Connection works, ping does not

Hendrik Friedel hendrik at friedels.name
Mon Nov 23 21:37:24 CET 2020


Hello Max,

thanks for your reply.

>
>Could it be that some kind of firewall is restricting UDP traffic to your other server?
>
Well, locally, I do use this machine as host for many tunnels.


>
>E.g. could you try to run `mtr --udp [other server's public IP address]` on your computer (while disabling your other WireGuard connection, if applicable) and report back whether there is any kind of packet loss?
I used traceroute on the command line for this:

Remote:

wg-quick up wgnet0
[#] ip link add wgnet0 type wireguard
[#] wg setconf wgnet0 /dev/fd/63
[#] ip -4 address add 10.192.122.3/32 dev wgnet0
[#] ip link set mtu 1420 up dev wgnet0
[#] wg set wgnet0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wgnet0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0

root@openmediavault:/etc/wireguard# wg show
interface: wgnet0
   public key: cebXSaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMFw=
   private key: (hidden)
   listening port: 42759
   fwmark: 0xca6c

peer: oNjmmmmmmmmmmmmmmmmmmmmmmmmmmmmU=
   endpoint: [2003:cb:97ff:33d8:9ec7:a6ff:fefd:3a6d]:51820
   allowed ips: 0.0.0.0/0
   transfer: 0 B received, 444 B sent
   persistent keepalive: every 25 seconds


Local:
traceroute to 2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a (2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a), 30 hops max, 80 byte packets
  1  p200300cb9733ca009ec7a6fffefd3a69.dip0.t-ipconnect.de (2003:cb:9733:ca00:9ec7:a6ff:fefd:3a69)  0.946 ms  3.435 ms  3.645 ms
  2  2003:0:8501::1 (2003:0:8501::1)  13.884 ms  13.839 ms  14.193 ms
  3  * * *
  4  2001:2000:3019:6b::1 (2001:2000:3019:6b::1)  86.609 ms  88.002 ms  87.874 ms
  5  ddf-b2-v6.telia.net (2001:2000:3018:21::1)  88.137 ms  89.508 ms  89.639 ms
  6  * * *
  7  2a00:6020:0:b::2 (2a00:6020:0:b::2)  81.576 ms  81.989 ms 2a00:6020:0:a::2 (2a00:6020:0:a::2)  82.201 ms
  8  lo1007.kr1.dc1-bor.dg-ao.de (2a00:6020:1000:3::1)  86.281 ms  84.259 ms  85.760 ms
  9  2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d (2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d)  88.483 ms !X  87.579 ms !X  88.447 ms !X

And here are the mtr results (wg up and down):
https://1drv.ms/u/s!AvbzKdYzkh6gl0BVLcuR9eeWUaqj?e=9wKxSC
https://1drv.ms/u/s!AvbzKdYzkh6gl0HVwPz1FabOtemM?e=c7bCcB

>If not, you may wish to check whether the port on the machine is reachable, e.g. by running `nc -v -l -u -p 12345` on your server and then executing `echo test | nc -u [server's IP] 12345`, to check whether the message arrives at the server.

I am using the machine that is here, locally, as a server for many tunnels.
So, the WireGuard port is reachable.
On the remote machine, I have NOT done any port forwarding. Is that
necessary at all? I thought that only the machine that is NOT
initiating the connection needs port forwarding.

Greetings,
Hendrik

>
>
>Best,
>
>Max
>
>On 20/11/22 07:39pm, Hendrik Friedel wrote:
>>  Hello,
>>
>>  (I posted this a while ago, but it never appeared on the list; if the list is the wrong place for this question, please let me know; I would appreciate a hint for a more appropriate place)
>>
>>  I am using wireguard to connect two machines.
>>  My local server is connected to the internet via a router. I am using this server also for connecting other devices (e.g. mobile phones) to my home network. This works great.
>>
>>  But when connecting to another server (both Debian 10), I only get a successful connection, but no ping.
>>  *My server:*
>>
>>  wg show
>>  interface: wgnet0
>>    public key: xxxxx=
>>    private key: (hidden)
>>    listening port: 51820
>>
>>  peer: sdfsdfsdfsdfsdfsdf=
>>    endpoint: 109.41.64.83:15167
>>    allowed ips: 10.192.122.2/32
>>    latest handshake: 1 minute, 7 seconds ago
>>    transfer: 10.95 MiB received, 40.35 MiB sent
>>
>>  peer: yyyy=
>>    endpoint: 185.22.142.254:51380
>>    allowed ips: 10.192.122.3/32
>>    transfer: 0 B received, 5.20 KiB sent
>>
>>  peer: yyyy=
>>    endpoint: 93.214.229.137:64119
>>    allowed ips: 10.192.122.4/32
>>
>>  peer: yyyy=
>>    endpoint: 93.214.225.116:49819
>>    allowed ips: 10.192.122.5/32
>>
>>  peer: yyyy=
>>    allowed ips: 10.192.122.6/32
>>
>>  peer: yyyy=
>>    allowed ips: 10.192.122.7/32
>>
>>
>>  more /etc/wireguard/wgnet0.conf
>>  [Interface]
>>  Address = 10.192.122.1/24
>>  SaveConfig = true
>>  PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>  PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>  ListenPort = 51820
>>  PrivateKey = aaa=
>>
>>  [Peer]
>>  PublicKey = yyyy=
>>  AllowedIPs = 10.192.122.2/32
>>  Endpoint = 123.41.67.233:18314
>>
>>  [Peer]
>>  PublicKey = xxx=
>>  AllowedIPs = 10.192.122.3/32
>>  Endpoint = 123.22.142.254:51380
>>
>>
>>
>>
>>
>>  ip route
>>  default via 192.168.177.1 dev eth0 proto static
>>  10.192.122.0/24 dev wgnet0 proto kernel scope link src 10.192.122.1
>>
>>  and the other side/server:
>>
>>  interface: wgnet0
>>    public key: xxxxx=
>>    private key: (hidden)
>>    listening port: 54004
>>    fwmark: 0xca6c
>>
>>  peer: yyyyy=
>>    endpoint: [2003:cb:aaa:bbb:9ec7:a6ff:fefd:3a6d]:51820
>>    allowed ips: 0.0.0.0/0
>>    transfer: 0 B received, 2.75 KiB sent
>>    persistent keepalive: every 25 seconds
>>
>>
>>
>>    more wgnet0.conf
>>  [Interface]
>>  Address = 10.192.122.3/32
>>  PrivateKey = xxxxx=
>>
>>  [Peer]
>>  PublicKey = yyyyy=
>>  Endpoint = v.myfritz.net:51820
>>  AllowedIPs = 0.0.0.0/0
>>  PersistentKeepalive = 25
>>
>>  It seems to me that the connection is successfully established, but data is only transmitted in one direction.
>>
>>  How can I find the reason?
>>
>>  Regards,
>>  Hendrik
>>
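An added diagnostic, not from the thread or from the WireGuard project: it parses `wg show` output shaped like the listings above and flags peers that have sent data but never completed a handshake or never received anything back, which is the pattern both of the quoted listings show. The sample text is constructed, with placeholder keys.

```python
"""Parse `wg show` output and flag peers whose tunnel only carries traffic one way."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
_TRANSFER = re.compile(r"transfer: ([\d.]+) (\w+) received, ([\d.]+) (\w+) sent")

@dataclass
class Peer:
    key: str
    handshake: Optional[str] = None  # wg prints this line only after a completed handshake
    rx: int = 0  # bytes received from this peer
    tx: int = 0  # bytes sent to this peer (handshake initiations included)

def parse_wg_show(text: str) -> List[Peer]:
    peers: List[Peer] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            peers.append(Peer(key=line.split(":", 1)[1].strip()))
        elif peers and line.startswith("latest handshake:"):
            peers[-1].handshake = line.split(":", 1)[1].strip()
        elif peers and (m := _TRANSFER.match(line)):
            peers[-1].rx = int(float(m.group(1)) * _UNITS[m.group(2)])
            peers[-1].tx = int(float(m.group(3)) * _UNITS[m.group(4)])
    return peers

def diagnose(peer: Peer) -> str:
    # 444 B sent with 0 B received, as in the thread, is three unanswered 148-byte initiations.
    if peer.handshake is None:
        return "no handshake: nothing from the peer reaches this host" if peer.tx else "idle"
    return "ok" if peer.rx else "handshake done, but no data received since"

def report(text: str) -> List[Tuple[str, str]]:
    return [(p.key, diagnose(p)) for p in parse_wg_show(text)]

# Constructed sample shaped like the thread's output; keys are placeholders.
SAMPLE = """\
peer: PEER_A_PLACEHOLDER=
  latest handshake: 1 minute, 7 seconds ago
  transfer: 10.95 MiB received, 40.35 MiB sent

peer: PEER_B_PLACEHOLDER=
  transfer: 0 B received, 444 B sent
"""

if __name__ == "__main__":
    for key, verdict in report(SAMPLE):
        print(f"{key}: {verdict}")
```

Pipe real output in with `wg show | python3 wgdiag.py` after swapping `SAMPLE` for `sys.stdin.read()`; a peer that keeps reporting "no handshake" while its sent counter grows is the one whose return path needs attention.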


