0

I've been a happy WireGuard user for several years and never had any issues. Today, for seemingly no reason, I started having issues.

I ran wg-quick up $profile as root and that terminal session locked up (ctrl+c/d etc don't kill it). The only output was [#] ip link add $profile type wireguard.

Here's my config:

[Interface]
PrivateKey = $privatekey
Address = 10.19.49.3/24,fd9d:bc11:4021::3/48
DNS = 172.16.0.1

[Peer]
PublicKey = $publickey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $ipaddress:$port
PersistentKeepalive = 25

(with the $variables filled in obviously)

I looked in dmesg but wireguard/wg aren't mentioned a single time in it.

How should I proceed? I don't see a --verbose option on wg-quick. What is a good way of debugging this?


Here's the process list:

root      432947  0.0  0.0  17000  7772 pts/5    S+   10:17   0:00 sudo wg-quick up $profile
root      432948  0.0  0.0   8060  4244 pts/5    S+   10:17   0:00 /bin/bash /usr/bin/wg-quick up $profile
root      925699  0.0  0.0      0     0 pts/5    Z+   10:58   0:00 [wg-quick] <defunct>

Attaching to the sudo wg-quick $profile up process (432947):

[#0] 0x7f96c084b34f → ppoll()
[#1] 0x7f96c099d169 → sudo_ev_loop_v1()
[#2] 0x563081408861 → add eax, 0x1
[#3] 0x56308140261c → xor r8d, r8d
[#4] 0x5630813eeb38 → mov ebx, eax
[#5] 0x7f96c0772310 → __libc_start_call_main()
[#6] 0x7f96c07723c1 → __libc_start_main_impl()
[#7] 0x5630813eeda5 → hlt 

Attaching to [wg-quick] <defunct> (925699):

warning: process 925699 is a zombie - the process has already terminated
ptrace: Operation not permitted.

NOTE: I lost the SSH key for the server so I can't debug from that side, but the SSH pubkey denied message confirms the server is indeed running still.

EDIT: I just tested, and the server works if I use the same WireGuard configuration from my phone. How can I debug this client?

Aaron Esau
  • use the (recover) console from your provider to access the service – djdomi Apr 14 '22 at 17:22
  • I did try that, but this AWS instance is _very_ old, and the web UI informed me that it does not support connecting in that way. – Aaron Esau Apr 14 '22 at 17:55
  • In the near future I'll attach the volume to another instance and just add the key manually but I figured I'd ask here if there's a good way to debug the client first. Edit: I should also add that the server works if I use the same WireGuard configuration from my phone. – Aaron Esau Apr 14 '22 at 17:56

1 Answer

0

First, add the Table = off option under [Interface]. Because your AllowedIPs are 0.0.0.0/0, the default gateway might be changed to the WireGuard server, which causes the lost SSH control in your case.

With the Table = off option, you can probably get the shell prompt back after launching wg-quick. Then you can try network tools such as ping, traceroute, etc. and see what’s wrong.

3735943886
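
An added example, not part of the answer above and not WireGuard's own code: a Python check that reads a wg-quick config and reports whether bringing it up would redirect the default route, which is the behaviour Table = off suppresses. The sample config is constructed from the question's, with placeholder keys and a documentation-range endpoint; the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the question's config with placeholder keys and a
# documentation-range endpoint (assumptions, not values from the page).
SAMPLE = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.19.49.3/24,fd9d:bc11:4021::3/48
DNS = 172.16.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 25
"""

def parse(text):
    """Return (interface, peers); keys lower-cased, values kept as lists."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, _, value = line.partition("=")
            cur.setdefault(key.strip().lower(), []).append(value.strip())
    return iface, peers

def default_route_takeover(text):
    """Address families whose default route wg-quick would redirect."""
    iface, peers = parse(text)
    # Only Table = auto (the default) gets wg-quick's default-route handling;
    # "off" creates no routes, an explicit table just receives them.
    if iface.get("table", ["auto"])[-1].lower() != "auto":
        return []
    families = set()
    for peer in peers:
        for cidr in ",".join(peer.get("allowedips", [])).split(","):
            if not cidr.strip():
                continue
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.prefixlen == 0:
                families.add("IPv%d" % net.version)
    return sorted(families)
```

For the sample as written the function returns both address families; with Table = off added under [Interface], or with AllowedIPs narrowed to the tunnel subnet, it returns an empty list.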