Comments (8)
Haha, networking is hard, I get it.
Howdy.
Yes, this is definitely supported and is why the NAT flag exists.
Could you please give me your config (without the private key) and the output of `iptables -L -n` on your host.
I am testing with this configuration (for the moment using just TOTP as MFA). I've read the documentation several times, but I don't know if it is actually correct:
```json
{
  "Socket": "/tmp/wag.sock",
  "CheckUpdates": true,
  "Proxied": false,
  "ExposePorts": [
    "443/tcp",
    "4433/tcp",
    "8080/tcp"
  ],
  "NAT": false,
  "HelpMail": "*adminmailhere*",
  "Lockout": 5,
  "ExternalAddress": "domainnamehere*",
  "MaxSessionLifetimeMinutes": 480,
  "SessionInactivityTimeoutMinutes": 1,
  "ManagementUI": {
    "ListenAddress": "domainnamehere:4433",
    "CertPath": "/root/certs/cert.crt",
    "KeyPath": "/root/certs/key.key",
    "Enabled": true
  },
  "Webserver": {
    "Public": {
      "ListenAddress": "domainnamehere:8080",
      "CertPath": "/root/certs/cert.crt",
      "KeyPath": "/root/certs/key.key"
    },
    "Tunnel": {
      "Port": "443"
    }
  },
  "Authenticators": {
    "DefaultMethod": "totp",
    "Issuer": "domainnamehere",
    "Methods": [
      "totp"
    ],
    "DomainURL": "https://domainnamehere",
    "OIDC": {
      "IssuerURL": "https://accounts.google.com",
      "ClientSecret": "secrethere",
      "ClientID": "clientidhere",
      "GroupsClaimName": "groups"
    },
    "PAM": {
      "ServiceName": ""
    }
  },
  "Wireguard": {
    "DevName": "wg0",
    "ListenPort": 5920,
    "PrivateKey": "privatekeyhere",
    "Address": "10.1.2.1/24",
    "MTU": 1420,
    "PersistentKeepAlive": 25,
    "DNS": [
      "8.8.8.8/32"
    ]
  },
  "DatabaseLocation": "devices.db",
  "Acls": {
    "Policies": {
      "*": {
        "Mfa": [
          "10.114.0.4/24"
        ],
        "Allow": [
          "10.1.2.0/24"
        ]
      }
    }
  }
}
```
So I'm trying to reach 10.114.0.0/24 via wag.
Here is the iptables output of the Ubuntu 22 host:
```
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4433
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (2 references)
target prot opt source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
```
Thanks for that. Looks sane to me, what are your host IPs?
E.g. which IP is the wag server, and what is your target that isn't working?
> what are your host IPs?
> E.g. which IP is the wag server, and what is your target that isn't working?
Host eth1 is 10.114.0.5/24, wg is 10.1.2.1/24.
Target is 10.114.0.4/24.
I'm trying to reach 10.114.0.0/24 via wag.
Sweet.
So are you completing the MFA process? As you've put 10.114.0.4/24 in the Mfa block.
Secondly, you might want to make that either 10.114.0.4/32 or 10.114.0.0/24.
I would also say, does your other server have routes to the wag host? I.e.
`ip route add 10.1.2.1/24 via 10.114.0.5`
You can check this with `ip r`.
And I'd also check on your target host (10.114.0.4) that you are receiving traffic with tcpdump, e.g.
`tcpdump -i eth0 'net 10.114.0.0/24'`
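The two checks suggested in this thread (an ACL entry written with host bits set, such as 10.114.0.4/24, and a target host with no return route to the tunnel subnet) can be scripted. The example below is added here and is not part of wag or of this thread; the config fragment and the `ip r` tables are constructed placeholders shaped like the ones posted above, and `WAG_HOST_IP` and the function names are assumptions:

```python
import ipaddress
import json

# Constructed placeholder config fragment shaped like the one posted above
# (not the poster's real config); only the fields the checks need are present.
SAMPLE_CONFIG = json.loads("""
{
  "Wireguard": {"Address": "10.1.2.1/24"},
  "Acls": {"Policies": {"*": {"Mfa": ["10.114.0.4/24"], "Allow": ["10.1.2.0/24"]}}}
}
""")

# Constructed `ip r` output from a target host (10.114.0.4) with no return
# route to the tunnel subnet, and the same table after a route was added.
ROUTES_MISSING = """\
default via 10.114.0.1 dev eth0 proto static
10.114.0.0/24 dev eth0 proto kernel scope link src 10.114.0.4
"""
ROUTES_FIXED = ROUTES_MISSING + "10.1.2.0/24 via 10.114.0.5 dev eth0\n"

WAG_HOST_IP = "10.114.0.5"  # assumed LAN address of the wag host (as in the thread)


def tunnel_network(config):
    """Tunnel subnet implied by Wireguard.Address (10.1.2.1/24 -> 10.1.2.0/24)."""
    return ipaddress.ip_network(config["Wireguard"]["Address"], strict=False)


def check_acl_cidrs(config):
    """Flag ACL entries whose prefix has host bits set, e.g. 10.114.0.4/24.

    Such an entry is ambiguous: the author may have meant one host (/32)
    or the whole subnet (10.114.0.0/24). Returns (entry, suggestion) pairs.
    """
    findings = []
    for policy in config["Acls"]["Policies"].values():
        for key in ("Mfa", "Allow"):
            for entry in policy.get(key, []):
                try:
                    ipaddress.ip_network(entry, strict=True)
                except ValueError:  # strict parsing rejects host bits set
                    host = entry.split("/")[0]
                    net = ipaddress.ip_network(entry, strict=False)
                    findings.append((entry, f"use {host}/32 for one host or {net} for the subnet"))
    return findings


def parse_routes(ip_r_output):
    """Parse `ip r` lines into (destination network, next hop or None) tuples."""
    routes = []
    for line in ip_r_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, via))
    return routes


def return_next_hop(ip_r_output, tunnel):
    """Next hop the target host uses for replies to the tunnel subnet.

    Longest-prefix match over the parsed table; None means the host treats
    the subnet as directly connected, or has no route for it at all.
    """
    best = None
    for net, via in parse_routes(ip_r_output):
        if tunnel.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def has_return_route(ip_r_output, config, wag_host_ip=WAG_HOST_IP):
    """True only if replies to tunnel clients are forwarded to the wag host."""
    return return_next_hop(ip_r_output, tunnel_network(config)) == wag_host_ip


if __name__ == "__main__":
    for entry, advice in check_acl_cidrs(SAMPLE_CONFIG):
        print(f"ACL entry {entry}: host bits set; {advice}")
    for label, table in (("before", ROUTES_MISSING), ("after", ROUTES_FIXED)):
        print(f"return route {label} fix:", has_return_route(table, SAMPLE_CONFIG))
```

On the "before" table the longest match for 10.1.2.0/24 is the default route via 10.114.0.1, so replies leave towards the LAN gateway rather than the wag host, which is exactly the symptom in this thread; after the `ip route add`, the /24 entry wins and the check passes. Replace the constructed tables with the real `ip r` output of the target host to run it against a live system.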
Thank you so much for your response!
My mistake, I just realized that 10.114.0.4 has no reverse route to 10.1.2.0.
Added a route and this worked as it should.