linux – ipsec xfrm esp routing

i need a little help/explanation why the following netsetup is not working:

PC1 (192.168.66.1) <-- PLAIN --> (192.168.66.2)PC-GW(192.168.88.2) <-- ESP --> (192.168.88.1) PC2

I can send packets from PC1 192.168.66.1 to PC2 192.168.88.1 and the PC-GW encapsulate esp and the PC2 recv the esp packets, it works fine.

But if i send esp packets from PC2 192.168.88.1 to PC1 192.168.66.1, the PC-GW forwaded the esp packets without decapsulate/decryption and PC1 gets an esp packet.

If both systems use ESP it works fine:

PC1 (192.168.66.1) <-- ESP--> (192.168.88.1) PC2

I have tried several different configuration, this is the commands i use:

ip xfrm state add src 192.168.66.1/32 dst 192.168.88.1/32 proto esp spi 0x01000000 reqid 0x01000000 mode transport aead 'rfc4106(gcm(aes))' 0x000000000000000000000000000000000000000000000000000000000000000000000000 128 sel src 192.168.66.1/32 dst 192.168.88.1/32
ip xfrm state add src 192.168.88.1/32 dst 192.168.66.1/32 proto esp spi 0x01000000 reqid 0x02000000 mode transport aead 'rfc4106(gcm(aes))' 0x000000000000000000000000000000000000000000000000000000000000000000000000 128 sel src 192.168.88.1/32 dst 192.168.66.1/32
ip xfrm policy add src 192.168.66.1/32 dst 192.168.88.1/32 dir out tmpl src 192.168.66.1/32 dst 192.168.88.1/32 proto esp reqid 0x01000000 mode transport
ip xfrm policy add src 192.168.88.1/32 dst 192.168.66.1/32 dir in tmpl src 192.168.88.1/32 dst 192.168.66.1/32 proto esp reqid 0x02000000 mode transport

With help of tcpdump i have captured all interfaces.

I don’t use openswap, this test setup is not a real use scenario. This is just to try out and i want to learn how it works.

pfsense routing and firewall configuration

Good night,

I am very new to this topic,
In the company we have 4 offices, which are connected by our ISP provider, through an MPLS network.

Network1
IP: 10.201.180.1/22
Gateway
10.201.180.254

Network2
IP: 10.201.184.1/24
Gateway
10.201.184.254

Network3
IP: 10.201.185.1/24
Gateway
10.201.185.254

Network4
IP: 10.201.180.6/24
Gateway
10.201.186.254

We have a connection between all the headquarters without problem.

in network1 we have Pfsense with 1 -WAN and 1-LAN interfaces (10.201.183.1/22).

We want SQUID proxy in transparent mode, as the configuration process would really be, in addition, I think we must also perform the routing in the pfsense and configure the firewall …
the truth is I am really very new

graphs – An algorithm to find differences between routing paths

I need to come up with an algorithm that finds differences in sequence of each product’s routing (or sequence of processes).
There are several processes aligned with together and each process’s been operated under specified equipment.

For example,

if there are four processes(A – B – C – D) until to the final product, the routing for each product can be shown below:

Process A B C D
Product1 a1 b3 c3 d2
product2 a2 b1 c2 d1
product3 a1 b2 c1 d1
product4 a1 b1 c2 d3
product5(defect) a2 b4 c3 d2
product6 a1 b3 c2 d3
product7 a1 b2 c2 d3

If it turned out product 5 to be a defect product, we may conclude that in B process, the equipment b4 has most likely caused an issue to the product5.

Approach 1:

I label-encoded to each equipment by column to implement machine learning model and calculate shapley scores for each column to see what process caused an issue. The problem is that some cases there are few defective products which causes an extreme data imbalance between normal and faulty products’ routing

If you could suggest feasible algorithms what would it be?

routing – Is it possible to route data between 2 wireguard devices on the same machine?

I want to find out how much overhead wireguard creates on my machine in terms of latency. However, my server is remote, so I would like to test it solely on the machine to avoid measuring the whole network latency.

So for measuring the latency, I thought about the following setup.

I add two wireguard devices to the machine, wg0 and wg1. I then send a packet to wg0, which encrypts the packet and sends it to wg1. Wg1 then decrypts it and sends it to a local port so that I can measure the time it takes between sending and receiving the packet.

