This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

"Routed" mode results in inaccessible web #183

Closed
squromiv opened this issue Mar 26, 2021 · 11 comments · Fixed by #187

Comments

squromiv commented Mar 26, 2021

I managed to set up WirtBot; clients were able to ping each other and the server. The DNS server was also working.
Then I switched to "Routed" mode and had no internet access. Pages can't load. Ping between clients still works.
Checked on two different VPSs and setups.

@squromiv
Author

Am I the only person having such trouble? I tested again and had the same result.

Owner

b-m-f commented Mar 29, 2021

@squromiv I am looking into this.

Owner

b-m-f commented Mar 29, 2021

A little update.

As of WirtBot version 2 everything was moved inside of a Docker container. During this transition I missed adding a container-internal firewall to masquerade traffic when it is forwarded from other machines in the network.

The fix

This assumes the default subnet 10.10.0.0/24

  1. docker exec -ti WirtBot /bin/bash
  2. apt install iptables
  3. iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE

Problem before integrating this into master

The subnet is a variable in the system. This means that when routing is active, the appropriate iptables rule needs to be set for that subnet. In addition, the old one needs to be removed so that the iptables rules stay clean over time.

Suggestions for achieving this in the most elegant way are welcome.

The approach that I can think of off the top of my head:

  • On update parse the subnet from the config
  • Create backup of file /run/active-subnets to /run/active-subnets.bkp
  • Write new subnets to /run/active-subnets
  • Create an inotify service to check for changes on /run/active-subnets.bkp and remove the contained subnets from iptables
  • Create an inotify service to check for changes on /run/active-subnets and add the contained subnets to iptables

If no other solution comes along before the weekend I will implement it this way.

Until then you can manually fix your setup for now @squromiv

Owner

b-m-f commented Mar 29, 2021

Thinking about this a bit more, I think I will rather do this using nftables.

Author

squromiv commented Mar 30, 2021

> The fix

Thanks. It works! Also waiting for a global solution with Docker.

One more question. I can ping the WirtBot server by IP from clients. How do I ping clients from the server? It fails.

Owner

b-m-f commented Mar 30, 2021

Hi @squromiv

Pinging the clients should work. But ping is not part of the container.

If you want to use it, first install it with apt install inetutils-ping.

I have also found a better solution to the problem of this issue.

All traffic that enters via the WireGuard interface but is destined for another interface will be masqueraded. No need to care about the subnet variable.

The fix is done.

I will merge and release this as version 2.6.3.

Build should be automatically uploaded in a few hours
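One way to express the interface-based masquerading described in the comment above, written with nftables as an added example (not part of the original comments and not WirtBot's own code). The interface name wg0 and the table name wg_masq are assumptions; the ruleset covers IPv4 only.

```shell
#!/bin/sh
# Added example: masquerade by interface instead of by subnet.
# Assumptions: WireGuard interface "wg0", hypothetical table name "wg_masq".

# Accept only 1-15 characters from [A-Za-z0-9_.-]. This is stricter than the
# kernel's own limits and guarantees the name cannot inject nft syntax.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print a ruleset that masquerades only packets which entered through the
# WireGuard interface and leave through a different one. Traffic between
# peers (in and out on the same interface) keeps its source address.
wg_masq_ruleset() {
    iface=$1
    valid_iface "$iface" || { echo "invalid interface name" >&2; return 1; }
    # add + delete + re-create: reloading replaces the table atomically
    # instead of stacking duplicate rules, so no stale entries remain.
    cat <<EOF
add table ip wg_masq
delete table ip wg_masq
table ip wg_masq {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        iifname "$iface" oifname != "$iface" masquerade
    }
}
EOF
}

# Load the ruleset in one transaction; needs root (CAP_NET_ADMIN) and nft.
apply_wg_masq() {
    rules=$(wg_masq_ruleset "$1") || return 1
    printf '%s\n' "$rules" | nft -f -
}
```

Running `nft list table ip wg_masq` after `apply_wg_masq wg0` shows the single rule, and because the match is on interfaces, a change of the VPN subnet needs no rule update.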

Owner

b-m-f commented Mar 30, 2021

Please note that

    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0

needs to be added to the docker-compose file for proper IPv6 support.

This is added to the setup documentation as well.

@squromiv
Author

> Pinging the clients should work

Server subnet IP: 10.10.0.1
Client subnet IP: 10.10.0.2

On the client I can successfully ping 10.10.0.2 and 10.10.0.1. On the server - nothing. Even ping 10.10.0.1 fails.

Owner

b-m-f commented Mar 30, 2021

Strange. Please wait for the new version and try again on that one :)

Just worked for me without any problems

Author

squromiv commented May 3, 2021

Did you change something connected with this option in v 2.6.9? The issue seems to have returned.

Owner

b-m-f commented May 3, 2021

Hmm, shouldn't be.

The only things that were changed are the QR code and some dependencies.

I will be super busy this week, but I hope to get the weekend to investigate the issues you found!
