I’m trying to connect to my WireGuard server, but it’s not working, and I’m out of my depth. I suspect it’s more of a network issue than a WireGuard issue, but I could be mistaken. I’m hoping someone can give me some pointers.
What I’ve done / What is working
I’ve created several configurations on the server, and one of them I’ve added to the client running Pop-OS. If it’s on the (W)LAN, it can connect to the server without problems.
Set-up of client.
    # /etc/wireguard/wg0.conf
    [Interface]
    PrivateKey = [removed]
    Address = 10.6.0.4/24
    MTU = 1420
    DNS = 126.96.36.199, 188.8.131.52

    [Peer]
    PublicKey = [removed]
    PresharedKey = [removed]
    Endpoint = somesubdomain.chickenkiller.com:51820 # I tried with this one...
    #Endpoint = 192.168.1.220:51820 # ...and with this one.
    AllowedIPs = 0.0.0.0/0, ::0/0
In the LAN, this works, regardless of the Endpoint that’s commented in:
    # sudo wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.6.0.4/24 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] resolvconf -a tun.wg0 -m 0 -x
    [#] wg set wg0 fwmark 51820
    [#] ip -6 route add ::/0 dev wg0 table 51820
    [#] ip -6 rule add not fwmark 51820 table 51820
    [#] ip -6 rule add table main suppress_prefixlength 0
    [#] ip6tables-restore -n
    [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
    [#] ip -4 rule add not fwmark 51820 table 51820
    [#] ip -4 rule add table main suppress_prefixlength 0
    [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
    [#] iptables-restore -n

    # sudo wg
    interface: wg0
      public key: [removed]
      private key: (hidden)
      listening port: 44709
      fwmark: 0xca6c

    peer: [removed]
      preshared key: (hidden)
      endpoint: 12.34.567.89:51820 # (WAN IP address or LAN IP address, depending on commented-in Endpoint in wg0.conf)
      allowed ips: 0.0.0.0/0, ::/0
      latest handshake: Now
      transfer: 17.84 MiB received, 230.08 KiB sent
For my smartphone, using the WireGuard app, the same is true: the connection is working when the phone is in the WLAN.
What is not working
When the client tries to connect through the internet, it’s no longer working. The output of sudo wg-quick up wg0 is the same as when it’s in the LAN, but sudo wg takes a long time to produce an output, and when it does, it always shows 0 traffic:
    # sudo wg
    interface: wg0
      public key: [removed]
      private key: (hidden)
      listening port: 60955
      fwmark: 0xca6c

    peer: [removed]
      preshared key: (hidden)
      endpoint: 12.34.567.89:51820
      allowed ips: 0.0.0.0/0, ::/0
      transfer: 0 B received, 2.31 KiB sent
Seems to me that there is a problem getting into the LAN from the WAN, so I better crack out the old network diagram.
This is the set-up of the LAN:
On both routers, port forwarding for UDP traffic on port 51820 is active (on the primary router, to the secondary one, and on the secondary one, to the VPN server).
It’s surely not relevant, but the client is connected to the internet through a USB-tethered smartphone’s cellular data connection, over which it can ping google and access the internet just fine.
The VPN server is running a service to update the somesubdomain.chickenkiller.com DDNS entry, and pinging this shows that it indeed resolves to my WAN address. The pings get a response as well:
    ~$ ping somesubdomain.chickenkiller.com
    PING somesubdomain.chickenkiller.com (12.34.567.89) 56(84) bytes of data.
    64 bytes from xxxxxxx.dynamic.kabel-deutschland.de (12.34.567.89): icmp_seq=1 ttl=47 time=77.1 ms
    64 bytes from xxxxxxx.dynamic.kabel-deutschland.de (12.34.567.89): icmp_seq=2 ttl=47 time=76.1 ms
I’m not working on networks and networking infrastructure every day, so excuse me in advance if this has an obvious reason, or if I left out any critical information; just ask and I’ll happily provide any additional data that is needed.
Additional information / Primary router settings
I can connect to the VPN server whether on LAN1 or LAN2, so the port forwarding on the own/secondary router seems to be working just fine; the problem must be in the ISP/primary router or its modem.
Solution (well, workaround): bridge mode
traceroute somesubdomain.chickenkiller.com -U -p 51820 showed that the packets were reaching the primary router, but died there.
I assume there is some accidental or intended blocking of these packets by the ISP-provided hardware, so I switched that device into bridge mode. The secondary router has been promoted to primary router and the setup is now working perfectly fine. I can reach and connect to the WireGuard server without problem.
Thanks for your help.
And thanks Vodafone for being less than helpful.
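Added example (not part of the question above, nor WireGuard project code): a small checker for the machine-readable `wg show <iface> dump` output that turns the symptom described above ("0 B received, a few KiB sent, no latest handshake") into an explicit status and hint, so the difference between a tunnel that never completed a handshake and one that went stale is visible at a glance. The sample dump, the key names and the 180 s staleness threshold are constructed assumptions.

```python
import sys
import time

STALE_AFTER = 180  # assumed threshold: WireGuard rekeys every ~2 min while traffic flows


def parse_dump(text):
    """Parse `wg show <iface> dump`: one tab-separated interface line, then one line per peer."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    _priv, pub, port, fwmark = lines[0].split("\t")
    iface = {"public_key": pub, "listen_port": int(port), "fwmark": fwmark}
    peers = []
    for ln in lines[1:]:
        pub, _psk, endpoint, allowed, hs, rx, tx, keepalive = ln.split("\t")
        peers.append({"public_key": pub, "endpoint": endpoint, "allowed_ips": allowed,
                      "latest_handshake": int(hs), "rx": int(rx), "tx": int(tx),
                      "keepalive": keepalive})
    return iface, peers


def diagnose_peer(peer, now):
    """Map a peer's handshake timestamp (0 = never) and byte counters to a status and a hint."""
    if peer["latest_handshake"] == 0:
        if peer["tx"] > 0 and peer["rx"] == 0:
            # Initiations leave the client but nothing ever comes back: the UDP path to
            # the server (port forwards, upstream modem, DDNS target) or the keys are wrong.
            return "NO_HANDSHAKE", ("initiations sent, no reply: check UDP port forwarding on "
                                    "every upstream router/modem, the DDNS name and the peer keys")
        return "IDLE", "no handshake yet and nothing sent (no traffic has triggered one)"
    age = now - peer["latest_handshake"]
    if age > STALE_AFTER:
        return "STALE", f"last handshake {age}s ago; NAT mapping may have expired, try PersistentKeepalive"
    return "UP", f"handshake {age}s ago, {peer['rx']} B received"


def diagnose(text, now=None):
    """Return (public_key, status, hint) for every peer in a dump."""
    now = int(time.time()) if now is None else now
    _iface, peers = parse_dump(text)
    return [(p["public_key"], *diagnose_peer(p, now)) for p in peers]


# Constructed sample mirroring the failing WAN case: keys are placeholders, endpoint is TEST-NET.
SAMPLE_FAILING = ("PRIV\tCLIENTPUB\t60955\t0xca6c\n"
                  "SERVERPUB\tPSK\t203.0.113.10:51820\t0.0.0.0/0,::/0\t0\t0\t2365\toff\n")

if __name__ == "__main__":  # usage: sudo wg show wg0 dump | python3 wg_diag.py
    for pub, status, hint in diagnose(sys.stdin.read()):
        print(f"{pub[:8]}... {status}: {hint}")
```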