#networking

Hi blob

wot

really

Anyone know how to use a dd-wrt router as a wireless adapter?

Want to connect this old dd-wrt 100mbps router to my main wirelessly, but I seem to be getting something wrong

Nobody used the torrent feature

I'm running 7.0beta4 at home

We deployed a bunch of the RB3011's to customers, they are an older model now

we also deploy hEX S units, but they are for different purposes

At home I run an RB4011 with wifi

they are coming out with the ax wifi (wifi6) functionality rather soon

probably next month or two there will be a testing release

I'm actually quite happy with ROS 7 beta4 at home

on my RB4011

Wireguard VPN is working excellent, and I haven't had any instability

I've had a couple minor bugs, but no unexplained reboots etc. that were typical with earlier RouterOS v7 beta versions

My home router and all APs are running on RouterOS 7 beta4 now

for the past few weeks

Watching YouTube learning how to do policy routing on mtik his accent gosh.
Abu!

policy routing isn't difficult - the only difficult thing is figuring out the logic - it is really easy to make a mistake and accidentally policy route traffic that you don't want to

Ya I know I just not familiar with routeros

the commands are easy, it is the logic that is tricky

I moved from fortigate

I know fortigate really well too, I manage quite a few fortigate devices

the problem is that when you use policy routing especially on MikroTik, it basically ignores the regular main routing table, including what subnets the router has

so your policy routing rules can send traffic that matches an interface that the router has as a local interface, and send it back out

I know too but it started to do some problems my units are not new, second handed fg

creating a loop instead of delivering it as you want

So I bought new hex-s

so you need to make sure that any policy routing rules you use are not going to send traffic that should be delivered locally to the router back out to some other router

for instance, if the router has an IP 192.168.1.1/24 and there is a packet arriving at the router destined for 192.168.1.2

I know how to use policy route just not familiar with routeros xD

the policy routing doesn't check the main routing table

so you could end up sending that packet back out the interface it came in and you end up with a mess

I'm testing my gre tunnel on specific machine on my network

There is a specific command for policy route in mtik?

Or via gui or something?

Hey, I'm running stock drivers for my integrated network port but I'm getting dummy slow downloads on the browsers (unless I do another download on top of the first one which is really wierd) can I get some clues on this??

With MikroTik you can do almost everything through the winbox gui

there is almost nothing that you have to actually go to the command line to do

it is a blessing and a curse, because it means that the GUI is almost overloaded with options

so for people new to it, it can be overwhelming, but I like having all of the options shown to me in the GUI

@rocky badge what's with the extremely low quality threads in r/sysadmin lately? Wondering if some mod that cared about it quit

Policy routing is accomplished via '/ip firewall mangle' rules

Lol idk

action either "mark routing" or "route"

mark routing and route are different from each other

mark routing allows you to set the packet matched by the mangle rule to use that routing table where you specify the name

route means the packet must go to the next hop that you specify in the mangle rule

route can be easier if you are just doing a really simple policy based routing config

but generally you will use mark routing and specify the routing table name

I do a simple routing

@tender hazel in chain option I need to choose forward right?

no

@lean pebble for chain you have to use either prerouting or output

depending on what traffic you are trying to policy route

the mark routing rules only work with those two chains

Can't prerouting

why can't use you use prerouting?

Not letting me apply the rule with it

what is the error message?

How do I add routing mark?

ok right

so the problem is that you are trying to tell it to match packets that are supposed to be sent to a particular outgoing interface

but in prerouting it is happening before it decides what outbound interface the packet will be sent from

that's why the outgoing interface matching is not possible

you need to use criteria other than outbound interface to match the packet

Ok

for policy routing you can only use two chains - prerouting or output. Output chain only affects packets sent by the router as the source, prerouting is for packets sent by other systems routed through the router

Output works prerouting doesn't.
So prerouting happening before it decides to what interface it goes

in most cases, most of what you will want to do with policy routing matches only prerouting and not output

output only matches traffic that the router itself originates

for instance, if you use the router to ping something on the internet, that will match the output chain

if you use the router to create a VPN tunnel with another router on the internet, those VPN packets will be output chain

I need to use the policy route for specific machine for sending the traffic to my tunnel

if you use the router to create GRE packets to send to another router, those will be output chain

My gre tunnel is centos machine

Already configured and working perfectly the only problem I have is with mtik

what is your setup? MikroTik<-->CentOS?

for GRE?

Ya

you are establishing GRE tunnel between mikrotik and centos?

They both can talk and sending packets if I use regular routing but I need here policy route

Yap

ok, and the packets you want to policy route through the mikrotik, do they originate from the mikrotik, or are they routed from something else?

