wireguard-windows: possibly wrong selection of outgoing IP Address?

Szymon Nowak szymonn841 at gmail.com
Tue Jun 7 07:08:13 UTC 2022


Hi,

To do this on the Windows server, you need to run NAT on the WG interface:
https://openvpn.net/cloud-docs/enabling-routing-nat-on-windows-server-2016/

On Sun, Jun 5, 2022 at 10:23 PM Max Schulze <max.schulze at online.de> wrote:
>
> I am running out of ideas to debug this specific issue.
>
> I am trying to circumvent a double-NAT scenario. I have
>
> wg_serv (10.253.2.9) <-> wg-relais (10.253.2.2) <-> wg_peer (10.253.2.3)
>
> wg_serv has an endpoint set for wg-relais, and creates the connection ok (handshake completes, ping works).
> wg_peer has an endpoint that points to wg-relais, which should tunnel the connection as-is to wg_serv on the established connection (iptables SNAT/DNAT).
>
> If wg_serv is a Linux box, with the exact same config file, everything works. If wg_serv is a Windows box, it seems that there are no outgoing packets, but incoming is ok.
>
> First, see that the handshake packet is received (via 10.253.2.2:60026):
>
> 2022-06-05 20:30:17.140946: [TUN] [wireguard] Keypair 536 created for peer 1
> 2022-06-05 20:30:22.085949: [TUN] [wireguard] Handshake for peer 1 (10.253.2.2:60026) did not complete after 5 seconds, retrying (try 2)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 536 destroyed for peer 1
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 537 created for peer 1
> 2022-06-05 20:30:27.147962: [TUN] [wireguard] Sending keepalive packet to peer 2 (185.230.xxx.yyy:51849)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
>
> However, it seems that wireguard sends the outgoing packet with the wrong IP (192.168.99.101) instead of 10.253.2.9 to 10.253.2.2:60026?
>
>                 Protocol    Local Port  Local Address   Remote Port  Remote Address   Received Bytes  Sent Bytes  Rec Pkt  Sent Packets
> wireguard.exe   UDP IPv4    51850       192.168.99.101  51849        185.230.xxx.yyy  81.976          8.584       417      216
> wireguard.exe   UDP IPv4    51850       10.253.2.9      60026        10.253.2.2       55.648                      376
> wireguard.exe   UDP IPv4    51850       192.168.99.101  60026        10.253.2.2                       37.848               398
>
> What can I do?
> Can I make the wireguard log more verbose to show IP packet src/destination?
>
> Is it possible to also log the src IP of the "handshake response packet"?
>
> Best,
> Max
>
>
> wg_serv config:
>
> [Interface]
> PrivateKey = SFhFHVb__2c=
> ListenPort = 51850
> Address = 10.253.2.9/24
>
> [Peer]
> # wg-vpn-relais
> PublicKey = 3A5__wo=
> AllowedIPs = 10.253.2.2/30
> Endpoint = 185.230.xxx.yyy:51849
> PersistentKeepalive = 20
>
> [Peer]
> # peer via vpn relais
> PublicKey = FTBC__cqghg=
> AllowedIPs = 10.253.2.3/32
> PersistentKeepalive = 20
>
>
> wg output:
>
> peer: 3A5__o=
>   endpoint: 185.230.xxx.yyy:51849
>   allowed ips: 10.253.2.0/30
>   latest handshake: 1 minute, 55 seconds ago
>   transfer: 145.71 KiB received, 29.74 KiB sent
>   persistent keepalive: every 20 seconds
>
> peer: FTB__hg=
>   endpoint: 10.253.2.2:60026
>   allowed ips: 10.253.2.3/32
>   transfer: 89.46 KiB received, 60.67 KiB sent
>   persistent keepalive: every 20 seconds
>
>
> PS C:\Windows\system32> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding,weakhostreceive,weakhostsend | Sort-Object -Property IfIndex | Format-Table
>
> ifIndex InterfaceAlias              AddressFamily ConnectionState Forwarding WeakHostReceive WeakHostSend
> ------- --------------              ------------- --------------- ---------- --------------- ------------
>       1 Loopback Pseudo-Interface 1          IPv4       Connected   Disabled        Disabled     Disabled
>       1 Loopback Pseudo-Interface 1          IPv6       Connected   Disabled        Disabled     Disabled
>       4 LAN-Verbindung* 11                   IPv6       Connected   Disabled        Disabled     Disabled
>       4 LAN-Verbindung* 11                   IPv4       Connected   Disabled        Disabled     Disabled
>       8 WLAN                                 IPv4    Disconnected   Disabled        Disabled     Disabled
>       8 WLAN                                 IPv6    Disconnected   Disabled        Disabled     Disabled
>      12 Ethernet                             IPv6       Connected   Disabled        Disabled     Disabled
>      12 Ethernet                             IPv4       Connected   Disabled        Disabled     Disabled
>      16 LAN-Verbindung* 2                    IPv6    Disconnected   Disabled        Disabled     Disabled
>      16 LAN-Verbindung* 2                    IPv4    Disconnected   Disabled        Disabled     Disabled
>      17 LAN-Verbindung* 1                    IPv6    Disconnected   Disabled        Disabled     Disabled
>      17 LAN-Verbindung* 1                    IPv4    Disconnected   Disabled        Disabled     Disabled
>      53 wireguard                            IPv6       Connected   Disabled        Disabled     Disabled
>      53 wireguard                            IPv4       Connected   Disabled        Disabled     Disabled
>
>
> wg_relais debug state:
>
> wg-vpn-relais # conntrack -L | grep 10.253
> udp      17 28 src=178.101.114.260 dst=185.230.xxx.yyy sport=60026 dport=51850 [UNREPLIED] src=10.253.2.9 dst=10.253.2.2 sport=51850 dport=60026 mark=0 use=1
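An added diagnostic and configuration snippet for the Windows side (not code from either mail or from the WireGuard project): it checks which source address the stack's route lookup picks for the relay endpoint, lists the wireguard.exe sockets on the listen port so the chosen local address is visible, enables forwarding on the tunnel interface, and sets up NAT with the built-in WinNAT cmdlets rather than the RRAS procedure on the linked page. The interface alias "wireguard", the addresses and the port come from Max's output; the NAT name "wg-nat" and the use of 192.168.99.0/24 as the internal NAT prefix are assumptions.

```powershell
# Added example; values below are taken from the thread, the NAT name and
# internal prefix are assumptions and should be adjusted to the real setup.
$relayEndpoint = "10.253.2.2"     # wg-relais tunnel address
$wgAlias       = "wireguard"      # ifIndex 53 in the Get-NetIPInterface listing
$wgAddress     = "10.253.2.9"     # wg_serv tunnel address
$listenPort    = 51850
$lanPrefix     = "192.168.99.0/24"  # assumption: LAN of 192.168.99.101
$natName       = "wg-nat"           # placeholder name for the NAT instance

# 1. What source address and route does the stack select for the relay?
#    Find-NetRoute returns the selected source IP object followed by the route.
$sel = Find-NetRoute -RemoteIPAddress $relayEndpoint
$src = ($sel | Where-Object { $_.IPAddress }).IPAddress
$rt  = $sel | Where-Object { $_.DestinationPrefix }
"route lookup: source $src via ifIndex $($rt.InterfaceIndex) ($($rt.DestinationPrefix))"
if ($src -ne $wgAddress) {
    Write-Warning "packets to $relayEndpoint would leave with source $src, not $wgAddress"
}

# 2. Show the UDP sockets wireguard.exe holds on the listen port; the
#    LocalAddress column is the address the replies actually carry.
Get-NetUDPEndpoint -LocalPort $listenPort |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize

# 3. Turn on IPv4 forwarding for the tunnel interface (Disabled in the listing).
Set-NetIPInterface -InterfaceAlias $wgAlias -AddressFamily IPv4 -Forwarding Enabled

# 4. NAT traffic from the LAN prefix so it leaves external interfaces (the
#    tunnel included) with that interface's own address. Idempotent: skip if
#    an instance with this name already exists.
if (-not (Get-NetNat -Name $natName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $natName -InternalIPInterfaceAddressPrefix $lanPrefix | Out-Null
}
Get-NetNat -Name $natName | Format-List Name, InternalIPInterfaceAddressPrefix, Active
```

Run it in an elevated PowerShell on wg_serv; steps 1 and 2 are read-only and can be repeated after the change to confirm the local address on the relay socket is now 10.253.2.9.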
>