Wireguard road warrior can't get ping answer from wg interface to client

Hi

I am new to this forum and wireguard. This may be an easy fix but I can’t see what I am doing wrong.

Wireguard config:
set interfaces wireguard wg1 address 'xxx.xxx.255.1/24'
set interfaces wireguard wg1 description '
set interfaces wireguard wg1 peer PAA-5511 allowed-ips 'xxx.xxx.255.11/32'
set interfaces wireguard wg1 peer PAA-5511 persistent-keepalive '15'
set interfaces wireguard wg1 peer PAA-5511 pubkey '**********'
set interfaces wireguard wg1 peer Win10_VM allowed-ips 'xxx.xxx.255.10/32'
set interfaces wireguard wg1 peer Win10_VM persistent-keepalive '15'
set interfaces wireguard wg1 peer Win10_VM pubkey '***'
set interfaces wireguard wg1 port '22254'
set interfaces wireguard wg1 private-key 'roadwarrior'

Client config:
[Interface]
PrivateKey = ******
Address = 10.254.255.11/24

[Peer]
PublicKey = ******
AllowedIPs = 10.254.0.0/16, 192.168.0.0/22, 192.168.64.0/19
Endpoint = *****:22254
PersistentKeepalive = 25

It seems like ping is arriving from the client at the wg interface but it isn’t answering back.

run monitor traffic interface any filter 'host 10.254.255.1'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:48:38.554795 IP 10.254.255.11 > 10.254.255.1: ICMP echo request, id 1000, seq 409, length 40
14:48:38.714615 IP 10.254.255.11 > 10.254.255.1: ICMP echo request, id 1, seq 1452, length 40
14:48:43.558419 IP 10.254.255.11 > 10.254.255.1: ICMP echo request, id 1000, seq 410, length 40
14:48:43.725558 IP 10.254.255.11 > 10.254.255.1: ICMP echo request, id 1, seq 1453, length 40

What am I doing wrong?
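The capture above shows only echo requests and no replies. As an added example (not part of the original post), the script below turns that observation into a repeatable check: it parses the one-line-per-packet text that `monitor traffic` / tcpdump prints, pairs each ICMP echo request with the reply that answers it (same id and seq, addresses reversed), and lists the requests that stayed unanswered. The sample capture is constructed to mirror the post, with one reply added so the pairing logic is exercised.

```python
"""Find ICMP echo requests in a tcpdump text capture that never got a reply.

Added example, not code from the forum thread. Input is the plain-text form
printed by `monitor traffic` / tcpdump (one packet per line).
"""
import re
from collections import Counter

# Constructed sample: four requests from the road-warrior peer, one answered.
SAMPLE_CAPTURE = """\
14:48:38.554795 IP 10.254.255.11 > 10.254.255.1: ICMP echo request, id 1000, seq 409, length 40
14:48:38.555102 IP 10.254.255.1 > 10.254.255.11: ICMP echo reply, id 1000, seq 409, length 40
14:48:38.714615 IP 10.254.255.11 > 10.254.255.1: ICMP echo request, id 1, seq 1452, length 40
14:48:43.558419 IP 10.254.255.11 > 10.254.255.1: ICMP echo request, id 1000, seq 410, length 40
14:48:43.725558 IP 10.254.255.11 > 10.254.255.1: ICMP echo request, id 1, seq 1453, length 40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(text):
    """Yield (kind, src, dst, id, seq) for each ICMP echo line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"]))


def unanswered_requests(text):
    """Return the echo requests with no matching reply, as (src, dst, id, seq)."""
    requests = []
    replies = set()
    for kind, src, dst, icmp_id, seq in parse_icmp_echo(text):
        if kind == "request":
            requests.append((src, dst, icmp_id, seq))
        else:
            # A reply flows the other way, so key it by the request it answers.
            replies.add((dst, src, icmp_id, seq))
    return [r for r in requests if r not in replies]


def summarize(text):
    """Count unanswered requests per (src, dst) pair.

    A non-zero count towards a host that is up and has the address on its
    interface points at something on the responder side (firewall zone,
    PBR, NAT) dropping or diverting the reply rather than at the tunnel.
    """
    return Counter((src, dst) for src, dst, _, _ in unanswered_requests(text))


if __name__ == "__main__":
    for (src, dst), n in summarize(SAMPLE_CAPTURE).items():
        print(f"{n} echo request(s) from {src} to {dst} never answered")
```

Run it against a saved `monitor traffic` output to see at a glance whether the router is silently dropping replies; on the capture in the post every request would be reported, which is the cue to look at the firewall and policy configuration before suspecting WireGuard itself.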

Do you have any firewall/loadbalancing/PBR or DNAT rules?
Which version do you use?

show interfaces wireguard wg1

Thank you for replying. Yes, I have firewall rules, but I am under the impression that when reaching the WireGuard interface you are on the same subnet and not going through the firewall. Is that wrong?

PBR: I have these rules from earlier:

show policy route

description "Route to CheckPoint VPN"
rule 10 {
    destination {
        address 192.168.172.0/24
    }
    set {
        table 1
    }
    source {
        address 0.0.0.0/0
    }
}
rule 11 {
    destination {
        address 172.20.195.96/27
    }
    set {
        table 1
    }
    source {
        address 0.0.0.0/0
    }
}
[edit]

Version: VyOS 1.4-rolling-202102141111
Release Train: sagitta

Built by: autobuild@vyos.net
Built on: Sun 14 Feb 2021 11:11 UTC
Build UUID: dee0e5fa-d82c-4b73-8a5c-936df99094d6
Build Commit ID: aec60effa4e36e

Architecture: x86_64
Boot via: installed image
System type: VMware guest

interface: wg1
description: ****
address: 10.254.255.1/24
public key: ******
private key: (hidden)
listening port: 22254

peer: PAA-5511
public key: *****
latest handshake: 0:00:09
status: active
endpoint: *****:24654
allowed ips: 10.254.255.11/32
transfer: 811 KB received, 207 KB sent
persistent keepalive: every 15 seconds

peer: Win10_VM
public key: ******
latest handshake: 12:51:48
status: inactive
endpoint: *****:43776
allowed ips: 10.254.255.10/32
transfer: 73 KB received, 2 MB sent
persistent keepalive: every 15 seconds

RX:    bytes  packets  errors  dropped  overrun       mcast
      910180     9488       0        0        0           0
TX:    bytes  packets  errors  dropped  carrier  collisions
     3130240    26073       0      992        0           0

I recommend excluding all features that can drop or modify packets/routing.
And then, if all works fine, add them one by one.

Thank you. I will give it a try and come back with results.

Hi

It’s a little embarrassing, but I discovered that I had not added the wireguard interface to the correct zone-policy. Thank you anyway for your help.
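For readers hitting the same symptom (handshake active, echo requests seen on wg1, nothing sent back, TX "dropped" counter climbing), the following is an added illustration of what putting the tunnel interface into the zone policy looks like. It is not the poster's configuration: the zone names LOCAL and VPN, the rule-set names, and the "allow ICMP plus established/related" policy are assumptions, and the syntax is the zone-policy tree of the VyOS 1.3 / early-1.4 rolling era shown in this thread.

```vyos
# Added example, not the poster's configuration. Zone names (LOCAL, VPN) and
# rule-set names are assumed; syntax is the 1.3 / early-1.4 "zone-policy" tree.

# The router itself is the LOCAL zone; wg1 joins a dedicated VPN zone.
# An interface that is in no zone at all is what produces the silent drop.
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone VPN interface wg1
set zone-policy zone VPN default-action drop

# Road-warrior peers -> router: ICMP and established/related only.
set firewall name VPN-TO-LOCAL default-action drop
set firewall name VPN-TO-LOCAL rule 10 action accept
set firewall name VPN-TO-LOCAL rule 10 state established enable
set firewall name VPN-TO-LOCAL rule 10 state related enable
set firewall name VPN-TO-LOCAL rule 20 action accept
set firewall name VPN-TO-LOCAL rule 20 protocol icmp
set zone-policy zone LOCAL from VPN firewall name VPN-TO-LOCAL

# Router -> road-warrior peers: echo replies and anything the router starts.
set firewall name LOCAL-TO-VPN default-action accept
set zone-policy zone VPN from LOCAL firewall name LOCAL-TO-VPN
```

Two checks worth keeping in mind with this layout: an active "latest handshake" only proves the UDP path on the WAN zone is open, while the ping goes through whichever zone wg1 belongs to; and after the change the "dropped" column in `show interfaces wireguard wg1` should stop increasing while you ping from the client.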


You are welcome.
Let us know if you find some other issues.