[Freedombox-discuss] Wireguard: Packet has unallowed src IP (...) from peer 1 (...)

A. F. Cano afc54 at comcast.net
Mon Feb 24 22:54:16 GMT 2025


On Mon, Feb 24, 2025 at 09:40:41AM -0500, James Valleroy via Freedombox-discuss wrote:
> Hi Augustine,
> 
> On 2/23/25 9:02 PM, A. F. Cano via Freedombox-discuss wrote:
> > I have a hard time believing that I'm the only one who has trouble with
> > wireguard, or that I'm the only one who has tried to use it on a
> > FreedomBox.  Someone please tell me what I'm doing wrong.  How does the
> > FreedomBox differ from a standard wireguard implementation? How do I
> > tell it to add 192.168.200.28 to the list of allowedIPs?  In the server
> > configuration page, "Allowed IPs" is read-only and only contains
> > 10.84.0.2.
> 
> I am still trying to get Wireguard working myself, so I don't have a full
> answer for you.
> 
> But what you are trying to do seems strange. Why do you need to use this
> 192.168.x.y address?

My internal networks (on the 2 internal interfaces of an apu1d4) are
192.168.200.x/24 and 192.168.224.x/24.  I assume that to be able to do
via the vpn everything I do locally, the vpn has to be transparent and
all the addresses have to be reachable, in both directions, so anything
other than 192.168.200.x is not going to be reachable.  To concentrate
on the simple case I'm dealing with: a remote laptop with IP (specified
in its /etc/wireguard/wg0.conf) of 192.168.200.28, once I have set that
address specifically in the laptop's AllowedIPs (as explained earlier in
this thread), doing a traceroute 192.168.200.9, the laptop actually
sends packets via wg0 and they are received at the FreedomBox, but
that's where I get the error described earlier.

It seems to me that wireguard should know the IP ranges of the internal
interfaces and should route the packets appropriately, or is this not
necessary?  At the very least it should accept packets specifically
set in the FreedomBox AllowedIPs, but this is apparently not possible.

Am I misunderstanding how wireguard interacts with the IP stack of the
FreedomBox and its routing to the internal interfaces?

> Usually Wireguard has its own private IP range that starts with 10.x.y.z. Every
> client should choose an IP address in this range. Note that this is completely
> independent of any other IP address that the client may have on other network
> interfaces (for example, assigned by DHCP).

Yes, I went through that already.  At first, as soon as I started
wireguard on the laptop, nothing else would go out the other interface.
With the current configuration file (see earlier in this thread) the
routing on the laptop works correctly and only sends traffic destined to
192.168.200.x via the wg0 interface.

I see that the wg0 interface on the FreedomBox has IP 10.84.0.1/24 and
the one on the laptop is 10.84.0.2.  Presumably if my internal
interfaces were all 10.84.0.x, everything would work without needing
extra configuration, but it happens that I have 2 networks with
192.168.200.x and 192.168.224.x and I'd rather not have to change the
configuration of all the machines to satisfy wireguard.

Also, presumably, if all I wanted to do was to talk to the FreedomBox
itself, none of this would be applicable.  But then again, ssh to
the FreedomBox from outside handles this case just fine.
Maybe the complication comes from using the FreedomBox as a
firewall/gateway.  Or am I completely off base?

> Regards,
> James

Thanks for taking the time to reply.  Hopefully we can figure this out.

Augustine
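As an added illustration (not part of the original thread), the Python below models WireGuard's cryptokey routing with the addresses from this discussion: the destination IP picks the peer on the way out, and after decryption the inner source IP must fall inside that peer's AllowedIPs or the packet is dropped with exactly the "unallowed src IP" message in the subject line. The peer tables are constructed; the laptop-side AllowedIPs (10.84.0.1/32, 192.168.200.0/24) are an assumption based on the poster's description of the laptop only sending 192.168.200.x via wg0.

```python
import ipaddress

# Constructed peer tables using the addresses mentioned in the thread.
# Each entry maps a peer name to its AllowedIPs (WireGuard's cryptokey routing table).
FREEDOMBOX_PEERS_AS_SHOWN = {"laptop": ["10.84.0.2/32"]}                    # read-only UI value
FREEDOMBOX_PEERS_WANTED = {"laptop": ["10.84.0.2/32", "192.168.200.28/32"]}  # what the poster wants
LAPTOP_PEERS = {"freedombox": ["10.84.0.1/32", "192.168.200.0/24"]}          # laptop wg0.conf (assumed)


def _parse(peers):
    return {name: [ipaddress.ip_network(n) for n in nets] for name, nets in peers.items()}


def route_outbound(peers, dst):
    """Outbound side: the destination IP selects the peer (longest matching AllowedIPs prefix).
    Returns the peer name, or None if no peer claims dst (the packet never enters the tunnel)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, nets in _parse(peers).items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def check_inbound(peers, peer_name, inner_src):
    """Inbound side: after decryption, the inner source IP must lie inside the sending
    peer's AllowedIPs, otherwise WireGuard drops it ('Packet has unallowed src IP')."""
    src = ipaddress.ip_address(inner_src)
    allowed = any(src in net for net in _parse(peers)[peer_name])
    return "accepted" if allowed else f"dropped: unallowed src IP {src} from peer {peer_name}"


def trace_thread_scenario(freedombox_peers):
    """Walk the thread's 'traceroute 192.168.200.9' from the laptop through both directions."""
    # 1. Laptop: 192.168.200.9 falls in 192.168.200.0/24, so it goes out via wg0 to 'freedombox'.
    out_peer = route_outbound(LAPTOP_PEERS, "192.168.200.9")
    # 2. FreedomBox: the decrypted packet carries the laptop's wg0 address as inner source.
    inbound = check_inbound(freedombox_peers, "laptop", "192.168.200.28")
    # 3. Reply path: can the FreedomBox route 192.168.200.28 back into the tunnel at all?
    reply_peer = route_outbound(freedombox_peers, "192.168.200.28")
    return {"laptop_selects": out_peer, "freedombox_inbound": inbound, "reply_peer": reply_peer}


if __name__ == "__main__":
    print(trace_thread_scenario(FREEDOMBOX_PEERS_AS_SHOWN))  # inbound dropped, no reply peer
    print(trace_thread_scenario(FREEDOMBOX_PEERS_WANTED))    # inbound accepted, reply -> laptop
```

With the table as shown in the FreedomBox UI the packet is rejected on arrival, and even if it were not, no peer claims 192.168.200.28 for the reply; adding that address (or the laptop's internal /24) to the peer's AllowedIPs resolves both directions.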