My wg0 conf:

[Interface]
   Address = 10.0.0.1/24
   ListenPort = 51871

[Peer]
   AllowedIPs = 10.0.0.1/24, 10.0.1.1/24
   Endpoint = localhost:51872

My wg1 conf:

[Interface]
   Address = 10.0.1.1/24
   ListenPort = 51872

[Peer]
   AllowedIPs = 10.0.0.1/24, 10.0.1.1/24
   Endpoint = localhost:51871
I have tried using the following configuration but then I am unable to setup wg1 as the setup fails at

ip -4 route add 10.0.0.0/24 dev wg1
due to 
RTNETLINK answers: File exists

Which makes sense as because this is the IP range of the wg0 device

My wg0 conf:

[Interface]
   Address = 10.0.0.1/24
   ListenPort = 51871
   PostUp = route add -net 10.0.1.0/24 gw 10.0.0.1 
   PostDown = route delete -net 10.0.1.0/24 gw 10.0.0.1

[Peer]
   AllowedIPs = 10.0.0.1/24, 10.0.1.1/24
   Endpoint = localhost:51872

My wg1 conf:

[Interface]
   Address = 10.0.1.1/24
   ListenPort = 51872
   PostUp = route add -net 10.0.0.1/24 gw 10.0.1.1 
   PostDown = route delete -net 10.0.0.1/24 gw 10.0.1.1


[Peer]
   AllowedIPs = 10.0.0.1/24, 10.0.1.1/24
   Endpoint = localhost:51871

However, I can not get the routing set up so that my packet actually traverses the wg devices. The devices also do not perform a handshake atm. Is it even possible? Or can you recommend another setup?.

My OS is ubuntu 20.04 server. As a sidenote, I want to compare this to another measurement I took where one of the wireguard devices runs in a virtual machine. In this setup, I just ran wg0 on the host and wg1 in the VM. Basically, now I want to find out the overhead of running a wireguard gateway in a VM compared to running it natively on the machine.

vpn – site2site wireguard with docker : routing problems

Disclaimer: repost from stackoverflow: https://stackoverflow.com/questions/67917278/site2site-wireguard-with-docker-routing-problems

I am trying to have two containers, running on two RPI, act as a site-to-site VPN between Network 1 and Network 2.

With the setup below, I am able to ping from within the container each other network:

  • from docker container 1 I can ping an address 192.168.1.1
  • from docker container 2 I can ping the address 192.168.10.1

But if I try to ping 192.168.1.1 from the System1 host (192.168.10.100) I have errors (see below image to visualize what I am trying to do).

I understand I have to add a static route on system1 host (192.168.10.100) to direct the traffic for 192.168.1.0/24 through the wireguard container (172.17.0.5), thus I run:

$i p route add 192.168.1.0/24 via 172.17.0.5
$ ip route
default via 192.168.10.1 dev eth0 proto dhcp src 192.168.10.100 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.18.0.0/16 dev br-e19a4f1b7646 proto kernel scope link src 172.18.0.1 linkdown 
172.19.0.0/16 dev br-19684dacea29 proto kernel scope link src 172.19.0.1 
172.20.0.0/16 dev br-446863cf7cef proto kernel scope link src 172.20.0.1 
172.21.0.0/16 dev br-6800ed9b4dd6 proto kernel scope link src 172.21.0.1 linkdown 
172.22.0.0/16 dev br-8f8f439a7a28 proto kernel scope link src 172.22.0.1 linkdown 
192.168.1.0/24 via 172.17.0.5 dev docker0 
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.100 
192.168.10.1 dev eth0 proto dhcp scope link src 192.168.10.100 metric 100 

but the ping to 192.168.1.1 still fails.

by running tcpdump on the container 2 I see that some packets are indeed reaching the container :

root@936de7c0d7eb:/# tcpdump -n -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:11:19.885845 IP (publicIPsystem1).56200 > 172.17.0.6.56100: UDP, length 128
10:11:30.440764 IP 172.17.0.6.56100 > (publicIPsystem1).56200: UDP, length 32
10:11:35.480625 ARP, Request who-has 172.17.0.1 tell 172.17.0.6, length 28
10:11:35.480755 ARP, Reply 172.17.0.1 is-at 02:42:24:e5:ac:38, length 28

so I guess it is not a routing problem on system 1.