Going through the mtik to my centos gre tunnel

The issue is when I enable it my vm that suppose to connect via the gre have no internet because miss configuration on my mtik

right, so you do need to use the prerouting chain

but you can't match the traffic on outbound interface

you have to match via something else

Via destination address?

in any chain you can match based on source or destination IP address or address list

so that is a safe workaround

Ok

So I do source address and destination address right ?

it depends on your situation - you are specifying what criteria should be used for matching packets that should be policy routed

you'll only want to match packets that should override the normal routing process

Let's say my internal network 10.0.20.11 my vm ip, my internal gre ip is 10.70.1.1 centos machine, mtik gre tunnel internal IP 10.70.1.2

I'm afraid I don't entirely understand your setup

you have a VM 10.0.20.11, and is the centos machine or the mikrotik router on that network?

I have my mtik and centos server that used as gre

yes I understand that

Yap

but which?

10.0.20.1 is my home network

Gre tunnel is external vps in the cloud

ok, and which device is on your home network? the centos server or the mikrotik?

With internal IP 10.70.1.1

My mtik on my home network

ok

so it is really like this

VM 10.0.20.11 <--> MTik 10.0.20.1 <--> MTik (same device) 10.70.1.2 <--> Centos 10.70.1.1 <--> (some other network)??

Ya

Centos machine have the public IP address and the internal IP address

what is the reason you are using policy routing in this scenario?

For passing specific machine traffic to the gre tunnel

That's how I did it on my old fortigate and it worked

right but, is there some traffic from the VM 10.0.20.11 that you don't want to go across the GRE tunnel, or do you want everything to go across the GRE tunnel?

Nope

For now practicing with passing all the traffic from this machine

so then your mangle rule has to match only source address

chain=prerouting

src-address=10.0.20.11

Ok

action=route

route-dst=10.70.1.1

oops that last line may be incorrect

there sorry, fixed

With passthrough?

chain=prerouting src-address=10.0.20.11 action=route route-dst=10.70.1.1

passthrough depends

whether you want future rules to match that traffic too

or whether you want it to stop processing once it hits that mangle rule

Ok

I added this rule I hope I did it right

Mangle - prerouting - src.address 10.0.20.11 - action - route - route.dst 10.70.1.1

yes

I still get my real external IP on my vm at home

in your ip firewall filter tab do you have a "fasttrack" rule?

Yap

But I disabled it on the gre interface

what do you mean by disabled on the gre interface

I have interface that called gre-new that pointing from my external IP address to my gre vps in the cloud

right but how did you "disable" the fasttrack rule for that interface?

Removed the V from it

removed the V?

Ya

Let me take a pic of it

Fast truck and fast path are the same ?

no

fast track and fastpath are not the same

Oh

No nevermind

My bad 😆

look in ip firewall filter, see if you have a rule with action fasttrack connection

I have

in winbox it will look like that

disable it

Ok

fasttrack is great but disables a bunch of other features and you might need one of those in this case

go to ip firewall connections and select all connections and delete them with the minus sign

It'll not break anything right ?

Only removing old sessions

it won't break anything - disabling fasttrack connection rule is safe, and deleting the connections just clears your current connections, so you might lose connection to discord and any file transfers that are going on but they will reconnect

They'll reconnect with the same IP they had right ?

yes

Ok good

It's morning here that's why I'm asking we're working from home

Idk why but with mtik my gre tunnel is slower than it was before

Much slower

slower compared to what?

To what I had with my old fortigate

run a few speedtests over it and see what the results are - it may have to do with TCP MSS clamping

Ya that's it, when I disabled it I finally could ping from my vm directly to my internal vps gre IP 10.70.1.1

Only fixed the ping surfing still slow af.

what ping latency are you seeing?

to the target website

To my mtik via 10.70.1.2
100+ ms

To my vps 59ms

yeah so 100ms and higher is a fairly high latency

but you are saying that if you ping the centos server outside the GRE tunnel it is 59ms

and if you ping inside the GRE tunnel it is 100+?

10.70.1.1 is my internal centos gre tunnel

10.70.1.1 is at the VPS though right?

If I ping from my home 10.0.20.11 I get 59ms
If I ping from my windows vm to my mtik via 10.70.1.2 I get 100+ms

Yap

yeah so that is not normal latency, but I'm not exactly sure where the issue is

Weird from other device on my network that not forwarded by the gre tunnel when I pine 10.70.1.2 that's works great

I’ve been talking to Xfinity about Gigabit Pro

I wish I had gigabit

My bill only increases something like $25 from my $250 to $275

I’m lucky enough to have gigabit and be in their service around for 2 gb up/down

What are the benefits of pro?

