Windows firewall rules not being correctly setup
James Hartig
fastest963 at gmail.com
Wed Aug 12 17:59:27 CEST 2020
I have the latest Wireguard installed on Windows 10 (2004). Whenever I
try to use the wg client to configure the WireGuard tunnel the tunnel
doesn't properly receive packets but if I start the Windows service
with the conf file populated with peer information then it more often
than not works but still not all the time.
If the configuration file has a peer section when I start up the
WireGuard service then the tunnel works fine and I can ping over the
tunnel.
Configuration file:
[Interface]
Address = 172.28.128.2/30
PrivateKey = ...
[Peer]
PublicKey = ...
Endpoint = ...:...
AllowedIPs = 172.28.128.3/32
PersistentKeepalive = 5
However, if I start up the WireGuard service without the peer
definition and use wg to configure the peer, the tunnel never works.
Configuration file:
[Interface]
Address = 172.28.128.2/30
PrivateKey = ...
wg command:
wg set wgA peer ... endpoint ... allowed-ips 172.28.128.3/32
persistent-keepalive 5
I see that the tunnel is established and the bytes are increasing:
interface: wgA
public key: ...
private key: (hidden)
listening port: 52299
peer: ...
endpoint: ...
allowed ips: 172.28.128.3/32
latest handshake: 5 seconds ago
transfer: 380 B received, 276 B sent
persistent keepalive: every 5 seconds
If I do a tcpdump on the server I see incoming ping requests and responses:
23:19:18.626880 IP (tos 0x0, ttl 128, id 5334, offset 0, flags [none],
proto ICMP (1), length 60)
172.28.128.2 > 172.28.128.3: ICMP echo request, id 1, seq 5662, length 40
E..<..................7=....abcdefghijklmnopqrstuvwabcdefghi
23:19:18.626956 IP (tos 0x0, ttl 64, id 16519, offset 0, flags [none],
proto ICMP (1), length 60)
172.28.128.3 > 172.28.128.2: ICMP echo reply, id 1, seq 5662, length 40
E..<@... at .............?=....abcdefghijklmnopqrstuvwabcdefghi
But locally on Windows I can't get WireShark or netsh trace to include
traffic on the tun interface but if I look at the UDP traffic over my
main interface I can see the UDP packets incoming with the echo reply.
The only thing I can figure out so far is that wfp seems to be
blocking the packets whenever I use wg to configure the peer. If I
disable the Windows firewall via the GUI then traffic works in both
directions and everything is fine. When I have the firewall enabled
and I run netsh wfp show netevents I see lots of:
<item>
<header>
<timeStamp>2020-08-12T15:56:49.641Z</timeStamp>
<flags numItems="8">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_APP_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_USER_ID_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
<item>FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>1</ipProtocol>
<localAddrV4>172.28.128.2</localAddrV4>
<remoteAddrV4>172.28.128.3</remoteAddrV4>
<localPort>8</localPort>
<remotePort>0</remotePort>
<scopeId>0</scopeId>
<appId>
<data>530079007300740065006d000000</data>
<asString>S.y.s.t.e.m...</asString>
</appId>
<userId>S-1-5-18</userId>
<addressFamily>FWP_AF_INET</addressFamily>
<packageSid>S-1-0-0</packageSid>
<enterpriseId/>
<policyFlags>0</policyFlags>
<effectiveName/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>790758</filterId>
<layerId>44</layerId>
<reauthReason>0</reauthReason>
<originalProfile>1</originalProfile>
<currentProfile>1</currentProfile>
<msFwpDirection>MS_FWP_DIRECTION_OUT</msFwpDirection>
<isLoopback>false</isLoopback>
<vSwitchId/>
<vSwitchSourcePort>0</vSwitchSourcePort>
<vSwitchDestinationPort>0</vSwitchDestinationPort>
</classifyDrop>
<internalFields>
<internalFlags/>
<remoteAddrBitmap>0000000000000000</remoteAddrBitmap>
<capabilities/>
<fqbnVersion>0</fqbnVersion>
<fqbnName/>
<terminatingFiltersInfo numItems="3">
<item>
<filterId>790740</filterId>
<subLayer>65535</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
<item>
<filterId>792929</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_QUARANTINE</subLayer>
<actionType>FWP_ACTION_PERMIT</actionType>
</item>
<item>
<filterId>790758</filterId>
<subLayer>FWPP_SUBLAYER_INTERNAL_FIREWALL_WF</subLayer>
<actionType>FWP_ACTION_BLOCK</actionType>
</item>
</terminatingFiltersInfo>
</internalFields>
</item>
The 790740 filter is the filter that should be applied but for some
reason it's not:
<item>
<filterKey>{9ad60a16-7e29-4b44-832d-8d78d1e5ec4e}</filterKey>
<displayData>
<name>Permit inbound IPv4 traffic on TUN</name>
<description/>
</displayData>
<flags/>
<providerKey>{1eb59bfa-a556-4090-b85a-4c1ea9119051}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
<subLayerKey>{d36dd15b-ce50-474c-b651-d95d016f7ad5}</subLayerKey>
<weight>
<type>FWP_UINT8</type>
<uint8>12</uint8>
</weight>
<filterCondition numItems="1">
<item>
<fieldKey>FWPM_CONDITION_IP_LOCAL_INTERFACE</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType>
<conditionValue>
<type>FWP_UINT64</type>
<uint64>14918723538255872</uint64>
</conditionValue>
</item>
</filterCondition>
<action>
<type>FWP_ACTION_PERMIT</type>