Can anyone tell me how to diagnose this further?

enter image description here

Site 1 Site 2
Network 1 IP range 192.168.10.0/24 192.168.1.0/24
host system address 192.168.10.100 192.168.1.100
bridge docker0 range 172.17.0.0/16 172.17.0.0/16
container address 172.17.0.5 172.17.0.6

System 1 – wg0.conf

(Interface)
Address = 10.13.18.2
PrivateKey = *privatekey*
ListenPort = 56200
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

(Peer)
PublicKey = *publickey*
Endpoint = *system2address*:56100
AllowedIPs = 10.13.18.1/32 , 192.168.1.0/24

System 2 – wg0.conf

(Interface)
Address = 10.13.18.1
ListenPort = 56100
PrivateKey = *privatekey*
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

(Peer)
# peer_casaleuven
PublicKey = *publickey*
AllowedIPs = 10.13.18.2/32 , 192.168.10.0/24
Endpoint = *system1address*:56200

routing – Software to channel one audio output to a recoding input (i.e. Audacity) while listening to other audio on a second audio output

I have been looking but couldn’t find any software solution…

In Windows 10, how can I have the audio from one app like VLC, Youtube, Spotify etc be routed to Audacity so I can record it while at the same time listening to a movie I am watching on a second audio output like a headphone?

Again, I am looking for a software solution, not a hardware one. :]

Thank you :]

vpn – Routing LAN traffic from Edgerouter to wg0

Did you add the 0.0.0.0/1 and 128.0.0.0/1 to the main route table?

What is the IP of the wireguard server you connected to? if you have those 3 routes, and nothing else, then how is your wireguard client going to reach the remote? If you put everything on the main table, then you must also add a static route that goes out your main interface for the IP of the wireguard server.

Your OpenVPN server is probably pushing a route for the special remote_host which the OpenVPN client resolves to whatever IP that it connected to.

If you set the AllowedIPs = 0.0.0.0/0 in your wireguard configuration, wg-quick actually does some magic for you to handle this that is pretty neat and easy.

These ip rules are added, and an additional route table is added.

$ ip rule
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main

# ip route show table 51820
default dev wg0 scope link

The wireguard will by default add a fwmark to all the packets to the value 51820 (51820 is 0xca6c in hex).

The rule from all lookup main suppress_prefixlength 0 will ignore the default route on your main table..

Traffic directly to the wireguard peer external IP will not be marked with the fwmark so it will use the 32766 and go out the default route.

Anyway the point is, you probably don’t need or want the 0.0.0.0/1 and 128.0.0.0/1 with wireguard on Linux. It has better ways of handling redirecting the default gateway then what OpenVPN has out of the box.

pulseaudio – Routing audio between headset and Behringer U-Control using pacmd

I’ve got a Behringer U-control USB device and I’m trying to learn pulseaudio / pacmd. The U-control has L/R input and L/R output (all RCA) plus digital, I don’t need. I’ve worked out how to record from the inputs. I basically want to connect up the U-control to the laptop so that the laptop can send and receive audio.

How can I use pacmd to route the sound as follows:

(1) I’d like the L/R input of the U-control to be routed to my laptop speakers (or headphones), essentially monitoring the L/R input of the U-control.

(2) I’d like to route application/mic audio from the laptop to the L/R output of the U-control. I.e., I’d like to send sound from (A) one or more applications playing audio and/or (B) the mic from a headset.

How do I set up this routing using pacmd? (I’ve got pavucontrol, and can use that, though a fully self-contained solution in pacmd would be great.)

Thanks!

PS. I’m aware that Jack does some of this via a graphical interface. I’ve had a quick go at installing Jack on Ubuntu 20.04, but I didn’t get very far. I also feels a little overkill for what I’d like to do – but if there’s a simple guide to installing Jack and the kxstudio apps on Ubuntu 20.04, I’d be ok to try it – though worried about messing up my system.

PPS. Does anybody know if there’s a graphical guide for translating a routing diagram into a set of pacmd commands?