Comments (25)
NHAS
commented on May 28, 2024
1
We've all done that man, I respect that hahaha
from wag.
paulb-smartit
commented on May 28, 2024
Has something changed on the firewall side too? We used to be able to remotely connect to the user's machine once they connected. Now we can't seem to do that.
I wonder if I broke something upgrading Alpine or if a new rule was added to not route traffic from server to clients.
from wag.
NHAS
commented on May 28, 2024
Ah, sorry about the golang bump. That was unintentional and can be reverted if its a major issue.
The patch notes for https://github.com/NHAS/wag/releases/tag/v1.4.1 include details about the changed configuration file, as thats the version where the majority of the work took place.
With a release notes file, do you mean something that just lists the changes between versions? I've been trying to keep those details in the releases page.
As for not being able to connect back to clients, I haven't changed anything that should cause that. How were you connecting back to them previously? (tcp/udp/ping?)
Sorry about the pain of upgrading, I did have you guys in the back of my mind when creating this version trying to make it easy to deploy. But perhaps upgrade instructions would have been better :P
from wag.
NHAS
commented on May 28, 2024
Interesting, so the server can talk to the client. But the client cant talk back for some reason.
from wag.
NHAS
commented on May 28, 2024
Yep definitely a iptables thing
from wag.
NHAS
commented on May 28, 2024
I've resolved this on main, I do need to get some more information from you though.
When you say you cant talk to clients, I have assumed this to mean that your wag/wireguard server cant properly initiate an in-tunnel connection to your connected peers?
If you are having forwarding issues to your clients please tell me.
from wag.
paulb-smartit
commented on May 28, 2024
Nice that you have us in mind, but you really don't have to. We're just grateful to be on board.
When a client connects, even without otp their external IP address is/was available to us. So we just used ssh to connect to them remotely. It's very possible I borked something in iptables or routing when upgrading Alpine, but it doesn't look like it.
$ sudo iptables -L --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
3 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "INPUT:DROP:"
4 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 LOG all -- 0.0.0.0/0 0.0.0.0/0 /* Log dropped packets */ LOG flags 0 level 6 prefix "FORWARD:DROP:"
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination I'm not seeing any drops in the log.
As far as client usage goes, they continue operating without issue. Just we can'r remote onto them as we did previously.
Wonder if it's an ACL preventing traffic out from the server or back in from the client?
from wag.
NHAS
commented on May 28, 2024
Is this trying with version 1.4.3? I found that iptables was a bit borked and fixed that then made a release for ya.
from wag.
NHAS
commented on May 28, 2024
You can try adding a conntrack statement to your iptables configuration manually.
sudo iptables -I INPUT -i <wg_name> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
May want to check this, as its from memory
from wag.
paulb-smartit
commented on May 28, 2024
Upgraded to 1.4.3
$ sudo ./wag version
remote
Version: v1.4.3
Hash: a18931b88630d83c664512f215008a10b50d2347617f9110a49ab243fb94c6a9conntack cmd is fine.
Still no remote forwarding
from wag.
NHAS
commented on May 28, 2024
Ah, thats because when hot upgrading it wont change iptables rules. Try doing the rule I posted above ^
from wag.
paulb-smartit
commented on May 28, 2024
I didn't do a hot upgrade. Took it down and restarted. Then reconnected a client.
from wag.
NHAS
commented on May 28, 2024
Oh! Annoying, can you give me your iptables state?
from wag.
paulb-smartit
commented on May 28, 2024
This any use?
# Generated by iptables-save v1.8.8 on Fri Oct 28 07:52:26 2022
*nat
:PREROUTING ACCEPT [1305:80824]
:INPUT ACCEPT [1:176]
:OUTPUT ACCEPT [2:168]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.254.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Oct 28 07:52:26 2022
# Generated by iptables-save v1.8.8 on Fri Oct 28 07:52:26 2022
*filter
:INPUT ACCEPT [1413:164320]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1331:198992]
-A INPUT -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wg0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i wg0 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wg0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Fri Oct 28 07:52:26 2022
ignore duplicate conntrack
from wag.
NHAS
commented on May 28, 2024
That looks perfectly fine to me.
Can you ssh to your machines when on the alpine/wag server?
