About Nested Tunnels

Question

About Nested Tunnels

Sunr0 opened this issue 2 years ago · comments

Regarding Nested Tunnels, I still don't quite understand how to add configuration and Endpoint settings to the client's conf file. Can you explain in detail?
My operation is to generate a config that does not contain Endpoint, and then specify the --endpoint on hop2 as the ip of hop1
Then I don't know how to operate

Luke Rindels · Answer 1 · Tue Dec 13 2022 15:03:38 GMT+0800 (China Standard Time)

Currently he handshake has to be initiated from the client when doing nested hops. This means you can't use the --endpoint argument when running ./wiretap configure on the client or ./wiretap serve on hop 2.

Instead, when you run the second ./wiretap configure for hop 2 from your client, you take the resulting config file and add the Endpoint Line to the peer section:

# wiretap_1.conf
[Interface]
PrivateKey = <private key>
Address = 192.168.0.2/32
Address = fd::2/128
ListenPort = 51821

[Peer]
PublicKey = <public key>
AllowedIPs = <routes exposed by second hop>
### Manually add this line:
Endpoint = <ip of hop 2>:<port>
###

Then you can bring up the second tunnel with wg-quick up./wiretap_1.conf or whatever WireGuard client you're using. This causes your WireGuard interface to initiate the handshake through the first hop.

Happy to clarify more if needed!

Sunr0 · Answer 2 · Tue Dec 13 2022 16:57:45 GMT+0800 (China Standard Time)

I generated the corresponding configuration file as you said, and added the Endpoint field.

I first execute wg-quick up ./wiretap.conf and everything works fine, execute wg-quick up ./wiretap_1.conf but report an error RTNETLINK answers: File exists.

wiretap is from client to hop1, and wiretap_1 is generated using wiretap configure --port 51821 --routes <routes exposed by second hop>.

Is there something wrong with my operation.

Sunr0 · Answer 3 · Tue Dec 13 2022 17:00:09 GMT+0800 (China Standard Time)

wiretap.conf

[Interface]
PrivateKey =<private key1>
Address = 192.168.0.2/32
Address = fd::2/128
ListenPort = 1080

[Peer]
PublicKey = <public key1>
AllowedIPs = <routes exposed by second hop>

wiretap_1.conf

[Interface]
PrivateKey = <private key2>
Address = 192.168.0.2/32
Address = fd::2/128
ListenPort = 1081

[Peer]
PublicKey = <public key2>
AllowedIPs = <routes exposed by second hop>
Endpoint = <ip of hop 2>:<port>

Luke Rindels · Answer 4 · Tue Dec 13 2022 22:13:16 GMT+0800 (China Standard Time)

Looks like you're almost there. That error is likely because the routes in your two configuration files overlap. Make sure wiretap.conf only has the routes exposed by the first hop and wiretap_1.conf has routes exposed by the second hop.

If you don't include the -d option to wiretap configure, an API address will also be included. I bet you just need to remove a::/128 from the AllowedIPs of wiretap_1.conf

Sunr0 · Answer 5 · Wed Dec 14 2022 10:40:59 GMT+0800 (China Standard Time)

Congratulations, I have successfully implemented it according to what you said. It is a great tool.

I hope that we can specify the listening port of the server through parameters.

However, the client should not be able to work normally without a public IP. haha

Luke Rindels · Answer 6 · Wed Dec 14 2022 10:43:41 GMT+0800 (China Standard Time)

Great! Glad it worked. I plan to add better support for nested/multi-hop tunnels in the near future.