Development discussion of WireGuard
From: Wojtek Swiatek <w@swtk.info>
To: wireguard@lists.zx2c4.com
Subject: problems setting up wireguard: no traffic but keepalives reach the server
Date: Tue, 1 Jan 2019 22:05:50 +0100	[thread overview]
Message-ID: <CAPRYYOZEj55phSnyqHyrGcOt5w0vyfx_VV3y4kYc_CUVM-vPiA@mail.gmail.com> (raw)



Hello everyone,

I have just installed wireguard so I apologize if some things I missed may
be obvious. As a background: I have a working OpenVPN connection to my
server and wanted to have a wireguard setup in parallel to compare both.
The server is installed on Ubuntu bionic (LTS) and the client is on an AWS
machine (Ubuntu as well).

Server perspective:

root@srv /e/wireguard# wg show
interface: wg0
  public key: A7MreEBC3maH305tVrU0HEoQrBhy+An6KlvZ+z9KFRA=
  private key: (hidden)
  listening port: 51820

peer: 2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=
  preshared key: (hidden)
  allowed ips: 0.0.0.0/0

Client perspective (X.X.X.X is my Internet-facing IP):

# wg show
interface: wg0
  public key: 2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=
  private key: (hidden)
  listening port: 33960

peer: YUd1mFAOyn01G2/n942hk9LZ0mfhUm4nHb/3xMVSETc=
  preshared key: (hidden)
  endpoint: X.X.X.X:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 98.86 KiB sent
  persistent keepalive: every 10 seconds


On the server, the traffic to wg0 is redirected (to wg0) for port 51820. I
am surprised that there is no actual service listening to 51820 (as seen by
lsof or netstat) but I assume this is some wireguard voodoo (such as "if a
packet directed to port 51820 gets to me (wg0) then I will be correctly
dealing with it").

I then tried to ping:

- on the client: the IP of its own wg0 (10.250.0.1): OK
- on the server: the IP of its own wg0 (10.250.0.254): OK
- on the client: 10.250.0.254 (the IP of the other side of the VPN = on the
server): KO = nothing happens (ICMP echo is sent, as seen on tcpdump)
- on the server: 10.250.0.1 (the IP of the other side of the VPN = on the
client): KO =

root@srv ~# ping 10.250.0.1
PING 10.250.0.1 (10.250.0.1) 56(84) bytes of data.
From 10.250.0.254 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
ping: sendmsg: Destination address required
From 10.250.0.254 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.250.0.254 icmp_seq=3 Destination Host Unreachable
From 10.250.0.254 icmp_seq=4 Destination Host Unreachable

I had a look at my internet interface (tcpdump filtered on port 51820) and
I see, every 10 seconds, a UDP packet coming in (192.168.0.10 is the IP of
the internet-exposed dev):

root@srv ~# tcpdump -i any port 51820 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:15:41.944090 IP 35.180.168.248.33960 > 192.168.0.10.51820: UDP, length 148
21:15:47.320081 IP 35.180.168.248.33960 > 192.168.0.10.51820: UDP, length 148

So this means that the client sends a UDP packet to the external IP
(X.X.X.X), to port 51820. This packet is then forwarded to interface wg0.

Is there a way to check with wireguard that a connection is established (=
that the server receives data, or a connection attempt (even unsuccessful)
is being done)?


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
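The question at the end of the message (how to tell from wireguard whether a connection is established) is answered by `wg show` itself: WireGuard has no userspace socket for lsof or netstat to list and no connection state beyond a completed Noise handshake, and once one completes the peer block gains a `latest handshake:` line and `transfer:` shows a non-zero received count. Neither output above has a `latest handshake:` line, and the client reports 0 B received, so no handshake has ever completed. Two details in the posted output are consistent with that: 148 bytes is the size of a WireGuard handshake initiation message (a persistent keepalive is a 32-byte empty transport packet), so what tcpdump sees every 10 seconds are handshake attempts that get no response; and the public key the client has configured for its peer (`YUd1mFAO...`) does not match the public key the server reports for its own wg0 interface (`A7MreEBC...`), which a reader comparing the two outputs would want to check first.

The script below is an added example, not code from the original post or from the WireGuard project. It parses the machine-readable `wg show <iface> dump` format (one tab-separated line per peer, with the handshake as a Unix timestamp and 0 meaning never) and classifies each peer as established, stale or never-handshaked. The 180 s staleness threshold is a chosen value, matching the protocol's REJECT_AFTER_TIME; the `make_dump` helper and the sample dump are constructed test data mirroring the client state in the post, not captured output.

```shell
#!/bin/sh
# Added example, not code from the original post or from the WireGuard project.
# Classifies each peer in `wg show <iface> dump` output by handshake age.
#
# Dump format (tab-separated). Line 1 is the interface:
#   private-key  public-key  listen-port  fwmark
# Each following line is one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp; 0 means a handshake never completed.

# Assumption: a handshake older than 180 s is treated as stale, since the
# protocol rejects a session after REJECT_AFTER_TIME = 180 s.
STALE_AFTER=180

# make_dump PUBKEY LATEST_HANDSHAKE RX TX
#   Builds a constructed one-peer dump (sample data, not captured output).
make_dump() {
    printf 'private-key-placeholder\t2At7asuH2ay1vMvg9H8BZvUU5mnJ97VGlDwQWT1l1C8=\t33960\toff\n'
    printf '%s\tpsk-placeholder\tX.X.X.X:51820\t0.0.0.0/0\t%s\t%s\t%s\t10\n' "$1" "$2" "$3" "$4"
}

# wg_peer_status DUMP NOW
#   DUMP: text of `wg show <iface> dump`; NOW: current Unix time in seconds.
#   Prints "<peer-public-key> <status> rx=<bytes> tx=<bytes>" per peer, where
#   status is established, stale or never-handshaked.
wg_peer_status() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v stale="$STALE_AFTER" '
        NR == 1 || NF < 8 { next }          # skip the interface line
        {
            hs = $5 + 0
            if (hs == 0)                 status = "never-handshaked"
            else if (now - hs <= stale)  status = "established"
            else                         status = "stale"
            printf "%s %s rx=%s tx=%s\n", $1, status, $6, $7
        }'
}

# Sample mirroring the client state in the post: traffic sent, 0 bytes
# received, no handshake ever completed (constructed, not captured).
SAMPLE_DUMP=$(make_dump "YUd1mFAOyn01G2/n942hk9LZ0mfhUm4nHb/3xMVSETc=" 0 0 101232)

wg_peer_status "$SAMPLE_DUMP" "$(date +%s)"
```

On a real host the call is `wg_peer_status "$(wg show wg0 dump)" "$(date +%s)"` as root; a peer that stays `never-handshaked` while its handshake initiations are visible in tcpdump on the server points at the handshake itself being rejected (wrong peer public key, wrong preshared key, or the initiation never reaching the wg0 interface), not at routing of the tunnel traffic.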


Thread overview: 2+ messages
2019-01-01 21:05 Wojtek Swiatek [this message]
2019-01-16  8:19 ` Vincent Wiemann
