kafka:kafka debezium/connect
docker run -e "ACCEPT_EULA=Y" -e "SA_PASSWORD=xxxxxxxxxxxxx" -p 1433:1433 --name sql1 -d mcr.microsoft.com/mssql/server:2017-CU8-ubuntu
All containers start running successfully.
Then I created new MSSQL db in SQL Server container. Created 1 table in new db and turned on CDC for that table. CDC is working fine.
Then I send connector configuration below to Kafka Connect REST API as follows:
curl -X POST -H "Content-Type: application/json" -d @test-mssql-connector.json http://localhost:8083/connectors
using test-mssql-connector.json
{
"name": "test-mssql-connector5",
"config": {
"connector.class": "io.debezium.connector.sqlserver.SqlServerConnector",
"database.hostname": "localhost",
"database.port": "1433",
"database.user": "SA",
"database.password": "xxxxxxxxxxxxx",
"database.dbname": "test",
"database.server.name": "sql1",
"table.whitelist": "dbo.Persons",
"database.history.kafka.bootstrap.servers": "kafka:9092",
"database.history.kafka.topic": "dbhistory.sql1"
}
}
However, Kafka connector cannot connect to the MSSQL db giving error message below:
com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection
to the host localhost, port 1433 has failed. Error: \"Connection
refused. Verify the connection properties. Make sure that an instance
of SQL Server is running on the host and accepting TCP/IP connections
at the port. Make sure that TCP connections to the port are not
blocked by a firewall.
Most troubleshooting advice is about whether the database is actually running or the port is blocked, but there is no problem with the new MSSQL db. Its container is active, and the db is successfully running. The port is not blocked. I can successfully connect to it from the host machine using DbVisualizer or other query tools with the following configuration:
database server = localhost
database port = 1433
user = SA
pw = xxxxxxxxxxxxx
database name = test
I can successfully use telnet localhost 1433 to connect to server.
Is there something missing in the connector configuration above?
IMHO localhost is not correct, as localhost is something else in the Connect container and in the SQL Server container. You should link the database container into the Connect container and use the appropriate hostname.
You need to first set up your sql container and THEN only start the connect service specifying the sql server as an additional link:
docker run -it --name connect -p 8083:8083 -e GROUP_ID=1 -e CONFIG_STORAGE_TOPIC=my-connect-configs -e OFFSET_STORAGE_TOPIC=my-connect-offsets -e ADVERTISED_HOST_NAME="localhost" --link zookeeper:zookeeper --link kafka:kafka --link sql1:sql1 debezium/connect

Unable to access Apache2 HTTPD server on browser from remote machine

I have a website deployed on Apache2. The Apache2 server is setup on a VM.
When I try to access the site using a browser from a remote machine (my laptop), I get a connection timed out error.
When I try to access something deployed on Tomcat on the same VM it works fine. But Apache gives a problem.
Please let me know what I am missing.
Thanks.
1) check that the httpd process is running
ps -ef | grep httpd |grep -v grep
2) make sure you are broadcasting on port 80
netstat -atn |grep :80
3) verify in your conf (/etc/httpd/conf.d/*.conf) file that you are binding Apache to port 80
<virtualhost *:80>
or
<virtualhost xxx.xxx.xxx.xxx:80>
Your Tomcat process may be bound to port 80 and the socket is not available.
On CentOS, run these commands:
iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
/etc/init.d/iptables save
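The answer above is a checklist to run by hand; the script below is an added example (not code from the post) that runs the same four checks over `netstat -tlnp` output and an httpd conf and turns them into one diagnosis, distinguishing "httpd not running" from "bound to the wrong port", "port taken by another process (Tomcat)", "bound to loopback only", and the case the asker most likely hit: a listener on all addresses plus a timeout from outside, which points at a packet filter rather than at Apache. The netstat lines and conf fragment are constructed.

```python
"""Diagnose why a remote browser cannot reach Apache, from `netstat -tlnp` output
and the httpd conf.  Added example, not from the post; sample data is constructed."""
import re

# proto  recv-q  send-q  local-address:port  foreign-address  state  [pid/program]
LISTEN_RE = re.compile(r"^(?:tcp|tcp6)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*(\S*)")


def parse_listeners(netstat_output):
    """[(bind_address, port, program)] for each LISTEN line; program is '' without -p."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            program = m.group(3).split("/", 1)[1] if "/" in m.group(3) else ""
            listeners.append((m.group(1), int(m.group(2)), program))
    return listeners


def configured_ports(httpd_conf):
    """Ports bound by Listen directives and <VirtualHost ...:port> openings."""
    ports = {int(p) for p in re.findall(r"^\s*Listen\s+(?:\S+:)?(\d+)", httpd_conf, re.M | re.I)}
    ports |= {int(p) for p in re.findall(r"<VirtualHost\s+[^>]*:(\d+)\s*>", httpd_conf, re.I)}
    return ports


def diagnose(port, listeners, httpd_conf, symptom, server="httpd"):
    """symptom is what the remote browser reported: 'timeout' or 'refused'.
    Returns (code, explanation), checking in the order of the answer above."""
    on_port = [l for l in listeners if l[1] == port]
    if not on_port:
        server_ports = sorted({l[1] for l in listeners if server in l[2]})
        if not server_ports:
            return "not-running", f"no {server} listener at all: check the process (ps -ef | grep {server})"
        return "wrong-port", (f"{server} listens on {server_ports}, not {port}; the conf binds "
                              f"Listen/<VirtualHost> to {sorted(configured_ports(httpd_conf))}")
    if all(l[2] and server not in l[2] for l in on_port):
        return "port-taken", f"port {port} is held by {on_port[0][2]}, not {server}: a Tomcat connector on :{port} does this"
    if all(l[0] in ("127.0.0.1", "::1") for l in on_port):
        return "loopback-only", f"{server} listens on {port} only on loopback; use Listen {port} / <VirtualHost *:{port}>"
    if symptom == "timeout":
        return "filtered", (f"{server} accepts on all addresses, so a timeout from outside means a packet "
                            f"filter drops the SYN (iptables INPUT chain or a cloud security group)")
    return "host-ok", f"{server} is reachable from the host's point of view; re-test from the remote client"


# Constructed `netstat -tlnp` output: Tomcat's connector took :80, Apache sits on loopback :8080.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2048/java
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2311/httpd
tcp6       0      0 :::8009                 :::*                    LISTEN      2048/java
"""
# Constructed conf fragment (what /etc/httpd/conf.d/*.conf would contain).
SAMPLE_CONF = """\
Listen 8080
<VirtualHost *:8080>
    ServerName example.test
    DocumentRoot /var/www/html
</VirtualHost>
"""

if __name__ == "__main__":
    ls = parse_listeners(SAMPLE_NETSTAT)
    for port, symptom in ((80, "timeout"), (8080, "refused"), (443, "timeout")):
        print(port, *diagnose(port, ls, SAMPLE_CONF, symptom))
```

The symptom matters: a "connection refused" means a host answered with a RST, so the packet reached the box and nothing was listening on that address/port; a "timed out" means nothing answered at all, which is what a DROP rule in the INPUT chain or a cloud security group produces, and that is the case the answer's iptables step fixes.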
