I have an interface wg0, a WireGuard interface generated by a WireGuard client running on machineA which is connected to a server. Everything works as expected.

I route traffic from wg0 to eth3 - a LAN interface on machineA - using netfilter (iptables/ip6tables). Just about everything works as expected from machineB, a machine connected to eth3, minus connectivity to certain websites, for example duckduckgo.com.

From machineA I can do:

> wget https://duckduckgo.com
--2020-11-17 17:24:30--  https://duckduckgo.com/
Resolving duckduckgo.com (duckduckgo.com)...
Connecting to duckduckgo.com (duckduckgo.com)||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5763 (5.6K) [text/html]
Saving to: ‘index.html’

But from machineB I get:

> wget https://duckduckgo.com
--2020-11-17 18:25:35--  https://duckduckgo.com/
Resolving duckduckgo.com (duckduckgo.com)...
Connecting to duckduckgo.com (duckduckgo.com)||:443... connected.

And nothing more. DNS doesn't seem to be the problem. The *filter policy in my netfilter has:


So I don't think it's outbound traffic that's being stopped.

Another example is Jitsi - from machineA:

> wget https://meet.jit.si
--2020-11-17 17:39:49--  https://meet.jit.si/
Resolving meet.jit.si (meet.jit.si)... 2a05:d014:fc7:5402:5179:fc03:7ea9:eceb, 2a05:d014:fc7:5401:eb50:330e:f554:5477,, ...
Connecting to meet.jit.si (meet.jit.si)|2a05:d014:fc7:5402:5179:fc03:7ea9:eceb|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                        [ <=>                                           ]  50.43K  --.-KB/s    in 0.04s   

2020-11-17 17:39:49 (1.19 MB/s) - ‘index.html’ saved [51639]

And from machineB:

> wget https://meet.jit.si
--2020-11-17 18:40:07--  https://meet.jit.si/
Resolving meet.jit.si (meet.jit.si)...,, 2a05:d014:fc7:5401:eb50:330e:f554:5477, ...
Connecting to meet.jit.si (meet.jit.si)||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
index.html: Permission denied

Cannot write to ‘index.html’ (Success).

I don't understand why I should have 'Permission denied' on machineB.

I'm not looking for a definitive answer here, just help in identifying areas of research. Does anybody have any ideas on where else to look?

  • 1
    The 1st problem could be a [PMTUD](https://en.wikipedia.org/wiki/Path_MTU_Discovery) issue due to the use of a tunnel (and to some ICMP lost somewhere). The other things are unrelated. One is using IPv6 (is your tunnel using IPv6?) the other is about permissions to write a file. – A.B Nov 17 '20 at 18:22
  • 1
    Thanks. I had read about MTU issues and had modified the WireGuard server MTU parameter, but it didn't seem to make a difference. If it was MTU, would these sites work on machineA but not machineB? I agree that the 'permission denied' is a red herring. IPv6 on the wg0 interface, and IPv6 routed via NAT (WireGuard only gives a single /128 address) to a ULA IPv6 network on eth3. – Shunyata Kharg Nov 17 '20 at 20:31
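As an added worked example (not from the question or the comments), this script spells out the MTU arithmetic behind A.B's PMTUD hypothesis and prints the MSS clamp a forwarding host such as machineA normally applies to LAN traffic entering the tunnel. The interface names eth3 and wg0 come from the question; the 1500-byte outer MTU and the IPv6 endpoint are assumptions.

```sh
#!/bin/sh
# Added example, not code from the question. Overheads are fixed protocol
# sizes: IPv4 header 20, IPv6 header 40, UDP 8, WireGuard transport header
# 32 (type 4 + receiver index 4 + counter 8 + Poly1305 tag 16).

# Inner MTU the tunnel can carry when the encrypted outer packet must fit
# OUTER bytes and the peer is reached over IPv4 (family 4) or IPv6 (family 6).
wg_inner_mtu() {
    outer=$1; family=$2
    case $family in
        4) echo $((outer - 20 - 8 - 32)) ;;
        6) echo $((outer - 40 - 8 - 32)) ;;
        *) echo "unknown family: $family" >&2; return 1 ;;
    esac
}

# Largest TCP MSS that fits an inner MTU: subtract the inner IP header
# (20 for IPv4, 40 for IPv6) and the 20-byte TCP header.
tcp_mss_for_mtu() {
    mtu=$1; family=$2
    case $family in
        4) echo $((mtu - 20 - 20)) ;;
        6) echo $((mtu - 40 - 20)) ;;
        *) echo "unknown family: $family" >&2; return 1 ;;
    esac
}

# Print (do not apply) the mangle rules that clamp MSS on TCP SYNs forwarded
# from the LAN interface into the tunnel, one per address family. This lets
# machineB's TCP sessions fit the tunnel even when ICMP "too big" is lost.
print_clamp_rules() {
    lan=$1; tun=$2
    for tool in iptables ip6tables; do
        echo "$tool -t mangle -A FORWARD -i $lan -o $tun -p tcp" \
             "--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    done
}

# Worked case: WireGuard peer reached over IPv6 with a 1500-byte outer MTU
# (assumed), LAN eth3 forwarded into wg0 as in the question.
main() {
    mtu=$(wg_inner_mtu 1500 6)   # 1420, which is also wg-quick's default
    echo "wg0 MTU should be $mtu (ip link set dev wg0 mtu $mtu)"
    echo "IPv6 TCP MSS over wg0 must not exceed $(tcp_mss_for_mtu "$mtu" 6)"
    echo "IPv4 TCP MSS over wg0 must not exceed $(tcp_mss_for_mtu "$mtu" 4)"
    print_clamp_rules eth3 wg0
}

main "$@"
```

A quick confirmation of the hypothesis without any rule changes is to send large packets from machineB with fragmentation disallowed (`ping -M do -s <size>`) and see whether sizes above the inner MTU are answered.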

0 Answers