[WireGuard] Unable to configure routing

Vladimir Matveev vladimir.matweev at gmail.com
Sat Aug 6 14:36:23 CEST 2016


Hello,

I wanted to try WireGuard so I decided to test it on my laptop to
route all connections through my VPS. I have set it up on the VPS with
the following config file:

[Interface]
PrivateKey = <server private key>
ListenPort = 41414

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.9.0.0/24

On my laptop I have the following file:

[Interface]
PrivateKey = <client private key>

[Peer]
PublicKey = <server public key>
Endpoint = <VPS public IP>:41414
AllowedIPs = 10.9.0.0/24


I configured a wg0 interface both on the server (10.9.0.1) and on the
client (10.9.0.2) and also configured the firewall on the VPS to pass
UDP packets for the 41414 port through, as well as masquerading for
packets coming from 10.9.0.0/24.

Afterwards I was able to reach the laptop from the server and vice
versa using their wg0 addresses just fine. However, I wasn't able to
route any connections through the VPS from the laptop.

On the server, as I have said already, I have set up masquerading for
10.9.0.0/24. On the client I've added a route like this:

ip r add 178.63.151.224 via 10.9.0.1 dev wg0

Then, when I try to ping 178.63.151.224, I get errors like this:

% LANG=C ping 178.63.151.224
PING 178.63.151.224 (178.63.151.224) 56(84) bytes of data.
From 10.9.0.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.9.0.2 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.9.0.2 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
^C
--- 178.63.151.224 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000m

Naturally, no other connection to this host gets through. Also, it
seems that in this case no packets even reach the server; I can see it
in the tcpdump -i wg0 output on the VPS. If I try to ping 10.9.0.1
from the laptop, I get correct responses and I also see them in the
tcpdump output, and I'm able to connect to the server itself just
fine.

I tried configuring the route without "via 10.9.0.1", as it is
described in the documentation (although I don't understand how it
should find the correct gateway address in such a configuration), but to
no avail - the errors are exactly the same.

What am I doing wrong here?

uname -a on the laptop:

Linux hostname 4.6.5-2-ck #1 SMP PREEMPT Wed Jul 27 18:33:05 EDT 2016 x86_64 GNU/Linux

uname -a on the VPS:

Linux hostname 4.6.4-1-ARCH #1 SMP PREEMPT Mon Jul 11 19:12:32 CEST 2016 x86_64 GNU/Linux

Both computers are running Arch Linux, with WireGuard 0.0.20160722
built via DKMS.

Thanks.

Best regards,
Vladimir
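
An added example, not part of the original message: WireGuard chooses the peer for an outgoing packet by matching the destination against each peer's AllowedIPs, and a destination that matches none is rejected with ENOKEY, the "Required key not available" error shown in the ping output. The sketch below runs that lookup over the laptop config as posted; `parse_peers` and `select_peer` are hypothetical helper names and only the lookup is modelled, not the kernel module.

```python
import ipaddress

# Laptop config as posted; the key and endpoint placeholders are kept as-is.
CLIENT_CONF = """\
[Interface]
PrivateKey = <client private key>

[Peer]
PublicKey = <server public key>
Endpoint = <VPS public IP>:41414
AllowedIPs = 10.9.0.0/24
"""

def parse_peers(conf):
    """Return [(public_key, [networks])] for every [Peer] section."""
    peers, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append({"key": None, "nets": []})
            continue
        if section != "peer":
            continue
        name, _, value = line.partition("=")  # first '=' only: keys end in '='
        name, value = name.strip().lower(), value.strip()
        if name == "publickey":
            peers[-1]["key"] = value
        elif name == "allowedips":
            peers[-1]["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                  for v in value.split(",") if v.strip()]
    return [(p["key"], p["nets"]) for p in peers]

def select_peer(peers, dst):
    """Longest-prefix match of dst over all AllowedIPs; None models ENOKEY."""
    addr, best = ipaddress.ip_address(dst), None
    for key, nets in peers:
        for net in nets:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (key, net)
    return best[0] if best else None

if __name__ == "__main__":
    peers = parse_peers(CLIENT_CONF)
    for dst in ("10.9.0.1", "178.63.151.224"):
        print(dst, "->", select_peer(peers, dst) or "no peer (ENOKEY)")
```

The lookup depends only on AllowedIPs, so the result for 178.63.151.224 is the same with or without "via 10.9.0.1" on the route.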

