Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client

To: RVP <rvp%SDF.ORG@localhost>
Subject: Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
From: Paul W. Rankin <rnkn%rnkn.xyz@localhost>
Date: Wed, 15 Jan 2025 19:31:32 +1000

RVP <rvp%SDF.ORG@localhost> wrote:
> On Tue, 14 Jan 2025, Paul W. Rankin wrote:
> 
> > I disabled the firewall entirely and saw no change. At least we can
> > rule that out.
> >
> 
> OK, judging from the `vioif0' i/f name, the server is running in a VM, and
> from the client i/f name you were doing the tcpdump on, utun4, plus the fact
> that ICMP packets (pings) from the client were seen as UDP packets on the
> server (this is what QEMU, for one, does when it's running unprivileged--it
> doesn't have rootly powers, so it "compensates") , I would judge that the
> client is running inside a VM too?
> 
> Can you show the output of `ifconfig -a' on both the server and client?
> Have the VMs assigned a 10.x.x.x (again, std. for QEMU in some config.) to
> the virtual i/f addresses?
> 
> If so, can you reassign the Wireguard addresses to some other range?

The server is a VM, the host uses KVM. The macOS client is not a VM,
it's 100% pure Apple.

On the NetBSD server/VM:

# ifconfig -a
vioif0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ec_capabilities=0x1<VLAN_MTU>
	ec_enabled=0
	address: 56:00:05:34:d7:f6
	status: active
	inet6 fe80::5400:5ff:fe34:d7f6%vioif0/64 flags 0 scopeid 0x1
	inet6 2001:19f0:5:34b4:43ba:2063:5ba4:b14d/64 flags 0x40<AUTOCONF>
	inet 64.176.222.118/23 broadcast 64.176.223.255 flags 0
lo0: flags=0x8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33624
	status: active
	inet6 ::1/128 flags 0x20<NODAD>
	inet6 fe80::1%lo0/64 flags 0 scopeid 0x2
	inet 127.0.0.1/8 flags 0
wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
	status: active
	inet6 fe80::1457:1bc8:34cf:69c0%wg0/64 flags 0 scopeid 0x3
	inet6 fd00:2::1/64 flags 0
	inet 10.2.0.1/24 flags 0

On the macOS client (with WireGuard up):

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
anpi0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 32:81:29:1a:04:10
	media: none
	status: inactive
anpi1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 32:81:29:1a:04:11
	media: none
	status: inactive
en3: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 32:81:29:1a:04:f0
	nd6 options=201<PERFORMNUD,DAD>
	media: none
	status: inactive
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 32:81:29:1a:04:f1
	nd6 options=201<PERFORMNUD,DAD>
	media: none
	status: inactive
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=460<TSO4,TSO6,CHANNEL_IO>
	ether 36:72:48:7c:ca:40
	media: autoselect <full-duplex>
	status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=460<TSO4,TSO6,CHANNEL_IO>
	ether 36:72:48:7c:ca:44
	media: autoselect <full-duplex>
	status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
	ether 36:72:48:7c:ca:40
	Configuration:
		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
		ipfilter disabled flags 0x0
	member: en1 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 8 priority 0 path cost 0
	member: en2 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 9 priority 0 path cost 0
	nd6 options=201<PERFORMNUD,DAD>
	media: <unknown type>
	status: inactive
ap1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
	ether 52:91:5a:1a:42:6e
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (none)
	status: inactive
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
	ether ca:99:92:43:3b:a2
	inet6 fe80::1ca6:590:f8a2:bef4%en0 prefixlen 64 secured scopeid 0xb 
	inet6 2001:8004:4441:9766:10d2:3653:5ef:b94d prefixlen 64 autoconf secured 
	inet6 2001:8004:4441:9766:fc9f:865:9605:fe57 prefixlen 64 autoconf temporary 
	inet 192.168.1.111 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet6 fe80::e935:47f0:ab8f:346f%utun0 prefixlen 64 scopeid 0xd 
	nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::a7f7:6660:f35a:9eb4%utun1 prefixlen 64 scopeid 0xe 
	nd6 options=201<PERFORMNUD,DAD>
awdl0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
	ether 2e:1b:ea:d8:46:aa
	inet6 fe80::2c1b:eaff:fed8:46aa%awdl0 prefixlen 64 scopeid 0xf 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
llw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 2e:1b:ea:d8:46:aa
	inet6 fe80::2c1b:eaff:fed8:46aa%llw0 prefixlen 64 scopeid 0x10 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (none)
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
	inet6 fe80::d339:6b9b:7bce:8c12%utun2 prefixlen 64 scopeid 0x11 
	nd6 options=201<PERFORMNUD,DAD>
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1000
	inet6 fe80::ce81:b1c:bd2c:69e%utun3 prefixlen 64 scopeid 0x12 
	nd6 options=201<PERFORMNUD,DAD>
utun5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::5368:e35c:6e05:aa2f%utun5 prefixlen 64 scopeid 0x14 
	nd6 options=201<PERFORMNUD,DAD>
utun6: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::812b:b59e:1e0f:eb87%utun6 prefixlen 64 scopeid 0x15 
	nd6 options=201<PERFORMNUD,DAD>

Follow-Ups:
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: J. Hannken-Illjes

References:
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: Paul W . Rankin
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: RVP
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: Greg Troxel
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: Paul W . Rankin
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: J. Hannken-Illjes
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: Paul W . Rankin
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: RVP
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: Paul W . Rankin
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: RVP
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: Paul W . Rankin
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: Christof Meerwald
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: Paul W . Rankin
- Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
  - From: RVP

Prev by Date: Re: building rust with x.py from today's git ends in SIGSEGV
Next by Date: Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
Previous by Thread: Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
Next by Thread: Re: Getting wg(4) NetBSD server to work with WireGuard(R) macOS client
Indexes:

Home | Main Index | Thread Index | Old Index