I have three peers on a WireGuard network:
- Peer J is behind a standard corporate firewall blocking all outgoing UDP,
- Peer S is a server with static IP, and
- Peer P is my smartphone.
                 No UDP out;
                 so, UDP over TCP
+-----------+                 (Static IP)
| Peer J ---|--- Peer S ------ Peer P
+-----------+                 [Regular wg]
I want to connect peer P to peer J (so that P can ssh into J) via WireGuard, where J and S are connected by UDP over TCP (using wangyu-/udp2raw), while S and P have a standard (vanilla) WireGuard UDP connection.
Here's my attempt thus far:
Peer J
[Interface]
# PublicKey = E8K...
PrivateKey = ...
Address = 10.0.0.6/24
MTU = 1342
# udp2raw client: accept WireGuard's UDP on loopback and tunnel it as fake TCP to S:443
PreUp = /usr/bin/udp2raw -c -l 127.0.0.1:50001 -r <S's internet IP>:443 -k "secret" -a >/var/log/udp2raw.log 2>&1 &
PostDown = killall udp2raw || true
# Peer S (reached through the local udp2raw client, hence the loopback endpoint)
[Peer]
PublicKey = Yf3...
AllowedIPs = 10.0.0.0/32
PersistentKeepalive = 120
Endpoint = 127.0.0.1:50001
Peer S
[Interface]
# PublicKey = Yf3...
PrivateKey = ...
Address = 10.0.0.0/24
MTU = 1342
ListenPort = 80
# udp2raw server: receive the fake TCP on :443 and hand the inner UDP to WireGuard on 127.0.0.1:80
PreUp = /usr/bin/udp2raw -s -r 127.0.0.1:80 -l <S's LAN IP>:443 -k "secret" -a >/var/log/udp2raw.log 2>&1 &
PreDown = killall udp2raw || true
# Peer J
[Peer]
PublicKey = E8K...
AllowedIPs = 10.0.0.6/32
PersistentKeepalive = 120
# Peer P
[Peer]
PublicKey = wlx...
AllowedIPs = 10.0.0.19/32
Peer P
[Interface]
# PublicKey = wlx...
PrivateKey = ...
Address = 10.0.0.19/32
MTU = 1342
# Peer S (plain WireGuard over UDP, no udp2raw on this leg)
[Peer]
PublicKey = Yf3...
AllowedIPs = 10.0.0.0/24
Endpoint = <S's internet IP>:80
Problem: Peer P cannot ping peer J. But peer J can ping peer S and vice versa; and peer S can ping peer P and vice versa. The traceroute of P to J is:
traceroute to 10.0.0.6 (10.0.0.6), 30 hops max, 60 byte packets
 1  ip-10-0-0-0.region.compute.internal (10.0.0.0)  54.950 ms  54.063 ms  53.245 ms
 2  * * *
 3  * * *
So there is something wrong with the routing at S, but I can't figure out what exactly the problem is.
The problem was that J has
AllowedIPs = 10.0.0.0/32
in its [Peer] section for S, which means only traffic destined for 10.0.0.0 would be sent to S. In order for traffic destined for any host within the 10.0.0.0/24 subnet (such as 10.0.0.19) to be sent to S for further forwarding,
AllowedIPs = 10.0.0.0/24
should be used.
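To see why the /32 breaks the P-to-J path, it helps to remember that AllowedIPs is not only an inbound filter: on transmit, WireGuard picks the peer whose AllowedIPs contains the destination by longest-prefix match ("cryptokey routing"), and a destination no peer claims is dropped. The script below is an added example, not code from the question or the answer: it parses wg-quick style configs (constructed copies of J's and S's configs from above, with placeholder keys) and reports which peer a packet to a given address would be sent to, showing that 10.0.0.19 has no peer on J with the /32 and goes to S with the /24, while S already routes 10.0.0.6 and 10.0.0.19 to the right peers.

```python
"""Added example: simulate WireGuard's cryptokey routing for a given config.

Not part of the original question or answer. Keys are placeholders
(constructed), and the configs are reduced copies of the ones in the post.
"""
import ipaddress

# Constructed copy of peer J's [Peer] section for S, as posted (the buggy /32).
J_CONFIG_BUGGY = """\
[Interface]
PrivateKey = <J private key>
Address = 10.0.0.6/24

# Peer S
[Peer]
PublicKey = Yf3...
AllowedIPs = 10.0.0.0/32
Endpoint = 127.0.0.1:50001
"""

# The same config with the fix from the answer applied.
J_CONFIG_FIXED = J_CONFIG_BUGGY.replace(
    "AllowedIPs = 10.0.0.0/32", "AllowedIPs = 10.0.0.0/24")

# Constructed copy of peer S's config: one /32 per peer, which is fine for a hub.
S_CONFIG = """\
[Interface]
PrivateKey = <S private key>
Address = 10.0.0.0/24
ListenPort = 80

# Peer J
[Peer]
PublicKey = E8K...
AllowedIPs = 10.0.0.6/32

# Peer P
[Peer]
PublicKey = wlx...
AllowedIPs = 10.0.0.19/32
"""


def parse_peers(config_text):
    """Return [(public_key, [ip_network, ...]), ...] for every [Peer] section.

    Only PublicKey and AllowedIPs are read. AllowedIPs may be a comma-separated
    list and may be repeated inside one peer; both forms are merged.
    """
    peers = []
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            current = {"key": None, "nets": []} if section == "peer" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue  # [Interface] keys do not affect peer selection
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "publickey":
            current["key"] = value
        elif key.lower() == "allowedips":
            current["nets"].extend(
                ipaddress.ip_network(n.strip(), strict=False)
                for n in value.split(","))
    return [(p["key"], p["nets"]) for p in peers]


def select_peer(peers, dst):
    """Longest-prefix match of dst over all peers' AllowedIPs.

    Mirrors what WireGuard does on transmit: the peer owning the most specific
    matching prefix gets the packet; None means no peer matches and the packet
    is dropped (which is what J does to 10.0.0.19 with the /32).
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for key, nets in peers:
        for net in nets:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = key, net.prefixlen
    return best


def route(config_text, dst):
    """Convenience wrapper: which peer (public key) would this config send dst to?"""
    return select_peer(parse_peers(config_text), dst)


if __name__ == "__main__":
    for label, cfg in (("J buggy /32", J_CONFIG_BUGGY), ("J fixed /24", J_CONFIG_FIXED), ("S", S_CONFIG)):
        for dst in ("10.0.0.0", "10.0.0.6", "10.0.0.19"):
            print(f"{label:12} {dst:10} -> {route(cfg, dst)}")
```

Two caveats a practitioner checking this setup would add: the same rule applies on the return path, so P's AllowedIPs = 10.0.0.0/24 for S (already correct in the question) is what lets replies from 10.0.0.6 come back through S; and relaying between J and P only works if S actually forwards packets between its peers, i.e. IP forwarding (net.ipv4.ip_forward=1) and no firewall rule dropping forwarded traffic on S's wg interface. That forwarding requirement is a general WireGuard hub-and-spoke fact, not something the post states.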