NetBSD-Users archive
Trying to configure wg(4) in a "hub-and-spoke" configuration
Hello folks,
I am trying to configure wg(4) on netbsd-10 and -current.
The hub is "stardust" and is a VPS with a public IPv4 address
(51.15.113.87).
All the other nodes ("pinebookpro", "abacus", "boh") are hosts NATed
behind my home network.
Communication between a node and "stardust" works, i.e. I can ping
them from "stardust" and from a node I can ping "stardust".
However, I would also like to communicate between all the other hosts, for
example between "boh" and "abacus".
When I try to ping from "boh" (10.2.0.4) to "abacus" (10.2.0.3) I have:
boh$ ping -c3 10.2.0.3
PING 10.2.0.3 (10.2.0.3): 56 data bytes
36 bytes from 10.2.0.1: Redirect Host New router addr: 10.2.0.3 for icmp_seq=0
64 bytes from 10.2.0.3: icmp_seq=0 ttl=254 time=70.546813 ms
36 bytes from 10.2.0.1: Redirect Host New router addr: 10.2.0.3 for icmp_seq=1
64 bytes from 10.2.0.3: icmp_seq=1 ttl=254 time=69.449518 ms
36 bytes from 10.2.0.1: Redirect Host New router addr: 10.2.0.3 for icmp_seq=2
64 bytes from 10.2.0.3: icmp_seq=2 ttl=254 time=70.219366 ms
----10.2.0.3 PING Statistics----
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 69.449518/70.071899/70.546813/0.563315 ms
The corresponding `tcpdump` transcript on "stardust" (10.2.0.1) is:
stardust# tcpdump -n -i wg0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type NULL (BSD loopback), capture size 262144 bytes
09:24:03.076968 IP 10.2.0.4 > 10.2.0.3: ICMP echo request, id 61009, seq 0, length 64
09:24:03.077049 IP 10.2.0.4 > 10.2.0.3: ICMP echo request, id 61009, seq 0, length 64
09:24:03.077073 IP 10.2.0.1 > 10.2.0.4: ICMP redirect 10.2.0.3 to host 10.2.0.3, length 36
09:24:03.112569 IP 10.2.0.3 > 10.2.0.4: ICMP echo reply, id 61009, seq 0, length 64
09:24:03.112626 IP 10.2.0.3 > 10.2.0.4: ICMP echo reply, id 61009, seq 0, length 64
09:24:03.112658 IP 10.2.0.1 > 10.2.0.3: ICMP redirect 10.2.0.4 to host 10.2.0.4, length 36
09:24:04.077645 IP 10.2.0.4 > 10.2.0.3: ICMP echo request, id 61009, seq 1, length 64
09:24:04.077674 IP 10.2.0.4 > 10.2.0.3: ICMP echo request, id 61009, seq 1, length 64
09:24:04.077689 IP 10.2.0.1 > 10.2.0.4: ICMP redirect 10.2.0.3 to host 10.2.0.3, length 36
09:24:04.112789 IP 10.2.0.3 > 10.2.0.4: ICMP echo reply, id 61009, seq 1, length 64
09:24:04.112811 IP 10.2.0.3 > 10.2.0.4: ICMP echo reply, id 61009, seq 1, length 64
09:24:04.112821 IP 10.2.0.1 > 10.2.0.3: ICMP redirect 10.2.0.4 to host 10.2.0.4, length 36
09:24:05.077565 IP 10.2.0.4 > 10.2.0.3: ICMP echo request, id 61009, seq 2, length 64
09:24:05.077612 IP 10.2.0.4 > 10.2.0.3: ICMP echo request, id 61009, seq 2, length 64
09:24:05.077637 IP 10.2.0.1 > 10.2.0.4: ICMP redirect 10.2.0.3 to host 10.2.0.3, length 36
09:24:05.113528 IP 10.2.0.3 > 10.2.0.4: ICMP echo reply, id 61009, seq 2, length 64
09:24:05.113573 IP 10.2.0.3 > 10.2.0.4: ICMP echo reply, id 61009, seq 2, length 64
09:24:05.113600 IP 10.2.0.1 > 10.2.0.3: ICMP redirect 10.2.0.4 to host 10.2.0.4, length 36
Here is the configuration on each host.
On "stardust" (10.2.0.1):
stardust# cat /etc/ifconfig.wg0
inet 10.2.0.1/24
!wgconfig ${int} set private-key /etc/wg/wg0
!wgconfig ${int} set listen-port 51820
!wgconfig ${int} add peer pinebookpro 'K+cYC58Jtbs9mbmGxnyMpcedsqMsEOkP8VJi5NKngSU=' --allowed-ips=10.2.0.2/32
!wgconfig ${int} add peer abacus 'fBmBCJfmj1soiNOqftwFfB4gA1M175wVbvOfiTtLvkM=' --allowed-ips=10.2.0.3/32
!wgconfig ${int} add peer boh 'Fc1IKLsUYYiKDj8cNJ2f/9FUPHsxzk3puD/TsC33Zyo=' --allowed-ips=10.2.0.4/32
up
And I have also enabled IP forwarding:
stardust# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 1
On "abacus" (10.2.0.3):
ifconfig wg0 create
ifconfig wg0 inet 10.2.0.3/24
wgconfig wg0 set private-key /etc/wg/wg0
wgconfig wg0 set listen-port 51820
wgconfig wg0 add peer stardust '3K6NFmjOM3i3m8coLYeaXN/XJ6pgpBFUh4xPtwggQQQ=' --allowed-ips=10.2.0.0/24 --endpoint=51.15.113.87:51820
ifconfig wg0 up
On "boh" (10.2.0.4):
ifconfig wg0 create
ifconfig wg0 inet 10.2.0.4/24
wgconfig wg0 set private-key /etc/wg/wg0
wgconfig wg0 set listen-port 51820
wgconfig wg0 add peer stardust '3K6NFmjOM3i3m8coLYeaXN/XJ6pgpBFUh4xPtwggQQQ=' --allowed-ips=10.2.0.0/24 --endpoint=51.15.113.87:51820
ifconfig wg0 up
The routing table on "stardust" is:
stardust# route -n show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 62.210.0.1 UG - - - vioif0
10.2.0/24 10.2.0.1 U - - - wg0
10.2.0.1 wg0 UHl - - - wg0
51.15.113.87 link#1 UHl - - - lo0
51.15.113.87/32 link#1 UC - - - vioif0
62.210.0.1 link#1 UHC - - - vioif0
127/8 127.0.0.1 UGRS - - 33624 lo0
127.0.0.1 lo0 UHl - - 33624 lo0
62.210.0.1 de:00:00:3a:d7:b2 UHL - - - vioif0
[...]
How can I permit "stardust" to route the traffic so that all the nodes
in the WireGuard 10.2.0.0/24 network can communicate with each other?
Thanks!
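An added illustration, not part of the post: a small Python model of wg(4) cryptokey routing (longest-prefix match over each peer's allowed-ips) and of the hub's forwarding decision, built from the three configurations quoted above. It reproduces why "stardust" emits the ICMP redirects seen in the tcpdump transcript: the forwarded packet leaves through the same wg0 interface it arrived on, and the source is on that interface's subnet. The interface names, the `send_redirects` flag (standing in for the kernel's net.inet.ip.redirect sysctl) and the redirect condition itself are assumptions based on classic BSD ip_forward behaviour, not taken from the post.

```python
"""Model of WireGuard cryptokey routing plus the IPv4 forwarding/redirect
decision on the hub, using the peer tables from the three configs in the post."""
from ipaddress import ip_address, ip_network

# Peer name -> allowed-ips, transcribed from the post's wgconfig lines.
CRYPTOKEY_TABLES = {
    "stardust": {"pinebookpro": ["10.2.0.2/32"],
                 "abacus": ["10.2.0.3/32"],
                 "boh": ["10.2.0.4/32"]},
    "abacus": {"stardust": ["10.2.0.0/24"]},
    "boh": {"stardust": ["10.2.0.0/24"]},
}
WG_SUBNET = ip_network("10.2.0.0/24")   # the wg0 address on every node is in here


def select_peer(node, dst):
    """Longest-prefix match over allowed-ips: the peer wg(4) would encrypt dst to,
    or None when no peer claims the address (wg(4) drops such packets)."""
    best = None
    for peer, prefixes in CRYPTOKEY_TABLES[node].items():
        for prefix in prefixes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


def forward_on_hub(hub, src, dst, in_if="wg0", send_redirects=True):
    """Hub forwarding decision: (egress peer, ICMP redirect emitted?).
    Assumption (classic BSD ip_forward): a redirect is sent when redirects are
    enabled, the packet leaves via the interface it arrived on, and the source
    address is on that interface's subnet."""
    peer = select_peer(hub, dst)
    if peer is None:
        return None, False                      # no route inside the tunnel: dropped
    out_if = "wg0" if ip_address(dst) in WG_SUBNET else "vioif0"   # hub's route table
    redirect = send_redirects and out_if == in_if and ip_address(src) in WG_SUBNET
    return peer, redirect


def trace(src_node, src, dst):
    """Path of a spoke-to-spoke packet: [spoke, hub, egress peer, redirect flag]."""
    first_hop = select_peer(src_node, dst)
    if first_hop != "stardust":
        return [src_node, None]                 # spoke has no peer for dst: dropped locally
    peer, redirect = forward_on_hub("stardust", src, dst)
    return [src_node, "stardust", peer, redirect]


if __name__ == "__main__":
    # boh -> abacus, as in the post's ping: transits the hub and triggers a redirect
    print(trace("boh", "10.2.0.4", "10.2.0.3"))
```

The reply path (abacus -> boh) hits the same condition, which is why the transcript shows a redirect in both directions for every echo/reply pair.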