
The server has two interfaces: eth0 is the real IPv4 network interface, tun0 is the virtual mesh IPv6 network interface.

The WireGuard tunnel is wg0, 10.0.0.0/24; the server is 10.0.0.1, the client is 10.0.0.2.

The client uses the public IPv6 address of the server's tun0 interface as Endpoint and connects to WireGuard listening on port 51193. The client successfully receives a handshake, but is unable to ping anything except the local network.

The server has no firewall.

Example traceroute of google.com from client:

tracert 172.217.18.14

Tracing route to fra24s22-in-f14.1e100.net [172.217.18.14]
over a maximum of 30 hops:

  1   123 ms   201 ms   198 ms  10.0.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.

Server data:

ip route show table main

default via 51.89.97.39 dev ens3 onlink 
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1

ip -6 route show table main

::1 dev lo proto kernel metric 256 pref medium
200::/7 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:<REDACTED>:63 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet <REDACTED_IPV4_ENS3_PUBLIC>/32 brd 135.125.209.103 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe2c:4f63/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 53049 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet6 <REDACTED_IPV6_TUN0_PUBLIC>/7 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::a307:5d5d:2a0b:2be1/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

iptables -L -v -n

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  127  7404 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

ip6tables -L -v -n

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      wg0    *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

WireGuard server config:

[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51193
PrivateKey = <REDACTED>

[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 10.0.0.4/32

WireGuard client config:

[Interface]
PrivateKey = <REDACTED>
Address = 10.0.0.4/32
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3, ::/1, 8000::/2, c000::/3, e000::/4, f000::/5, f800::/6, fe00::/7
Endpoint = [<REDACTED_IPV6_TUN0_PUBLIC>]:51193

All traffic must have access to the local network (it already does), otherwise go out via ens3 (this is not working).

Am I missing something? When connecting to the WireGuard server via clearnet <REDACTED_IPV4_ENS3_PUBLIC>, with tun0 down, everything works normally.

Comments:

  • What do you see in a packet capture on ens3? Do the packets actually go out or not? ("Unable to ping" doesn't necessarily mean traffic doesn't go out; it can also mean traffic doesn't come back in for various reasons.) If they do, what source IP address do they have? If they're supposed to be NATed, does the packet capture show that they are indeed being NATed? (You have ens3 in your description but eth0 in your PostUp.)
    Commented Aug 10, 2023 at 5:46
  • Thanks, that was the reason. PostUp/PostDown rules must have ens3, but not ens0. I forgot to change the interfaces after changing the server. Traffic does come in and go out; it works fine now.
    – un4ss1gn3d
    Commented Aug 10, 2023 at 8:10

1 Answer


The correct answer was to fix the use of the incorrect interface, changing eth0 to ens3; thanks to u1688_grawity in the comments.
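The root cause above, a hook rule naming an interface that no longer exists on the host, is easy to catch before bringing the tunnel up. The following is an added example, not part of the question or answer: it parses the PostUp/PostDown lines of a WireGuard config, collects every interface passed to -i/-o, and reports those absent from the host. The sample config and interface list are constructed from the question's own output (lo, ens3, tun0, wg0 present; eth0 referenced).

```python
import os
import re
import shlex

# Constructed sample: the server's [Interface] hooks from the question,
# still carrying the stale eth0 name in the MASQUERADE rules.
SAMPLE_CONFIG = """\
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
ListenPort = 51193
"""

# Constructed: interfaces the question's "ip a" output shows on the server.
SAMPLE_IFACES = {"lo", "ens3", "tun0", "wg0"}

HOOK_KEYS = ("PreUp", "PostUp", "PreDown", "PostDown")
IFACE_FLAGS = ("-i", "-o", "--in-interface", "--out-interface")


def referenced_interfaces(config_text):
    """Map each interface named by an -i/-o flag in a hook to the config
    lines that reference it. Hooks may chain commands with ';', '&&', '||'."""
    refs = {}
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() not in HOOK_KEYS:
            continue
        for cmd in re.split(r";|&&|\|\|", value):
            argv = shlex.split(cmd)
            for i, tok in enumerate(argv[:-1]):
                if tok in IFACE_FLAGS:
                    refs.setdefault(argv[i + 1], []).append(line.strip())
    return refs


def missing_interfaces(config_text, present):
    """Interfaces named in hooks that the host does not have. iptables accepts
    a MASQUERADE rule on a nonexistent -o interface without error; the rule
    simply never matches, so forwarded packets leave un-NATed and replies
    never come back, which is exactly the symptom in the question."""
    return sorted(set(referenced_interfaces(config_text)) - set(present))


def host_interfaces():
    """Interfaces on this Linux host, read from sysfs (no subprocess needed)."""
    return set(os.listdir("/sys/class/net"))
```

Run `missing_interfaces(open("/etc/wireguard/wg0.conf").read(), host_interfaces())` on the server to check a live config; on the sample it returns `['eth0']`.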