2 gb up/down and like 5ms response time to major service providers

Anyway, I thought it was something like an additional $300 on top of what I pay

aka not worth it

but if I just have to rack the juniper switch myself and set it up on my own, I only have to pay $500 for them to run the fiber from the utility pole to my basement

Onetime fee ?

I wish in my country I could pay them to put a fiber to my house but they don't want to do it

Yes

That’s the fee for them to run the fiber to my basement

Nice

Hmmmmmm

I need to resist

Must resist

Lol

https://tenor.com/view/thirsty-spongebob-i-dont-need-it-sweat-gif-5031443

Nice that you can pay for them to put a new fiber to your basement

Here even if I'm telling them that I'm willing to pay they resist

Hmmm

Going to have to think if I want to do this

But yeah I’m super surprised I even have this available

I live very rural and the chances of this fiber being on my road and not on a separate run is luck beyond me

Actually

its 2 Gig/2 Gig on the fiber PLUS

1 Gig/1 Gig on the RJ45 handoff

1 gig line, yeah

you get a total of 3Gbps service

Which is pretty fucking nice

PLUS a super swanky Juniper switch

That's a $9k switch

But 300 a month is oof

Xfinity Gigabit Pro is actually pretty nice

No idea why the hell they would give that to rent lmao

They priced it for me as only a $25 price increase

For 3Gbps, static IPv4, static IPv6 /48

From my current $250 to $275, and $500 one-time install fee

I pay $49 a month for gigabit up and down tho

$300/mo for 3Gbps = $100/gig/mo

with extra added on 😛

Yeah but this is a dedicated fiber line direct to the Comcast switching point for the town

That's probably GPON anyways

This isn’t no GPON lol

This is dedi..

yup lol

you won't be sharing that fiber connection

its basically a business offering for residential

if this was sold b2b this would probably be $1k a month

or more 😂

inb4 pretend to be residential and get this for your business

ahhhh why did they have to price this mildly within my price range

like now that this is attainable this is now going to be in the back of my head

😂

What router are you gonna use

I’ve already got a whole udmp setup

nicee

I’m moving all of my things downstairs into my basement with a 24u rack

There's one guy in another server with 10 Gig service with a UDMP....lol

I picked up an R420 and my server rack will start to fill

it actually pushes 10 gig nicely

And a mk 24 port routeros switch

oh nice lol

Yeah

Who has 10 g up/down?

I've got a R620...but no rack 😦

They’re probably in Colorado with that isp

Someone else from another server

Nah they're in Georgia

Hm alright

Metro area probably

They get it for free since they helped an ISP acquire a deal with their apartment complex to provide internet services

How well does udmp take a 10g WAN?

pretty nicely

% usage?

not much

its hardware accelerated

I guess they don’t use much of their bandwidth

Ah alright

plus yeah trying to find something on the WAN to saturate it for a while lol

Daily backups to a google drive lol

lol

My only wish with the udmp is that the ports on it were poe

Or at least 4 of them

lol

Most people I know just either do SFP+ out to a switch or single gigabit port to a switch

Yeah, I’ll be running a DAC to my mk switch

If I do a 10G backbone for my home network then I’ll get some backbone aggregation switche

Nexus 6064 or something probably

nice

6064?

Idk

I know the product name ends in 64

Might be 3064

Yeah that’s it

Sell for cheap enough on ebay, could probably save up for it

ah yea

I’d have to implement this anyway if I do upgrade my internet

I only run on 1G at the moment at home

https://i.ebayimg.com/images/g/ntgAAOSwMexfFdj7/s-l1600.jpg

oh my god that's perfect

Pure SFP+

I don’t think it’s under licensing anymore either

yea

Idrk at the moment though

I’ll have to look into see if I can afford any of this

I need a rack first tho lol

My servers are just sitting on a table

Yeah lol

Is it 2u or is that 2 servers?

2 servers

R620 and DL360p G8

Are you in the US?

ya

Check with Xfinity to see if they have their gigabit pro available at your address

You might be surprised lol

they don't

Xfinity isn't even near me

Ah alright

I've been looking at startech's 42u rack lol

Do you plan to use that much rackspace

no

I just want 42u 😂

lol same

I thought of getting that same rack but I realized it’s sort of cumbersome and too large

Networking at the top back

0U PDUs fit in 42us

I picked up a 24U since if I need more I’ll just put it in another rack

Ah alright

I've got Spectrum, AT&T fiber, and a municipal fiber ISP to choose from here

AT&T fiber GPON?

So Spectrum pissed us off, so now we're on municipal fiber

Yeah

1G up/down max speed I’d guess?

yeah

The municipal ISP said they do active ethernet for business

but GPON for residential :(

If you work from home, would that qualify as a business? 🤔

They'd probably install business services if you asked

Business service still 1G?

