-
Notifications
You must be signed in to change notification settings - Fork 38
Demo
The demo Docker environment has four hosts and three networks for testing multi-hop/nested tunnels, but only the first target host is reached in the examples below. Reaching the rest of the target hosts is left as an exercise for the reader.
┌──────────┐
│ client │
│ │
│ 10.1.0.2 ├┬───────────────────────┐
│ fd:1::2 --- │
└──────────┼│ │
││ exposed network │
││ 10.1.0.0/16,fd:1::/64 │
┌──────────┼│ │
│ 10.1.0.3 --- │
│ fd:1::3 ├┴───────────────────────┘
│ │
│ server │
│ │
│ 10.2.0.3 ├┬───────────────────────┐
│ fd:2::3 --- |
└──────────┼│ │
││ target network │
││ 10.2.0.0/16,fd:2::/64 │
┌──────────┼│ │
│ 10.2.0.4 --- |
│ fd:2::4 ├┴───────────────────────┘
│ │
│ target │
│ │
│ 10.3.0.4 ├┬───────────────────────┐
│ fd:3::4 --- |
└──────────┼│ │
││ target2 network │
││ 10.3.0.0/16,fd:3::/64 │
┌──────────┼│ │
│ 10.3.0.5 --- |
│ fd:3::5 ├┴───────────────────────┘
│ │
│ target2 │
└──────────┘
wiretap_demo.mp4
You have unprivileged access to the server host and want to reach the target host from the client host using Wiretap.
Clone this repo.
Start the demo containers with:
docker compose up --build
Open new tabs for interactive sessions with the client and server machines:
docker exec -it wiretap-client-1 bash
docker exec -it wiretap-server-1 bash
The target network, and therefore the target host, is unreachable from the client machine. Both the server and target hosts are running a web service on port 80, so try interacting with each of the services from each of the hosts:
Accessing the server's web service from the client should work:
client$ curl http://10.1.0.3
Accessing the target web service from the client should not work, but doing the same thing from the server machine will:
# fails
client$ curl http://10.2.0.4
server$ curl http://10.2.0.4
Configure Wiretap from the client machine. Remember, --endpoint
is how the server machine should reach the client (IP:port) and --routes
determines which traffic is routed through Wiretap.
-
--endpoint
needs to be the client address and listening port:10.1.0.2:51820
- If no
--port
is specified, the client config will use the same port specified in theendpoint
argument as the listening port. In this example, that would be 51820. -
--routes
needs to be the subnet of the target network:10.2.0.0/16
. But there is also an IPv6 subnet, so we should also putfd:2::/64
. If you just wanted to route traffic to the target host, you could put10.2.0.4/32
here instead
./wiretap configure --endpoint 10.1.0.2:51820 --routes 10.2.0.0/16,fd:2::/64
Install the newly created WireGuard configs with:
wg-quick up ./wiretap_relay.conf
wg-quick up ./wiretap.conf
Copy and paste the Wiretap arguments printed by the configure command into the server machine prompt. It should look like this:
WIRETAP_RELAY_INTERFACE_PRIVATEKEY=<key> WIRETAP_RELAY_PEER_PUBLICKEY=<key> WIRETAP_RELAY_PEER_ENDPOINT=10.1.0.2:51820 WIRETAP_E2EE_INTERFACE_PRIVATEKEY=<key> WIRETAP_E2EE_PEER_PUBLICKEY=<key> WIRETAP_E2EE_PEER_ENDPOINT=172.16.0.1:51821 ./wiretap serve
The WireGuard handshake should be complete. Confirm with:
wg show
If the handshake was successful the client should be able to reach the target network transparently. Confirm by running the same test that failed before:
client$ curl http://10.2.0.4
That's it! Try scanning, pinging, and anything else you can think of (please submit an issue if you think something should work but doesn't!). Here are a few ideas:
- HTTP
curl http://10.2.0.4
curl http://[fd:2::4]
- Nmap
nmap 10.2.0.4 -v
nmap -6 fd:2::4 -v
- ICMP
ping 10.2.0.4
ping fd:2::4
- UDP
nmap -sU 10.2.0.4 -v
nmap -sU -6 fd:2::4 -v
Try to reach the second target by adding another server! You should be able to successfully run curl http://10.3.0.5
from the client host if performed correctly. The status
command should output something similar to:
╭────────────────────────╮
│ Wiretap Network Status │
╰────────────┬───────────╯
│
╭──────────┴──────────╮
│client │
│ │
│ relay: Ta75SvIb... │
│ e2ee: cXddDGWC... │
│ │
╰──────────┬──────────╯
│
╭──────────┴──────────╮
│server │
│ relay: kMj7HwfY... │
│ e2ee: 3ipWthpJ... │
│ │
│ api: ::2 │
│ routes: 10.2.0.0/16 │
╰──────────┬──────────╯
│
╭──────────┴──────────╮
│server │
│ relay: GMkUzfDy... │
│ e2ee: YOVI9nOv... │
│ │
│ api: ::3 │
│ routes: 10.3.0.0/16 │
╰─────────────────────╯
To bring down the WireGuard interfaces on the client machine, run:
wg-quick down ./wiretap_relay.conf
wg-quick down ./wiretap.conf