Development discussion of WireGuard
* wireguard-windows: possibly wrong selection of outgoing IP Address?
From: Max Schulze @ 2022-06-05 20:21 UTC
  To: wireguard

I am running out of ideas to debug this specific issue.

I am trying to circumvent a double-NAT scenario. I have

wg_serv (10.253.2.9) <->  wg-relais (10.253.2.2) <-> wg_peer ( 10.253.2.3)

wg_serv has an endpoint set for wg-relais, and creates the connection ok (handshake completes, ping works).
wg_peer has an endpoint that points to wg-relais, which should tunnel the connection as-is to wg_serv on the established connection (iptables SNAT/DNAT).

If wg_serv is a Linux box, with the exact same config file, everything works. If wg_serv is a Windows box, it seems that there are no outgoing packets, but incoming is ok.

First, see that the handshake packet is received (via 10.253.2.2:60026):

2022-06-05 20:30:17.140946: [TUN] [wireguard] Keypair 536 created for peer 1
2022-06-05 20:30:22.085949: [TUN] [wireguard] Handshake for peer 1 (10.253.2.2:60026) did not complete after 5 seconds, retrying (try 2)
2022-06-05 20:30:22.265787: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
2022-06-05 20:30:22.265787: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 536 destroyed for peer 1
2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 537 created for peer 1
2022-06-05 20:30:27.147962: [TUN] [wireguard] Sending keepalive packet to peer 2 (185.230.xxx.yyy:51849)
2022-06-05 20:30:27.626543: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
2022-06-05 20:30:27.626543: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)

However, it seems that wireguard sends the outgoing packet with the wrong IP (192.168.99.101) instead of 10.253.2.9 to 10.253.2.2:60026?

                Protocol    Local Port      Local Address   Remote Port Remote Address      Received Bytes  Sent Bytes  Rec Pkt Sent Packets
wireguard.exe   UDP IPv4    51850           192.168.99.101  51849       185.230.xxx.yyy     81.976          8.584       417     216
wireguard.exe   UDP IPv4    51850           10.253.2.9      60026       10.253.2.2          55.648                      376
wireguard.exe   UDP IPv4    51850           192.168.99.101  60026       10.253.2.2                          37.848              398


What can I do?
Can I make the wireguard log more verbose to show IP packet src/destination?

Is it possible to also log the src IP of the "handshake response packet"?

Best,
Max


wg_serv config:

[Interface]
PrivateKey = SFhFHVb__2c=
ListenPort = 51850
Address = 10.253.2.9/24

[Peer]
# wg-vpn-relais
PublicKey = 3A5__wo=
AllowedIPs = 10.253.2.2/30
Endpoint = 185.230.xxx.yyy:51849
PersistentKeepalive = 20

[Peer]
# peer via vpn relais
PublicKey = FTBC__cqghg=
AllowedIPs = 10.253.2.3/32
PersistentKeepalive = 20

wg output:

peer: 3A5__o=
  endpoint: 185.230.xxx.yyy:51849
  allowed ips: 10.253.2.0/30
  latest handshake: 1 minute, 55 seconds ago
  transfer: 145.71 KiB received, 29.74 KiB sent
  persistent keepalive: every 20 seconds

peer: FTB__hg=
  endpoint: 10.253.2.2:60026
  allowed ips: 10.253.2.3/32
  transfer: 89.46 KiB received, 60.67 KiB sent
  persistent keepalive: every 20 seconds


PS C:\Windows\system32> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding,weakhostreceive,weakhostsend | Sort-Object -Property IfIndex | Format-Table

ifIndex InterfaceAlias              AddressFamily ConnectionState Forwarding WeakHostReceive WeakHostSend
------- --------------              ------------- --------------- ---------- --------------- ------------
      1 Loopback Pseudo-Interface 1          IPv4       Connected   Disabled        Disabled     Disabled
      1 Loopback Pseudo-Interface 1          IPv6       Connected   Disabled        Disabled     Disabled
      4 LAN-Verbindung* 11                   IPv6       Connected   Disabled        Disabled     Disabled
      4 LAN-Verbindung* 11                   IPv4       Connected   Disabled        Disabled     Disabled
      8 WLAN                                 IPv4    Disconnected   Disabled        Disabled     Disabled
      8 WLAN                                 IPv6    Disconnected   Disabled        Disabled     Disabled
     12 Ethernet                             IPv6       Connected   Disabled        Disabled     Disabled
     12 Ethernet                             IPv4       Connected   Disabled        Disabled     Disabled
     16 LAN-Verbindung* 2                    IPv6    Disconnected   Disabled        Disabled     Disabled
     16 LAN-Verbindung* 2                    IPv4    Disconnected   Disabled        Disabled     Disabled
     17 LAN-Verbindung* 1                    IPv6    Disconnected   Disabled        Disabled     Disabled
     17 LAN-Verbindung* 1                    IPv4    Disconnected   Disabled        Disabled     Disabled
     53 wireguard                            IPv6       Connected   Disabled        Disabled     Disabled
     53 wireguard                            IPv4       Connected   Disabled        Disabled     Disabled

wg_relais debug state:

wg-vpn-relais # conntrack -L | grep 10.253
udp      17 28 src=178.101.114.260 dst=185.230.xxx.yyy sport=60026 dport=51850 [UNREPLIED] src=10.253.2.9 dst=10.253.2.2 sport=51850 dport=60026 mark=0 use=1
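As an added diagnostic (not code from the post or from the WireGuard project), the check below parses a per-socket table like the one quoted above and flags outgoing sockets whose remote address lies inside the tunnel subnet but whose local address is not the tunnel address, i.e. the row that would not match the reply tuple the relay's conntrack entry expects. The sample rows are constructed from the post, with the masked 185.230.xxx.yyy replaced by a TEST-NET placeholder (203.0.113.10).

```python
import ipaddress

# Tunnel address of wg_serv, taken from the [Interface] section in the post.
TUNNEL_ADDRESS = ipaddress.ip_interface("10.253.2.9/24")

# Constructed sample modelled on the per-socket table quoted in the post.
# 203.0.113.10 is a TEST-NET placeholder for the masked 185.230.xxx.yyy.
SAMPLE_ROWS = """\
wireguard.exe   UDP IPv4    51850   192.168.99.101  51849   203.0.113.10   81.976   8.584   417   216
wireguard.exe   UDP IPv4    51850   10.253.2.9      60026   10.253.2.2     55.648           376
wireguard.exe   UDP IPv4    51850   192.168.99.101  60026   10.253.2.2              37.848        398
"""


def parse_rows(text):
    """Return (local_addr, local_port, remote_addr, remote_port) per socket row.

    Column order follows the quoted table: process, protocol, family,
    local port, local address, remote port, remote address, counters...
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "wireguard.exe":
            continue  # header line or unrelated process
        rows.append((ipaddress.ip_address(fields[4]), int(fields[3]),
                     ipaddress.ip_address(fields[6]), int(fields[5])))
    return rows


def find_source_mismatches(rows, tunnel=TUNNEL_ADDRESS):
    """Flag sockets that talk to an address inside the tunnel subnet but
    use a source address other than the tunnel address.  Such packets
    leave with a source the far side's conntrack reply tuple
    (src=10.253.2.9 dst=10.253.2.2) will never see."""
    mismatches = []
    for laddr, lport, raddr, rport in rows:
        if raddr in tunnel.network and laddr != tunnel.ip:
            mismatches.append((str(laddr), lport, str(raddr), rport))
    return mismatches


if __name__ == "__main__":
    for row in find_source_mismatches(parse_rows(SAMPLE_ROWS)):
        print("source mismatch: local %s:%d -> remote %s:%d" % row)
```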



* Re: wireguard-windows: possibly wrong selection of outgoing IP Address?
From: Szymon Nowak @ 2022-06-07  7:08 UTC
  To: Max Schulze; +Cc: wireguard

Hi, to do this on the Windows server, you need to run NAT on the WG interface:
https://openvpn.net/cloud-docs/enabling-routing-nat-on-windows-server-2016/



* Re: wireguard-windows: possibly wrong selection of outgoing IP Address?
From: Max Schulze @ 2022-06-07  8:43 UTC
  To: Szymon Nowak; +Cc: wireguard

Hello Szymon,

On 07.06.22 09:08, Szymon Nowak wrote:
> Hi, to do this on the Windows server, you need to run NAT on the WG interface:
> https://openvpn.net/cloud-docs/enabling-routing-nat-on-windows-server-2016/

Why should I? Which interfaces should I bridge? The WG interface is "stand-alone" and does not do any routing to/from the public internet for any clients.

Why are you suggesting NAT, when the log shows that the IP addresses for the *destination* are correct?

Besides, I do not need to do any of this on the Linux box, where the connection is successful with the same config.