Yeah

Yeah probably not much benefit then

There's no blocked ports, besides the normal SMTP, NetBIOS, etc, and no data caps for any of the services lol

Oh alright

Well I guess that’s good then

And I can get multiple IPs on residential anyways lol

There is absolutely zero fiber in my area besides this

rip

Comcast is the only good ISP for me, all others are satellite

but at least its nice fiber

yeah

and not too much more than your current plan

I was really surprised

I’m glad I inquired more this time rather than rushing off last time

lol

Basically you can pay for them to setup the Juniper switch which acts as the termination point for the fiber

It’s an additional $500

Or just do it yourself and you save that

lol

Since the fiber is located already on my road outside my home and they don’t need to run it from another endpoint I only need to pay $500 for them to run it from the telephone pole into my basement

Do you know JunOS

Never used junos before lmao

lmao

But who says you can’t do anything when you have #networking and r/homelab lmao

lol

I know there's some juniper users here

Not sure if I’m 100% correct on that activation fee details though

Agent was definitely referencing some guide or something lol

Lol

They might set it up even in that $500 install fee idrk

They list an install fee and an activation fee

Install fee I’m 100% sure is for the running of the fiber into the home

yeah

Not really sure what the activation fee covers or if its optional

Here now they finally published the prices for fiber installation.
Gpon connection direct cable 700$ for private houses

https://medium.com/@Gtwy/comcasts-2000mbit-fiber-to-the-home-f106d64d5f51

Because they're pulling the fiber from the street and splicing it

Not sure if that’s accurate still

Yeah

Agent was telling me other things or was just confused

Oh yeah

This one's 2020 https://todayamerican.medium.com/the-definitive-guide-on-how-to-get-xfinity-gigabit-pro-2gbps-up-down-residential-internet-42605c8e86fe

4 year old article

Doubt that’s still 100% accurate

yeah

lol $700 for gpon install

we paid $0 for our gpon install

Ya

In Israel for private houses they charge 700$

For installation

Even if you already have the fiber in your neighborhood

Idk, agent told me $271.45 new monthly pricing, which is about $25 up from my current $250

I explicitly asked her if she was referring to the 2 g up/down gigabit pro and she confirmed

The $271.45 includes me keeping the TV and home phone

niceeeeeee

How do they do TV then

Still goes over coax

Since its usually over coax, do they keep that live?

Ah yeah

Yeah

They probably push the fiber through the existing coax conduit

Municipal ISP offers TV

idk what it is tho

Over fiber, yeah

Idk if its IPTV or RFoG

Some ISPs do that with their triple play fiber GPON

I know there are some models of ONTs that do coax TV but I don't have that

Well in the gigabit pro it’s not a GPON connection so there is no ONT

We just have Internet and phone 🙄

Yeah

YT TV for TV lol

It was cheaper for me to get Internet, TV, and phone than just internet and TV

I don’t need the phone but I have it anyway since it lowers the bill a bit

So they still have the bundle deal with gig pro?

The pricing isn’t public

I guess they do

Yeah my grandmother is on Xfinity and she quad plays 😂

What’s the fourth?

Removing phone makes everything go up

Security?

yea

I guess they’ve changed the way the pricing works for gigabit pro

400Mbps, TV, phone, security

she doesn't need 400Mbps for what she does

Idrk how it works but all I know is for my situation it would be that $25 increase per month and $1k upfront for install and activation

wow

So it’s just whether I can stomach the upfront costs and probably a new switch

dooo it

If I had gig pro

I'd totally just give my servers the gigabit line

I guess they wouldn’t care if you self hosted applications since it’s not really a residential line lol

So they have their own gigabit connection 😂

lol yeah

they already don't really care on residential iirc

Could just wireguard tunnel my servers to an EC2 instance

Yeah unless if you do an absolute ass load of bandwidth

yeah lol

But then I’d have to buy 2g or 10g cards for my computer and my servers

And a 10g switch

Hmmmmmm

lol

I think steam is downloading updates...

Haha probably

Steam is ruthless with bandwidth

ISPs HATE him! Click here!

yeah....

oh my god lmao

What are you using to monitor your traffic?

That's pfSense

Ah alright

I plan to spin up a pfsense VM on my server once it’s in the rack and use the secondary lan port on the server for a testing network

nice

Hey all, I have a vps that I want to connect to with my phone

I have my ssh key added on my pc but idk how I would add my phone

Use an app that allows you to use a ssh key for ssh

Termius, Juice SSH, etc

Yes, I got that

Termius asks for a private key

How would I access my private key on my vps?

you don't store the private key on the VPS

You only store the public key

And then your private key stays on the SSH clients

Oh

What should I put in the "private key" space then?

