About Nested Tunnels - Githubissues

sandialabs / wiretap

Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

Other

793 stars 34 forks source link

About Nested Tunnels #5

Closed Sunr0 closed 1 year ago

Sunr0 commented 1 year ago

Regarding Nested Tunnels, I still don't quite understand how to add configuration and Endpoint settings to the client's conf file. Can you explain in detail? My operation is to generate a config that does not contain Endpoint, and then specify the --endpoint on hop2 as the ip of hop1 Then I don't know how to operate

luker983 commented 1 year ago

Currently he handshake has to be initiated from the client when doing nested hops. This means you can't use the --endpoint argument when running ./wiretap configure on the client or ./wiretap serve on hop 2.

Instead, when you run the second ./wiretap configure for hop 2 from your client, you take the resulting config file and add the Endpoint Line to the peer section:

# wiretap_1.conf
[Interface]
PrivateKey = <private key>
Address = 192.168.0.2/32
Address = fd::2/128
ListenPort = 51821

[Peer]
PublicKey = <public key>
AllowedIPs = <routes exposed by second hop>
### Manually add this line:
Endpoint = <ip of hop 2>:<port>
###

Then you can bring up the second tunnel with wg-quick up./wiretap_1.conf or whatever WireGuard client you're using. This causes your WireGuard interface to initiate the handshake through the first hop.

Happy to clarify more if needed!

Sunr0 commented 1 year ago

I generated the corresponding configuration file as you said, and added the Endpoint field.

I first execute wg-quick up ./wiretap.conf and everything works fine, execute wg-quick up ./wiretap_1.conf but report an error RTNETLINK answers: File exists.

wiretap is from client to hop1, and wiretap_1 is generated using wiretap configure --port 51821 --routes <routes exposed by second hop>.

Is there something wrong with my operation.

Sunr0 commented 1 year ago

wiretap.conf

[Interface]
PrivateKey =<private key1>
Address = 192.168.0.2/32
Address = fd::2/128
ListenPort = 1080

[Peer]
PublicKey = <public key1>
AllowedIPs = <routes exposed by second hop>

wiretap_1.conf

[Interface]
PrivateKey = <private key2>
Address = 192.168.0.2/32
Address = fd::2/128
ListenPort = 1081

[Peer]
PublicKey = <public key2>
AllowedIPs = <routes exposed by second hop>
Endpoint = <ip of hop 2>:<port>

luker983 commented 1 year ago

Looks like you're almost there. That error is likely because the routes in your two configuration files overlap. Make sure wiretap.conf only has the routes exposed by the first hop and wiretap_1.conf has routes exposed by the second hop.

If you don't include the -d option to wiretap configure, an API address will also be included. I bet you just need to remove a::/128 from the AllowedIPs of wiretap_1.conf

Sunr0 commented 1 year ago

Congratulations, I have successfully implemented it according to what you said. It is a great tool.

I hope that we can specify the listening port of the server through parameters.

However, the client should not be able to work normally without a public IP. haha

luker983 commented 1 year ago

Great! Glad it worked. I plan to add better support for nested/multi-hop tunnels in the near future.