1
Virtual private networks / Re: Wireguard Site-to-Site + Selective routing is buggy!
« on: April 12, 2023, 05:43:47 pm »
Correct. MSS clamping fixed the problem. Thanks.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
Virtual private networks / Re: Wireguard with two Peers routing
« on: April 12, 2023, 01:57:39 am »
The Madrid VPS needs to have the Brazil Peer have allowed-IPs 0.0.0.0/0 to allow internet traffic from brazil in through the tunnel.
The allowed-IPs dictate what is allowed to com in through the tunnel, and a secondary convenience adds the necessary routes. In this cases like this you usually disable the Wireguard auto routing and put in the routes yourself.
Same thing with the Opnsense. The tunnel you connect to has to have 0.0.0.0/0 as allowed IPs to allow internet traffic in through it.
The only thing that you need to figure out is how to do the routing manually, maybe someone can chime in with suggestions.
The allowed-IPs dictate what is allowed to com in through the tunnel, and a secondary convenience adds the necessary routes. In this cases like this you usually disable the Wireguard auto routing and put in the routes yourself.
Same thing with the Opnsense. The tunnel you connect to has to have 0.0.0.0/0 as allowed IPs to allow internet traffic in through it.
The only thing that you need to figure out is how to do the routing manually, maybe someone can chime in with suggestions.
3
Virtual private networks / Wireguard Site-to-Site + Selective routing is buggy!
« on: April 12, 2023, 12:05:10 am »
I have a working Site-to-Site wireguard setup and I want to be able to selectively route certain hosts from site A to reach the internet through the WAN from site B.
Site A: Network 192.168.1.0/24, Wireguard Tunnel IP 10.10.10.1
Site B: Network 192.168.2.0/24, Wireguard Tunnel IP 10.10.10.2
I used the wiki's Selective Routing Wireguard guide as a base and changed the following from the site-to-site setup.
After I do that all hosts on Site A can reach Site B hosts, and the aliased Site A hosts have their public IP show to be Site B's WAN address on the check my IP websites.
THE PROBLEM
Not every website works well. some sites run smoothly, some sites like Reddit occasionally timeout. The site paramountplus alway gives an Err_Timed_out error. The Hulu login button after inputting username and password alway gives a network error. So this setup kinda works, but many sites don't really work well.
My first thought was this was an MTU issue, but I dropped the MTU all the way to 900 and it still acts exactly the same (WAN on site A uses PPPOE fiber so MTU shouldn't need to be smaller than 1412). So it doesn't seem to be an MTU problem.
If I connect my laptop as a road warrior setup directly to Site B with allowed-ips 0.0.0.0/0 then all the problems go away. So Wireguard can work, but for some reason there is something in my Site-to-Site + Selective routing setup that is causing buggy behavior with certain sites. I was wondering if anything seems wrong with my setup.
Site A: Network 192.168.1.0/24, Wireguard Tunnel IP 10.10.10.1
Site B: Network 192.168.2.0/24, Wireguard Tunnel IP 10.10.10.2
I used the wiki's Selective Routing Wireguard guide as a base and changed the following from the site-to-site setup.
- On Site A router, VPN->Wireguard. Changed the Allowed-IPs on the on the endpoint to 0.0.0.0/0
- On Site A router, VPN->Wireguard -> Local. Disable routes and add IP 10.10.10.11 as gateway
- On Site A router, System->Gateway->Single. Add Wireguard Gateway, Far Gateway, IP 10.10.10.11, Monitor 10.10.10.2
- On Site A router, System->Routes->Config. Add route to 192.168.2.0/24 through new Wireguard Gateway
- On Site A router, Firewall->Alias. Add alias of hosts I want to route
- On Site A router, Firewall->Rules->Lan. Any alias source to a non-RFC1918 address uses Wireguard Gateway (rule placed at top of rule list)
- On Site B router, Firewall->NAT->Outbound. Add Manual Rule, source 192.168.1.0/24, any destination, NAT to WAN address. Also set hybrid rules for outbound.
After I do that all hosts on Site A can reach Site B hosts, and the aliased Site A hosts have their public IP show to be Site B's WAN address on the check my IP websites.
THE PROBLEM
Not every website works well. some sites run smoothly, some sites like Reddit occasionally timeout. The site paramountplus alway gives an Err_Timed_out error. The Hulu login button after inputting username and password alway gives a network error. So this setup kinda works, but many sites don't really work well.
My first thought was this was an MTU issue, but I dropped the MTU all the way to 900 and it still acts exactly the same (WAN on site A uses PPPOE fiber so MTU shouldn't need to be smaller than 1412). So it doesn't seem to be an MTU problem.
If I connect my laptop as a road warrior setup directly to Site B with allowed-ips 0.0.0.0/0 then all the problems go away. So Wireguard can work, but for some reason there is something in my Site-to-Site + Selective routing setup that is causing buggy behavior with certain sites. I was wondering if anything seems wrong with my setup.
Pages: [1]