0

This is my wireguard client config:

[Interface]
Address = 9.0.0.2/32
PrivateKey = <private>

[Peer]
PublicKey = <server-pubkey>
Endpoint = <server-ip>:50123
PersistentKeepalive = 25
AllowedIPs = 9.0.0.0/24

I see in wireshark the Handshake Initiation, and the source and destination addresses are correct, but I am not getting responses from the server.

But when I run `tcpdump -n -X -i ens160 udp port 50123` on the server I see nothing. I thought there was a problem with the firewall, but no. I tried to send something over socat (`socat udp:<server-ip>:50123 -`) and it worked (tcpdump printed results).

But the server still can't receive packets (datagrams) from the wireguard client.

I tried a workaround using socat as a relay:

socat udp-listen:50123  udp:<server-ip>:50123

and changed `Endpoint = <server-ip>:50123` to `Endpoint = 127.0.0.1:50123`

And it started to work. But why does it work over socat and not using a direct connection?

I have these versions:
client: wireguard-tools 1.0.20210914-1 (archlinux)
server: wireguard-tools 1.0.20200513-1~20.04.2 (Ubuntu 20.04 LTS)

PS: I tried the same client setup on android and it worked; there must be some problem with the archlinux version. Dmesg says this (on archlinux):

[12592.005135] wireguard: wg0: No peer has allowed IPs matching 239.255.255.250
[12595.005999] wireguard: wg0: No peer has allowed IPs matching 224.0.0.251
[12595.006217] wireguard: wg0: No peer has allowed IPs matching 224.0.0.251
[12595.014611] wireguard: wg0: No peer has allowed IPs matching 224.0.0.22
[12595.777939] wireguard: wg0: No peer has allowed IPs matching 224.0.0.22
[12596.007290] wireguard: wg0: No peer has allowed IPs matching 224.0.0.251
[12596.007428] wireguard: wg0: No peer has allowed IPs matching 224.0.0.251
[12596.817910] wireguard: wg0: Handshake for peer 43 (<server-ip>:50123) did not complete after 5 seconds, retrying (try 2)
[12596.817942] wireguard: wg0: Sending handshake initiation to peer 43 (<server-ip>:50123)

Where <server-ip> is the IP of the server, but I must keep the IP secret so I replaced it with this keyword.

T0maas
  • It's probably not related, but do you really use `9.0.0.0/24`? Do you represent [IBM](http://ibm.com/) (who owns this address block)? If not, you are not allowed to use this address range for anything. You are only allowed to use public addresses which you bought or private addresses described in RFC1918. And no, this is not a minor issue. – Nikita Kipriyanov Jun 11 '22 at 19:25
  • "Questions should demonstrate **reasonable information technology management practices**." – Nikita Kipriyanov Jun 11 '22 at 19:28
  • Nikita Kipriyanov, what do you think? I have a problem that I described above and I need help. I am a newbie in wireguard configuration and I don't know any reasonable information technology management practices about that problem. – T0maas Jun 12 '22 at 11:16
  • I changed the ip number from 9 to 10, but the problem persists. – T0maas Jun 12 '22 at 11:17
  • But that doesn't explain the problem of why it works over socat. – T0maas Jun 12 '22 at 11:23
  • I tried exactly the same setup as described above without socat on mobile LTE (over hotspot) and it worked. There must be some problem with my router or ISP. – T0maas Jun 12 '22 at 11:58
  • The problem might be with my asus RT-AC750 router. – T0maas Jun 12 '22 at 12:24

1 Answer

0

I think your problem is the /32 in the client address. That way the interface can only reach itself. Try it like this:

[Interface]
Address = 10.0.0.2/24
PrivateKey = <private>

[Peer]
PublicKey = <server-pubkey>
Endpoint = <server-ip>:50123
PersistentKeepalive = 25
AllowedIPs = 10.0.0.0/24

user199239
  • But this does not explain why I can connect using the LTE network, but not over my ISP. It also works over socat with my ISP. – T0maas Aug 04 '22 at 06:26
  • Are you using wg-quick @T0maas? `# wg-quick up /etc/wireguard/` – user199239 Aug 07 '22 at 19:36
  • Yes, I am using wg-quick – T0maas Aug 09 '22 at 12:33
  • There may be a problem with TTL; how can I set TTL in the wireguard config? – T0maas Sep 04 '22 at 11:26
  • Can you try to upgrade the server version? It could be the problem. If you have virtualbox, just run archlinux live and try it without installing a new OS - just get the latest iso and `pacman -Sy wireguard-dkms wireguard-tools` – user199239 Sep 16 '22 at 12:44
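As an added example (not code from the question, the answer, or the WireGuard project), a small Python checker that runs the two sanity checks a reviewer would apply to this thread: whether the Interface Address sits inside a peer's AllowedIPs and in RFC1918 space, and which of the dmesg lines quoted in the question are harmless multicast noise (mDNS/SSDP traffic hitting wg0) versus a real routing gap or a handshake timeout, which is the symptom here: the initiation leaves the client but nothing arrives on the server's UDP port. The config and log samples are constructed from the question's text; with wg-quick the tunnel routes come from AllowedIPs, so the /32 versus /24 mask on Address does not by itself decide reachability.

```python
import ipaddress
import re
# Constructed sample: the question's client config, trimmed to the routing-relevant keys.
SAMPLE_CONFIG = """[Interface]
Address = 9.0.0.2/32
[Peer]
AllowedIPs = 9.0.0.0/24
"""
# Constructed sample: kernel messages of the shape quoted in the question.
SAMPLE_DMESG = """[12592.005135] wireguard: wg0: No peer has allowed IPs matching 239.255.255.250
[12596.817910] wireguard: wg0: Handshake for peer 43 (<server-ip>:50123) did not complete after 5 seconds, retrying (try 2)
"""

def parse_wg_config(text):
    """Minimal parser for the INI-style wg config: (interface dict, list of peer dicts)."""
    interface, peers, section = {}, [], {}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line == "[Interface]":
            section = interface
        elif line == "[Peer]":
            peers.append(section := {})
        elif line:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return interface, peers

def check_config(text):
    """Cross-check the Interface Address against every peer's AllowedIPs; returns findings."""
    interface, peers = parse_wg_config(text)
    nets = [ipaddress.ip_network(c.strip(), strict=False)
            for p in peers for c in p.get("AllowedIPs", "").split(",") if c.strip()]
    ip = ipaddress.ip_interface(interface["Address"].split(",")[0].strip())  # first Address only
    findings = []
    if not any(ip.ip in n for n in nets):  # no peer would ever carry traffic for this address
        findings.append(f"{ip.ip} is not inside any peer AllowedIPs")
    if not ip.network.is_private:  # tunnel addresses should come from RFC1918 space
        findings.append(f"{ip.network} is not an RFC1918 private range")
    return findings

def classify_dmesg(text):
    """Label kernel lines: multicast 'no peer' hits are mDNS/SSDP noise, unicast ones a real
    AllowedIPs gap, and a handshake timeout means the UDP path to the endpoint is not working."""
    labels = []
    for line in text.splitlines():
        if m := re.search(r"No peer has allowed IPs matching (\S+)", line):
            labels.append(("multicast-noise" if ipaddress.ip_address(m.group(1)).is_multicast else "no-route", m.group(1)))
        elif m := re.search(r"Handshake for peer \d+ \((\S+)\) did not complete", line):
            labels.append(("handshake-timeout", m.group(1)))
    return labels
```

Feeding the answer's 10.0.0.2/24 config through `check_config` returns no findings, while the original 9.0.0.2/32 config is flagged only for the non-RFC1918 range, not for the mask.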