WireGuard Archive on lore.kernel.org
* problems setting up wireguard: no traffic but keepalives reach the server
@ 2019-01-01 21:05 Wojtek Swiatek
From: Wojtek Swiatek @ 2019-01-01 21:05 UTC (permalink / raw)
  To: wireguard


Hello everyone,

I have just installed wireguard so I apologise if some things I missed may
be obvious. As a background: I have a working OpenVPN connection to my
server and wanted to have a wireguard setup in parallel to compare both.
The server is installed on an Ubuntu bionic (LTS) and the client is on an AWS
machine (Ubuntu as well).

Server perspective:

root@srv /e/wireguard# wg show
interface: wg0
  public key: A7MreEBC3maH305tVrU0HEoQrBhy+An6KlvZ+z9KFRA=
  private key: (hidden)
  listening port: 51820

peer: 2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=
  preshared key: (hidden)
  allowed ips: 0.0.0.0/0

Client perspective (X.X.X.X is my Internet-facing IP):

# wg show
interface: wg0
  public key: 2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=
  private key: (hidden)
  listening port: 33960

peer: YUd1mFAOyn01G2/n942hk9LZ0mfhUm4nHb/3xMVSETc=
  preshared key: (hidden)
  endpoint: X.X.X.X:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 98.86 KiB sent
  persistent keepalive: every 10 seconds


On the server, the traffic to wg0 is redirected (to wg0) for port 51820. I
am surprised that there is no actual service listening to 51820 (as seen by
lsof or netstat) but I assume this is some wireguard voodoo (such as "if a
packet directed to port 51820 gets to me (wg0) then I will be correctly
dealing with it").

I then tried to ping:

- on the client: the IP of its own wg0 (10.250.0.1): OK
- on the server: the IP of its own wg0 (10.250.0.254): OK
- on the client: 10.250.0.254 (the IP of the other side of the VPN = on the
server): KO = nothing happens (ICMP echo is sent, as seen on tcpdump)
- on the server: 10.250.0.1 (the IP of the other side of the VPN = on the
client): KO =

root@srv ~# ping 10.250.0.1
PING 10.250.0.1 (10.250.0.1) 56(84) bytes of data.
From 10.250.0.254 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
ping: sendmsg: Destination address required
From 10.250.0.254 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.250.0.254 icmp_seq=3 Destination Host Unreachable
From 10.250.0.254 icmp_seq=4 Destination Host Unreachable

I had a look at my internet interface (tcpdump filtered on port 51820) and
I see, every 10 seconds, a UDP packet coming in (192.168.0.10 is the IP of
the internet-exposed dev):

root@srv ~# tcpdump -i any port 51820 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:15:41.944090 IP 35.180.168.248.33960 > 192.168.0.10.51820: UDP, length 148
21:15:47.320081 IP 35.180.168.248.33960 > 192.168.0.10.51820: UDP, length 148

So this means that the client sends a UDP packet to the external IP
(X.X.X.X), to port 51820. This packet is then forwarded to interface wg0.

Is there a way to check with wireguard that a connection is established (=
that the server receives data, or a connection attempt (even unsuccessful)
is being done)?


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: problems setting up wireguard: no traffic but keepalives reach the server
@ 2019-01-16  8:19 ` Vincent Wiemann
From: Vincent Wiemann @ 2019-01-16  8:19 UTC (permalink / raw)
  To: wireguard

Hi Wojtek,

your public keys don't match:
> Server perspective:
>   public key: A7MreEBC3maH305tVrU0HEoQrBhy+An6KlvZ+z9KFRA=
> Client perspective (X.X.X.X is my Internet-facing IP):
> peer: YUd1mFAOyn01G2/n942hk9LZ0mfhUm4nHb/3xMVSETc=

Regards,

Vincent Wiemann
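A small consistency check for the mismatch Vincent points out, added here as an example and not part of the thread or of the WireGuard project: it parses `wg show` output from both ends (abridged copies of the two dumps quoted above are embedded as constants) and reports when a side's `peer:` entry does not carry the other side's interface public key, and when a peer has only ever sent data without a `latest handshake` line, which is how a wrong peer key looks from the sending side.

```python
# Added example for this thread (not WireGuard project code); see lead-in.
import re
# Abridged copies of the two `wg show` dumps quoted in the thread.
SERVER = """\
interface: wg0
  public key: A7MreEBC3maH305tVrU0HEoQrBhy+An6KlvZ+z9KFRA=

peer: 2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=
"""
CLIENT = """\
interface: wg0
  public key: 2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=

peer: YUd1mFAOyn01G2/n942hk9LZ0mfhUm4nHb/3xMVSETc=
  endpoint: X.X.X.X:51820
  transfer: 0 B received, 98.86 KiB sent
"""

def parse_wg_show(text):
    """Return {"public_key": str, "peers": {peer_key: {field: value}}}."""
    dump, current = {"public_key": "", "peers": {}}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("interface:"):
            current = None              # fields now belong to the interface
            continue
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            dump["peers"][current] = {}
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if current is None and key == "public key":
            dump["public_key"] = value
        elif current is not None:
            dump["peers"][current][key] = value
    return dump

def diagnose(a, b):
    """Each side must list the other's key; 0 B received + no handshake = no valid reply."""
    findings = []
    for me, other, label in ((a, b, "A"), (b, a, "B")):
        if other["public_key"] not in me["peers"]:
            findings.append(f"{label}: no peer matches remote key {other['public_key']}")
        for key, f in me["peers"].items():
            rx = re.match(r"(\S+ \S+) received", f.get("transfer", ""))
            if "latest handshake" not in f and rx and rx.group(1) == "0 B":
                findings.append(f"{label}: peer {key} sent data but never completed a handshake")
    return findings
```

Run `diagnose(parse_wg_show(CLIENT), parse_wg_show(SERVER))` to get both findings for the dumps above; swapping the client's peer key for the server's real interface key leaves only the handshake finding, since the dump itself is unchanged.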