#1 2022-05-29 21:58:59

jhjacobs81
Member
From: Arnhem, the Netherlands
Registered: 2022-03-14
Posts: 12

No route to host after failed Wireguard setup

Hello all,

I am breaking my head over this one :(

Our company firewall had WireGuard set up, which works great on our Mac and Windows boxes. As such I have tried setting it up on my new Arch install (I’m new to Arch but not to Linux in general) and I failed to get it working.

However, whenever I try to SSH into the company firewall it errors out with a “no route to host” error. I can ping it perfectly. I can also ssh into it from other boxes on the same network, so it's definitely a problem on my system. I have used the Arch wiki to set up WireGuard, so I undid every step. As a result, I’m at a loss where to look. I even did pacman -R wireguard-tools to be sure there wasn’t anything running still.

Hopefully someone had this before and can help me?


Leo, HSP, On a journey to leave the big tech behind. Security minded. Sucker for nice, polished things.

Offline

#2 2022-05-30 05:19:05

seth
Member
Registered: 2012-09-03
Posts: 49,994

Re: No route to host after failed Wireguard setup

However, whenever i try to SSH into the company firewall it errors out with a “no route to host” error. I can ping it perfectly.

By IP or domain? LAN or WAN?

ip a; ip r

I even did pacman -R wireguard-tools to be sure there wasn’t anything running still.

Did you reboot? I don't think this will stop any running services or clear the iptables.

Sanity check:

find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f

Online
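
Added example, not part of seth's post or the thread: removing the package does not clear kernel-side state, so this sketch filters `ip rule show` and `iptables-save` output for anything a VPN setup may have left behind. The function names are hypothetical and the sample inputs are constructed; the routing rules and the commented raw-table rule mimic what wg-quick installs.

```sh
#!/bin/sh
# Added example, not from the thread: find network state that survives
# `pacman -R wireguard-tools`. Function names and sample data are constructed.

# Stdin: output of `ip rule show`. Prints every policy-routing rule that is
# not one of the three kernel defaults (local, main, default).
audit_ip_rules() {
    awk '{
        line = $0
        gsub(/[ \t]+/, " ", line); sub(/ $/, "", line)
        if (line == "" ||
            line == "0: from all lookup local" ||
            line == "32766: from all lookup main" ||
            line == "32767: from all lookup default") next
        print line
    }'
}

# Stdin: output of `iptables-save`. Prints appended rules that reject or drop
# packets, or that carry the comment wg-quick puts on its own rules.
audit_fw_rules() {
    awk '/^-A / && (/-j (REJECT|DROP)/ || /wg-quick/)'
}

# Constructed samples, not output from the poster's machine. The two extra
# routing rules and the raw-table rule have the shape wg-quick uses for a
# full-tunnel peer; the REJECT rule stands in for any other leftover.
SAMPLE_IP_RULES='0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default'

SAMPLE_FW_RULES='*raw
-A PREROUTING -d 10.0.0.2/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# On a live system (as root): ip rule show | audit_ip_rules
#                             iptables-save | audit_fw_rules
echo "Non-default policy-routing rules:"
printf '%s\n' "$SAMPLE_IP_RULES" | audit_ip_rules
echo "Reject/drop or wg-quick firewall rules:"
printf '%s\n' "$SAMPLE_FW_RULES" | audit_fw_rules
```

Empty output from both filters on a live system means no policy-routing or reject/drop rules remain; systems using nftables directly need `nft list ruleset` inspected instead.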

#3 2022-05-31 09:41:15

jhjacobs81
Member
From: Arnhem, the Netherlands
Registered: 2022-03-14
Posts: 12

Re: No route to host after failed Wireguard setup

Thank you @seth for responding :)

I did indeed reboot, also removed the /etc/wireguard folder just to be sure :)

ip a; ip r shows this:

3: enp4s0f3u1u1u2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 18:65:71:ed:fa:36 brd ff:ff:ff:ff:ff:ff
default via 192.168.2.254 dev wlan0 proto dhcp metric 600 
[root@stargazer ~]# find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.timesync1.service   | system
dirmngr.socket                           | sockets.target.wants
display-manager.service                  | system
gcr-ssh-agent.socket                     | sockets.target.wants
getty@tty1.service                       | getty.target.wants
gpg-agent-browser.socket                 | sockets.target.wants
gpg-agent-extra.socket                   | sockets.target.wants
gpg-agent.socket                         | sockets.target.wants
gpg-agent-ssh.socket                     | sockets.target.wants
NetworkManager.service                   | multi-user.target.wants
NetworkManager-wait-online.service       | network-online.target.wants
p11-kit-server.socket                    | sockets.target.wants
pipewire-media-session.service           | pipewire.service.wants
pipewire-session-manager.service         | user
pipewire.socket                          | sockets.target.wants
pulseaudio.socket                        | sockets.target.wants
remote-fs.target                         | multi-user.target.wants
systemd-timesyncd.service                | sysinit.target.wants
xdg-user-dirs-update.service             | default.target.wants

I am not completely sure what we are looking for with this command :)

There is nothing in /etc/systemd/network either.

nmcli shows this:

nmcli

p2p-dev-wlan0: disconnected
        "p2p-dev-wlan0"
        wifi-p2p, hw

enp4s0f3u1u1u2: unavailable
        "Realtek RTL8153"
        ethernet (r8152), 18:65:71:ED:FA:36, hw, mtu 1500

lo: unmanaged
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536


Use "nmcli device show" to get complete information about known devices and
"nmcli connection show" to get an overview on active connection profiles.

Consult nmcli(1) and nmcli-examples(7) manual pages for complete usage details.

I wonder what that p2p thing is :) I've never seen it before, is it Arch specific?

Last edited by jhjacobs81 (2022-06-07 10:56:47)


Offline

#4 2022-05-31 12:59:26

seth
Member
Registered: 2012-09-03
Posts: 49,994

Re: No route to host after failed Wireguard setup

Please edit your post and wrap the output in code tags, https://bbs.archlinux.org/help.php#bbcode

i am not completely sure what we are looking for with this command

What and how many network managing services you're running - only NM (which is good)

ip a; ip r shows this:

I'm pretty sure it shows more.
enp4s0f3u1u1u2 is some wired ethernet device, but there's no carrier (cable).
There's a route via 192.168.2.254, but since you don't have a lease on the wired NIC, we don't know what (if any) this belongs to.
Please post the entire output.

i wonder what that p2p thing is

https://wiki.archlinux.org/title/Software_access_point
IIRC NetworkManager adds them by default.

Known status quo is that you've no network connection at all because the only known wired NIC has no cable attached.

Online

#5 2022-06-07 10:55:37

jhjacobs81
Member
From: Arnhem, the Netherlands
Registered: 2022-03-14
Posts: 12

Re: No route to host after failed Wireguard setup

Hello Seth,

Sorry for the late response, been a busy week!

I was on a rather sensitive network so I didn't show everything indeed, I'm now at home and here is the complete output:

ip a; ip r

[root@stargazer ~]# ip a; ip r
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 98:43:fa:00:ee:6b brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.11/24 brd 192.168.178.255 scope global noprefixroute wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::49e9:32c0:c510:4674/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev wlan0 proto static metric 600 
192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.11 metric 600 

(which seems to be correct, my home network is 192.168.178.1/24)


Offline

#6 2022-06-07 14:15:40

seth
Member
Registered: 2012-09-03
Posts: 49,994

Re: No route to host after failed Wireguard setup

This context seems to be sane - you've a lease on wlan0 and a route via there.

seth wrote:

However, whenever i try to SSH into the company firewall it errors out with a “no route to host” error. I can ping it perfectly.

By IP or domain? LAN or WAN?

For context: WireGuard is a VPN - it allows you to have a LAN over the internet (in most broad terms).
If the company's ssh server is only available to the private network, you'll *have* to be inside that private network in order to connect to it.

You can

whois 123.45.67.89

to check whether the IP you're trying to connect to is a private segment (different from 192.168.178.0/24), though I'm not sure how you'd be able to ping the host if you don't have a route for it.
If the ssh server is in a private network segment ("These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices.  They are only intended for use within a private context  and traffic that needs to cross the Internet will need to use a different, unique address.") you can post it here w/o revealing private information, since the IP is meaningless outside that segment. (google "i hacked 127.0.0.1")

Online

#7 2022-06-13 15:04:23

jhjacobs81
Member
From: Arnhem, the Netherlands
Registered: 2022-03-14
Posts: 12

Re: No route to host after failed Wireguard setup

I have not yet disabled ssh over WAN, because I can't get WireGuard to work :)

So from any other box I can ssh by both domain/IP of the WAN and LAN, on this box neither. WAN throws the no route to host, and LAN won't work because I can't get WireGuard to work :(

I suppose there's no other solution than to do a new install :(

Funny detail: I changed the ssh port on the firewall, and now I can connect using ssh from the box where I got the "no route to host" from.. this seems really odd to me, but alas!

Last edited by jhjacobs81 (2022-06-13 15:12:43)


Offline