Your private key

But where do I find that

https://tenor.com/view/stay-calm-breathe-spongebob-gif-20157414

you generated it when you setup the keys

ssh-keygen?

yes

So I just search for my private key on my pc then, right?

yes

Says can't recognize format of key..

Nice

I figured it out tho

Just generated a new key in the app and added the public key in my vps

Are the ethernet ports somewhat capped in bandwidth? In terms of your task Manger tells it receives 40 something mgps but everything else that does downloads only hits max 6 mbps?? Is there any kind of fix or am I just stuck with a slow connection?

Any suggestions for best cat 7 ethernet cable

@glacial cedar cat7 is unnecessary

@slate sonnet Nice. Yeah you should generate one key file per device. This is useful.
When the device gets stolen and thus the key becomes compromised. You can easily revoke access by removing the public key from your vps.

Unlike passwords, which are a universal entry for anyone..

Yeah

Atm trying to add a wireguard connection to my linux install

So far so good

@slate sonnet learning the ropes

nice

@thick minnow ethernet operates at set speeds. Link speed is either 100M or 1000M

Windows is too much of a memory hog to be used as a minecraft server lmao

4gb of ram usage at idle and I'm trying to run mods

@thick minnow if you have less than that, you probably have a bottleneck elsewhere

@slate sonnet yep, windows not really ideal for hosting services on

@slate sonnet https://i.imgur.com/oWEZDbr.png

:D

Damn

30 days uptime

Nice

that's nothing

xD

@slate sonnet https://i.imgur.com/hXJufWh.png

Damn

Why is a system restart required? To update the kernel?

I'm assuming

yeah kernel upgrades

but its on 5.1.11

good 'nuf

Btw

I only do restarts to apply kernel patches if there's a critical security vuln

On my ssh key it says "scratch@scrublinux"

and the only security hole on my machines this year was the sudo exploit

When I did ssh-keygen

Do I have to add that too?

@slate sonnet yeah its common to have an email address associated with an ssh key

so you know what key is whose

I want to add this linux install to the list of auth devices

cat ~/.ssh/id_rsa.pub

copy pasta

No, my question is do I have to keep the "scratch@scrublinux" at the end

Or just copy paste the key without the end

that's part of the key yeah

Oh okay

@slate sonnet its used as identification

like on github, when you sign off on a commit

you do so with your private key & email

Huh, never knew

Now I know lol

@slate sonnet the email doesnt have to be valid

just, for ssh keys that you use with services like git

you should use valid emails for those

@slate sonnet it comes from old school computing :)

when people first started using keys, they used it to verify authenticity

and in the context of the linux kernel, it was used to keep in touch with maintainers of code

because every line of code on the repository, has an ssh key that signed off on it

and thus, if you need to contact said person who wrote the code, you can always send them an email

Huh, that's neat

That's why there's an @ in the middle of stuff?

yeah email is foo@bar

Like root@1.2.3.4.5

For example

nah, its hostname

Oh

Ahhh

Understand now

technically root@localhost is a valid email address

realistically, you'll never be able to send an email to localhost

@slate sonnet all of this has to do with URLs

https://i.imgur.com/isBEjic.png

this scheme applies to pretty much any form of resource identification

so for ssh you'd have something like: ssh://user@host

you can even point to a file on the remote system like so: ssh://user@host/path/to/file.txt

ftp://anonymous@host/foo.txt

http://host/foo.txt

etc.

Copying and pasting ssh keys is a pain when you have 2 systems on 1 pc

I just upgraded my modem/service at home and now I have IPv6 on my mikrotik router without having to tunnel

@tender hazel nice, ND with SLAAC?

I use SLAAC for local IP addressing yes, but I get a prefix from my ISP through DHCPv6 prefix delegation

I removed the v6 tunnel on my network. Because netflix on v6 thinks I am from united states...

@tender hazel what kind of prefix do they assign? /48 ?

I had to specify a prefix hint of ::/56 to get a /56.... by default they gave a /64 which is not great

well, a /56 is at least better than nothing :)

a /56 is just fine, it gives me addressing for up to 256 VLANs at home

I can't see myself needing anywhere near that number of VLANs at home anyway

I have like 10 vlans here

my ISP doesn't do dualstack yet :(

I'm just glad I got a /29 (v4)

before I was tunneling v6 from my friend halfway across the country, not from HE or whatever

he runs a v6 tunneling service

the only issue that I had was that it messes up geolocation

so I would go to google and type restaurants near me and get the geolocation for where he lives

