
I have a server (10.42.0.1) and a client (10.42.0.2), both with wg. I've configured both using the wg command in a way that they should be able to talk to each other.

client wg:

interface: wg0
  public key: abc123=
  private key: (hidden)
  listening port: 51820

peer: xyz987=
  endpoint: 15.14.13.12:51820
  allowed ips: 10.42.0.0/24
  transfer: 0 B received, 7.37 KiB sent

server wg:

interface: wg0
  public key: xyz987=
  private key: (hidden)
  listening port: 51820

peer: abc123=
  allowed ips: 10.42.0.0/24

However (as you might be able to see already), my server is totally oblivious to my client. Pinging from the client and running tcpdump -i wg0 on the server logs no traffic.

Client ping:

PING 10.42.0.1 (10.42.0.1) 56(84) bytes of data.
^C
--- 10.42.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4046ms

Server tcpdump -i wg0:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes

0 packets captured
0 packets received by filter
0 packets dropped by kernel

Trying to ping the client from the server results in ping: sendmsg: Destination address required, but that is to be expected since there is no endpoint specified for the client.

The firewall should not be getting in the way; that said, I'm not an expert on iptables.

Server iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

I know opening all the ports on my server is dangerous, but I'll fix it when I can get WireGuard working. I'm hoping that the fix to my problem is something easy that I'm looking over, but I've tried everything that the google machine has to offer and nothing is working.

inzig0
  • You can't build site-to-site VPN when both locations are using the same network. BTW: `iptables -S` produces better output. – Virsacer Mar 03 '22 at 17:53
  • @Virsacer I’m not trying to build a site-to-site VPN, and the IPs are the addresses assigned to the wg0 interface. I’ll add the output of `iptables -S` when I have access to my server, I’m at school rn. – inzig0 Mar 03 '22 at 19:05
  • Ok, then AllowedIPs should be peer's WG-IP/32. Output of `ip r` might also help. – Virsacer Mar 03 '22 at 19:47
  • @Virsacer I've changed the AllowedIPs, and the route is there. However, trying the ping again with the changed AllowedIPs now throws `ping: sendmsg: Required key not available` – inzig0 Mar 03 '22 at 22:41
  • Please give all the network settings for the server: `ip -br link; ip -br address; ip route; ip rule` + `iptables-save -c` (includes all rules and -c counts where a rule matches). Just in case you should give the same for the client. Feel free to obfuscate, but don't omit. – A.B Mar 05 '22 at 10:02
  • Anyway in the (incomplete by default) output of iptables -L, I can't see how UDP port 51820 is accepted. – A.B Mar 05 '22 at 10:06
  • @A.B I configured iptables to accept all traffic from anywhere, you can see that in the input chain. I’ll add the output of the other commands now – inzig0 Mar 05 '22 at 18:16
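As an added example (not code from the question or its comments), the following Python script reproduces WireGuard's peer-selection logic offline and lints a `wg show <iface> dump` listing for the mistakes the comments point at. It explains the two ping errors seen above: "Destination address required" is what the kernel returns when the matching peer has no endpoint yet (the server never heard from the client), and "Required key not available" is what it returns when no peer's AllowedIPs covers the destination address at all, which is what happens if the peer entry gets the wrong /32. The dump text, the interface address 10.42.0.1 and the endpoint 203.0.113.5 are constructed; the keys are the placeholders from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: what `wg show wg0 dump` would print for the server in the
# question (tab-separated; first line is the interface, one line per peer).
SERVER_DUMP = (
    "PRIVATE_KEY_REDACTED\txyz987=\t51820\toff\n"
    "abc123=\t(none)\t(none)\t10.42.0.0/24\t0\t0\t0\toff\n"
)

@dataclass
class Peer:
    pubkey: str
    endpoint: Optional[str]                  # None when wg prints "(none)"
    allowed_ips: List[ipaddress.IPv4Network]
    latest_handshake: int                    # unix time, 0 = never
    keepalive: str                           # seconds or "off"

def parse_wg_dump(text: str) -> Tuple[int, List[Peer]]:
    """Parse the `wg show <iface> dump` format into (listen_port, peers)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    listen_port = int(lines[0].split("\t")[2])
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        nets = [ipaddress.ip_network(n, strict=False)
                for n in f[3].split(",") if n != "(none)"]
        peers.append(Peer(f[0], None if f[2] == "(none)" else f[2],
                          nets, int(f[4]), f[7]))
    return listen_port, peers

def peer_for(dst: str, peers: List[Peer]) -> Tuple[Optional[Peer], Optional[str]]:
    """Mimic WireGuard's send path: longest-prefix match of dst against every
    peer's AllowedIPs. Returns (peer, error), error being the text ping shows."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in peers:
        for net in p.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    if best is None:
        return None, "Required key not available"    # ENOKEY: no peer owns dst
    if best.endpoint is None:
        return best, "Destination address required"  # EDESTADDRREQ: peer never seen
    return best, None

def lint(iface_addr: str, listen_port: int, peers: List[Peer]) -> List[str]:
    """Flag the configuration problems discussed in the comments."""
    me = ipaddress.ip_address(iface_addr)
    findings = []
    for p in peers:
        if p.latest_handshake == 0:
            findings.append(f"{p.pubkey}: no handshake has ever completed; confirm UDP "
                            f"{listen_port} reaches this host and the public keys are swapped")
        if p.endpoint is None and p.keepalive == "off":
            findings.append(f"{p.pubkey}: no endpoint and no keepalive, so this side "
                            "cannot initiate; the peer must send the first handshake")
        for net in p.allowed_ips:
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{p.pubkey}: AllowedIPs {net} is a whole range, not a "
                                "host route; for a single peer use <peer tunnel IP>/32")
            if me in net:
                findings.append(f"{p.pubkey}: AllowedIPs {net} includes this "
                                f"interface's own address {me}")
    # An AllowedIPs range belongs to exactly one peer: configuring it on a second
    # peer silently moves it there, so overlaps between peers are a misconfiguration.
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            for na in a.allowed_ips:
                for nb in b.allowed_ips:
                    if na.overlaps(nb):
                        findings.append(f"{a.pubkey} and {b.pubkey}: AllowedIPs "
                                        f"{na} and {nb} overlap")
    return findings

if __name__ == "__main__":
    port, peers = parse_wg_dump(SERVER_DUMP)
    for line in lint("10.42.0.1", port, peers):
        print("-", line)
    print(peer_for("10.42.0.2", peers)[1])  # the server's ping error from the question
```

Run it against the real output of `wg show wg0 dump` on each host (with the interface address from `ip -br address`) to see which of the findings applies; an empty list from `lint` plus a non-zero latest-handshake is the state you want on both sides.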

0 Answers