
#1 2022-10-14 00:51:14

tsj
Member
Registered: 2017-07-06
Posts: 12

[SOLVED] Unable to ping client from server in wireguard VPN

I want to configure a wireguard VPN between a local machine and a VPS.

The VPS is configured as:

interface: wg0
public key: tdsxI1ub9g5drtOBGpJMWmKTV64BmsNkQ13IZJe+8gA=
allowed ip: 192.168.100.1/24
listen port: 5553
peer:
  public key: yCZZMQPJVD5qwt3dxSs5SqNl91mcscBoP2lx6hguyiE=
  allowed ip: 192.168.100.3/32

(I report in a non-format since it's a NixOS system)

Locally, I have

/etc/systemd/network/99-wg.netdev:

[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0

[WireGuard]
ListenPort=51554
PrivateKey=<scrubbed>

[WireGuardPeer]
PublicKey=tdsxI1ub9g5drtOBGpJMWmKTV64BmsNkQ13IZJe+8gA=
AllowedIPs=0.0.0.0/0
Endpoint=<vps_ip_scrubbed>:5553
PersistentKeepalive=25

and

/etc/systemd/network/99-wg.network:

[Match]
Name=wg0

[Network]
Address=192.168.100.3/32

It seems like the VPN is established based on the output of `wg` on both ends, but I haven't been able to do 2-way `ping`s or the `nc`/`dd` test mentioned in the Arch wiki.

On VPS:

$ wg
interface: wg0
  public key: tdsxI1ub9g5drtOBGpJMWmKTV64BmsNkQ13IZJe+8gA=
  private key: (hidden)
  listening port: 5553

peer: yCZZMQPJVD5qwt3dxSs5SqNl91mcscBoP2lx6hguyiE=
  endpoint: <local_ip_scrubbed>:51554
  allowed ips: 192.168.100.3/32
  latest handshake: 42 seconds ago
  transfer: 1.10 KiB received, 1.43 KiB sent

On local machine:

$ wg
interface: wg0
  public key: yCZZMQPJVD5qwt3dxSs5SqNl91mcscBoP2lx6hguyiE=
  private key: (hidden)
  listening port: 51554

peer: tdsxI1ub9g5drtOBGpJMWmKTV64BmsNkQ13IZJe+8gA=
  endpoint: <vps_ip_scrubbed>:5553
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 57 seconds ago
  transfer: 65.51 KiB received, 41.23 KiB sent
  persistent keepalive: every 25 seconds

I can ping the VPS from the local machine:

$ ping -I wg0 192.168.100.1
PING 192.168.100.1 (192.168.100.1) from 192.168.100.3 wg0: 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=21.4 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=59.2 ms

But I cannot ping the local machine from the VPS:

$ ping -I wg0 192.168.100.3
PING 192.168.100.3 (192.168.100.3) from 192.168.100.1 wg0: 56(84) bytes of data.
... <nothing>

I am also not able to do the `nc`/`dd` test mentioned in the Arch wiki.

On the local machine:

$ nc -vvlnp 51554
Listening on any address 51554

On the VPS:

$ dd if=/dev/zero bs=1024K count=1024 | nc -v 192.168.100.3 51554

Nothing happens.

Likewise, on the VPS:

$ nc -vvlnp 5553
Listening on any address 5553 (sgi-eventmond)

On the local machine:

$ dd if=/dev/zero bs=1024K count=1024 | nc -v 192.168.100.1 5553

Nothing happens.

I was able to set up a mobile device (non-Arch) from the same network as the local machine and successfully do 2-way pings, successfully do the `dd` test both ways, and use user-space applications through the VPN. No special config, just a different allowed IP, different key, and different port. The local & mobile machines are behind a consumer router which I have made no changes to (I don't even have admin access). I don't really understand how NAT stuff works, i.e. if I needed to set up port forwarding or something, but if the mobile device works, I guess this has nothing to do with the router. Earlier I realized I may have had NetworkManager and systemd-networkd enabled and running, though now I am sure I just have systemd-networkd.

I have no firewall on the local machine, iptables is empty:

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I am stumped. Maybe there is something missing from my Arch wireguard config.

Last edited by tsj (2022-10-14 16:47:18)


#2 2022-10-14 06:07:47

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: [SOLVED] Unable to ping client from server in wireguard VPN

WireGuard is a tunnel mode VPN - the tunnel IP addresses used should be completely separate from the IP addresses of all peers.

IP access to other hosts can be achieved via forwarding/NAT.

I assume that 192.168.100.x is already in use on your VPS' side.


#3 2022-10-14 15:12:40

tsj
Member
Registered: 2017-07-06
Posts: 12

Re: [SOLVED] Unable to ping client from server in wireguard VPN

I couldn't see that 192.168.100.x was already in use in any way. I tried a different IP range, 10.145.0.x, but the result was the same. I noticed on the VPS the following routes were specified:

$ ip r
...
10.145.0.0/24 dev wg0 proto kernel scope link src 10.145.0.1
10.145.0.2 dev wg0 scope link
10.145.0.3 dev wg0 scope link

But on the local machine I had no routes at all for wg0.

I added a [Route] section to /etc/systemd/network/99-wg0.network

[Match]
Name=wg0

[Network]
Address=10.145.0.3/32

[Route]
Destination=10.145.0.0/24
Scope=link

and I can now ping between VPS and local machine. The two clients (10.145.0.2 and 10.145.0.3) cannot ping each other, though, and they never show a "latest handshake" in wg.

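The fix in the post above is a routing fix. A /32 Address gives the kernel no connected route for the tunnel subnet, so only packets explicitly bound to the interface (`ping -I wg0`) ever enter wg0; the VPS's echo requests arrive fine, but the replies to 192.168.100.1 follow the default route out of the LAN interface instead. AllowedIPs only governs what WireGuard will accept from and emit to a peer; it does not install routes under systemd-networkd. The following Python lint is an added example (editor's code, not from the thread, systemd or WireGuard): it parses the .netdev/.network files from this thread, embedded below as constructed input with the keys and placeholders copied from the posts, and reports peer tunnel addresses that the local kernel would not route into wg0.

```python
"""Static check for a systemd-networkd WireGuard setup: which peer tunnel
addresses would the local kernel fail to route into wg0?

Added example for this thread; it is not code from the posts, from systemd
or from WireGuard.  The config texts below are constructed from the thread.
"""
import ipaddress
import re


def parse_unit(text):
    """Parse a .network/.netdev file into an ordered list of (section, {key: [values]}).
    Sections such as [WireGuardPeer] and [Route] may repeat, so order is kept."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        match = re.fullmatch(r'\[(\w+)\]', line)
        if match:
            current = (match.group(1), {})
            sections.append(current)
            continue
        if current is None or '=' not in line:
            raise ValueError(f'unexpected line: {raw!r}')
        key, _, value = line.partition('=')  # keys like PublicKey=...= split on the first '='
        current[1].setdefault(key.strip(), []).append(value.strip())
    return sections


def kernel_routes(network_text):
    """Routes networkd/the kernel install for the interface: the prefix route of
    each Address (none for a /32 host address) plus explicit [Route] Destinations."""
    routes = []
    for name, keys in parse_unit(network_text):
        if name == 'Network':
            for addr in keys.get('Address', []):
                iface = ipaddress.ip_interface(addr)
                if iface.network.prefixlen < iface.network.max_prefixlen:
                    routes.append(iface.network)
        elif name == 'Route':
            for dest in keys.get('Destination', []):
                routes.append(ipaddress.ip_network(dest, strict=False))
    return routes


def unreachable_peers(netdev_text, network_text, peer_addrs):
    """Peer tunnel addresses the kernel would NOT send into wg0.
    A peer must be inside some AllowedIPs (else WireGuard drops the packet) AND
    inside a route on wg0 (else the packet leaves via the default route, unencrypted)."""
    allowed = []
    for name, keys in parse_unit(netdev_text):
        if name == 'WireGuardPeer':
            for value in keys.get('AllowedIPs', []):
                allowed.extend(ipaddress.ip_network(p.strip(), strict=False)
                               for p in value.split(','))
    routes = kernel_routes(network_text)
    unreachable = []
    for peer in peer_addrs:
        ip = ipaddress.ip_address(peer)
        if not any(ip in net for net in allowed) or not any(ip in r for r in routes):
            unreachable.append(peer)
    return unreachable


# Constructed input: the local machine's files as posted in this thread.
NETDEV = """\
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
ListenPort=51554
PrivateKey=<scrubbed>

[WireGuardPeer]
PublicKey=tdsxI1ub9g5drtOBGpJMWmKTV64BmsNkQ13IZJe+8gA=
AllowedIPs=0.0.0.0/0
Endpoint=<vps_ip_scrubbed>:5553
PersistentKeepalive=25
"""

NETWORK_BEFORE = """\
[Match]
Name=wg0

[Network]
Address=192.168.100.3/32
"""

NETWORK_AFTER = """\
[Match]
Name=wg0

[Network]
Address=10.145.0.3/32

[Route]
Destination=10.145.0.0/24
Scope=link
"""

if __name__ == '__main__':
    print('before:', unreachable_peers(NETDEV, NETWORK_BEFORE, ['192.168.100.1']))
    print('after: ', unreachable_peers(NETDEV, NETWORK_AFTER, ['10.145.0.1', '10.145.0.2']))
```

Against the original 192.168.100.3/32 file the check flags the VPS address as unreachable; the [Route] version passes, as would the simpler Address=10.145.0.3/24, which makes networkd install the prefix route itself. On a live host the equivalent check is `ip route get 10.145.0.1`, which must answer with `dev wg0`. Note the security consequence of the original state: AllowedIPs=0.0.0.0/0 without a matching route does not tunnel anything; traffic for the "VPN" addresses simply leaves through the default gateway in the clear.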

#4 2022-10-14 16:39:31

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: [SOLVED] Unable to ping client from server in wireguard VPN

tsj wrote:

I added a [Route] section to /etc/systemd/network/99-wg0.network and I can now ping between VPS and local machine.

Is the problem "Unable to ping client from server in wireguard VPN" solved? Why is there suddenly more than one client?

My next suggestion would have been to exclude the WireGuard connection from systemd-networkd, set up a configuration under /etc/wireguard/*.conf and test it via "wg-quick up conf_file_name".

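What the wg-quick route suggested above would look like for the local machine, as an added example that is not part of the thread (keys, ports and placeholders are copied from the posts; the 10.145.0.0/24 tunnel subnet is the one tsj moved to, and narrowing AllowedIPs to that subnet is this editor's assumption):

```ini
# /etc/wireguard/wg0.conf on the local machine (added example, not from the thread)
[Interface]
Address = 10.145.0.3/24
ListenPort = 51554
PrivateKey = <scrubbed>

[Peer]
PublicKey = tdsxI1ub9g5drtOBGpJMWmKTV64BmsNkQ13IZJe+8gA=
Endpoint = <vps_ip_scrubbed>:5553
AllowedIPs = 10.145.0.0/24
PersistentKeepalive = 25
```

Bring it up with `wg-quick up wg0` and tear it down with `wg-quick down wg0`. Unlike the systemd-networkd setup, wg-quick adds a route for every AllowedIPs entry itself, so the missing-route problem from post #3 cannot occur. Keep the two mechanisms apart: remove or disable the 99-wg.netdev/.network files first, otherwise networkd and wg-quick will fight over the same wg0 interface. If AllowedIPs were left at 0.0.0.0/0 as in the original .netdev, wg-quick would instead install fwmark-based policy routing that sends all of the machine's traffic through the VPS, which is a full-tunnel configuration and a different goal from reaching the tunnel peers.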

#5 2022-10-14 16:51:32

tsj
Member
Registered: 2017-07-06
Posts: 12

Re: [SOLVED] Unable to ping client from server in wireguard VPN

Yes, I am moving the goal post; I marked it as solved. The second client is the mobile device I mentioned before. At the moment I have no use case for these two to talk to each other, but I may in the future. I will try out wg-quick.
