Connection works, ping does not
Hendrik Friedel
hendrik at friedels.name
Mon Nov 23 23:16:50 CET 2020
Hello again,
I just realized:
I did the test using IPv6, whereas IPv4 is used for the tunnel. Having
said that... I am not sure it is, as I use a Domain-Name... But I think
it is IPv4.
I can repeat the test if needed using IPv4... But before that: From
where should I do the traceroute?
a) from here (the machine that is working for many tunnels, e.g. from my
phone to this machine and to which I have done a port forwarding) to the
other remote machine
b) from the remote machine to here
The remote machine is headless; is there a command-line alternative to
mtr that also shows the packet loss?
Regards,
Hendrik
------ Original Message ------
From: "Hendrik Friedel" <hendrik at friedels.name>
To: "Max R. P. Grossmann" <m at max.pm>
Cc: wireguard at lists.zx2c4.com
Sent: 23.11.2020 21:37:24
Subject: Re[2]: Connection works, ping does not
>Hello Max,
>
>thanks for your reply.
>
>>
>>Could it be that some kind of firewall is restricting UDP traffic to your other server?
>>
>Well, locally, I do use this machine as Host for many tunnels.
>
>
>>
>>E.g. could you try to run `mtr --udp [other server's public IP address]` on your computer (while disabling your other WireGuard connection, if applicable) and report back whether there is any kind of packet loss?
>I used traceroute on the commandline for this:
>
>Remote:
>
>wg-quick up wgnet0
>[#] ip link add wgnet0 type wireguard
>[#] wg setconf wgnet0 /dev/fd/63
>[#] ip -4 address add 10.192.122.3/32 dev wgnet0
>[#] ip link set mtu 1420 up dev wgnet0
>[#] wg set wgnet0 fwmark 51820
>[#] ip -4 route add 0.0.0.0/0 dev wgnet0 table 51820
>[#] ip -4 rule add not fwmark 51820 table 51820
>[#] ip -4 rule add table main suppress_prefixlength 0
>
>root at openmediavault:/etc/wireguard# wg show
>interface: wgnet0
> public key: cebXSaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMFw=
> private key: (hidden)
> listening port: 42759
> fwmark: 0xca6c
>
>peer: oNjmmmmmmmmmmmmmmmmmmmmmmmmmmmmU=
> endpoint: [2003:cb:97ff:33d8:9ec7:a6ff:fefd:3a6d]:51820
> allowed ips: 0.0.0.0/0
> transfer: 0 B received, 444 B sent
> persistent keepalive: every 25 seconds
>
>
>Local:
>traceroute to 2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a (2a00:sdfs:sdfsdf:sdfs:erre:ereee:sdf:c33a), 30 hops max, 80 byte packets
> 1 p200300cb9733ca009ec7a6fffefd3a69.dip0.t-ipconnect.de (2003:cb:9733:ca00:9ec7:a6ff:fefd:3a69) 0.946 ms 3.435 ms 3.645 ms
> 2 2003:0:8501::1 (2003:0:8501::1) 13.884 ms 13.839 ms 14.193 ms
> 3 * * *
> 4 2001:2000:3019:6b::1 (2001:2000:3019:6b::1) 86.609 ms 88.002 ms 87.874 ms
> 5 ddf-b2-v6.telia.net (2001:2000:3018:21::1) 88.137 ms 89.508 ms 89.639 ms
> 6 * * *
> 7 2a00:6020:0:b::2 (2a00:6020:0:b::2) 81.576 ms 81.989 ms 2a00:6020:0:a::2 (2a00:6020:0:a::2) 82.201 ms
> 8 lo1007.kr1.dc1-bor.dg-ao.de (2a00:6020:1000:3::1) 86.281 ms 84.259 ms 85.760 ms
> 9 2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d (2a00:xxxx:1000:3:yyyy:7f3d:d93e:f23d) 88.483 ms !X 87.579 ms !X 88.447 ms !X
>
>And here the mtr results (wg up and down)
>https://1drv.ms/u/s!AvbzKdYzkh6gl0BVLcuR9eeWUaqj?e=9wKxSC
>https://1drv.ms/u/s!AvbzKdYzkh6gl0HVwPz1FabOtemM?e=c7bCcB
>
>>If not, you may wish to check whether the port on the machine is reachable, e.g. by running `nc -v -l -u -p 12345` on your server and then executing `echo test | nc -u [server's IP] 12345`, to check whether the message arrives at the server.
>
>I am using the machine that is here, locally as server for many tunnels. So, the wireguard port is reachable.
>On the remote machine, I have NOT done any port forwarding. Is that necessary at all? I thought that only the machine that is NOT initiating the connection needs a port forwarding.
>
>Greetings,
>Hendrik
>
>>
>>
>>Best,
>>
>>Max
>>
>>On 20/11/22 07:39pm, Hendrik Friedel wrote:
>>> Hello,
>>>
>>> (I posted this a while ago, but it never appeared on the list; if the list is the wrong place for this question, please let me know; I would appreciate a hint for a more appropriate place)
>>>
>>> I am using wireguard to connect two machines.
>>> My local server is connected to the internet via a router. I am using this server also for connecting other devices (e.g. mobile phones) to my home network. This works great.
>>>
>>> But when connecting to another server (both Debian 10), I only get a successful connection, but no ping.
>>> *My server:*
>>>
>>> wg show
>>> interface: wgnet0
>>> public key: xxxxx=
>>> private key: (hidden)
>>> listening port: 51820
>>>
>>> peer: sdfsdfsdfsdfsdfsdf=
>>> endpoint: 109.41.64.83:15167
>>> allowed ips: 10.192.122.2/32
>>> latest handshake: 1 minute, 7 seconds ago
>>> transfer: 10.95 MiB received, 40.35 MiB sent
>>>
>>> peer: yyyy=
>>> endpoint: 185.22.142.254:51380
>>> allowed ips: 10.192.122.3/32
>>> transfer: 0 B received, 5.20 KiB sent
>>>
>>> peer: yyyy=
>>> endpoint: 93.214.229.137:64119
>>> allowed ips: 10.192.122.4/32
>>>
>>> peer: yyyy=
>>> endpoint: 93.214.225.116:49819
>>> allowed ips: 10.192.122.5/32
>>>
>>> peer: yyyy=
>>> allowed ips: 10.192.122.6/32
>>>
>>> peer: yyyy=
>>> allowed ips: 10.192.122.7/32
>>>
>>>
>>> more /etc/wireguard/wgnet0.conf
>>> [Interface]
>>> Address = 10.192.122.1/24
>>> SaveConfig = true
>>> PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>> PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>>> ListenPort = 51820
>>> PrivateKey = aaa=
>>>
>>> [Peer]
>>> PublicKey = yyyy=
>>> AllowedIPs = 10.192.122.2/32
>>> Endpoint = 123.41.67.233:18314
>>>
>>> [Peer]
>>> PublicKey = xxx=
>>> AllowedIPs = 10.192.122.3/32
>>> Endpoint = 123.22.142.254:51380
>>>
>>>
>>>
>>>
>>>
>>> ip route
>>> default via 192.168.177.1 dev eth0 proto static
>>> 10.192.122.0/24 dev wgnet0 proto kernel scope link src 10.192.122.1
>>>
>>> and the other side/server:
>>>
>>> interface: wgnet0
>>> public key: xxxxx=
>>> private key: (hidden)
>>> listening port: 54004
>>> fwmark: 0xca6c
>>>
>>> peer: yyyyy=
>>> endpoint: [2003:cb:aaa:bbb:9ec7:a6ff:fefd:3a6d]:51820
>>> allowed ips: 0.0.0.0/0
>>> transfer: 0 B received, 2.75 KiB sent
>>> persistent keepalive: every 25 seconds
>>>
>>>
>>>
>>> more wgnet0.conf
>>> [Interface]
>>> Address = 10.192.122.3/32
>>> PrivateKey = xxxxx=
>>>
>>> [Peer]
>>> PublicKey = yyyyy=
>>> Endpoint = v.myfritz.net:51820
>>> AllowedIPs = 0.0.0.0/0
>>> PersistentKeepalive = 25
>>>
>>> It seems to me that the connection is successfully established, but data is only transmitted in one direction.
>>>
>>> How can I find the reason?
>>>
>>> Regards,
>>> Hendrik
>>>
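A way to read the `wg show` output in this thread mechanically, as an added example that is not code from the thread or from the WireGuard project. It parses `wg show <iface> dump` (the documented tab-separated form of the same data) and gives each peer a verdict. It rests on two protocol facts: a handshake initiation message is 148 bytes and is counted in the peer's transfer bytes, so a peer line with no `latest handshake` and `0 B received, 444 B sent` has sent exactly three initiations and received no reply, meaning no session exists yet; and a peer listed without an endpoint cannot be initiated to at all, so it must reach this host's listen port itself, which is the only direction in which a port forward is required. The sample dump, its keys and addresses, the fixed `NOW` timestamp and the 180 s staleness threshold are constructed for the example.

```python
"""Triage WireGuard peers from `wg show <iface> dump` output.

Added example for this thread; not code from the thread or the WireGuard
project. It relies only on the documented dump format of wg(8): one
tab-separated interface line (private key, public key, listen port, fwmark),
then one line per peer (public key, preshared key, endpoint, allowed IPs,
latest handshake as Unix seconds with 0 meaning never, rx bytes, tx bytes,
persistent keepalive). SAMPLE_DUMP, its keys and addresses, NOW and the
180 s staleness threshold are constructed here.
"""
import subprocess
from dataclasses import dataclass

HANDSHAKE_INITIATION_BYTES = 148  # wire size of a WireGuard handshake initiation


@dataclass
class Peer:
    public_key: str
    endpoint: str          # "(none)" when no endpoint is configured or learned
    allowed_ips: str
    latest_handshake: int  # Unix seconds, 0 = never
    rx_bytes: int
    tx_bytes: int
    keepalive: str         # "off" or the interval in seconds


def parse_dump(text):
    """Split dump output into interface facts and a list of Peer records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    iface = lines[0].split("\t")
    if len(iface) != 4:
        raise ValueError(f"unexpected interface line: {lines[0]!r}")
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6]), f[7]))
    return {"listen_port": int(iface[2]), "fwmark": iface[3]}, peers


def diagnose(peer, listen_port, now, stale_after=180):
    """One-line verdict for a peer; `now` is Unix seconds."""
    if peer.latest_handshake == 0:
        if peer.tx_bytes == 0:
            if peer.endpoint == "(none)":
                return (f"waiting: no endpoint known, this side cannot initiate; "
                        f"the peer must reach UDP port {listen_port} here")
            return "idle: endpoint known but nothing sent yet (no traffic or keepalive for it)"
        if peer.rx_bytes == 0 and peer.tx_bytes % HANDSHAKE_INITIATION_BYTES == 0:
            n = peer.tx_bytes // HANDSHAKE_INITIATION_BYTES
            return (f"no-handshake: {n} initiation(s) sent to {peer.endpoint}, none answered "
                    "(endpoint unreachable, UDP filtered, or key mismatch on the far side)")
        return f"no-handshake: {peer.tx_bytes} B sent, {peer.rx_bytes} B received, no session"
    age = now - peer.latest_handshake
    if age > stale_after:
        return f"stale: last handshake {age} s ago (session may have expired)"
    return f"ok: handshake {age} s ago, rx {peer.rx_bytes} B, tx {peer.tx_bytes} B"


def report(dump_text, now):
    """Map each peer's public key to its verdict."""
    iface, peers = parse_dump(dump_text)
    return {p.public_key: diagnose(p, iface["listen_port"], now) for p in peers}


# Constructed sample mirroring the shapes seen in the thread; keys are placeholders
# and addresses come from documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_DUMP = "\n".join([
    "PRIVATEKEYREDACTED=\tIFACEPUBKEY=\t51820\toff",
    "PHONEPUB=\t(none)\t192.0.2.83:15167\t10.192.122.2/32\t1606169743\t11481907\t42309222\toff",
    "REMOTEPUB=\t(none)\t[2001:db8:1::3]:51380\t10.192.122.3/32\t0\t0\t444\toff",
    "LAPTOPPUB=\t(none)\t(none)\t10.192.122.6/32\t0\t0\t0\toff",
    "OLDPUB=\t(none)\t198.51.100.7:64119\t10.192.122.4/32\t1606160000\t4096\t8192\t25",
])
NOW = 1606169810  # constructed "current time" so the sample is deterministic


if __name__ == "__main__":
    import sys
    import time
    if len(sys.argv) > 1:  # live mode: python3 wgtriage.py wgnet0 (needs root)
        text = subprocess.check_output(["wg", "show", sys.argv[1], "dump"], text=True)
        now = int(time.time())
    else:
        text, now = SAMPLE_DUMP, NOW
    for key, verdict in report(text, now).items():
        print(f"{key:16} {verdict}")
```

Run it with an interface name (as root) to triage live output; without arguments it runs over the constructed sample, where the `REMOTEPUB=` line reproduces the `0 B received, 444 B sent` state from the thread and is reported as three unanswered initiations.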