Thursday, January 23, 2025

community – WireGuard no internet access on peer with macOS server


I've an older MacBook Pro lying around, so I thought I could turn it into a DIY home server. I'm struggling to get WireGuard running on it as a server. The problem is the classic one: the handshake succeeds, but there is no internet access on the peer that connects to the server.

My config files are shared below; my goal is to route all traffic from my peers to the en0 interface on my server. I've tried to fiddle with the DNS and see that my resolv.conf is correctly populated.

❯ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    ether 12:7d:26:80:dd:ee
    inet 192.168.1.170 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect
    status: active

❯ cat /usr/local/etc/wireguard/postup.sh
#!/bin/sh

# 1) This ensures our peers continue to reach the internet through their
#    WireGuard-assigned IPs while connected to the VPN. It is required
#    for their traffic to get routed correctly by the firewall
#    rules we crafted earlier with pf.
/usr/sbin/sysctl -w net.inet.ip.forwarding=1

# 2) Preparing the directory where we'll persist the pf tokens
#    generated by Step (3) & (4). That token can then be used by
#    our postdown.sh script to remove the routing rules when
#    WireGuard is shut down.
mkdir -p /usr/local/var/run/wireguard
chmod 700 /usr/local/var/run/wireguard

# 3) Dynamically add the IPv4 NAT rule, enable the firewall,
#    increase its reference count (-E), and persist the reference
#    token generated by the command into
#    pf_wireguard_ipv4_token.txt, which postdown.sh will
#    reference when WireGuard is shut down.
#    The sed expression uses % as the delimiter; the BRE group \(.*\)
#    and back-reference \1 keep only the token value.
echo 'nat on en0 from 10.0.10.1/24 to any -> (en0)' | \
        pfctl -a com.apple/wireguard_ipv4 -Ef - 2>&1 | \
        grep 'Token' | \
        sed 's%Token : \(.*\)%\1%' > /usr/local/var/run/wireguard/pf_wireguard_ipv4_token.txt
IPV4_TOKEN=`sudo cat /usr/local/var/run/wireguard/pf_wireguard_ipv4_token.txt`
echo "Added PF IPv4 NAT traffic routing rule with token: ${IPV4_TOKEN}"

❯ cat /usr/local/etc/wireguard/coordinates.conf
[Interface]
Address = 10.0.10.1/24
ListenPort = 61820
PrivateKey = <redacted>
SaveConfig = false
MTU = 1280
#DNS = 1.1.1.1
PostUp = /usr/local/etc/wireguard/postup.sh
PostDown = /usr/local/etc/wireguard/postdown.sh

# 11: 11 > wgclient_11.conf
[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
AllowedIPs = 10.0.10.2

The output of the wg command is here; only a few bytes of data are exchanged and there's no internet access on the peer once it connects to the server.

❯ sudo wg
interface: utun4
  public key: <>
  private key: (hidden)
  listening port: 61820

peer: <>
  preshared key: (hidden)
  endpoint: 192.168.1.254:45341
  allowed ips: 10.0.10.2/32
  latest handshake: 8 seconds ago
  transfer: 41.92 KiB received, 912 B sent

❯ ifconfig utun4
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet 10.0.10.1 --> 10.0.10.1 netmask 0xffffff00

❯ sudo /usr/sbin/networksetup -setdnsservers Wi-Fi 1.1.1.1

❯ cat /etc/resolv.conf
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
search lan
nameserver 1.1.1.1

-- I'm able to connect to the internet from the server, over an SSH session
❯ ping google.com
PING google.com (142.250.217.110): 56 data bytes
64 bytes from 142.250.217.110: icmp_seq=0 ttl=119 time=14.757 ms
64 bytes from 142.250.217.110: icmp_seq=1 ttl=119 time=14.312 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 14.312/14.534/14.757/0.223 ms

I'm not entirely sure what I'm doing wrong; I'd appreciate any pointers here. It seems like there may be some problem with my firewall config, but I'm not very familiar with setting this up on a Mac.

I've also tried using a Docker container to set up WireGuard and had the very same problem, and then moved on to bare metal.
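An offline triage helper for the symptom in the post above (an added example, not part of the original post or of WireGuard): it parses `wg show`-style output and a `net.inet.ip.forwarding` sysctl line, both embedded here as constructed copies of the post's output, and flags the two server-side conditions that yield a good handshake with almost no return traffic. The field layout it assumes is the one the post shows.

```python
import re

# Constructed sample input, copied in the shape of the `sudo wg` and
# `sysctl net.inet.ip.forwarding` output from the post, so this runs offline.
WG_SHOW = """interface: utun4
  public key: <>
  private key: (hidden)
  listening port: 61820

peer: <>
  preshared key: (hidden)
  endpoint: 192.168.1.254:45341
  allowed ips: 10.0.10.2/32
  latest handshake: 8 seconds ago
  transfer: 41.92 KiB received, 912 B sent
"""
SYSCTL_FWD = "net.inet.ip.forwarding: 0\n"   # constructed: forwarding off

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}

def to_bytes(amount: str, unit: str) -> int:
    """Convert a wg transfer figure such as ('41.92', 'KiB') to whole bytes."""
    return int(float(amount) * UNITS[unit])

def parse_wg_show(text: str) -> list[dict]:
    """Split `wg show` output into one dict per peer; interface block is skipped."""
    peers = []
    for block in re.split(r"\n(?=peer:)", text.strip()):
        if not block.startswith("peer:"):
            continue
        peer = {"endpoint": None, "handshake": None, "rx": 0, "tx": 0}
        for line in block.splitlines():
            key, _, val = line.strip().partition(": ")
            if key == "endpoint":
                peer["endpoint"] = val
            elif key == "latest handshake":
                peer["handshake"] = val
            elif key == "transfer":
                m = re.match(r"([\d.]+) (\w+) received, ([\d.]+) (\w+) sent", val)
                peer["rx"], peer["tx"] = to_bytes(m[1], m[2]), to_bytes(m[3], m[4])
        peers.append(peer)
    return peers

def diagnose(wg_text: str, sysctl_text: str) -> list[str]:
    """Findings for the 'handshake OK, peer has no internet' case on the server."""
    findings = []
    if "forwarding: 0" in sysctl_text:
        findings.append("net.inet.ip.forwarding is 0: server will not route peer traffic")
    for p in parse_wg_show(wg_text):
        # A recent handshake with far more received than sent means the tunnel is
        # up but replies never come back: look at forwarding and the pf NAT rule.
        if p["handshake"] and p["rx"] > 0 and p["tx"] * 10 < p["rx"]:
            findings.append(f"peer {p['endpoint']}: handshake OK but only {p['tx']} B "
                            f"sent vs {p['rx']} B received; check NAT/forwarding")
    return findings
```

Run it on live output with `diagnose(subprocess.check_output(["wg"], text=True), subprocess.check_output(["sysctl", "net.inet.ip.forwarding"], text=True))` on the server.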
