bigmoby / addon-wireguard-client

Hassio Add-On Wireguard Client
MIT License

IP masquerading not working correctly #34

Closed signmeuptwice closed 6 months ago

signmeuptwice commented 11 months ago

Problem/Motivation

IP masquerading not working; cannot access other devices on my local area network

Expected behavior

traceroute 192.168.8.169 and get a reply

Actual behavior

traceroute stops at 10.10.1.2

I used to run a wireguard client on debian. Since installing Home Assistant on my RPI4, I am trying to reproduce my wg config.

here is my original config that worked

[Interface]
Address = 10.10.1.2/24
PrivateKey = redacted
ListenPort = 51820
DNS = 192.168.8.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = redacted
Endpoint = mydomain.com:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25

here is the actual config in the plugin

[interface]
private_key: redacted
address: 10.10.1.2/24
dns:
  - 192.168.8.1
post_up: >-
  iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
  tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
post_down: >-
  iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
  tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
mtu: 1420

[peer]
- public_key: redacted
  endpoint: mydomain:51820
  allowed_ips:
    - 10.10.1.0/24
  persistent_keep_alive: "25"

I also tried changing the masquerading rule to the one from my original config, replacing eth0 with end0, but nothing works.

ip route list table main default
default via 192.168.8.1 dev end0  src 192.168.8.186  metric 100
10.10.1.0/24 dev wg0 scope link  src 10.10.1.2
172.30.32.0/23 dev hassio scope link  src 172.30.32.1
172.30.232.0/23 dev docker0 scope link  src 172.30.232.1
192.168.8.0/24 dev end0 scope link  src 192.168.8.186  metric 100

ipv4 forwarding seems to be enabled

cat /proc/sys/net/ipv4/ip_forward
1
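The add-on config above masquerades on `-o wg0`, which only rewrites packets that leave through the tunnel. Traffic from a remote peer to 192.168.8.169 goes the other way: it arrives on wg0 and leaves via the LAN side, so that outgoing interface is the one MASQUERADE has to match, and FORWARD must accept the wg0-to-LAN direction plus the established replies. The script below is an added example for this issue, not code from the add-on or from anyone in the thread: it generates the post_up / post_down rule pairs for that direction, lints a pasted MASQUERADE rule, picks the iptables backend from the output shown later in this thread, and can dry-run the result. Interface names are assumptions: wg0 for the tunnel and end0 for the LAN NIC as in the route table above; inside the add-on container the outgoing interface is more likely eth0, and the host still has to forward from the hassio bridge to end0 (Docker's default bridge NAT normally does this, but verify it on the host). The function names `wg_lan_rules`, `lint_masquerade`, `pick_iptables` and `wg_lan_apply` are mine.

```shell
#!/bin/sh
# Added example for this issue, not code from the add-on or from the thread.
# Generates the rules a WireGuard client needs so remote tunnel peers can reach
# the client's LAN, and lets you dry-run them before pasting into post_up/post_down.
# Assumed names: wg0 = tunnel interface, end0 = LAN NIC (eth0 inside the container).

# wg_lan_rules ACTION WG_IF LAN_IF WG_NET
#   ACTION is -A for post_up or -D for post_down, so both hooks stay symmetric.
#   Packets from the tunnel to the LAN enter on WG_IF and leave on LAN_IF, so the
#   MASQUERADE must match the *outgoing* LAN interface. "-o wg0" only rewrites
#   packets leaving through the tunnel, which is the wrong direction for this goal.
wg_lan_rules() {
    action="$1"; wg="$2"; lan="$3"; net="$4"
    printf '%s\n' \
        "iptables $action FORWARD -i $wg -o $lan -s $net -j ACCEPT" \
        "iptables $action FORWARD -i $lan -o $wg -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables $action FORWARD -i $wg -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" \
        "iptables -t nat $action POSTROUTING -s $net -o $lan -j MASQUERADE"
}

# lint_masquerade WG_IF RULE -> ok | wrong-direction | no-out-interface | not-masquerade
#   Quick check for a rule you are about to paste: a MASQUERADE whose -o is the
#   tunnel interface will never touch LAN-bound traffic.
lint_masquerade() {
    wg="$1"; rule="$2"
    case "$rule" in
        *MASQUERADE*)
            case "$rule" in
                *"-o $wg "*|*"-o $wg") echo wrong-direction ;;
                *"-o "*)               echo ok ;;
                *)                     echo no-out-interface ;;
            esac ;;
        *) echo not-masquerade ;;
    esac
}

# pick_iptables VERSION_LINE LIST_WARNING -> iptables | iptables-legacy
#   VERSION_LINE is the output of `iptables -V`, LIST_WARNING the first line of
#   `iptables -L` (may be empty). When the container ships the nf_tables backend
#   but the host already has legacy-backend rules, add the add-on's rules with
#   iptables-legacy as well: the kernel evaluates both rule sets, but you can only
#   list and order them together when they live in the same backend.
pick_iptables() {
    case "$1|$2" in
        *"(nf_tables)"*"iptables-legacy tables present"*) echo iptables-legacy ;;
        *) echo iptables ;;
    esac
}

# wg_lan_apply ACTION WG_IF LAN_IF WG_NET
#   Runs the generated rules with the binary named in $IPT (default iptables).
#   DRY_RUN=1 prints the commands instead of executing them.
wg_lan_apply() {
    wg_lan_rules "$@" | while IFS= read -r cmd; do
        cmd="${IPT:-iptables}${cmd#iptables}"
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Demo (no root needed): WG_NAT_DEMO=1 sh wg-lan-nat.sh shows what post_up would run.
if [ -n "${WG_NAT_DEMO:-}" ]; then
    IPT=$(pick_iptables "$(iptables -V 2>/dev/null)" "$(iptables -L 2>&1 | head -n 1)")
    DRY_RUN=1
    wg_lan_apply -A wg0 end0 10.10.1.0/24
fi
```

Before pasting the output into post_up, also confirm the far side: the server's `AllowedIPs` for this peer must cover the LAN subnet (192.168.8.0/24 here), otherwise WireGuard on the server never sends packets for that subnet into the tunnel and no amount of NAT on the client helps.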
stsquad commented 9 months ago

Should we be using iptables-legacy, since the main system has iptables?

iptables -L nat
# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables v1.8.9 (nf_tables): chain `nat' in table `filter' is incompatible, use 'nft' tool.
stsquad commented 9 months ago

FWIW I tweaked the rules and I can now at least ping the HA WG address:

post_up: >-
  iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -i
  wg0 -j ACCEPT
post_down: >-
  iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -i
  wg0 -j ACCEPT

I'm having less luck exposing the :8123 API though.

ThatcherC commented 6 months ago

@stsquad I'm not sure if this will help you, but I finally just got this working for my setup (where I have a Wireguard peer on a VPS that I consider the "server" and I want to connect Home Assistant as a peer):

post_up: >-
  ip route add 192.168.1.162/32 via 172.30.33.1 dev eth0; ping -c1 -W1 192.168.1.162; 
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; 
  iptables -t nat -A PREROUTING -d 10.0.10.7/32 -j DNAT --to-destination 192.168.1.162

Here, 192.168.1.162 is the IP of the computer running Home Assistant OS with the Wireguard addon (on my wifi network), 172.30.33.1 is the IP associated with the Docker network inside the Wireguard addon container, and 10.0.10.7 is the computer's IP on the Wireguard network. This setup lets me connect to Home Assistant at 10.0.10.7:8123 from my phone and laptop, which are also in the 10.0.10.0/24 range. Hopefully something like that helps in your case! I've been spending hours and hours trying to get a good Wireguard addon config for this.
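The recipe in the comment above works by DNATing the tunnel address to the HA host on the LAN and masquerading so the host answers back to the container. The script below is an added example, not code from the add-on or from this thread, that generates those commands in the shape the add-on's `post_up: >-` / `post_down: >-` values expect. All addresses are assumptions copied from the comment (10.0.10.7 for HA on the tunnel, 192.168.1.162 for the HA host, 172.30.33.1 for the Docker gateway, eth0 for the container interface), and the function names `ha_expose_rules`, `join_cmds` and `folded_value` are mine. It differs from the comment's rules in three ways a practitioner would want: only TCP/8123 is forwarded, so a peer on the tunnel cannot reach every port of the HA host through its tunnel address; the MASQUERADE is limited to those forwarded flows instead of everything leaving eth0; and a matching post_down is produced so add-on restarts do not stack duplicate rules.

```shell
#!/bin/sh
# Added example, not code from the add-on or from this thread. Builds the
# post_up / post_down commands that expose the Home Assistant host at its
# WireGuard address from inside the add-on container. All values are assumptions.

# ha_expose_rules ACTION WG_ADDR HA_LAN_IP DOCKER_GW IFACE [PORT]
#   ACTION -A emits the post_up commands, -D the post_down commands.
#   Flow: peer -> WG_ADDR:PORT arrives on the tunnel, PREROUTING rewrites the
#   destination to HA_LAN_IP, the packet is forwarded out IFACE via DOCKER_GW,
#   and POSTROUTING masquerades it so the HA host replies to the container
#   (the host knows nothing about the tunnel subnet); conntrack undoes both NATs
#   on the way back.
ha_expose_rules() {
    action="$1"; wg_addr="$2"; ha_ip="$3"; gw="$4"; iface="$5"; port="${6:-8123}"
    # The container needs an explicit route to the HA host via the Docker
    # gateway before a DNATed packet can be forwarded there. "replace" is
    # idempotent, so a restart does not fail on an existing route.
    if [ "$action" = "-A" ]; then
        echo "ip route replace $ha_ip/32 via $gw dev $iface"
    fi
    printf '%s\n' \
        "iptables -t nat $action PREROUTING -d $wg_addr/32 -p tcp --dport $port -j DNAT --to-destination $ha_ip:$port" \
        "iptables $action FORWARD -o $iface -d $ha_ip/32 -p tcp --dport $port -j ACCEPT" \
        "iptables $action FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -t nat $action POSTROUTING -o $iface -d $ha_ip/32 -p tcp --dport $port -j MASQUERADE"
    if [ "$action" = "-D" ]; then
        echo "ip route del $ha_ip/32 via $gw dev $iface"
    fi
}

# join_cmds: read commands on stdin, join them with "; " on one line.
join_cmds() {
    out=""
    while IFS= read -r line; do
        out="${out:+$out; }$line"
    done
    printf '%s\n' "$out"
}

# folded_value KEY: wrap the joined commands as a YAML folded scalar, i.e. the
# "post_up: >-" form used in this add-on's configuration.
folded_value() {
    key="$1"
    printf '%s: >-\n  %s\n' "$key" "$(join_cmds)"
}

# Demo: HA_EXPOSE_DEMO=1 sh ha-expose.sh prints both config values to paste.
if [ -n "${HA_EXPOSE_DEMO:-}" ]; then
    ha_expose_rules -A 10.0.10.7 192.168.1.162 172.30.33.1 eth0 | folded_value post_up
    ha_expose_rules -D 10.0.10.7 192.168.1.162 172.30.33.1 eth0 | folded_value post_down
fi
```

After the add-on restarts, `iptables -t nat -S PREROUTING` inside the add-on container should list exactly one DNAT line for 10.0.10.7; a second copy means the post_down did not run or did not match, and the two rules will race on every restart.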

huelsner commented 5 months ago

After trying to achieve a similar setup (access to HA local network via this Wireguard Client add-on), I actually managed by using the Community Server add-on available on the add-on store in a client configuration. Sample configuration below.

server

host: homeassistant.local (doesn't really matter)
addresses:
  - 10.8.0.2
dns:
  - 8.8.8.8
  - 8.8.4.4
private_key: [HA private key]

peers

- name: server
  public_key: [server public key]
  addresses:
    - 10.8.0.1
  allowed_ips:
    - 10.8.0.0/24
  client_allowed_ips: []
  endpoint: server.com:51820
  persistent_keep_alive: 25

On the actual server the HA subnet needs to be added to the allowed IPs in the peer section for the HA: AllowedIPs = 10.8.0.2/32, 192.168.1.0/24