Hey there.
For some reason, my VPN connection to my Wireguard VPS broke this weekend, on my laptop using NetworkManager, openresolv and wg-quick.
All my other clients have no issue, including my phone with the Wireguard app.
This is my configuration:
# /etc/wireguard/wg0.conf
[Interface]
Address = 10.20.30.4/32, fd42::4/128
PrivateKey = REDACTED
DNS = 10.20.30.1, fd42::1
[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
Endpoint = 123.123.123.123:51820
AllowedIPs = 0.0.0.0/0, ::/0
Pretty standard stuff. NetworkManager modifications:
# /etc/NetworkManager/conf.d/unmanaged.conf
unmanaged-devices=type:wireguard
For openresolv:
# /etc/NetworkManager/conf.d/rc-manager.conf
[main]
rc-manager=resolvconf
Mind you that I did not have these mods when it was working initially, but I decided to keep them (cf. archwiki).
When connected via `wg-quick up wg0`:
$ wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.20.30.4/32 dev wg0
[#] ip -6 address add fd42::4/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
$ routel
Dst Gateway Prefsrc Protocol Scope Dev Table
default link wg0 51820
default 192.168.1.1 192.168.1.225 dhcp wlp59s0
192.168.1.0/24 192.168.1.225 kernel link wlp59s0
10.20.30.4 10.20.30.4 kernel host wg0 local
127.0.0.0/8 127.0.0.1 kernel host lo local
127.0.0.1 127.0.0.1 kernel host lo local
127.255.255.255 127.0.0.1 kernel link lo local
192.168.1.225 192.168.1.225 kernel host wlp59s0 local
192.168.1.255 192.168.1.225 kernel link wlp59s0 local
$ routel -6
Dst Gateway Prefsrc Protocol Scope Dev Table
default wg0 51820
fd42::4 kernel wg0
fe80::/64 kernel wlp59s0
::1 kernel lo local
fd42::4 kernel wg0 local
fe80::f816:b636:a9da:dac3 kernel wlp59s0 local
ff00::/8 kernel wlp59s0 local
ff00::/8 kernel wg0 local
$ ip route
default via 192.168.1.1 dev wlp59s0 proto dhcp src 192.168.1.225 metric 20600
192.168.1.0/24 dev wlp59s0 proto kernel scope link src 192.168.1.225 metric 600
Which is my home router gateway.
# /etc/resolv.conf
# Generated by resolvconf
nameserver 10.20.30.1
nameserver fd42::1
Now, the funny thing is:
I can ping any other host in the fd42::0/112 subnet using IPv6, but none of them using 10.20.30.0/24.
When I SSH into my VPS however, I can ping 10.20.30.4 (my laptop) no problem.
Using tcpdump on my VPS, filtering by src 10.20.30.4, I can see that the ping packets sent when running `ping 10.20.30.1` on my laptop are reaching the VPS, but there is 100% packet loss on the laptop's side. Any IPv4 connections made on my laptop when connected to the wireguard vpn time out. This includes pings to really basic stuff like 1.1.1.1. (Pinging their v6, 2606:4700:4700::1111, works however???)
Also, turning on wireguard debugging via
# modprobe wireguard
# echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
doesn't show anything interesting, apart from successful handshakes and keepalive packets being received from the VPS.
I have tried lots of stuff, most of it being somewhat aimless tries of botching it to work again, including:
- switching to NetworkManager-git and wireguard-tools-git
- LTS kernel
- using IPv6 endpoint in my laptop's configuration
This can't be a firewall issue on my VPS because, again, all my other devices have absolutely zero issues, including roaming clients (my phone).
Does any of this stick out to you like a sore thumb? How should I keep debugging this? I have totally run out of ideas.
Last edited by Sir-Photch (2024-07-16 13:53:18)
Hmmm - I would never set "this host only" interface addresses for the wireguard interface.
Try
Address = 10.20.30.4/24, fd42::4/64
in your wg0.conf.
Hmm, makes sense. Wouldn't the v6 address have to be /112 though? Or does that even matter? I have /32 and /128 set for my other hosts...
Anyway, unfortunately this doesn't solve the problem.
Just for clarification: Normally WireGuard interfaces have transit/tunnel network IP addresses and both sides need to route other networks accordingly. For example: My WireGuard clients and the WireGuard "server" share a 10.x.x.x tunnel network that's only used for transit traffic. The peers I need to reach behind the "server" have a different IPv4 scheme.
Your question sounds like you have a network of non-VPN 10.20.30.x hosts you want to reach via the VPS (presumably 10.20.30.1). Is that correct? Or do you mean other VPN peers?
I mean other VPN peers, that are also connected via wireguard. So each of the 10.20.30.x hosts are Wireguard "clients" present in the server's wg0.conf.
Is the interface on the "server" configured with a /24 mask? If not, try it.
Yes, I have configured a 0xFFFFFF00 netmask. V6 has a 112 prefix.
Okay, so apparently my laptop's IP somehow got added to the blocklist of my server's firewall. Sorry for wasting everyone's time! :')
For reference, I checked via (OpenBSD packet filter):
# pfctl -t mytable -T show
And removed my entry via
# pfctl -t mytable -T delete 10.20.30.4
Last edited by Sir-Photch (2024-07-16 13:53:02)
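As an added diagnostic for the failure mode this thread ends on (not code from any post above), a POSIX shell function that cross-checks a pf table's entries against the tunnel addresses of the server's WireGuard peers, so a peer that has been swept into a blocklist shows up in one step. The table name mytable and interface wg0 come from the thread; the peer keys and both listings are constructed samples standing in for the real pfctl and wg output.

```shell
#!/bin/sh
# Constructed stand-in for the output of: pfctl -t mytable -T show
PF_TABLE='   203.0.113.7
   10.20.30.4
   198.51.100.23'

# Constructed stand-in for: wg show wg0 allowed-ips
# Real output is "<pubkey><TAB><cidr> <cidr>..."; read(1) splits on tabs or spaces.
WG_ALLOWED='PEERKEY_A= 10.20.30.4/32 fd42::4/128
PEERKEY_B= 10.20.30.5/32 fd42::5/128
PEERKEY_C= 10.20.30.6/32 fd42::6/128'

# Print "<address> <peer-pubkey>" for every peer whose host-only tunnel
# address (/32 or /128) appears in the pf table.
#   $1 = pf table listing, $2 = wg allowed-ips listing
blocked_peers() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | while read -r addr; do
        [ -n "$addr" ] || continue
        printf '%s\n' "$2" | while read -r key ips; do
            for cidr in $ips; do
                case "$cidr" in
                    "$addr/32"|"$addr/128") printf '%s %s\n' "$addr" "$key" ;;
                esac
            done
        done
    done
}

# Live use on the OpenBSD WireGuard server (as root):
#   blocked_peers "$(pfctl -t mytable -T show)" "$(wg show wg0 allowed-ips)"
# Once an entry is confirmed to be a false positive, clear it with
#   pfctl -t mytable -T delete <address>
blocked_peers "$PF_TABLE" "$WG_ALLOWED"
```

A handshake that succeeds while IPv4 replies never arrive is exactly the signature a table-based block produces, since pf drops the decrypted inner traffic rather than the UDP tunnel packets.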