@tender hazel that's exactly my issue

and it's a bit slower than native v6 from the ISP

except, I noticed it while watching netflix

suddenly, the page refreshed and it was like: YO. this TV series is not available your country

heh yeah, I had to stop using HE for IPv6 because netflix started flagging their tunnelbroker service as a VPN and I couldn't watch netflix at all with IPv6 enabled

I ordered one of those big outdoor antennas from mikrotik

gonna see how good they are at range

which ones?

metal 52ac

I need to help my dad out, setting up a big public network

its pretty sweet, the camping he operates is getting fiber optics soon

so we can finally ditch the ripoff-ISP, and go lightspeed

and offer every camping guest decent wifi

the only issue with the metal 52ac (and it may not be an issue depending on your setup) is that it can't supply 2.4ghz and 5ghz at the same time

@tender hazel I'm aware

Its going to be used as a 2.4GHz AP

I'll be using them in central locations to provide wide range coverage

in high density areas such as the terrace near the bar and restaurant

I'll be putting one of those 5GHz sector antennas

@tender hazel https://mikrotik.com/product/RB921GS-5HPacD-15S#fndtn-gallery

Not sure what to get yet.. but something like this ^

but every pole will have one of those big omni directional antennas with 2.4

and 5GHz sector in some high density areas

@tame carbon in order to add my "second pc", all I have to do is add another line in postup and postdown rules with the ip of my linux install and configure wireguards allowed ips?

And add the public keys so that I connect to the vps with wireguard

@slate sonnet uhhhhh

Im not sure if we need a 2nd tunnel for that

idk enough about wireguard

Wait, can't I just reuse the 10.0.0.2 ip that I have on my windows install?

@slate sonnet you can only have a single client connected at this time

if you want to have multiple devices

you need to add a 2nd [Peer]

to your config

Well I mean I can't have 2 os's running at the same time

oh, dual boot config on same machine?

Yup

@slate sonnet still, you'll have two different keys

Yeah

you just create another [Peer]

with the same address

Okay

different key

just try, see if that works xD

Yeah, no harm in trying

@slate sonnet quick google search says: yeah this should be how its done
https://i.imgur.com/RDB4vBV.png

That's the server config or client?

server config

remember, the server needs to know the public key of the client that connects

This is so annoying on linux

@tame carbon you said that you had a tutorial written down or something, right?

what?

To do the wireguard stuff

which part?

I mean, you have the link to the tutorial don't you?

The postup and postdown stuff

yeah on the client that is not important

only on the server

I'm confused on what I should do on linux

Okay

So on client I don't need the postup and postdown rules?

those postup postdown rules merely modify the routing table in the kernel

but only the server has to do that

Okay

So all I have to add in the wireguard conf is the public key and allowed ip?

yeah, you modify the existing config file

and add another [Peer] block

it should be the same as the existing one, only the public key is different

I'm talking about client side

On the client side atm I have my private key in the conf

@slate sonnet you can just copy the tunnel configuration you had on your windows machine

Okay

My gre works but sucks.
Router Internal gre ip 120ms
Vps internal IP 60ms :laughing:
Mikrotik so weird with it

@slate sonnet https://github.com/mochman/Bypass_CGNAT

step 2b

@slate sonnet you don't need any postup or postdown rules on the client

since we only use NAT on the server

@slate sonnet those rules in the tutorial are for this: https://i.imgur.com/saa0dDI.png

that tutorial assumes one computer on the LAN acting as gateway

and it uses NAT on the client, to forward packets to other computers on the LAN

So basically I can copy my windows client config without the keys, right?

yeah

Okay

you'll need another key on linux

and configure that accordingly

Yes

Now I need to figure out how to get a public key on linux

Or is the public key the server key?

No, it's not

I think I got it

I got no idea how to get my public key on my linux install

Confused asf

From a local machine to your public machine?

I need my wireguard public key on my client pc

Idk where it's saved

Or how to generate it

what linux?

KDE neon

Ubuntu based

cat ~/.ssh/id_rsa.pub

wait

I need my public ssh key for wireguard?

that's the only public key I know of

@tame carbon do you know where the public wireguard key is?

or how to gen it?

should just be ssh key generation and then copy the pub key

If it is, I'm done

let me check the wireguard docs, 1 sec

But it doesn't look like an ssh key though

ah, ok

so login to your box and type:
wg genkey > privatekey

The private key is already filled out though on my client pc

then:
wg pubkey privatekey publickey

it will generate a publickey using that command and store it in a file called publickey

using the privatekey file

then you can cat publickey and copy it

Gives me this

Usage: wg pubkey
scratch@scrublinux:~$

oh, I missed you need to do:
cd /etc/wireguard
sudo umask 0777

sudo cat /etc/wireguard/publickey
sudo cat /etc/wireguard/privatekey

I haven't messed with it or read some of the earlier message so sorry if I'm being redundant 🙂

permission denied

No problem

ah, might need to do su by itself

and then just umask 0777 after authenticating

some clients let you do sudo su to stay root, depends

Huh, weird

It's the same key as my windows install

Looks like there is an even easier way to do it
https://www.wireguardconfig.com/

Omg hell no

That's what every guide says shrug

Well those guides is useless if they say that

https://www.wireguard.com/quickstart/

Oh it's unmask

Well I think I figured it out

yah

Nice, what was the issue?

