NetBSD-Users archive
Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
Greg Troxel <gdt%lexort.com@localhost> wrote:
> RVP <rvp%SDF.ORG@localhost> writes:
>
> > Can you start over? And this time, run script(1) on both the client and server
> > and do the config. within that so that we can get a verbatim transcript. Just
> > edit the `typescript' files to redact any info. you consider sensitive, and to
> > get rid of the `\r' chars.
>
> Better yet, write a shell script that first clears everything, and then
> does all the config.
Good idea. Okay, here's the script, run on the NetBSD server:
#!/bin/sh
# clearing everything
wgconfig wg0 delete peer sevastopol
ifconfig wg0 destroy
rm -rf /etc/wg
# setup
mkdir -p /etc/wg
(umask 0077; wg-keygen > /etc/wg/wg0)
wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
cat /etc/wg/wg0.pub
ifconfig wg0 create
ifconfig wg0 inet 10.2.0.1/24
ifconfig wg0 inet6 fd00:2::1/64
wgconfig wg0 set private-key /etc/wg/wg0
wgconfig wg0 set listen-port 9443
wgconfig wg0 add peer sevastopol \
NJrA59aVt7zVv0KFWoICioASAj7lhLhkmRV3gdDwH14= \
--allowed-ips=10.2.0.42/32,fd00:2::42/128
ifconfig wg0 up
ifconfig wg0
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1
wgconfig wg0
And the output:
6V4GegyDijmPI+iWBmEyZEDsd1fIVt7XL2+zC7PuqU8=
wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
status: active
inet6 fe80::1457:1bc8:34cf:69c0%wg0/64 flags 0x2<TENTATIVE> scopeid 0x3
inet6 fd00:2::1/64 flags 0x2<TENTATIVE>
inet 10.2.0.1/24 flags 0
net.inet.ip.forwarding: 1 -> 1
net.inet6.ip6.forwarding: 1 -> 1
interface: wg0
private-key: (hidden)
listen-port: 9443
peer: sevastopol
public-key: NJrA59aVt7zVv0KFWoICioASAj7lhLhkmRV3gdDwH14=
endpoint: (none)
preshared-key: (hidden)
allowed-ips: 10.2.0.42/32,fd00:2::42/128
latest-handshake: (never)
The macOS WireGuard client config:
[Interface]
PrivateKey = ****
Address = 10.2.0.42/24
[Peer]
PublicKey = 6V4GegyDijmPI+iWBmEyZEDsd1fIVt7XL2+zC7PuqU8=
AllowedIPs = 1.0.0.0/8, 2.0.0.0/8, 3.0.0.0/8, 4.0.0.0/6, 8.0.0.0/7,
11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2,
128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11,
172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4,
192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16,
192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10,
193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4
Endpoint = starbewastie.rnkn.xyz:9443
Connects, successful handshake, but client receives no more than a
bytes on the client. tcpdump on the physical device vioif0 while
pinging 10.2.0.1 on the client:
# tcpdump -tn -i vioif0 port 9443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vioif0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 148
IP 64.176.222.118.9443 > 1.146.105.131.3100: UDP, length 92
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 64.176.222.118.9443 > 1.146.105.131.3100: UDP, length 32
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
[...]
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 64.176.222.118.9443 > 1.146.105.131.3100: UDP, length 32
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
tcpdump on the wg0 device while pinging 10.2.0.1 on the client:
# tcpdump -tn -i wg0 port 9443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type NULL (BSD loopback), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
Thanks in advance :)
--
Paul W. Rankin
https://rnkn.xyz
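WireGuard's cryptokey routing applies AllowedIPs in both directions: on the way out, a peer's AllowedIPs decides which destinations get encrypted to that peer, and on the way in, a decrypted packet is dropped unless its inner source address falls inside the sending peer's AllowedIPs. The following is an added example, not part of this thread or of the NetBSD wg tooling, that replays those two checks over the two AllowedIPs lists posted above; the flows fed to it are constructed, and it also reports that 10.0.0.0/8 is absent from the client's list, so a destination of 10.2.0.1 matches no prefix there.

```python
import ipaddress

# Copied from the AllowedIPs lists shown in this message.
CLIENT_ALLOWED_IPS = [  # client's [Peer] entry for the server
    "1.0.0.0/8", "2.0.0.0/8", "3.0.0.0/8", "4.0.0.0/6", "8.0.0.0/7",
    "11.0.0.0/8", "12.0.0.0/6", "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2",
    "128.0.0.0/3", "160.0.0.0/5", "168.0.0.0/6", "172.0.0.0/12", "172.32.0.0/11",
    "172.64.0.0/10", "172.128.0.0/9", "173.0.0.0/8", "174.0.0.0/7", "176.0.0.0/4",
    "192.0.0.0/9", "192.128.0.0/11", "192.160.0.0/13", "192.169.0.0/16",
    "192.170.0.0/15", "192.172.0.0/14", "192.176.0.0/12", "192.192.0.0/10",
    "193.0.0.0/8", "194.0.0.0/7", "196.0.0.0/6", "200.0.0.0/5", "208.0.0.0/4",
]
SERVER_ALLOWED_IPS = ["10.2.0.42/32", "fd00:2::42/128"]  # server's peer "sevastopol"


def matching_prefix(addr, allowed_ips):
    """Longest-prefix match of addr against an AllowedIPs list, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best


def trace_client_to_server(src, dst):
    """Simulate both cryptokey-routing checks for an inner packet sent by the
    client (src, dst are the inner addresses). Returns (verdict, detail)."""
    egress = matching_prefix(dst, CLIENT_ALLOWED_IPS)
    if egress is None:
        return ("not tunnelled", f"{dst} is covered by no AllowedIPs prefix on "
                                 "the client, so it is not encrypted to this peer")
    ingress = matching_prefix(src, SERVER_ALLOWED_IPS)
    if ingress is None:
        return ("dropped by server", f"decrypted inner source {src} is outside "
                                     f"the peer's allowed-ips {SERVER_ALLOWED_IPS}")
    return ("delivered", f"egress via {egress}, accepted by server via {ingress}")


def uncovered_private_ranges():
    """RFC 1918 ranges that no prefix in the client's AllowedIPs overlaps."""
    nets = [ipaddress.ip_network(c) for c in CLIENT_ALLOWED_IPS]
    return [r for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
            if not any(n.overlaps(ipaddress.ip_network(r)) for n in nets)]
```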