And can you give me some more context on how it was working before, Im not clear on what "forwarding" is in this context, i.e ssh forwarding, network forwarding, other
from wag.
paulb-smartit
commented on May 28, 2024
No ssh or ping :( the Alpine/WAG is where I'm trying from.
From the Alpine/WAG server we just used ssh [client ip] and connected. Even if they hadn't used the otp. When we figured that worked we could use an ssh ProxyJump to get to the clients.
from wag.
NHAS
commented on May 28, 2024
Whoa! Thats super weird, that should definitely be working (classical works on my machine).
So first off could you give me the output of wag firewall -list
And have your clients sent any network data through the wireguard tunnel (otherwise wireguard doesnt know about the client endpoint)
from wag.
NHAS
commented on May 28, 2024
This should 100% work, and infact does work on my machine, the server is always allowed outside of MFA
from wag.
paulb-smartit
commented on May 28, 2024
Slight redaction
$ sudo ./wag firewall -list | jq
{
"192.168.254.10": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.12": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.13": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.14": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.15": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.16": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.17": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.18": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.132/32",
"10.0.0.144/32",
"10.0.0.162/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.3": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.160/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.4": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.126/32",
"10.0.0.144/32",
"10.0.0.160/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.5": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.111/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"10.0.0.191/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.6": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.144/32",
"10.0.0.162/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.7": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.155/32",
"10.0.0.160/32",
"10.0.0.162/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.8": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.144/32",
"10.0.0.162/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
},
"192.168.254.9": {
"IsAuthorized": false,
"LastPacketTimestamp": 0,
"Expiry": 0,
"MFA": [
"10.0.0.24/32",
"10.0.0.75/32",
"10.0.0.125/32",
"10.0.0.144/32",
"10.0.0.162/32",
"62.X.X.X/32"
],
"Public": [
"10.10.6.254/32",
"192.168.254.1/32"
]
}
}i'm thinking this isn't a wag issue
from wag.
paulb-smartit
commented on May 28, 2024
Yes, traffic is flowing as I'm running tcpdump on a client and can see the DNS requests in and out, but nothing from the server if I initiate an ssh connection or ping.
from wag.
NHAS
commented on May 28, 2024
Assuming that 192.168.254.1 is your wag server then this is fine!
More questions!
Can you clients access their resources? You might have forgotten the sysctl to allow ipv4 forwarding,
What is your routing on the wag server ip r?
from wag.
paulb-smartit
commented on May 28, 2024
I'm going to go away quietly now and pretend this didn't happen...
192.168.254.1/32 was not in the client's AllowedIPs :( So it had no return path. I must go check the other clients.
Sorry to have wasted your time, but many thanks for the assist.
from wag.
NHAS
commented on May 28, 2024
Was the client registered via wag? I.e is this a me problem?
from wag.
paulb-smartit
commented on May 28, 2024
No. This is a me problem.
I register with wag, but then modify the config to route entire 10.0.00/24 network. Then I can just modify ACL's to add remove users/devices without having to reconfigure at the client end.
For some reason, the key IP was left out of the client config.
from wag.
paulb-smartit
commented on May 28, 2024
Closing because I am an idiot.
from wag.
Related Issues (20)
- Port 80 already in use error HOT 2
- Custom templates not working HOT 4
- 2FA for Admin portal HOT 2
- Restore server-side persistent keepalive for logged-in users for a specified time frame HOT 3
- unable to render change password page: template: menus.html:192:56: executing "menus.html" at <.Message>: range can't iterate over HOT 4
- Proxy for the tunnel webserver - MFA portal HOT 1
- connection issues with MS Edge browser, Firefox OK HOT 6
- Unstable network causes wag logout HOT 4
- Performance issue on wag gui HOT 9
- Unable to access Tunnel webserver HOT 23
- Skip unresolvable dns entry on policy creation HOT 2
- Help needed with mfa HOT 15
- QR-Code instead of Download wg0.conf HOT 2
- Password requirement for WebAuthn external key (like YubiKey) should be optional HOT 8
- Access dns-server fully after mfa HOT 2
- Enable Discussions and Wiki for this repository HOT 4
- Add ability to run wg for stats/info HOT 1
- Add transfer stats for bytes sent/received to the web UI HOT 1
- Update documentation for ip_forward and service HOT 1
- Default value of NAT in config is null HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wag.