My dumbass

xd

I deleted wireshark and installed it

Well I'll never put 777 on something.
I'm not using unmask that much to remember what it does except unmasking

xD

And started from scratch

pebkac errors are the best 😄

What is the problem with it?

No

I just wanted to start from scratch

Oh ok

Because I definitely missed something

And it was easier

I hope you didn't use chmod -R 777 wireshark folder 😆

Yah, always "fun" when you miss a step and get many steps later before realizing it

No

Well I deleted wireshark so I think all the folders should have deleted too

I think umask is just to give 0777 to that specific user only

(Unless I don't know that part about linux)

Well it's more fun to miss something when you build modules into kernels or things like nginx

Umask should make it default folder permissions before something became broken

I don't think 0777 is default permission for anything 😂

ah, that might be it, been a while since I dabbled in it too 😛

I just reread about it

I want to cry, wireguard is giving me an error

line unrecognized

I didn't add spaces between the = when writing the publickey

But I can't edit it because apparently the directory doesn't exist

I hate this so much

Lol just create it

What folder doesn't exist?

But on another terminal I can edit it

/etc/wireguard/wg0.conf

And I checked to see if there are spaces

And there are spaces

Wait what ?
One message wireshark and one wireguad

I'm lost

Omfg

Nvm

Lol

I'm a dumbass

I kept writing wireshark

😂

whoops 😄

Still though

In the conf I have spaces

I had a feeling that something is wrong

But wireguard is seeing it without spaces

I'm not familiar enough with wiregaurd but check is wireguad supports spaces in name

Did you wrote it between " "?

No

Let me screenshot it and mask the keys

1 sec

Try write it between " "

It's not supposed to be like that

Btw, I'm following this guide

https://github.com/mochman/Bypass_CGNAT#2a-system-config

Oh

For commands and stuff

Well first it's 077 not 0777

What does 077 do anyway?

mask is different from chmod , default mask usually 022

Sometimes need to change it for certain files and folders

Last time I used it was 6 years ago I think I don't remember for what use cases need to do it

Basically this is what my conf looks like

Ok your home internal IPs are in different subnet I hope

I see you use internal IPs of 10.0.0./24 on the vps

What is the problem again ?

It's not showing ?

1 sec

@lean pebble

Basically it says as if I don't have any spaces at the = sign

But in the conf I do

As I'm supposed to

Your public key line is incorrect

Wrong public key

Wait

I misspelled it

I wrote PublickKey

You could just copy

Lol

I didn't notice it to

My brain have auto correct

😆

Remove 1 k and it should be good

Hmm

Now it's a different error

Send the error

Can you do fuser -k wireguardport/tcp or what ever protocol it uses ?

do
ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf

Copy the whole line?

Oh well wiregaurd is not my specialty

yah, you could also try this instead
systemctl start wg-quick@(name)

but replace (name) obviously

It'll not help I think

Yah, I'm seeing people talk about possibly needing
sudo apt install openresolv
instead

Wireguad not recognize the command resolveconf

Fixed it I think

No error

Started ?

It's green now ?

Yup

yeet 😄

Good

Gonna check connection to vps now

https://superuser.com/questions/1500691/usr-bin-wg-quick-line-31-resolvconf-command-not-found-wireguard-debian/1500896
This is where it mentions making the symlink on debian manually

Finally the ISPs here corporate with the fiber I can't believe it's happening 😂

Nice 😄

They gonna connect private houses after 12 years of waiting, and they finally got a brain and giving the customer the option to use his own network gear that support fiber

Huh, I can't ping my vps

Are you sure you're connected to wiregaurd?

Technically yes

I'm gonna check from the vps if it can see me

Do you want me to check if I can ping it via your wireguad connection?

VPS can't see me either

Make sure your vps internal IPs are different from your home subnet

No, vps is fine

Are you 100% sure ?

Well I basically copy pasted the config I had on windows

Changed the keys

And that's it

Yes

Ok

And you can't ping

I can log in windows rn and it should work

1 sec

Lemme reboot

Wait a sec

Where are you trying to install wireguard?

On rented vps or on your computer ?

