NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License
499 stars 27 forks

RAW routing mode #52

Closed Cody7172 closed 1 year ago

Cody7172 commented 1 year ago

Hello! I've set NAT to false and am trying to get WAG to route traffic to another host on the same LAN as the WAG server, but all my attempts failed. Is this feature supported and what do I need to do to get it? I saw the section with Limitations, but I don't quite understand if it fits this case.

NHAS commented 1 year ago

Howdy.

Yes this is definitely supported and is why the NAT flag exists.

Could you please give me your config (without the private key).

And the output of iptables -L -n on your host.

Cody7172 commented 1 year ago

I am testing with this configuration (for the moment using just totp as mfa). So I've read the documentation several times but idk if it's actually correct.

{
    "Socket": "/tmp/wag.sock",
    "CheckUpdates": true,
    "Proxied": false,
    "ExposePorts": [
        "443/tcp",
        "4433/tcp",
        "8080/tcp"
    ],
    "NAT": false,
    "HelpMail": "adminmailhere",
    "Lockout": 5,
    "ExternalAddress": "domainnamehere",
    "MaxSessionLifetimeMinutes": 480,
    "SessionInactivityTimeoutMinutes": 1,
    "ManagementUI": {
        "ListenAddress": "domainnamehere:4433",
        "CertPath": "/root/certs/cert.crt",
        "KeyPath": "/root/certs/key.key",
        "Enabled": true
    },
    "Webserver": {
        "Public": {
            "ListenAddress": "domainnamehere:8080",
            "CertPath": "/root/certs/cert.crt",
            "KeyPath": "/root/certs/key.key"
        },
        "Tunnel": {
            "Port": "443"
        }
    },
    "Authenticators": {
        "DefaultMethod": "totp",
        "Issuer": "domainnamehere",
        "Methods": [
            "totp"
        ],
        "DomainURL": "https://domainnamehere",
        "OIDC": {
            "IssuerURL": "https://accounts.google.com",
            "ClientSecret": "secrethere",
            "ClientID": "clientidhere",
            "GroupsClaimName": "groups"
        },
        "PAM": {
            "ServiceName": ""
        }
    },
    "Wireguard": {
        "DevName": "wg0",
        "ListenPort": 5920,
        "PrivateKey": "privatekeyhere",
        "Address": "10.1.2.1/24",
        "MTU": 1420,
        "PersistentKeepAlive": 25,
        "DNS": [
            "8.8.8.8/32"
        ]
    },
    "DatabaseLocation": "devices.db",
    "Acls": {
        "Policies": {
            "*": {
                "Mfa": [
                    "10.114.0.4/24"
                ],
                "Allow": [
                    "10.1.2.0/24"
                ]
            }
        }
    }
}

So I'm trying to reach 10.114.0.0/24 via wag. Here is the iptables output of the Ubuntu 22 host:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4433
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

NHAS commented 1 year ago

Thanks for that. Looks sane to me, what are your host IPs?

E.g. which IP is the wag server and what is your target that isn't working?

Cody7172 commented 1 year ago

what are your host IPs? E.g. which IP is the wag server and what is your target that isn't working?

Host eth1 is 10.114.0.5/24, wg is 10.1.2.1/24, target is 10.114.0.4/24; trying to reach 10.114.0.0/24 via wag.

NHAS commented 1 year ago

Sweet. So are you completing the Mfa process? As you've put 10.114.0.4/24 in the Mfa block.

Secondly, you might want to make that either 10.114.0.4/32 or 10.114.0.0/24.

NHAS commented 1 year ago

I would also say, does your other server have routes to the wag host?

I.e. ip route add 10.1.2.1/24 via 10.114.0.5

You can check this with ip r.

And I'd also check on your target host (10.114.0.4) that you are receiving traffic with tcpdump.

E.g.

tcpdump -i eth0 'net 10.114.0.0/24'

Cody7172 commented 1 year ago

Thank you so much for your response! My mistake, I just realized that 10.114.0.4 has no reverse route to 10.1.2.0. Added a route and this worked as it should.

NHAS commented 1 year ago

Haha, networking is hard, I get it.
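As an added example (not wag's own code): the two checks NHAS walks through in this thread, a return route on the target host toward the WireGuard subnet and a canonical ACL CIDR, applied to constructed `ip route` output that assumes the addresses from the thread (wag host 10.114.0.5, target 10.114.0.4, VPN subnet 10.1.2.0/24).

```python
import ipaddress

# Constructed `ip route` output for the target host (10.114.0.4) before the
# fix: it knows its LAN and a default gateway but nothing about 10.1.2.0/24,
# so replies to WireGuard clients leave via the default route, not via wag.
ROUTES_BEFORE = """\
default via 10.114.0.1 dev eth0 proto static
10.114.0.0/24 dev eth0 proto kernel scope link src 10.114.0.4
"""
# Same table after `ip route add 10.1.2.0/24 via 10.114.0.5` on the target.
ROUTES_AFTER = ROUTES_BEFORE + "10.1.2.0/24 via 10.114.0.5 dev eth0\n"


def parse_routes(text):
    """Parse `ip route` lines into (destination network, gateway or None)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gateway = None
        if "via" in fields:
            gateway = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((ipaddress.ip_network(dest, strict=False), gateway))
    return routes


def return_route(text, vpn_subnet, wag_host):
    """Longest-prefix match for the VPN subnet; ok only if it goes via wag."""
    subnet = ipaddress.ip_network(vpn_subnet)
    hits = [(n, g) for n, g in parse_routes(text) if subnet.subnet_of(n)]
    if not hits:
        return False, None
    net, gw = max(hits, key=lambda r: r[0].prefixlen)
    return gw == ipaddress.ip_address(wag_host), (str(net), str(gw) if gw else None)


def normalise_acl(cidr):
    """Flag ACL entries like 10.114.0.4/24 with host bits set.

    Returns None if canonical, else the two unambiguous readings: host or network.
    """
    try:
        ipaddress.ip_network(cidr)  # strict: raises when host bits are set
        return None
    except ValueError:
        host = cidr.split("/")[0]
        return f"{host}/32", str(ipaddress.ip_network(cidr, strict=False))
```

Before the fix the most specific match for 10.1.2.0/24 is the default route via 10.114.0.1, which is exactly the asymmetric-routing state the thread ends on; after the added route it resolves to the wag host.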