
RAW routing mode (wag issue, CLOSED)

nhas avatar nhas commented on May 28, 2024
RAW routing mode

from wag.

Comments (8)

NHAS avatar NHAS commented on May 28, 2024 1

Haha, networking is hard I get it.


NHAS avatar NHAS commented on May 28, 2024

Howdy.

Yes this is definitely supported and is why the NAT flag exists.

Could you please give me your config (without the private key).

And the output of iptables -L -n on your host.


Cody7172 avatar Cody7172 commented on May 28, 2024

I am testing with this configuration (for the moment using just TOTP as MFA). I've read the documentation several times but I don't know whether it is actually correct.

{
    "Socket": "/tmp/wag.sock",
    "CheckUpdates": true,
    "Proxied": false,
    "ExposePorts": [
        "443/tcp",
        "4433/tcp",
        "8080/tcp"
    ],
    "NAT": false,
    "HelpMail": "adminmailhere",
    "Lockout": 5,
    "ExternalAddress": "domainnamehere",
    "MaxSessionLifetimeMinutes": 480,
    "SessionInactivityTimeoutMinutes": 1,
    "ManagementUI": {
        "ListenAddress": "domainnamehere:4433",
        "CertPath": "/root/certs/cert.crt",
        "KeyPath": "/root/certs/key.key",
        "Enabled": true
    },
    "Webserver": {
        "Public": {
            "ListenAddress": "domainnamehere:8080",
            "CertPath": "/root/certs/cert.crt",
            "KeyPath": "/root/certs/key.key"
        },
        "Tunnel": {
            "Port": "443"
        }
    },
    "Authenticators": {
        "DefaultMethod": "totp",
        "Issuer": "domainnamehere",
        "Methods": [
            "totp"
        ],
        "DomainURL": "https://domainnamehere",
        "OIDC": {
            "IssuerURL": "https://accounts.google.com",
            "ClientSecret": "secrethere",
            "ClientID": "clientidhere",
            "GroupsClaimName": "groups"
        },
        "PAM": {
            "ServiceName": ""
        }
    },
    "Wireguard": {
        "DevName": "wg0",
        "ListenPort": 5920,
        "PrivateKey": "privatekeyhere",
        "Address": "10.1.2.1/24",
        "MTU": 1420,
        "PersistentKeepAlive": 25,
        "DNS": [
            "8.8.8.8/32"
        ]
    },
    "DatabaseLocation": "devices.db",
    "Acls": {
        "Policies": {
            "*": {
                "Mfa": [
                    "10.114.0.4/24"
                ],
                "Allow": [
                    "10.1.2.0/24"
                ]
            }
        }
    }
}

So I am trying to reach 10.114.0.0/24 via wag.
Here is the iptables output of the Ubuntu 22 host:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4433
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           


NHAS avatar NHAS commented on May 28, 2024

Thanks for that. Looks sane to me, what are your host IPs?

E.g. which IP is the wag server and what is your target that isn't working?


Cody7172 avatar Cody7172 commented on May 28, 2024

what are your host IPs?
E.g. which IP is the wag server and what is your target that isn't working?

Host eth1 is 10.114.0.5/24, wg is 10.1.2.1/24.
Target is 10.114.0.4/24.
Trying to reach 10.114.0.0/24 via wag.


NHAS avatar NHAS commented on May 28, 2024

Sweet.
So are you completing the MFA process? As you've put 10.114.0.4/24 in the Mfa block.

Secondly, you might want to make that either 10.114.0.4/32 or 10.114.0.0/24.

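The point in the comment above (an ACL entry like 10.114.0.4/24 has host bits set, so it is ambiguous whether a single host or the whole network is meant) can be checked mechanically before a config is loaded. The following shell script is an added example, not code from wag or from anyone in this thread: it canonicalises a CIDR and reports the two unambiguous alternatives for any entry whose host bits are not zero. The CIDR values are the ones from the config posted above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the wag project): flag ACL entries whose prefix has
# host bits set, e.g. 10.114.0.4/24, and suggest the /32 or network form.

# cidr_network CIDR -> prints the canonical network form (host bits cleared).
# A bare address without "/prefix" is treated as a /32 host entry.
cidr_network() {
  awk -v cidr="$1" 'BEGIN {
    split(cidr, p, "/"); split(p[1], o, ".")
    bits = (p[2] == "") ? 32 : p[2] + 0
    ip = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    block = 2 ^ (32 - bits)            # number of addresses in the host part
    net = int(ip / block) * block      # clear host bits (POSIX awk has no bit operators)
    printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256, int(net / 65536) % 256,
           int(net / 256) % 256, net % 256, bits
  }'
}

# acl_entry_status CIDR -> "ok" when the entry is already canonical, otherwise
# a message naming the single-host (/32) and whole-network alternatives.
acl_entry_status() {
  entry=$1
  case $entry in
    */*) ;;
    *) entry="$entry/32" ;;
  esac
  host=${entry%%/*}
  net=$(cidr_network "$entry")
  if [ "$net" = "$entry" ]; then
    echo ok
  else
    echo "host bits set in $entry: use $host/32 or $net"
  fi
}

# Constructed input: the Mfa and Allow entries from the config in this thread.
for entry in 10.114.0.4/24 10.1.2.0/24; do
  printf '%s -> %s\n' "$entry" "$(acl_entry_status "$entry")"
done
```

On a real config, feed it the entries from the Acls block (for example with a jq query over the JSON) and treat any non-"ok" line as something to fix before restarting wag, since the firewall rules wag derives from the entry will only ever match the canonical network.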

NHAS avatar NHAS commented on May 28, 2024

I would also say, does your other server have routes to the wag host?

I.e
ip route add 10.1.2.1/24 via 10.114.0.5

You can check this with ip r

And I'd also check on your target host (10.114.0.4) that you are receiving traffic with tcpdump.

E.g

tcpdump -i eth0 'net 10.114.0.0/24'

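The route check suggested above (does the target have a return route for the tunnel subnet via the wag host?) is the thing that turned out to be missing in this thread, and it is easy to script so it can be run on every host behind a wag gateway. The script below is an added example, not code from wag or from this thread: it parses `ip route show` output for the target host and reports whether the tunnel network is routed via the wag host. The addresses (target 10.114.0.4, wag host 10.114.0.5 on eth1, tunnel 10.1.2.0/24) come from the thread; the two routing tables are constructed samples and the function names are my own. The tcpdump step is not simulated here.

```shell
#!/bin/sh
# Added example (not from the wag project): verify that a host behind wag has a
# return route for the WireGuard tunnel subnet pointing at the wag host.

TUNNEL_NET=10.1.2.0/24   # the network of wag's "Address": "10.1.2.1/24"
WAG_HOST=10.114.0.5      # the wag host's eth1 address from the thread

# Constructed `ip route show` output for a target (10.114.0.4) that lacks the
# return route, which is the situation the thread ends up diagnosing.
ROUTES_BEFORE='default via 10.114.0.1 dev eth0 proto static
10.114.0.0/24 dev eth0 proto kernel scope link src 10.114.0.4
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown'

# The same table after the return route has been added.
ROUTES_AFTER="$ROUTES_BEFORE
$TUNNEL_NET via $WAG_HOST dev eth0"

# return_route_status ROUTES SUBNET GATEWAY
# Prints "ok", "wrong-gateway <gw-or-none>" or "missing".
return_route_status() {
  routes=$1; subnet=$2; gw=$3
  # first route whose destination is exactly the tunnel subnet
  line=$(printf '%s\n' "$routes" | awk -v s="$subnet" '$1 == s { print; exit }')
  if [ -z "$line" ]; then
    echo missing
    return 0
  fi
  # the next-hop is the token following "via"; an on-link route has none
  actual=$(printf '%s\n' "$line" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }')
  if [ "$actual" = "$gw" ]; then
    echo ok
  else
    echo "wrong-gateway ${actual:-none}"
  fi
}

# fix_command SUBNET GATEWAY DEV -> the route to add when the check says "missing"
fix_command() {
  echo "ip route add $1 via $2 dev $3"
}

# On a real target run: return_route_status "$(ip route show)" 10.1.2.0/24 10.114.0.5
echo "before: $(return_route_status "$ROUTES_BEFORE" "$TUNNEL_NET" "$WAG_HOST")"
echo "fix:    $(fix_command "$TUNNEL_NET" "$WAG_HOST" eth0)"
echo "after:  $(return_route_status "$ROUTES_AFTER" "$TUNNEL_NET" "$WAG_HOST")"
```

A "missing" result explains the symptom seen here exactly: with NAT disabled, packets from 10.1.2.x reach the target with their tunnel source address intact, and the target's replies follow its default route instead of going back through the wag host. A "wrong-gateway" result points at a stale or conflicting route that will misdirect replies in the same way.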

Cody7172 avatar Cody7172 commented on May 28, 2024

Thank you so much for your response!
My mistake, I just realized that 10.114.0.4 has no reverse route to 10.1.2.0.
Added a route and it worked as it should.