My computer

VPS is fine on windows

Basically I'm trying to connect to my vps and make it route traffic to my pc on linux

Like I have it on my windows install

Doing this to bypass cgnat

Ok

And want to use linux since I only have 8gb of ram and windows is a ram hog

Haha ya

I left windows to

Using it as vm

I can't leave windows yet

Not until I have more ram and a second gpu

I have a gaming vm

So I can pass my main gpu for gaming

That's what I did

What disto of Linux so you use ?

KDE Neon

Ok

Ayyyyy, fellow neon user

Check your Linux firewall

Hey good at everything

Hello

How are you feeling today?

😄

Pretty good thank you

How would I do that?

Wait you followed the guide that tells you how to install wireguard server on your system

You just need to install wireguard client

Yes

Not the whole server again

I’ve installed the client

That's why you can't ping your server

I think it's systemctl firewalld or something like that?

No?

Neon uses firewalld?

idk

I haven't

tried it

Why can I ping my vps then?

If yes firewall-cmd --list-all

On windows

Because windows only uses client not server

On windows I did 10.0.0.1 (which is my vps internal ip) and it’s fine

Hmm

The guide you sent me earlier today referring to wireguard server not client

Later it says how to install client

And config it

https://snapcraft.io/install/wireguard-ammp/kde-neon

Unknown operation

You need only client on your system

The server needs to be only on one machine

You was close enough

But there isn’t a server or client though

There is a client

And a server

Check 2b

Your vps is your server

Your client is your machine

https://github.com/mochman/Bypass_CGNAT#2a-system-config

Okay, I'm somewhat confused, what's happening? What's the issue? also, I'm unlikely to be helpful at all considering I've only used nyr's wireguard roadwarrior script to set up my VPN

Also, what is CGNAT

Lol

CGNAT basically means I have a double nat

Cgnat is shared IP

I think

This too

He gets double nat from.his ISP that means shared IP he can't do port forwarding and things like this

So I got a VPS so that I could bypass this

And host a minecraft server

Yap

I've setup wireguard on windows, and it works fine

Now I'm trying to do it on linux

Ah okay

Try install only wiregaurd client

Okay

The github guide is for the server

Don't remove anything just stop the service

How would I clean uninstall wireguard then?

Okay

How would I stop the service then

systemctl stop wiregaurd@name

The name you choose for it

Basically the same command you used for start it but with stop

Not even loaded

Okay

Make sure you do it on your pc and not on your vps

So now sudo snap install wireguard?

Ya

I never used kde neon so I'm not familiar with his package manager

I believe they use apt since it uses an Ubuntu base

It's apt

Oh ok

You can use snap, but avoid it

Here is wg master presetmonkey

It's literally basically Ubuntu with kde features

I use it

Help him install wg client on neon

Good to know

Is there a "client" and a "server" version of wireguard?

Should be just apt install wireguard

Too much ububtu based distro

Or maybe not

Give me a sec

That is what I did

Ok good

That's it

Just need to add your config

Okay

I'll try it later on to play with it

I technically added my public keys and stuff

But I can't ping my vps

With the internal ip

My gre tunnel died 😂 since I moved to mtik

You need to add a second peer in your vps config @slate sonnet

I did

Hmm

Show the config, mask out priv key of course

Public keys are okay?

Yeah, pretty sure but you can mask it as well if you want

Wg is strange need to learn it

wg is great

Should be

Never used it I'll learn it sometime this year

@slate sonnet your peers have the same IPs

make the second peer .3

Do I have to?

Same ip twice

I mean I can

Just curious though

Change one to 0.3

I am not running both systems at the same time

you probably can, but it might cause weird issues

i'd put them on different IPs

Okay

Always better use different IPs

wg associates the public keys (which are different between those two peer systems) and the IPs

Good morning / afternoon / evening everyone

@untold elbow should be fine as long as both peers dont connect?

@tame carbon in theory, yes, but if he's having issues, that's the first thing i'd suggest changing

It's the same pc with dual boot

once you get it working, put them both back to 10.0.0.2 and see if it works

He can use only 1 peer to

or just use the same peer config file

same private key on both systems

that might work

Okay, so I changed the ip to .3

@slate sonnet your port forwarding rules will also have to be adjusted

What exactly should I change?

Add the same postup and postdown rules, but with the added ip?

yeah if you change IP address

Replacing the old one

Okay

then you'll have to replace those

you can only port forward a port to a single host

So if I do this on my linux install, I can't forward anymore on windows?

if you use the same private key as @untold elbow suggested

then you could

then both machines use the same [Peer] configuration

Could I technically use the same private and public key from my windows install on my linux install?

That's what I am saying ^^

Ugh

I should have tried that the first time

copy the whole wg config file