Troubleshoot wireguard

I have issues using WireGuard for a client connection from my office laptop to my VyOS gateway.
The problem is that there is really nothing in the log…

I tried to change the port, I tried to set the MTU lower, same issue…

Is there a way to debug the WireGuard handshake?

On my windows client, the message is:
2021-11-18 09:40:03.150: [TUN] [Vyos2] Sending handshake initiation to peer 1 (xxxxx2:4000)

Client config:

[Interface]
PrivateKey = xxxxxxxxxxxx
Address = 172.16.100.3/32
DNS = 10.62.1.4, 10.62.1.5

[Peer]
PublicKey = yyyyyyyyyyyyyyyyyyyyyyyyyyy
AllowedIPs = 172.16.0.0/12, 10.0.0.0/8
Endpoint = y.y.y.2:4000
PersistentKeepalive = 15

Vyos config:

vyos@BR2# show interfaces wireguard
wireguard wg01 {
    address 172.16.100.1/24
    peer AMP {
        allowed-ips 172.16.100.3/32
        persistent-keepalive 15
        pubkey zzzzzzzzzzzzzzzzzzzzzzz
    }
    port 4000
}

Version: VyOS 1.4-rolling-202102060218
Release Train: sagitta

What firewall rule do you have in place to allow port 4000 into local?

No firewall rules, I use it in a pure router mode

Can you share the config, and what is the output of “sudo wg show” after you’ve attempted a handshake?

Hello Phillip,

Config anonymized and command output below,

Thanks!

vyos@MA-BR2:~$ sudo wg show
interface: wg01
public key: UxFj9GehdwhddwtWOKWYImg=
private key: (hidden)
listening port: 4000

peer: ull3dwhhgdwgdwgdwgdwa780SiT9DycnzEHU=
endpoint: 182.252.124.25:5364
allowed ips: 172.16.100.3/32
latest handshake: 1 day, 1 hour, 7 minutes, 44 seconds ago
transfer: 10.05 MiB received, 71.18 MiB sent
persistent keepalive: every 15 seconds

Set your MTU explicitly on the wg01 interface, and I assume you’ve simply removed the private-key node in sharing the config.

set interfaces wireguard wg01 mtu '1420'

What is the config for the peer?

No, there was no private-key node in the config.

I just added:
set wireguard wg01 private-key 'default'
set wireguard wg01 mtu '1420'

Peer config:

[Interface]
PrivateKey = xxxxxxxxxxxx
Address = 172.16.100.3/32
DNS = 10.62.1.4, 10.62.1.5
MTU = 1420

[Peer]
PublicKey = yyyyyyyyyyyyyyyyyyyyy
AllowedIPs = 172.16.0.0/12, 10.0.0.0/8
Endpoint = 103.10.24.2:4000
PersistentKeepalive = 15

Issue remains…

You need to generate a private key and have that stored under

/config/auth/wireguard/wg01/private.key
/config/auth/wireguard/wg01/public.key

Have you followed the wireguard information here (assuming you’re on 1.4-rolling)?

https://docs.vyos.io/en/latest/configuration/interfaces/wireguard.html

Yes, I did follow the information you mentioned.

The keys are stored here:

more /config/auth/wireguard/default/
private.key public.key

What happens if you run tcpdump -i <your interface> udp port 4000
Do you see WG packets coming and going?

You can enable debug output manually (it will be implemented as an option in the future).
When you are logged in, do a sudo echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control to enable it. To disable it you can pass -p, like: echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control

Did you set a route? (set protocol static <allowed-ip(s)> interface ....) Once done, try to ping the other side, see what’s in the logs, and check via tcpdump whether your wg01 interface carries any traffic.

I see packets coming but not going. And I only see them on one of my upstream interfaces (eth3), whereas I am trying to bind the tunnel on my public IP (internal side) set on eth0.

vyos@router# tcpdump -i eth3 udp port 4000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:40.204331 IP 183.182.114.95.7244 > 103.10.24.2.4000: UDP, length 148
09:25:43.354174 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:25:48.378260 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:25:53.400523 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:25:58.418652 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:03.441891 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:08.585301 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:13.720190 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:18.867208 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:23.920439 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:28.955403 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:34.018207 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
^C
12 packets captured
12 packets received by filter

vyos@router# sudo echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
vbash: /sys/kernel/debug/dynamic_debug/control: Permission denied

I tried to ping the other side and capture at the same time but no traffic seems to be carried by the wg01 interface…
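As an added example (not something posted in the thread), a small Python script that classifies tcpdump lines like the ones above by WireGuard message type and direction. The sample capture is constructed from the posted output, and 103.10.24.2:4000 is assumed to be the gateway's socket; it shows that the 148-byte datagrams are handshake initiations and that no handshake response ever left the gateway.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump output posted in the thread:
# 148-byte UDP datagrams arrive at the gateway and nothing leaves it.
SAMPLE = """\
09:25:40.204331 IP 183.182.114.95.7244 > 103.10.24.2.4000: UDP, length 148
09:25:43.354174 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:25:48.378260 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
"""
LOCAL = ("103.10.24.2", 4000)  # assumed: the gateway's WireGuard socket from the thread
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$")

def classify(length):
    """Infer the WireGuard message type from the UDP payload length alone: handshake
    messages have fixed sizes (initiation 148, response 92, cookie reply 64), while
    transport data is a 16-byte header plus 16-byte-aligned ciphertext (>= 32)."""
    if length == 148:
        return "handshake-initiation"
    if length == 92:
        return "handshake-response"
    if length == 64:
        return "cookie-reply-or-data"  # ambiguous without seeing the type byte
    if length >= 32 and length % 16 == 0:
        return "transport-data"
    return "not-wireguard"

def summarize(capture, local=LOCAL):
    """Count message types per direction relative to the local WireGuard socket."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        direction = "in" if (m["dst"], int(m["dport"])) == local else "out"
        counts[(direction, classify(int(m["len"])))] += 1
    return counts

def diagnose(counts):
    """One-line reading of the handshake state from the per-direction counts."""
    if counts[("in", "handshake-initiation")] and not counts[("out", "handshake-response")]:
        # an initiation whose mac1 was keyed with a different responder pubkey is dropped silently
        return "peer initiates, local WG never answers: check peer pubkey and listening path"
    if counts[("out", "handshake-initiation")] and not counts[("in", "handshake-response")]:
        return "local WG initiates, peer never answers: check remote keys and path"
    if counts[("in", "handshake-response")] or counts[("out", "handshake-response")]:
        return "handshake completing"
    return "no handshake traffic seen"
```

Run it against `tcpdump -nn -i <iface> udp port 4000` output captured on both upstream interfaces to see on which one the initiations arrive and whether any response leaves.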

Do a sudo /bin/bash before the module call. Vbash seems not to have root permissions. If no traffic hits your interface, either you don’t have a route, or your key setup is incorrect, or your allowed-ips doesn’t fit the subnet you want to use. Check that at least 1 side can reach the wg port you opened (check your fw rules); if that’s the case, with the debug command you should see successful key exchanges. If that works, let’s have a look at your setup in general. Can you post your wg config and your routes? (Don’t post private keys.)

This is the error message I get now with debug enabled:

Nov 23 09:17:44 router kernel: [1120772.963078] wireguard: wg01: Handshake for peer 2 (115.84.117.81:52150) did not complete after 5 seconds, retrying (try 8)
Nov 23 09:17:44 router kernel: [1120772.963095] wireguard: wg01: Sending handshake initiation to peer 2 (115.84.117.81:52150)

My config is below,

What is in between your client and VyOS router that could be blocking comms, and have you validated that your keys are correct on both sides?

I

All right, I see a few issues already:

wireguard wg01 {
    address 122.16.100.1/24
    peer Mat {
        allowed-ips 122.16.100.3/32
        persistent-keepalive 15
        pubkey ****************
    }
    port 4000
}

Your allowed IPs won’t be routed into wg01 unless you set a host route, as it is part of the external address. You can do address 122.16.100.1/32; that is going to be the address wg opens port 4000 on.
You don’t need keepalive; it is only necessary if you have NAT and only have the chance to do the handshake from one side. Your allowed-ips is basically the host or network which will be encapsulated; that’s why you need the /32 netmask on address in your case.

Then you need an interface route for 122.16.100.3/32, like protocols static interface-route 122.16.100.3/32 next-hop-interface wg01.
As soon as you initiate traffic (ping 122.16.100.3), wg will connect to the other side and should do a key exchange. You can watch the log and verify with tcpdump; if that fails, it needs to be fixed first. If that works, verify with tcpdump the traffic in wg01 (tcpdump -nne -i wg01, for instance); if there is no traffic, your key setup is faulty (it should also show you an error message with HMAC etc. in syslog).

Let me know how it goes.