From webmin port to SSL 443 on WAN domain name

Here’s what I’ve done about it, but it still doesn’t work (without my keys):

Each wg conf file is here with the settings specified in:

Did you check the routing table on your clients to make sure they are using the VPN server (its VPN IP, not the public one) as their gateway to the other hosts on the VPN network?

Also, I don’t think you need masquerading on the client machines. You only need to reach the one IP. They are not acting as routers.

What’s the best way to check this?

Could you elaborate on what exactly I need, instead of only denying what I’ve done?

I gave you the command above. ip ro sh

Here are the outputs for: ip ro sh
Server: https://termbin.com/bc9lp
Desktop: https://termbin.com/v55p
Distant: https://termbin.com/zllqf

Just don’t do the masquerade rules on the clients. They aren’t needed, for any reason I can think of. They just need to be told how to route to other clients on the VPN network, and you just have to allow them to route through the server.

I don’t think you need masquerade rules on the server, either, but maybe? It does need to act as a router, but I can’t think of why it would need to masquerade IPs here.

What’s good in this post for me then? Does it not apply to me too?

I believe that post is correct (but I am not a WireGuard developer or expert), though I’m iffy about the masquerade rules, I don’t understand why they would be needed anywhere. But you did something different than that, regardless.

The routing stuff happens on the server, not the clients.

You need the server to act as a router for hosts on the VPN.

You need the clients to know that’s the router for that network, but I’m not sure how that needs to be done (but masquerade rules would not be how that’s done…I can maybe imagine a scenario where they’d be necessary on the server, though I would try without first, but I’m not coming up with any reason to do it on the clients).

So my next search should be “How do I make my Wireguard server act like a router?”

Right?
If this is the case, I’ll consult the wireguard chat to set this like it should first.
Afterwards, I’ll probably come to you if I still am unable to access 10.5.5.3:10001

Is this ok for you?

That’s what that Stack Overflow post was about. You already searched it, and found what looks like a reasonable answer.

As I said, that answer looks right to me (though the masquerade may be unnecessary). You definitely need to allow routing on the server (that’s the FORWARD rules in that answer).

You also have to enable routing in the kernel: https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux

This is maybe a slightly better answer that is more relevant to you: networking - Can I make Wireguard VPN peers to talk to each other? - Stack Overflow

Note it covers enabling routing, and does not suggest masquerade rules. Seems like the path I’d try first if I were trying to set this up.

I got the answer from IRC #wireguard
I had to replace the peer’s IP in AllowedIPs = 10.5.5.0/24 with the subnet
Since my server’s IPv4 forwarding was already enabled, nothing more was needed.
Now it’s working

1 Like
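The two posts above (the earlier reply pointing at kernel forwarding plus FORWARD rules on the server, and the IRC fix of widening the client’s AllowedIPs to the subnet) amount to a three-point checklist. The script below is an added example written for this page, not code from the thread or from the WireGuard project: it parses a client config and `ip ro sh` output, and checks the server’s `ip_forward` value and `iptables -S FORWARD` output. The interface name wg0, the endpoint vpn.example.com, the key placeholders, and all sample configs and command outputs are constructed assumptions; the 10.5.5.0/24 subnet and the peer address 10.5.5.3 are the thread’s own.

```shell
#!/bin/sh
# Added example (not from the thread). Sanity checks for hub-and-spoke
# WireGuard, where clients talk to each other only through the server:
#   1. a client's AllowedIPs for the server peer must cover the whole VPN
#      subnet, otherwise packets for 10.5.5.3 are never sent into wg0;
#   2. the server must have net.ipv4.ip_forward = 1;
#   3. the server's FORWARD chain must accept traffic entering and leaving wg0.
# Interface name wg0, endpoint name and key placeholders are assumptions.

# Print the AllowedIPs entries of a WireGuard config, one per line.
allowed_ips() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' \
    | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$'
}

# Success when some AllowedIPs entry is exactly SUBNET (e.g. 10.5.5.0/24).
client_covers_subnet() {
  allowed_ips "$1" | grep -qxF -- "$2"
}

# Print the device that `ip ro sh` output routes SUBNET through, or nothing.
# wg-quick installs one route per AllowedIPs entry, so this shows whether the
# client will actually put traffic for the subnet into the tunnel.
route_dev() {
  printf '%s\n' "$1" \
    | awk -v s="$2" '$1 == s { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1) }'
}

# Success when the sysctl value is 1 and `iptables -S FORWARD` output accepts
# traffic both into and out of IFACE. No MASQUERADE rule is required for
# peer-to-peer traffic: every client already has a route back through wg0.
server_forwarding_ok() {
  fwd="$1"; rules="$2"; iface="$3"
  [ "$fwd" = "1" ] || return 1
  printf '%s\n' "$rules" | grep -qF -- "-A FORWARD -i $iface -j ACCEPT" || return 1
  printf '%s\n' "$rules" | grep -qF -- "-A FORWARD -o $iface -j ACCEPT" || return 1
}

# Constructed client config in the thread's first (broken) form: only the
# server's own address is allowed, so 10.5.5.3 is unreachable.
CLIENT_BEFORE='[Interface]
PrivateKey = <client-private-key>
Address = 10.5.5.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.5.5.1/32
PersistentKeepalive = 25'

# The same config after the IRC fix: the whole subnet goes via the server peer.
CLIENT_AFTER=$(printf '%s\n' "$CLIENT_BEFORE" \
  | sed 's#^AllowedIPs = .*#AllowedIPs = 10.5.5.0/24#')

# Constructed `ip ro sh` output for the client before and after the fix.
ROUTES_BEFORE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.5.5.1 dev wg0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

ROUTES_AFTER='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.5.5.0/24 dev wg0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Constructed `iptables -S FORWARD` output on the server after the usual
# PostUp rules (-A FORWARD -i wg0 -j ACCEPT; -A FORWARD -o wg0 -j ACCEPT).
FORWARD_RULES='-P FORWARD DROP
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT'

# Run a check and report PASS/FAIL with a label.
report() {
  label="$1"; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

report "client AllowedIPs covers 10.5.5.0/24 (before fix)" \
  client_covers_subnet "$CLIENT_BEFORE" 10.5.5.0/24
report "client AllowedIPs covers 10.5.5.0/24 (after fix)" \
  client_covers_subnet "$CLIENT_AFTER" 10.5.5.0/24
echo "route for 10.5.5.0/24 before fix: '$(route_dev "$ROUTES_BEFORE" 10.5.5.0/24)'"
echo "route for 10.5.5.0/24 after fix:  '$(route_dev "$ROUTES_AFTER" 10.5.5.0/24)'"
report "server forwards between wg0 peers (ip_forward=1)" \
  server_forwarding_ok 1 "$FORWARD_RULES" wg0
report "server forwards between wg0 peers (ip_forward=0)" \
  server_forwarding_ok 0 "$FORWARD_RULES" wg0
```

To use it against a real setup, feed the functions `cat /etc/wireguard/wg0.conf`, `ip ro sh`, `sysctl -n net.ipv4.ip_forward` and `iptables -S FORWARD` instead of the constructed strings. Note the asymmetry: the /24 belongs in the clients’ AllowedIPs only. On the server, each peer keeps its own /32, because the server’s AllowedIPs decide which peer a destination address is sent to, and two peers claiming the same subnet would conflict.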

Could you still help me with this last step eventually?

Probably, but it requires all of the stuff I explained 50 or 60 comments back. I’ve already explained how to do everything you’ve asked about, and the complexities you’ll face. Every bit of information you need has been repeated by me multiple times and in multiple ways in this very thread.

You either need to learn how to use DNS, so you can validate a wildcard, or you need to learn how to port forward to a web server on every client machine so LE can validate each of the names you assign to them. That’s how Let’s Encrypt validates, either DNS or a website. Or, you can buy a wildcard cert, but that will likely require you to learn about DNS, too (cert providers have to validate that you are the legitimate owner of a domain somehow, and the cheapest option is a web request for specific certs or a DNS request for wildcards).

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.