
Nat Routing

Open netermin opened this issue 2 years ago • 16 comments

Hello, how can I enable NAT Routing? Thanks

netermin avatar Mar 20 '23 16:03 netermin

Hi @netermin,

What happens when you try to press "Enable NAT"?

micahmo avatar Mar 20 '23 19:03 micahmo

It is disabled.

netermin avatar Mar 20 '23 21:03 netermin

From the machine where I have installed the WgServer I cannot access the computer that has the client installed, but from the client it was able to access the WgServer. I hope you can help me.

netermin avatar Mar 20 '23 21:03 netermin

How are you trying to access the client? You should be able to use the IP address within your WireGuard server's address range (e.g., 10.253.0.2). But it's very hard to tell what you're trying without more details.

micahmo avatar Mar 21 '23 12:03 micahmo

I have configured the wgserver on node 1 and the client on node 2. From node 2 I can access all the resources that are connected in the same network as node 1, but from node 1 I cannot access the computers that are in the network of node 2, including by RDP connection.

netermin avatar Mar 23 '23 08:03 netermin

Are you saying you can access the client itself but not any other devices on the client's local network?

To be honest, I've never tried to use WireGuard in this way. You could try looking it up, but a lot of the answers I found are related to setting iptables on Linux. You'd have to find a way to route requests to the client's subnet through WireGuard on the server.

You might have better luck with something like Tailscale (a cloud-hosted service on top of WireGuard) and their subnet router feature.

Sorry if that's not the answer you were looking for! It's an interesting use case.

micahmo avatar Mar 23 '23 14:03 micahmo

Hello friend, from the computer where I have configured the client I can access by RDP the computer where the wgserver is and all computers on the same network as the wgserver, but from the wgserver I cannot access the client.

netermin avatar Mar 24 '23 07:03 netermin

Hi @netermin, I'm sorry I don't quite understand.

  • Are you trying to access just the client machine? Are you using its IP address within the WireGuard network subnet? I have not had a problem with this, so if it's not working, maybe there's a problem with firewall or similar.
  • Are you trying to access other machines on the client's LAN? I don't know if this is supported by WireGuard (at least with the limited amount of routing available on Windows).

Without more details or screenshots or specific steps that you've tried, I'm not sure how else to help. Sorry!

micahmo avatar Mar 24 '23 11:03 micahmo

Hello,

What are the conditions for this to work both ways?

I noticed that there was no ip on the WG interface on the server side and I assigned one manually, normal?

Thanks ;-)

mycanaletto avatar Jun 06 '23 16:06 mycanaletto

Hi @mycanaletto! When you say "both ways", do you mean for the server machine to access machines on the client's subnet? Again, I'm not sure if that's possible. Although WireGuard claims to be a serverless network of equal "peers", it still seems like "clients" connect to one "server" and have access to that server's network, but not vice versa. You could use a tool built on top of WireGuard like Tailscale to accomplish what you want.

> I noticed that there was no ip on the WG interface on the server side and I assigned one manually, normal?

That's fine, but not necessarily normal. The "NAT Routing" command in the UI is supposed to assign the IP. Maybe similar to #118, although in that case the WireGuard adapter was getting a random IP.

micahmo avatar Jun 06 '23 17:06 micahmo

Thanks for the quick answer.

I only want to be able to access the client from the server (not the client's network).

The client must only access the server, and the server the client.

Do I need to activate NatRouting for this?

I know Tailscale, but I can't set the MTU...

mycanaletto avatar Jun 06 '23 17:06 mycanaletto

Maybe that's the problem? Why not put /24

image

mycanaletto avatar Jun 06 '23 18:06 mycanaletto

> I only want to be able to access the client from the server (not the client's network).

I believe that's possible. At least I know I can ping back to the client.

image

Allowed IPs has a different meaning on the server and the client. In that case, that's the server telling you what IPs the client is allowed to connect from, which corresponds to the Address field in the client config. So that looks fine to me.

I'm guessing you've tried pinging 10.10.10.2 from the server and it doesn't work?

micahmo avatar Jun 06 '23 19:06 micahmo

Yes, so I uninstalled and redid with only the standard WG client, and now it works.

Ping Client to Server: ok
Ping Server to Client: ok

mycanaletto avatar Jun 06 '23 19:06 mycanaletto

Enabling NAT broke my first server, which after a reboot has no network.

What does this command do and how can I get it back?

mycanaletto avatar Jun 06 '23 22:06 mycanaletto

Enabling NAT runs the following commands. Essentially it deletes any existing and then assigns a new IP address to the wg_server interface. Then it removes any existing and then creates a new NAT routing rule for that address. If you want to clean up what it does, you can run just the remove commands.

Remove-NetIPAddress -InterfaceIndex <WireGuard interface index>
New-NetIPAddress -IPAddress <Server Address> -PrefixLength <Server Subnet> -InterfaceIndex <WireGuard interface index>
Remove-NetNat -Name wg_server_nat
New-NetNat -Name wg_server_nat -InternalIPInterfaceAddressPrefix <Server Address>

You can find the exact code in this method.

https://github.com/micahmo/WgServerforWindows/blob/913f6a298f5d285a5bc62ec728a18116c987c648/WgServerforWindows/Models/NewNetNatPrerequisite.cs#L75

micahmo avatar Jun 07 '23 02:06 micahmo
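
The commands listed in the comment above change two things: the IPv4 address bound to the WireGuard adapter and a NetNat rule. The following script is an added example (not part of the thread and not WgServerforWindows code) that reports both and only removes them when asked; it assumes the adapter alias is wg_server and the NAT rule is named wg_server_nat, as the comment names them.

```powershell
#Requires -RunAsAdministrator
# Added example: review, and optionally undo, what "Enable NAT" configures.
# Assumptions: adapter alias 'wg_server' and NAT rule 'wg_server_nat',
# taken from the comment above; adjust if your installation differs.
param(
    [string]$InterfaceAlias = 'wg_server',
    [string]$NatName        = 'wg_server_nat',
    [switch]$Remove          # without -Remove the script only reports
)

$addresses = $null
$adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction SilentlyContinue
if (-not $adapter) {
    Write-Warning "Adapter '$InterfaceAlias' not found; is the WireGuard tunnel running?"
}
else {
    # IPv4 addresses currently bound to the tunnel interface
    $addresses = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex `
        -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $addresses | Format-Table IPAddress, PrefixLength, PrefixOrigin, InterfaceIndex
}

# NAT rule that New-NetNat would have created
$nat = Get-NetNat -Name $NatName -ErrorAction SilentlyContinue
if ($nat) {
    $nat | Format-Table Name, InternalIPInterfaceAddressPrefix, Active
}
else {
    Write-Host "No NAT rule named '$NatName'."
}

if ($Remove) {
    # Same two remove steps as in the comment, scoped to what was found above
    if ($nat)       { Remove-NetNat -Name $NatName -Confirm:$false }
    if ($addresses) { $addresses | Remove-NetIPAddress -Confirm:$false }
}
```

Run it once without -Remove and keep the output, so the previous address and prefix can be reassigned if needed.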