Hi, I have a dedicated server on a famous hosting provider. The server is running Proxmox with some VMs. My goal is to create a Wireguard tunnel in order to manage the VMs from my PC.
One of those VMs will act as VPN server. This VM has IP 10.4.4.1 on ens18.
VM config:
user@VM: $ sudo cat /etc/systemd/network/99-wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0
[WireGuard]
ListenPort=30000
PrivateKey=<VMprivkey>
[WireGuardPeer]
PublicKey=<PCpubkey>
PresharedKey=<PreSharedKey1>
AllowedIPs=10.0.0.20/32
user@VM: $ sudo cat /etc/systemd/network/99-wg0.network
[Match]
Name=wg0
[Network]
Address=10.0.0.1/24
My PC config:
user@PC: $ sudo cat /etc/systemd/network/99-wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0
[WireGuard]
PrivateKey=<PCprivKey>
[WireGuardPeer]
PublicKey=<VMpubKey>
PresharedKey=<PreSharedKey1>
AllowedIPs=10.0.0.1/24
Endpoint=<HostServerPublicIP>:30000
user@PC: $ sudo cat /etc/systemd/network/99-wg0.network
[Match]
Name=wg0
[Network]
Address=10.0.0.20/32
[Link]
ActivationPolicy=manual
After activating the wg0 interface I run "nc -vvlnp 30000" on the VM and "dd if=/dev/zero bs=1024K count=1024 | nc -vu 10.0.0.1 30000" on my PC:
user@PC: $ dd if=/dev/zero bs=1024K count=1024 | nc -vu 10.0.0.1 30000
Connection to 10.0.0.1 30000 port [udp/*] succeeded!
1024+0 records in
1024+0 records out
1073741824 bytes (1,1 GB, 1,0 GiB) copied, 13,2564 s, 81,0 MB/s
^C
So this seems to be working, but when I try to ping, ssh or nmap anything on 10.0.0.1, nothing is reachable.
[EDIT2]: actually the server doesn't show any "Connection received on..." message.
Port 30000 on remote dedicated server side is open.
What am I missing?
[EDIT]: also running "dmesg -wT" on my PC I periodically see:
...
wireguard: wg0: Receiving keepalive packet from peer 2 (<HostServerPublicIP>:30000)
wireguard: wg0: Receiving handshake initiation from peer 2 (<HostServerPublicIP>:30000)
wireguard: wg0: Sending handshake response to peer 2 (<HostServerPublicIP>:30000)
wireguard: wg0: Keypair 103 destroyed for peer 2
wireguard: wg0: Keypair 105 created for peer 2
wireguard: wg0: Receiving keepalive packet from peer 2 (<HostServerPublicIP>:30000)
wireguard: wg0: Receiving keepalive packet from peer 2 (<HostServerPublicIP>:30000)
...
Last edited by dictionary (2023-01-30 10:07:06)
Please compare the output of
sudo wg
on both sides - do they make sense?
VM:
user@VM: $ sudo wg
interface: wg0
public key: <pubKey>
private key: (hidden)
listening port: 30000
peer: peer123
preshared key: (hidden)
endpoint: PCpublicIP:58858
allowed ips: PCpublicIP/32 EDIT: it's 10.0.0.20/32
latest handshake: 1 minute, 50 seconds ago
transfer: 21.72 KiB received, 1.29 MiB sent
persistent keepalive: every 25 seconds
My pc:
user@PC: $ sudo wg
interface: wg0
public key: <pubkey>
private key: (hidden)
listening port: 58858
peer: peer456
preshared key: (hidden)
endpoint: RemoteServerPublicIP:30000
allowed ips: 0.0.0.0/0
latest handshake: 2 minutes, 1 second ago
transfer: 76.76 KiB received, 237.97 KiB sent
Last edited by dictionary (2023-01-27 13:30:58)
... allowed ips: PCpublicIP/32 ...
... allowed ips: 0.0.0.0/0 ...
Those make no sense in regard to your configuration.
Have you read
https://wiki.archlinux.org/title/WireGuard#Netctl
?
According to the Wiki you also need "/etc/wireguard/*.conf" configuration files.
Those make no sense in regard to your configuration.
That's what comes out with the configuration in the first post.
Have you read
https://wiki.archlinux.org/title/WireGuard#Netctl
?
According to the Wiki you also need "/etc/wireguard/*.conf" configuration files.
No, I chose the systemd method https://wiki.archlinux.org/title/WireGu … d-networkd
and also keeping an eye on the Specific use-case: VPN server section https://wiki.archlinux.org/title/WireGu … VPN_server
My fault - I assumed this to be a netctl configuration despite all the evidence.
Can you try the following on your PC:
AllowedIPs=10.0.0.1/32
and try pinging the VM?
Last edited by -thc (2023-01-27 12:45:32)
My bad too, the AllowedIPs of the wg command was actually AllowedIPs=10.0.0.20/32. I edited my post.
Can you try the following on your PC:
AllowedIPs=10.0.0.1/32
and try pinging the VM?
No change.
What I find strange is that wg command says the UDP tunnel is active and the two peers can talk, but other than that I can do nothing. No ping, no ssh, nothing.
"nmap -Pn 10.0.0.1" after a while says only "53/tcp open domain"
Please write two "wg0.conf" files:
VM:
[Interface]
Address = 10.0.0.1/24
ListenPort = 30000
PrivateKey = <VMprivkey>
[Peer]
PublicKey = <PCpubkey>
PresharedKey = <PreSharedKey1>
AllowedIPs = 10.0.0.20/32
PC:
[Interface]
Address = 10.0.0.20/32
PrivateKey = <PCprivKey>
[Peer]
PublicKey = <VMpubKey>
PresharedKey = <PreSharedKey1>
AllowedIPs = 10.0.0.1/24
Endpoint = <HostServerPublicIP>:30000
and place them in "/etc/wireguard" on each machine. Fire both sides up via
wg-quick up wg0
and try to ping your VM.
Hi, I have a dedicated server on a famous hosting provider. The server is running Proxmox with some VM. My goal is to create a Wireguard tunnel in order to manage from my PC the VMs.
user@PC: $ sudo cat /etc/systemd/network/99-wg0.network
[Match]
Name=wg0
[Network]
Address=10.0.0.20/32
[Link]
ActivationPolicy=manual
Isn't it counter intuitive to use /32 on your interface? Shouldn't it be /24 like the VM?
What is your routing table?
Solved! Systemd didn't put the necessary routing on PC side, how so?
I had to do: ip route add 10.0.0.0/24 dev wg0
Now this is how the routings look:
VM
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.4.4.254 0.0.0.0 UG 0 0 0 ens18
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.4.4.0 0.0.0.0 255.255.255.0 U 0 0 0 ens18
PC
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 20100 0 0 enp5s0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0 <--- this was the missing one
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp5s0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
This section mentions "To route additional subnets add them as [Route] sections". That's what I need to do to make it work, but I wouldn't consider the wg0 subnet as additional, so I think that's a strange behaviour.
Anyway, thanks a lot @-thc and @Koatao !
That's because systemd-networkd (like any other networking service) cannot infer that you want to route the entire 10.0.0.0/24 network over an interface if you just assign an IP address of 10.0.0.1/24 to it.
The solution is, as you already found out, to explicitly specify the route in the configuration.
Inofficial first vice president of the Rust Evangelism Strike Force
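The mismatch that bit this thread (a peer's AllowedIPs prefix that no kernel route points at wg0, because Address= was a /32) can be checked before bringing the tunnel up. The following is an added example, not code from any poster or from systemd: it parses a systemd-networkd .netdev/.network pair, derives the connected route networkd creates from each Address= (none for a /32 or /128), adds any [Route] Destination= lines, and reports which AllowedIPs prefixes are left without a route. The sample configs are the PC and VM configs from the first post with the key placeholders kept as-is; the fixed PC .network with a [Route] section is constructed here, not taken from the thread.

```python
"""Added example: find WireGuard AllowedIPs prefixes that systemd-networkd
will not route over wg0 (no connected route from Address=, no [Route] section)."""
import ipaddress
from collections import defaultdict


def parse_networkd(text):
    """Parse unit-style text into a list of (section, {key: [values]}).
    Sections may repeat ([WireGuardPeer], [Route]), so a list is kept, not a dict."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], defaultdict(list))
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        current[1][key.strip()].append(value.strip())
    return sections


def routed_prefixes(network_text):
    """Prefixes the kernel will route over the interface: the connected route
    implied by each Address= (only when the prefix is shorter than the host
    length, so a /32 adds nothing) plus every [Route] Destination=."""
    prefixes = set()
    for name, kv in parse_networkd(network_text):
        if name == "Network":
            for addr in kv.get("Address", []):
                iface = ipaddress.ip_interface(addr)
                if iface.network.prefixlen < iface.max_prefixlen:
                    prefixes.add(iface.network)
        elif name == "Route":
            for dest in kv.get("Destination", []):
                prefixes.add(ipaddress.ip_network(dest, strict=False))
    return prefixes


def allowed_ips(netdev_text):
    """AllowedIPs from all [WireGuardPeer] sections; strict=False normalises
    host-bit forms such as 10.0.0.1/24 to 10.0.0.0/24, the way wg shows them."""
    allowed = set()
    for name, kv in parse_networkd(netdev_text):
        if name == "WireGuardPeer":
            for field in kv.get("AllowedIPs", []):
                for cidr in field.split(","):
                    if cidr.strip():
                        allowed.add(ipaddress.ip_network(cidr.strip(), strict=False))
    return allowed


def missing_routes(netdev_text, network_text):
    """AllowedIPs prefixes with no covering route, sorted. Each one needs a
    [Route] section (or a wider Address= prefix) before traffic can enter wg0."""
    routes = routed_prefixes(network_text)
    missing = [a for a in allowed_ips(netdev_text)
               if not any(a.version == r.version and a.subnet_of(r) for r in routes)]
    return sorted(missing, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def route_sections(netdev_text, network_text):
    """Render the [Route] lines that would close the gap in the .network file."""
    return "".join(f"[Route]\nDestination={n}\n"
                   for n in missing_routes(netdev_text, network_text))


# Sample input: the PC and VM configs from the first post (key placeholders kept).
PC_NETDEV = """[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKey=<PCprivKey>
[WireGuardPeer]
PublicKey=<VMpubKey>
PresharedKey=<PreSharedKey1>
AllowedIPs=10.0.0.1/24
Endpoint=<HostServerPublicIP>:30000
"""
PC_NETWORK = "[Match]\nName=wg0\n[Network]\nAddress=10.0.0.20/32\n[Link]\nActivationPolicy=manual\n"
# Constructed fix: same file plus the route the thread ended up adding by hand.
PC_NETWORK_FIXED = PC_NETWORK + "[Route]\nDestination=10.0.0.0/24\n"
VM_NETDEV = ("[NetDev]\nName=wg0\nKind=wireguard\n[WireGuard]\nListenPort=30000\n"
             "PrivateKey=<VMprivkey>\n[WireGuardPeer]\nPublicKey=<PCpubkey>\n"
             "PresharedKey=<PreSharedKey1>\nAllowedIPs=10.0.0.20/32\n")
VM_NETWORK = "[Match]\nName=wg0\n[Network]\nAddress=10.0.0.1/24\n"

if __name__ == "__main__":
    for label, nd, nw in (("PC", PC_NETDEV, PC_NETWORK), ("PC fixed", PC_NETDEV, PC_NETWORK_FIXED),
                          ("VM", VM_NETDEV, VM_NETWORK)):
        gap = missing_routes(nd, nw)
        print(f"{label}: unrouted AllowedIPs = {[str(n) for n in gap]}")
        if gap:
            print(route_sections(nd, nw), end="")
```

On the PC config it reports 10.0.0.0/24 as unrouted and prints the [Route] section to add; the VM config, whose Address= is a /24, comes back clean, matching the two routing tables above.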
Works for me, I don't have a [Route] section. But I also don't use additional subnets, just the subnet that wireguard itself uses.
You specify Wireguard IP with netmask /24 and you're good to go. route -n shows the appropriate 255.255.255.0 subnet route for each wireguard iface.
You can also check `networkctl status --all --full` to see if there is any specific problem with your configuration (if there is an obvious configuration error somewhere, it might complain about it).