Hi people,
I have a weird problem, which I can debug, but where I'm not sure how to fix it.
I have three sites all connected to each other with site-to-site setups, meaning all subnets can reach all other subnets. WireGuard runs in Docker on each site.
Subnets:
192.168.8.0/24 WG-Host: 192.168.8.5/24
192.168.16.0/24 WG-Host: 192.168.16.31/24
192.168.24.0/24 WG-Host: 192.168.24.6/24
I have configured routing and the hosts properly, everything else works fine. Except I can't reach the subnets from the hosts where WG is running.
Example:
- When I try to ping (not WG-Host) ==> (not WG-Host) (in another subnet ofc) it works.
#Host 192.168.16.91
➜ ~ ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1) 56(84) bytes of data.
From 192.168.16.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.16.31)
64 bytes from 192.168.8.1: icmp_seq=1 ttl=62 time=20.3 ms
64 bytes from 192.168.8.1: icmp_seq=2 ttl=62 time=20.6 ms
64 bytes from 192.168.8.1: icmp_seq=3 ttl=62 time=20.1 ms
^C
--- 192.168.8.1 ping statistics ---
3 packets transmitted, 3 received, +1 errors, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 20.113/20.322/20.601/0.205 ms
- When I try to ping (not WG-Host) ==> (WG-Host) it works.
#Host 192.168.16.91
➜ ~ ping 192.168.8.5
PING 192.168.8.5 (192.168.8.5) 56(84) bytes of data.
From 192.168.16.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.16.31)
64 bytes from 192.168.8.5: icmp_seq=1 ttl=63 time=19.0 ms
64 bytes from 192.168.8.5: icmp_seq=2 ttl=63 time=19.1 ms
64 bytes from 192.168.8.5: icmp_seq=3 ttl=63 time=19.3 ms
^C
--- 192.168.8.5 ping statistics ---
3 packets transmitted, 3 received, +1 errors, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 19.031/19.156/19.327/0.125 ms
- When I try to ping (WG-Host) ==> (not WG-Host) it does not work.
#Host 192.168.16.31
root@docker2:/docker/promgraf# ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1) 56(84) bytes of data.
^C
--- 192.168.8.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms
I'm pretty sure it has something to do with the routes on the WG-Hosts.
I did some tcpdumping and saw that, in the cases where traffic works, the source IP is the right one (192.168.X.X).
When I watch the traffic in a case where it doesn't work, the source IP is directly 10.0.0.X.
So my suspicion is that the packets are sent directly to the WG interface, without traversing the host interface.
Here are the routes from one host (192.168.16.31):
root@docker2:/docker/promgraf# ip r s
default via 192.168.16.1 dev ens3 proto static
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-d8b6936d1a8c proto kernel scope link src 172.18.0.1 linkdown
172.20.0.0/16 dev br-64627e6f93b1 proto kernel scope link src 172.20.0.1
172.21.0.0/16 dev br-4a2f194092e0 proto kernel scope link src 172.21.0.1 linkdown
172.24.0.0/16 dev br-4e89d3b18e4e proto kernel scope link src 172.24.0.1
172.25.0.0/16 dev br-9ce31703595b proto kernel scope link src 172.25.0.1
172.28.0.0/16 dev br-9f75bcdd1f79 proto kernel scope link src 172.28.0.1
172.29.0.0/16 dev br-6733bb4fa579 proto kernel scope link src 172.29.0.1
172.30.0.0/16 dev br-1812446a9708 proto kernel scope link src 172.30.0.1
172.31.0.0/16 dev br-cc0379dc2ab0 proto kernel scope link src 172.31.0.1
192.168.8.0/24 dev wg0 scope link
192.168.16.0/24 dev ens3 proto kernel scope link src 192.168.16.31
192.168.24.0/24 dev wg0 scope link
192.168.32.0/20 dev br-75c60b839d17 proto kernel scope link src 192.168.32.1
192.168.48.0/20 dev br-a9f14bea449c proto kernel scope link src 192.168.48.1
Example config:
#Host 192.168.16.31
root@docker2:/docker/wg-p2p# cat config/wg0.conf
[Interface]
Address = 10.0.0.2/24
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ListenPort = 37589
[Peer]
PublicKey = KeDJbutugXNbMDNRI/useD0QtMmOLxedOCN5boqN7EY=
Endpoint = XXXXXXXXXXXXX:37589
AllowedIPs = 10.0.0.0/24, 192.168.8.0/24
[Peer]
PublicKey = NuOoBWlMEJx6mb2NfCKLjs6nRFdTYj69IKia8wFEzVg=
Endpoint = XXXXXXXXXX:37589
AllowedIPs = 10.0.0.0/24, 192.168.24.0/24
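As an added example (not from the original post), a small Python check that parses the routing table shown above for host 192.168.16.31 and, on the assumption that the missing piece is a `src` hint on the wg0 routes to the remote LANs, emits the `ip route replace` commands that would make the WG host source its own packets from 192.168.16.31 instead of 10.0.0.2. The device names and the tunnel prefix are taken from the post; the fix itself is this example's assumption.

```python
# Added example, not code from the post: find tunnel routes to remote LANs that
# lack an explicit `src`, so locally generated packets would pick the wg0
# address (10.0.0.x) as their source instead of the LAN address.
import ipaddress

# Routing table as posted for host 192.168.16.31, abridged to the relevant lines.
ROUTES = """\
default via 192.168.16.1 dev ens3 proto static
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2
192.168.8.0/24 dev wg0 scope link
192.168.16.0/24 dev ens3 proto kernel scope link src 192.168.16.31
192.168.24.0/24 dev wg0 scope link
"""

def parse_routes(text):
    """Turn `ip route show` lines into dicts with prefix, dev and src (if any)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"prefix": ipaddress.ip_network(prefix), "dev": None, "src": None}
        # keyword/value pairs such as "dev ens3", "src 192.168.16.31"; the rest is ignored
        for key, val in zip(fields[1:], fields[2:]):
            if key in ("dev", "src"):
                route[key] = val
        routes.append(route)
    return routes

def lan_source(routes, lan_dev):
    """Address the kernel installed as src on the physical LAN interface."""
    for r in routes:
        if r["dev"] == lan_dev and r["src"]:
            return r["src"]
    return None

def missing_src_fixes(text, lan_dev="ens3", tunnel_dev="wg0", tunnel_net="10.0.0.0/24"):
    """Commands adding a `src` hint (this example's assumed remedy) to every
    tunnel route to a remote LAN that has none; the tunnel's own /24 is skipped."""
    routes = parse_routes(text)
    src = lan_source(routes, lan_dev)
    tunnel = ipaddress.ip_network(tunnel_net)
    fixes = []
    for r in routes:
        if r["dev"] != tunnel_dev or r["prefix"] == tunnel or r["src"]:
            continue  # not a remote-LAN route over the tunnel, or already has a src
        fixes.append(f"ip route replace {r['prefix']} dev {tunnel_dev} src {src}")
    return fixes
```

The hint only changes the source address of packets the WG host itself generates; forwarded traffic already carries the LAN source the tcpdump showed, which is why the other two cases work.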