* Connection works, ping does not
From: Hendrik Friedel @ 2020-11-22 19:39 UTC
  To: wireguard

Hello,

(I posted this a while ago, but it never appeared on the list; if the list is the wrong place for this question, please let me know; I would appreciate a hint for a more appropriate place)

I am using wireguard to connect two machines.
My local server is connected to the internet via a router. I am using this Server also for connecting other devices (e.g. mobile phones) to my home network. This works great.

But when connecting to another server (both debian 10), I only get a successful connection, but no ping.

*My server:*

wg show
interface: wgnet0
  public key: xxxxx=
  private key: (hidden)
  listening port: 51820

peer: sdfsdfsdfsdfsdfsdf=
  endpoint: 109.41.64.83:15167
  allowed ips: 10.192.122.2/32
  latest handshake: 1 minute, 7 seconds ago
  transfer: 10.95 MiB received, 40.35 MiB sent

peer: yyyy=
  endpoint: 185.22.142.254:51380
  allowed ips: 10.192.122.3/32
  transfer: 0 B received, 5.20 KiB sent

peer: yyyy=
  endpoint: 93.214.229.137:64119
  allowed ips: 10.192.122.4/32

peer: yyyy=
  endpoint: 93.214.225.116:49819
  allowed ips: 10.192.122.5/32

peer: yyyy=
  allowed ips: 10.192.122.6/32

peer: yyyy=
  allowed ips: 10.192.122.7/32

more /etc/wireguard/wgnet0.conf
[Interface]
Address = 10.192.122.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = aaa=

[Peer]
PublicKey = yyyy=
AllowedIPs = 10.192.122.2/32
Endpoint = 123.41.67.233:18314

[Peer]
PublicKey = xxx=
AllowedIPs = 10.192.122.3/32
Endpoint = 123.22.142.254:51380

ip route
default via 192.168.177.1 dev eth0 proto static
10.192.122.0/24 dev wgnet0 proto kernel scope link src 10.192.122.1

and the other side/server:

interface: wgnet0
  public key: xxxxx=
  private key: (hidden)
  listening port: 54004
  fwmark: 0xca6c

peer: yyyyy=
  endpoint: [2003:cb:aaa:bbb:9ec7:a6ff:fefd:3a6d]:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 2.75 KiB sent
  persistent keepalive: every 25 seconds

more wgnet0.conf
[Interface]
Address = 10.192.122.3/32
PrivateKey = xxxxx=

[Peer]
PublicKey = yyyyy=
Endpoint = v.myfritz.net:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

It seems to me, that the connection is successfully established, but data is only transmitted in one direction.

How can I find the reason?

Regards,
Hendrik
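Added example (not part of the thread and not WireGuard code): a small Python parser for the human-readable `wg show` output pasted in the post above, labelling each peer by whether a handshake has been recorded and in which direction bytes have moved. The sample text is the post's own output, shortened; the function names and status labels are made up for this example.

```python
import re

# Byte multipliers for the units `wg show` prints in its "transfer:" line.
UNITS = {"B": 1, "KiB": 2**10, "MiB": 2**20, "GiB": 2**30, "TiB": 2**40}
TRANSFER = re.compile(r"([\d.]+) (\w+) received, ([\d.]+) (\w+) sent")


def parse_wg_show(text):
    """Return one dict per peer from the human-readable `wg show` output."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)  # IPv6 endpoints contain ':' but never ': '
        if key == "interface":
            current = None                # interface fields are not peer fields
        elif key == "peer":
            current = {"peer": value, "rx": 0, "tx": 0}
            peers.append(current)
        elif current is not None:
            match = TRANSFER.fullmatch(value) if key == "transfer" else None
            if match:
                current["rx"] = int(float(match[1]) * UNITS[match[2]])
                current["tx"] = int(float(match[3]) * UNITS[match[4]])
            else:
                current[key] = value
    return peers


def classify(peer):
    """Label a peer (labels are this example's own, not WireGuard terms)."""
    # `wg show` prints "latest handshake" only once a handshake has completed.
    if "latest handshake" in peer:
        return "up"
    # Packets were sent to the peer, but nothing valid ever came back.
    if peer["tx"] and not peer["rx"]:
        return "sending-only"
    # Without an endpoint this side can only wait for the peer to initiate.
    if "endpoint" not in peer:
        return "waiting"
    return "idle"


def report(text):
    """Return (allowed ips, status) for every peer in the output."""
    return [(p.get("allowed ips", "(none)"), classify(p))
            for p in parse_wg_show(text)]


# Sample input: shortened from the output in the post (keys are its placeholders).
SERVER = """\
interface: wgnet0
  public key: xxxxx=
  private key: (hidden)
  listening port: 51820

peer: sdfsdfsdfsdfsdfsdf=
  endpoint: 109.41.64.83:15167
  allowed ips: 10.192.122.2/32
  latest handshake: 1 minute, 7 seconds ago
  transfer: 10.95 MiB received, 40.35 MiB sent

peer: yyyy=
  endpoint: 185.22.142.254:51380
  allowed ips: 10.192.122.3/32
  transfer: 0 B received, 5.20 KiB sent

peer: yyyy=
  endpoint: 93.214.229.137:64119
  allowed ips: 10.192.122.4/32

peer: yyyy=
  allowed ips: 10.192.122.6/32
"""

REMOTE = """\
interface: wgnet0
  public key: xxxxx=
  private key: (hidden)
  listening port: 54004
  fwmark: 0xca6c

peer: yyyyy=
  endpoint: [2003:cb:aaa:bbb:9ec7:a6ff:fefd:3a6d]:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 2.75 KiB sent
  persistent keepalive: every 25 seconds
"""

if __name__ == "__main__":
    for side, text in (("server", SERVER), ("remote", REMOTE)):
        for ips, status in report(text):
            print(f"{side:7} {ips:18} {status}")
```

On the sample, the 10.192.122.3 peer is "sending-only" on both ends: each side has sent packets and neither has a recorded handshake.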
* Re: Connection works, ping does not
From: Max R. P. Grossmann @ 2020-11-23 17:02 UTC
  To: Hendrik Friedel; +Cc: wireguard

Hi Hendrik,

Could it be that some kind of firewall is restricting UDP traffic to your other server?

E.g. could you try to run `mtr --udp [other server's public IP address]` on your computer (while disabling your other WireGuard connection, if applicable) and report back whether there is any kind of packet loss?

If not, you may wish to check whether the port on the machine is reachable, e.g. by running `nc -v -l -u -p 12345` on your server and then executing `echo test | nc -u [server's IP] 12345`, to check whether the message arrives at the server.

Best,

Max

On 20/11/22 07:39pm, Hendrik Friedel wrote:
> Hello,
>
> (I posted this a while ago, but it never appeared on the list; if the list is the wrong place for this question, please let me know; I would appreciate a hint for a more appropriate place)
>
> I am using wireguard to connect two machines.
> My local server is connected to the internet via a router. I am using this Server also for connecting other devices (e.g. mobile phones) to my home network. This works great.
>
> But when connecting to another server (both debian 10), I only get a successful connection, but no ping.
>
> *My server:*
>
> wg show
> interface: wgnet0
>   public key: xxxxx=
>   private key: (hidden)
>   listening port: 51820
>
> peer: sdfsdfsdfsdfsdfsdf=
>   endpoint: 109.41.64.83:15167
>   allowed ips: 10.192.122.2/32
>   latest handshake: 1 minute, 7 seconds ago
>   transfer: 10.95 MiB received, 40.35 MiB sent
>
> peer: yyyy=
>   endpoint: 185.22.142.254:51380
>   allowed ips: 10.192.122.3/32
>   transfer: 0 B received, 5.20 KiB sent
>
> peer: yyyy=
>   endpoint: 93.214.229.137:64119
>   allowed ips: 10.192.122.4/32
>
> peer: yyyy=
>   endpoint: 93.214.225.116:49819
>   allowed ips: 10.192.122.5/32
>
> peer: yyyy=
>   allowed ips: 10.192.122.6/32
>
> peer: yyyy=
>   allowed ips: 10.192.122.7/32
>
> more /etc/wireguard/wgnet0.conf
> [Interface]
> Address = 10.192.122.1/24
> SaveConfig = true
> PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
> ListenPort = 51820
> PrivateKey = aaa=
>
> [Peer]
> PublicKey = yyyy=
> AllowedIPs = 10.192.122.2/32
> Endpoint = 123.41.67.233:18314
>
> [Peer]
> PublicKey = xxx=
> AllowedIPs = 10.192.122.3/32
> Endpoint = 123.22.142.254:51380
>
> ip route
> default via 192.168.177.1 dev eth0 proto static
> 10.192.122.0/24 dev wgnet0 proto kernel scope link src 10.192.122.1
>
> and the other side/server:
>
> interface: wgnet0
>   public key: xxxxx=
>   private key: (hidden)
>   listening port: 54004
>   fwmark: 0xca6c
>
> peer: yyyyy=
>   endpoint: [2003:cb:aaa:bbb:9ec7:a6ff:fefd:3a6d]:51820
>   allowed ips: 0.0.0.0/0
>   transfer: 0 B received, 2.75 KiB sent
>   persistent keepalive: every 25 seconds
>
> more wgnet0.conf
> [Interface]
> Address = 10.192.122.3/32
> PrivateKey = xxxxx=
>
> [Peer]
> PublicKey = yyyyy=
> Endpoint = v.myfritz.net:51820
> AllowedIPs = 0.0.0.0/0
> PersistentKeepalive = 25
>
> It seems to me, that the connection is successfully established, but data is only transmitted in one direction.
>
> How can I find the reason?
>
> Regards,
> Hendrik
>
* Re[2]: Connection works, ping does not
From: Hendrik Friedel @ 2020-11-23 20:37 UTC
  To: Max R. P. Grossmann; +Cc: wireguard

Hello Max,

thanks for your reply.
>
>Could it be that some kind of firewall is restricting UDP traffic to your other server?
>
Well, locally, I do use this machine as Host for many tunnels.
>
>E.g. could you try to run `mtr --udp [other server's public IP address]` on your computer (while disabling your other WireGuard connection, if applicable) and report back whether there is any kind of packet loss?
I used traceroute on the commandline for this:

Remote:

wg-quick up wgnet0
[#] ip link add wgnet0 type wireguard
[#] wg setconf wgnet0 /dev/fd/63
[#] ip -4 address add 10.192.122.3/32 dev wgnet0
[#] ip link set mtu 1420 up dev wgnet0
[#] wg set wgnet0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wgnet0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0

root@openmediavault:/etc/wireguard# wg show
interface: wgnet0
  public key: cebXSaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMFw=
  private key: (hidden)
  listening port: 42759
  fwmark: 0xca6c

peer: oNjmmmmmmmmmmmmmmmmmmmmmmmmmmmmU=
  endpoint: [2003:cb:97ff:33d8:9ec7:a6ff:fefd:3a6d]:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 444 B sent
  persistent keepalive: every 25 seconds

Local:
traceroute to 2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a (2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a), 30 hops max, 80 byte packets
 1  p200300cb9733ca009ec7a6fffefd3a69.dip0.t-ipconnect.de (2003:cb:9733:ca00:9ec7:a6ff:fefd:3a69)  0.946 ms  3.435 ms  3.645 ms
 2  2003:0:8501::1 (2003:0:8501::1)  13.884 ms  13.839 ms  14.193 ms
 3  * * *
 4  2001:2000:3019:6b::1 (2001:2000:3019:6b::1)  86.609 ms  88.002 ms  87.874 ms
 5  ddf-b2-v6.telia.net (2001:2000:3018:21::1)  88.137 ms  89.508 ms  89.639 ms
 6  * * *
 7  2a00:6020:0:b::2 (2a00:6020:0:b::2)  81.576 ms  81.989 ms 2a00:6020:0:a::2 (2a00:6020:0:a::2)  82.201 ms
 8  lo1007.kr1.dc1-bor.dg-ao.de (2a00:6020:1000:3::1)  86.281 ms  84.259 ms  85.760 ms
 9  2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d (2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d)  88.483 ms !X  87.579 ms !X  88.447 ms !X

And here the mtr results (wg up and down)
https://1drv.ms/u/s!AvbzKdYzkh6gl0BVLcuR9eeWUaqj?e=9wKxSC
https://1drv.ms/u/s!AvbzKdYzkh6gl0HVwPz1FabOtemM?e=c7bCcB

>If not, you may wish to check whether the port on the machine is reachable, e.g. by running `nc -v -l -u -p 12345` on your server and then executing `echo test | nc -u [server's IP] 12345`, to check whether the message arrives at the server.

I am using the machine that is here, locally as server for many tunnels. So, the wireguard port is reachable.
On the remote machine, I have NOT done any port forwarding. Is that necessary at all? I thought that only the machine that is NOT initiating the connection needs a port forwarding.

Greetings,
Hendrik

>
>
>Best,
>
>Max
>
>On 20/11/22 07:39pm, Hendrik Friedel wrote:
>> Hello,
>>
>> (I posted this a while ago, but it never appeared on the list; if the list is the wrong place for this question, please let me know; I would appreciate a hint for a more appropriate place)
>>
>> I am using wireguard to connect two machines.
>> My local server is connected to the internet via a router. I am using this Server also for connecting other devices (e.g. mobile phones) to my home network. This works great.
>>
>> But when connecting to another server (both debian 10), I only get a successful connection, but no ping.
>>
>> *My server:*
>>
>> wg show
>> interface: wgnet0
>>   public key: xxxxx=
>>   private key: (hidden)
>>   listening port: 51820
>>
>> peer: sdfsdfsdfsdfsdfsdf=
>>   endpoint: 109.41.64.83:15167
>>   allowed ips: 10.192.122.2/32
>>   latest handshake: 1 minute, 7 seconds ago
>>   transfer: 10.95 MiB received, 40.35 MiB sent
>>
>> peer: yyyy=
>>   endpoint: 185.22.142.254:51380
>>   allowed ips: 10.192.122.3/32
>>   transfer: 0 B received, 5.20 KiB sent
>>
>> peer: yyyy=
>>   endpoint: 93.214.229.137:64119
>>   allowed ips: 10.192.122.4/32
>>
>> peer: yyyy=
>>   endpoint: 93.214.225.116:49819
>>   allowed ips: 10.192.122.5/32
>>
>> peer: yyyy=
>>   allowed ips: 10.192.122.6/32
>>
>> peer: yyyy=
>>   allowed ips: 10.192.122.7/32
>>
>> more /etc/wireguard/wgnet0.conf
>> [Interface]
>> Address = 10.192.122.1/24
>> SaveConfig = true
>> PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>> ListenPort = 51820
>> PrivateKey = aaa=
>>
>> [Peer]
>> PublicKey = yyyy=
>> AllowedIPs = 10.192.122.2/32
>> Endpoint = 123.41.67.233:18314
>>
>> [Peer]
>> PublicKey = xxx=
>> AllowedIPs = 10.192.122.3/32
>> Endpoint = 123.22.142.254:51380
>>
>> ip route
>> default via 192.168.177.1 dev eth0 proto static
>> 10.192.122.0/24 dev wgnet0 proto kernel scope link src 10.192.122.1
>>
>> and the other side/server:
>>
>> interface: wgnet0
>>   public key: xxxxx=
>>   private key: (hidden)
>>   listening port: 54004
>>   fwmark: 0xca6c
>>
>> peer: yyyyy=
>>   endpoint: [2003:cb:aaa:bbb:9ec7:a6ff:fefd:3a6d]:51820
>>   allowed ips: 0.0.0.0/0
>>   transfer: 0 B received, 2.75 KiB sent
>>   persistent keepalive: every 25 seconds
>>
>> more wgnet0.conf
>> [Interface]
>> Address = 10.192.122.3/32
>> PrivateKey = xxxxx=
>>
>> [Peer]
>> PublicKey = yyyyy=
>> Endpoint = v.myfritz.net:51820
>> AllowedIPs = 0.0.0.0/0
>> PersistentKeepalive = 25
>>
>> It seems to me, that the connection is successfully established, but data is only transmitted in one direction.
>>
>> How can I find the reason?
>>
>> Regards,
>> Hendrik
>>
* Re[3]: Connection works, ping does not
From: Hendrik Friedel @ 2020-11-23 22:16 UTC
  To: Max R. P. Grossmann; +Cc: wireguard

Hello again,

I just realized: I did the test using IPv6, whereas IPv4 is used for the tunnel. Having said that... I am not sure it is, as I use a Domain-Name... But I think it is IPv4.

I can repeat the test if needed using ipv4...

But before that:
From where should I do the traceroute?
a) from here (the machine that is working for many tunnels, e.g. from my phone to this machine and to which I have done a port forwarding) to the other remote machine
b) from the remote machine to here

The remote machine is headless; is there a commandline alternative to mtr that also shows the package loss?

Regards,
Hendrik

------ Original Message ------
From: "Hendrik Friedel" <hendrik@friedels.name>
To: "Max R. P. Grossmann" <m@max.pm>
Cc: wireguard@lists.zx2c4.com
Sent: 23.11.2020 21:37:24
Subject: Re[2]: Connection works, ping does not

>Hello Max,
>
>thanks for your reply.
>
>>
>>Could it be that some kind of firewall is restricting UDP traffic to your other server?
>>
>Well, locally, I do use this machine as Host for many tunnels.
>
>>
>>E.g. could you try to run `mtr --udp [other server's public IP address]` on your computer (while disabling your other WireGuard connection, if applicable) and report back whether there is any kind of packet loss?
>I used traceroute on the commandline for this:
>
>Remote:
>
>wg-quick up wgnet0
>[#] ip link add wgnet0 type wireguard
>[#] wg setconf wgnet0 /dev/fd/63
>[#] ip -4 address add 10.192.122.3/32 dev wgnet0
>[#] ip link set mtu 1420 up dev wgnet0
>[#] wg set wgnet0 fwmark 51820
>[#] ip -4 route add 0.0.0.0/0 dev wgnet0 table 51820
>[#] ip -4 rule add not fwmark 51820 table 51820
>[#] ip -4 rule add table main suppress_prefixlength 0
>
>root@openmediavault:/etc/wireguard# wg show
>interface: wgnet0
>  public key: cebXSaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMFw=
>  private key: (hidden)
>  listening port: 42759
>  fwmark: 0xca6c
>
>peer: oNjmmmmmmmmmmmmmmmmmmmmmmmmmmmmU=
>  endpoint: [2003:cb:97ff:33d8:9ec7:a6ff:fefd:3a6d]:51820
>  allowed ips: 0.0.0.0/0
>  transfer: 0 B received, 444 B sent
>  persistent keepalive: every 25 seconds
>
>Local:
>traceroute to 2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a (2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a), 30 hops max, 80 byte packets
> 1  p200300cb9733ca009ec7a6fffefd3a69.dip0.t-ipconnect.de (2003:cb:9733:ca00:9ec7:a6ff:fefd:3a69)  0.946 ms  3.435 ms  3.645 ms
> 2  2003:0:8501::1 (2003:0:8501::1)  13.884 ms  13.839 ms  14.193 ms
> 3  * * *
> 4  2001:2000:3019:6b::1 (2001:2000:3019:6b::1)  86.609 ms  88.002 ms  87.874 ms
> 5  ddf-b2-v6.telia.net (2001:2000:3018:21::1)  88.137 ms  89.508 ms  89.639 ms
> 6  * * *
> 7  2a00:6020:0:b::2 (2a00:6020:0:b::2)  81.576 ms  81.989 ms 2a00:6020:0:a::2 (2a00:6020:0:a::2)  82.201 ms
> 8  lo1007.kr1.dc1-bor.dg-ao.de (2a00:6020:1000:3::1)  86.281 ms  84.259 ms  85.760 ms
> 9  2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d (2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d)  88.483 ms !X  87.579 ms !X  88.447 ms !X
>
>And here the mtr results (wg up and down)
>https://1drv.ms/u/s!AvbzKdYzkh6gl0BVLcuR9eeWUaqj?e=9wKxSC
>https://1drv.ms/u/s!AvbzKdYzkh6gl0HVwPz1FabOtemM?e=c7bCcB
>
>>If not, you may wish to check whether the port on the machine is reachable, e.g. by running `nc -v -l -u -p 12345` on your server and then executing `echo test | nc -u [server's IP] 12345`, to check whether the message arrives at the server.
>
>I am using the machine that is here, locally as server for many tunnels. So, the wireguard port is reachable.
>On the remote machine, I have NOT done any port forwarding. Is that necessary at all? I thought that only the machine that is NOT initiating the connection needs a port forwarding.
>
>Greetings,
>Hendrik
>
>>
>>
>>Best,
>>
>>Max
>>
>>On 20/11/22 07:39pm, Hendrik Friedel wrote:
>>> Hello,
>>>
>>> (I posted this a while ago, but it never appeared on the list; if the list is the wrong place for this question, please let me know; I would appreciate a hint for a more appropriate place)
>>>
>>> I am using wireguard to connect two machines.
>>> My local server is connected to the internet via a router. I am using this Server also for connecting other devices (e.g. mobile phones) to my home network. This works great.
>>>
>>> But when connecting to another server (both debian 10), I only get a successful connection, but no ping.
>>>
>>> *My server:*
>>>
>>> wg show
>>> interface: wgnet0
>>>   public key: xxxxx=
>>>   private key: (hidden)
>>>   listening port: 51820
>>>
>>> peer: sdfsdfsdfsdfsdfsdf=
>>>   endpoint: 109.41.64.83:15167
>>>   allowed ips: 10.192.122.2/32
>>>   latest handshake: 1 minute, 7 seconds ago
>>>   transfer: 10.95 MiB received, 40.35 MiB sent
>>>
>>> peer: yyyy=
>>>   endpoint: 185.22.142.254:51380
>>>   allowed ips: 10.192.122.3/32
>>>   transfer: 0 B received, 5.20 KiB sent
>>>
>>> peer: yyyy=
>>>   endpoint: 93.214.229.137:64119
>>>   allowed ips: 10.192.122.4/32
>>>
>>> peer: yyyy=
>>>   endpoint: 93.214.225.116:49819
>>>   allowed ips: 10.192.122.5/32
>>>
>>> peer: yyyy=
>>>   allowed ips: 10.192.122.6/32
>>>
>>> peer: yyyy=
>>>   allowed ips: 10.192.122.7/32
>>>
>>> more /etc/wireguard/wgnet0.conf
>>> [Interface]
>>> Address = 10.192.122.1/24
>>> SaveConfig = true
>>> PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>> PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>> ListenPort = 51820
>>> PrivateKey = aaa=
>>>
>>> [Peer]
>>> PublicKey = yyyy=
>>> AllowedIPs = 10.192.122.2/32
>>> Endpoint = 123.41.67.233:18314
>>>
>>> [Peer]
>>> PublicKey = xxx=
>>> AllowedIPs = 10.192.122.3/32
>>> Endpoint = 123.22.142.254:51380
>>>
>>> ip route
>>> default via 192.168.177.1 dev eth0 proto static
>>> 10.192.122.0/24 dev wgnet0 proto kernel scope link src 10.192.122.1
>>>
>>> and the other side/server:
>>>
>>> interface: wgnet0
>>>   public key: xxxxx=
>>>   private key: (hidden)
>>>   listening port: 54004
>>>   fwmark: 0xca6c
>>>
>>> peer: yyyyy=
>>>   endpoint: [2003:cb:aaa:bbb:9ec7:a6ff:fefd:3a6d]:51820
>>>   allowed ips: 0.0.0.0/0
>>>   transfer: 0 B received, 2.75 KiB sent
>>>   persistent keepalive: every 25 seconds
>>>
>>> more wgnet0.conf
>>> [Interface]
>>> Address = 10.192.122.3/32
>>> PrivateKey = xxxxx=
>>>
>>> [Peer]
>>> PublicKey = yyyyy=
>>> Endpoint = v.myfritz.net:51820
>>> AllowedIPs = 0.0.0.0/0
>>> PersistentKeepalive = 25
>>>
>>> It seems to me, that the connection is successfully established, but data is only transmitted in one direction.
>>>
>>> How can I find the reason?
>>>
>>> Regards,
>>> Hendrik
>>>
* Re[4]: Connection works, ping does not
From: Hendrik Friedel @ 2020-11-28 16:50 UTC
  To: Max R. P. Grossmann, wireguard

Hello,

in the mail below the mtr results as picture, as "mtr" opens a GUI for me. Here the results again, but from the commandline:

homeserver.fritz.box (2003:xxxxxxxxx:feaa:27bb)              2020-11-28T17:39:11+0100
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                              Packets               Pings
     Host                                                    Loss%  Snt   Last    Avg   Best   Wrst  StDev
  1. p200300cb972aa0009ec7a6fffefd3a69.dip0.t-ipconnect.de    0.0%   15    0.5    0.5    0.5    0.7    0.1
  2. 2003:0:8501::1                                           0.0%   15    7.9   13.1    7.5   47.7   11.1
  3. ???
  4. ???
  5. ddf-b2-v6.telia.net                                      0.0%   14   75.9   81.7   75.9   96.7    5.0
  6. glasfaser-svc070650-ic356771.c.telia.net                76.9%   14   78.2   81.0   78.2   82.4    2.4
  7. 2a00:6020:0:a::2                                         0.0%   14   82.5   79.7   72.0   83.2    3.4
  8. lo1007.kr1.dc1-bor.dg-ao.de                              0.0%   14   81.8   82.9   68.1   87.6    4.9
  9. 2a00:6020:1000:3:dd0e:7f3d:d93e:f23d                     0.0%   14   84.0   85.6   71.6   90.5    5.0
 10. 2a00:yyyyyyyyyyy:fe7f:c33a                               0.0%   14   84.3   84.1   77.4   88.9    3.8

and in the opposite direction

Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                          Packets               Pings
     Host                                Loss%  Snt   Last    Avg   Best   Wrst  StDev
  1. fritz.box                            0.0%   15    0.5    0.5    0.4    0.8    0.0
  2. ???
  3. 2a00:6020:0:a::1                    20.0%   15    7.5    7.6    7.5    8.5    0.0
  4. ddf-b2-link.telia.net                0.0%   15    6.2    7.7    6.0   26.8    5.3
  5. ???
  6. hbg-b2-v6.telia.net                 26.7%   15   12.9   13.0   12.8   14.0    0.0
  7. 2003:0:1400:c004::1                 33.3%   15   71.6   72.1   68.7   75.9    2.8
  8. 2003:0:8501::1                       0.0%   14   80.2   76.9   69.1   80.3    3.1
  9. ddddddddddddd.dip0.t-ipconnect.de    0.0%   14   83.6   85.4   66.0   92.9    6.2

There are many packet losses, as far as I see. But also many packets seem to go through (never 100% loss).

Does that help?

Regards,
Hendrik

>
>------ Original Message ------
>From: "Hendrik Friedel" <hendrik@friedels.name>
>To: "Max R. P. Grossmann" <m@max.pm>
>Cc: wireguard@lists.zx2c4.com
>Sent: 23.11.2020 21:37:24
>Subject: Re[2]: Connection works, ping does not
>
>>Hello Max,
>>
>>thanks for your reply.
>>
>>>
>>>Could it be that some kind of firewall is restricting UDP traffic to your other server?
>>>
>>Well, locally, I do use this machine as Host for many tunnels.
>>
>>>
>>>E.g. could you try to run `mtr --udp [other server's public IP address]` on your computer (while disabling your other WireGuard connection, if applicable) and report back whether there is any kind of packet loss?
>>I used traceroute on the commandline for this:
>>
>>Remote:
>>
>>wg-quick up wgnet0
>>[#] ip link add wgnet0 type wireguard
>>[#] wg setconf wgnet0 /dev/fd/63
>>[#] ip -4 address add 10.192.122.3/32 dev wgnet0
>>[#] ip link set mtu 1420 up dev wgnet0
>>[#] wg set wgnet0 fwmark 51820
>>[#] ip -4 route add 0.0.0.0/0 dev wgnet0 table 51820
>>[#] ip -4 rule add not fwmark 51820 table 51820
>>[#] ip -4 rule add table main suppress_prefixlength 0
>>
>>root@openmediavault:/etc/wireguard# wg show
>>interface: wgnet0
>>  public key: cebXSaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMFw=
>>  private key: (hidden)
>>  listening port: 42759
>>  fwmark: 0xca6c
>>
>>peer: oNjmmmmmmmmmmmmmmmmmmmmmmmmmmmmU=
>>  endpoint: [2003:cb:97ff:33d8:9ec7:a6ff:fefd:3a6d]:51820
>>  allowed ips: 0.0.0.0/0
>>  transfer: 0 B received, 444 B sent
>>  persistent keepalive: every 25 seconds
>>
>>Local:
>>traceroute to 2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a (2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a), 30 hops max, 80 byte packets
>> 1  p200300cb9733ca009ec7a6fffefd3a69.dip0.t-ipconnect.de (2003:cb:9733:ca00:9ec7:a6ff:fefd:3a69)  0.946 ms  3.435 ms  3.645 ms
>> 2  2003:0:8501::1 (2003:0:8501::1)  13.884 ms  13.839 ms  14.193 ms
>> 3  * * *
>> 4  2001:2000:3019:6b::1 (2001:2000:3019:6b::1)  86.609 ms  88.002 ms  87.874 ms
>> 5  ddf-b2-v6.telia.net (2001:2000:3018:21::1)  88.137 ms  89.508 ms  89.639 ms
>> 6  * * *
>> 7  2a00:6020:0:b::2 (2a00:6020:0:b::2)  81.576 ms  81.989 ms 2a00:6020:0:a::2 (2a00:6020:0:a::2)  82.201 ms
>> 8  lo1007.kr1.dc1-bor.dg-ao.de (2a00:6020:1000:3::1)  86.281 ms  84.259 ms  85.760 ms
>> 9  2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d (2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d)  88.483 ms !X  87.579 ms !X  88.447 ms !X
>>
>>And here the mtr results (wg up and down)
>>https://1drv.ms/u/s!AvbzKdYzkh6gl0BVLcuR9eeWUaqj?e=9wKxSC
>>https://1drv.ms/u/s!AvbzKdYzkh6gl0HVwPz1FabOtemM?e=c7bCcB
>>
>>>If not, you may wish to check whether the port on the machine is reachable, e.g. by running `nc -v -l -u -p 12345` on your server and then executing `echo test | nc -u [server's IP] 12345`, to check whether the message arrives at the server.
>>
>>I am using the machine that is here, locally as server for many tunnels. So, the wireguard port is reachable.
>>On the remote machine, I have NOT done any port forwarding. Is that necessary at all? I thought that only the machine that is NOT initiating the connection needs a port forwarding.
>>
>>Greetings,
>>Hendrik
>>
>>>
>>>
>>>Best,
>>>
>>>Max
>>>
>>>On 20/11/22 07:39pm, Hendrik Friedel wrote:
>>>> Hello,
>>>>
>>>> (I posted this a while ago, but it never appeared on the list; if the list is the wrong place for this question, please let me know; I would appreciate a hint for a more appropriate place)
>>>>
>>>> I am using wireguard to connect two machines.
>>>> My local server is connected to the internet via a router. I am using this Server also for connecting other devices (e.g. mobile phones) to my home network. This works great.
>>>>
>>>> But when connecting to another server (both debian 10), I only get a successful connection, but no ping.
>>>>
>>>> *My server:*
>>>>
>>>> wg show
>>>> interface: wgnet0
>>>>   public key: xxxxx=
>>>>   private key: (hidden)
>>>>   listening port: 51820
>>>>
>>>> peer: sdfsdfsdfsdfsdfsdf=
>>>>   endpoint: 109.41.64.83:15167
>>>>   allowed ips: 10.192.122.2/32
>>>>   latest handshake: 1 minute, 7 seconds ago
>>>>   transfer: 10.95 MiB received, 40.35 MiB sent
>>>>
>>>> peer: yyyy=
>>>>   endpoint: 185.22.142.254:51380
>>>>   allowed ips: 10.192.122.3/32
>>>>   transfer: 0 B received, 5.20 KiB sent
>>>>
>>>> peer: yyyy=
>>>>   endpoint: 93.214.229.137:64119
>>>>   allowed ips: 10.192.122.4/32
>>>>
>>>> peer: yyyy=
>>>>   endpoint: 93.214.225.116:49819
>>>>   allowed ips: 10.192.122.5/32
>>>>
>>>> peer: yyyy=
>>>>   allowed ips: 10.192.122.6/32
>>>>
>>>> peer: yyyy=
>>>>   allowed ips: 10.192.122.7/32
>>>>
>>>> more /etc/wireguard/wgnet0.conf
>>>> [Interface]
>>>> Address = 10.192.122.1/24
>>>> SaveConfig = true
>>>> PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>> PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>>> ListenPort = 51820
>>>> PrivateKey = aaa=
>>>>
>>>> [Peer]
>>>> PublicKey = yyyy=
>>>> AllowedIPs = 10.192.122.2/32
>>>> Endpoint = 123.41.67.233:18314
>>>>
>>>> [Peer]
>>>> PublicKey = xxx=
>>>> AllowedIPs = 10.192.122.3/32
>>>> Endpoint = 123.22.142.254:51380
>>>>
>>>> ip route
>>>> default via 192.168.177.1 dev eth0 proto static
>>>> 10.192.122.0/24 dev wgnet0 proto kernel scope link src 10.192.122.1
>>>>
>>>> and the other side/server:
>>>>
>>>> interface: wgnet0
>>>>   public key: xxxxx=
>>>>   private key: (hidden)
>>>>   listening port: 54004
>>>>   fwmark: 0xca6c
>>>>
>>>> peer: yyyyy=
>>>>   endpoint: [2003:cb:aaa:bbb:9ec7:a6ff:fefd:3a6d]:51820
>>>>   allowed ips: 0.0.0.0/0
>>>>   transfer: 0 B received, 2.75 KiB sent
>>>>   persistent keepalive: every 25 seconds
>>>>
>>>> more wgnet0.conf
>>>> [Interface]
>>>> Address = 10.192.122.3/32
>>>> PrivateKey = xxxxx=
>>>>
>>>> [Peer]
>>>> PublicKey = yyyyy=
>>>> Endpoint = v.myfritz.net:51820
>>>> AllowedIPs = 0.0.0.0/0
>>>> PersistentKeepalive = 25
>>>>
>>>> It seems to me, that the connection is successfully established, but data is only transmitted in one direction.
>>>>
>>>> How can I find the reason?
>>>>
>>>> Regards,
>>>> Hendrik
>>>>
* Re: Re[4]: Connection works, ping does not
From: Nikolai Lusan @ 2020-11-29 14:20 UTC
  To: wireguard

On Sat, 2020-11-28 at 16:50 +0000, Hendrik Friedel wrote:
>
> in the mail below the mtr results as picture, as "mtr" opens a GUI

To keep mtr in the terminal you need to use 'mtr -t' or for ipv6 only
'mtr -t6' :)

-- 
Nikolai Lusan <nikolai@lusan.id.au>
* Re[6]: Connection works, ping does not
From: Hendrik Friedel @ 2020-11-29 15:42 UTC
  To: nikolai, wireguard

Hello,

yes, I did that, thanks. With that, I created the output posted before.

Regards,
Hendrik

------ Original Message ------
From: "Nikolai Lusan" <nikolai@lusan.id.au>
To: wireguard@lists.zx2c4.com
Sent: 29.11.2020 15:20:31
Subject: Re: Re[4]: Connection works, ping does not

>On Sat, 2020-11-28 at 16:50 +0000, Hendrik Friedel wrote:
> >
> > in the mail below the mtr results as picture, as "mtr" opens a GUI
>
>To keep mtr in the terminal you need to use 'mtr -t' or for ipv6 only
>'mtr -t6' :)
>
>-- 
>Nikolai Lusan <nikolai@lusan.id.au>