<filterType/>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>790740</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>13837309855095848960</uint64>
</effectiveWeight>
</item>
Here's the log if that helps:
2020-08-11 16:16:58.797: [TUN] [wgA] Starting WireGuard/0.1.1 (Windows
10.0.19041; amd64)
2020-08-11 16:16:58.797: [TUN] [wgA] Watching network interfaces
2020-08-11 16:16:58.799: [TUN] [wgA] Resolving DNS names
2020-08-11 16:16:58.800: [TUN] [wgA] Creating Wintun interface
2020-08-11 16:16:59.118: [TUN] [wgA] Using Wintun/0.8 (NDIS 6.83)
2020-08-11 16:16:59.121: [TUN] [wgA] Enabling firewall rules
2020-08-11 16:16:59.146: [TUN] [wgA] Dropping privileges
2020-08-11 16:16:59.146: [TUN] [wgA] Creating interface instance
2020-08-11 16:16:59.147: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.147: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.147: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.147: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.148: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.148: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.148: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.148: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.149: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.149: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.149: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.149: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.149: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.149: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.150: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.150: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.150: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.150: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.150: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.150: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.151: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.151: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.151: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.151: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.151: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.151: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.152: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.152: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.152: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.152: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.152: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.152: [TUN] [wgA] Routine: encryption worker - started
2020-08-11 16:16:59.152: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.152: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.153: [TUN] [wgA] Routine: event worker - started
2020-08-11 16:16:59.153: [TUN] [wgA] Routine: handshake worker - started
2020-08-11 16:16:59.153: [TUN] [wgA] Routine: decryption worker - started
2020-08-11 16:16:59.153: [TUN] [wgA] Routine: TUN reader - started
2020-08-11 16:16:59.153: [TUN] [wgA] Setting interface configuration
2020-08-11 16:16:59.153: [TUN] [wgA] UAPI: Updating private key
2020-08-11 16:16:59.154: [TUN] [wgA] Bringing peers up
2020-08-11 16:16:59.155: [TUN] [wgA] Routine: receive incoming IPv6 - started
2020-08-11 16:16:59.155: [TUN] [wgA] Routine: receive incoming IPv4 - started
2020-08-11 16:16:59.155: [TUN] [wgA] UDP bind has been updated
2020-08-11 16:16:59.155: [TUN] [wgA] Monitoring default v6 routes
2020-08-11 16:16:59.156: [TUN] [wgA] Binding v6 socket to interface 19
(blackhole=false)
2020-08-11 16:16:59.157: [TUN] [wgA] Setting device v6 addresses
2020-08-11 16:16:59.313: [TUN] [wgA] Monitoring default v4 routes
2020-08-11 16:16:59.317: [TUN] [wgA] Binding v4 socket to interface 19
(blackhole=false)
2020-08-11 16:16:59.320: [TUN] [wgA] Setting device v4 addresses
2020-08-11 16:16:59.633: [TUN] [wgA] Listening for UAPI requests
2020-08-11 16:16:59.633: [TUN] [wgA] Startup complete
2020-08-11 16:17:08.535: [TUN] [wgA] UAPI: Transition to peer configuration
2020-08-11 16:17:08.536: [TUN] [wgA] peer(b1vk…FImg) - Starting...
2020-08-11 16:17:08.536: [TUN] [wgA] peer(b1vk…FImg) - Routine:
sequential receiver - started
2020-08-11 16:17:08.536: [TUN] [wgA] peer(b1vk…FImg) - Routine: nonce
worker - started
2020-08-11 16:17:08.536: [TUN] [wgA] peer(b1vk…FImg) - Routine:
sequential sender - started
2020-08-11 16:17:08.536: [TUN] [wgA] peer(b1vk…FImg) - UAPI: Created
2020-08-11 16:17:08.537: [TUN] [wgA] peer(b1vk…FImg) - UAPI: Updating endpoint
2020-08-11 16:17:08.537: [TUN] [wgA] peer(b1vk…FImg) - UAPI: Removing
all allowedips
2020-08-11 16:17:08.537: [TUN] [wgA] peer(b1vk…FImg) - UAPI: Adding allowedip
2020-08-11 16:17:11.944: [TUN] [wgA] peer(b1vk…FImg) - Sending
handshake initiation
2020-08-11 16:17:11.946: [TUN] [wgA] peer(b1vk…FImg) - Awaiting keypair
2020-08-11 16:17:11.989: [TUN] [wgA] peer(b1vk…FImg) - Received
handshake response
2020-08-11 16:17:11.991: [TUN] [wgA] peer(b1vk…FImg) - Obtained awaited keypair
Can someone share how I might debug further?
Thanks!
More information about the WireGuard
mailing list