Some clients can't ping the WireGuard server network

Hello,

we have a RUTXR1 on the latest RUTX_R_00.07.08.1 firmware serving 3 WireGuard tunnels, each with 1-5 peers set up.

Pinging devices from the clients on the server networks works sometimes for some clients (!) but not consistently from all peers that could use that tunnel.

The tunnels have different subnets (10.0.2.0, 10.0.3.0, 10.0.4.0) but aside from that are configured exactly the same.

There is nothing peculiar in logread.
This is the output of the WireGuard CLI:

```text
wg

interface: DSFwg
  public key: fDgVG3P2CCRvTkmEXYlUdvyMf2GouMp5eWhnhEgeXxs=
  private key: (hidden)
  listening port: 51823

peer: ++Kecj/23jnoYonPxjO8d1A1prIvJADdZL3UIT4i1lc=
  allowed ips: 10.0.3.0/24

interface: DSG1wg
  public key: 6Q59Z5hctndLH4g0lInLjJ6ecPcAU4YpC10nSkgh3CA=
  private key: (hidden)
  listening port: 51822

peer: xYwIYQ8jLwecKoD2jyoXKecFuc+nKrQ4IZrkcgoY53E=
  allowed ips: (none)

peer: DyU+jZQeae73LLwwgoNc1hIPy50fJYGLFO6+4GLR8UI=
  allowed ips: (none)

peer: BtAAqrNKaTjjvYRFYD7Foh/cDJvBSvwmq3e8OqBtoms=
  allowed ips: 10.0.2.0/24

interface: Ceyb2wg
  public key: fB/vSzzNx37aOzwRr3NFKY38wCJWJVQruRCix/HG6gE=
  private key: (hidden)
  listening port: 51824

peer: 01/VBFoTdAqKlG1Dwe8dIExmWO/PYBJhDDDay2AZJjs=
  endpoint: 91.xx.xxx.xxx:61871
  allowed ips: (none)
  latest handshake: 1 minute, 13 seconds ago
  transfer: 212 B received, 252 B sent

peer: a1FNSP3l8JZ0FI3GGR02GC0+jCsg6QrUYo7NoVJPUTk=
  allowed ips: (none)

peer: KiTwfmIB1gWH6+XSZKKDv2d3ZKq/0aCoYSFyj2d1bHg=
  allowed ips: (none)

peer: 4/plh+34y/pQhlA1jVz69DdWZTb8Bx7LdYXtV+rneAM=
  allowed ips: (none)

peer: OKFYb09x08LMGk/BPcEjCJ0imfvQSgItDsrW9rxQpEs=
  allowed ips: 10.0.4.0/24
```

Any ideas what is going wrong there?


Hi Cyberling,

Upon checking the logs, the latest handshake to the endpoint is established. May I know the reason for having separate subnets for each tunnel? Have you tried configuring the VPN IPs on the same subnet?

Kindly share a simple topology (with sample IP addresses, do not include your Public IP) for me to recreate it in my local set-up.

Let me know any updates.

Regards,

Hi Jan,

Each tunnel leads to a separate VLAN.
So I wanted to avoid VPN users of tunnel A and tunnel B being on a shared subnet and communicating with each other. If that is not a valid concern, that could be simplified eventually, but I also don't see why multiple subnets should lead to a problem there.

Here is the topology

Before recreating this, maybe you want to have a quick Teams call and look over the config on the router itself?

The most probable cause is wrong/missing AllowedIPs fields at the server side.
For a client 10.0.2.2/24: AllowedIPs = 10.0.2.2/32 + the local LAN of the client,
For a client 10.0.2.3/24: AllowedIPs = 10.0.2.3/32 + the local LAN of the client,

Also check the firewall rules at the ends (both server interfaces and clients).
Regards,

OK, I had 10.0.2.0/24 there for all clients in that tunnel. Isn't that okay as well?
Regarding the local IPs, if my local subnet is 192.168.179.x, I would put 192.168.179.0/24 there, correct?

No.

Yes.

Regards,
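The exchange above turns on how WireGuard's cryptokey routing treats AllowedIPs. The following is an added example written for this page, not code from the thread, from Teltonika or from the WireGuard project: it models the server-side AllowedIPs table of one interface, where every allowed prefix is owned by exactly one peer, a prefix assigned to a second peer moves to that peer, outbound packets are matched by longest prefix, and an inbound packet from a peer is delivered only if its source address lies inside that peer's own AllowedIPs. The peer names and addresses are constructed; `broken_server()` mirrors the "10.0.2.0/24 for all clients" layout and `fixed_server()` the per-peer /32 plus client LAN layout. Note that the handshake does not consult AllowedIPs at all, so a peer can show a recent handshake while all of its data packets are dropped.

```python
"""Model of WireGuard cryptokey routing for one interface.

Constructed example for this page; it is not code from the thread,
from Teltonika or from WireGuard.  Peer names and addresses are made up.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


class CryptokeyRouter:
    """AllowedIPs table of one WireGuard interface.

    Every allowed prefix is owned by exactly one peer.  Assigning a prefix
    that another peer already owns moves it to the new peer; the old peer
    keeps nothing for that prefix.  This is why `wg show` can print
    "(none)" for peers you believe you configured.
    """

    def __init__(self) -> None:
        self.owner: Dict[IPv4Network, str] = {}   # prefix -> peer name
        self.peers: List[str] = []

    def set_peer(self, name: str, allowed_ips: List[str]) -> None:
        """Replace `name`'s AllowedIPs, stealing prefixes from other peers."""
        if name not in self.peers:
            self.peers.append(name)
        for net in [n for n, p in self.owner.items() if p == name]:
            del self.owner[net]
        for cidr in allowed_ips:
            self.owner[ip_network(cidr, strict=False)] = name

    def allowed_ips(self, name: str) -> List[str]:
        """What `wg show` would list for this peer ([] means "(none)")."""
        return sorted(str(n) for n, p in self.owner.items() if p == name)

    def peer_for(self, dst: str) -> Optional[str]:
        """Outbound lookup: longest-prefix match over the table."""
        addr: IPv4Address = ip_address(dst)
        best: Optional[IPv4Network] = None
        for net in self.owner:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return self.owner[best] if best is not None else None

    def accepts_from(self, peer: str, src: str) -> bool:
        """Inbound check: a decrypted packet from `peer` is delivered only
        if its source address is inside that peer's own AllowedIPs."""
        return self.peer_for(src) == peer


def broken_server() -> CryptokeyRouter:
    """Every peer given the whole tunnel subnet (the original layout)."""
    r = CryptokeyRouter()
    for name in ("peer-A", "peer-B", "peer-C"):
        r.set_peer(name, ["10.0.2.0/24"])
    return r


def fixed_server() -> CryptokeyRouter:
    """One /32 per peer plus the LAN behind that peer (constructed values)."""
    r = CryptokeyRouter()
    r.set_peer("peer-A", ["10.0.2.2/32"])
    r.set_peer("peer-B", ["10.0.2.3/32"])
    r.set_peer("peer-C", ["10.0.2.4/32", "192.168.179.0/24"])  # road warrior with a home LAN
    return r


if __name__ == "__main__":
    for label, r in (("broken", broken_server()), ("fixed", fixed_server())):
        print(f"== {label} ==")
        for name in r.peers:
            print(f"  {name}: allowed ips {r.allowed_ips(name) or '(none)'}")
        print("  reply to 10.0.2.2 is sent to:", r.peer_for("10.0.2.2"))
        print("  packet from peer-A with src 10.0.2.2 delivered:",
              r.accepts_from("peer-A", "10.0.2.2"))
```

In the broken layout only the last peer added owns 10.0.2.0/24, so replies to 10.0.2.2 are encrypted to the wrong peer and packets from the other peers fail the inbound source check, which matches "works for some clients but not others". In the fixed layout each address resolves to its own peer, and the road warrior's home LAN is reachable through that peer alone.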

Seems to be working reliably now when pinging from the client to the devices in the network. However I cannot ping the client from devices on the network.

I guess that could be a firewall issue. How do I set up the firewall correctly to reach my remote client? This is the current setup:


wg_ceyeborg is the WireGuard network.

Try
`tcpdump -i any -n -v icmp`
at both ends (client + device on the network) and retry the ping.
What is the output?

Output of the machine on the server side pinging the road warrior:

tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:11:58.849203 enp70s0 Out IP (tos 0x0, ttl 64, id 15902, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 1, length 64
18:11:59.851397 enp70s0 Out IP (tos 0x0, ttl 64, id 16067, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 2, length 64
18:12:00.875431 enp70s0 Out IP (tos 0x0, ttl 64, id 16197, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 3, length 64
18:12:01.898920 enp70s0 Out IP (tos 0x0, ttl 64, id 16279, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 4, length 64
18:12:02.922922 enp70s0 Out IP (tos 0x0, ttl 64, id 16290, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 5, length 64
18:12:03.947057 enp70s0 Out IP (tos 0x0, ttl 64, id 16527, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 6, length 64
18:12:04.970912 enp70s0 Out IP (tos 0x0, ttl 64, id 16576, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 7, length 64
18:12:05.995550 enp70s0 Out IP (tos 0x0, ttl 64, id 16693, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 8, length 64
18:12:07.018915 enp70s0 Out IP (tos 0x0, ttl 64, id 16837, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 9, length 64
18:12:08.043438 enp70s0 Out IP (tos 0x0, ttl 64, id 16995, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 10, length 64
18:12:09.066929 enp70s0 Out IP (tos 0x0, ttl 64, id 17248, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 11, length 64
18:12:10.091406 enp70s0 Out IP (tos 0x0, ttl 64, id 17467, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 12, length 64
^C
12 packets captured
13 packets received by filter
0 packets dropped by kernel

Output on the road warrior side:

tcpdump: data link type PKTAP
tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), snapshot length 524288 bytes
18:15:27.644616 IP (tos 0x0, ttl 63, id 42668, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 205, length 64
18:15:28.720793 IP (tos 0x0, ttl 63, id 42820, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 206, length 64
18:15:29.692042 IP (tos 0x0, ttl 63, id 42962, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 207, length 64
18:15:30.767464 IP (tos 0x0, ttl 63, id 43138, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 208, length 64
18:15:31.792978 IP (tos 0x0, ttl 63, id 43228, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 209, length 64
18:15:32.769021 IP (tos 0x0, ttl 63, id 43253, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 210, length 64
18:15:33.788723 IP (tos 0x0, ttl 63, id 43425, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 211, length 64
18:15:35.067901 IP (tos 0x0, ttl 63, id 43457, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 212, length 64
18:15:35.836685 IP (tos 0x0, ttl 63, id 43473, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 213, length 64
9 packets captured
367 packets received by filter
0 packets dropped by kernel

No ICMP echo reply coming in. Try the tcpdump on the router (same arguments).

tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:29:13.187971 eth0  In  IP15 (invalid)
18:29:13.187971 eth0.5 In  IP (tos 0x0, ttl 64, id 15470, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 1011, length 64
18:29:13.188086 Ceyb2wg Out IP (tos 0x0, ttl 63, id 15470, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 1011, length 64
18:29:13.248088 qmimux0 Out IP (tos 0x0, ttl 60, id 36501, offset 0, flags [DF], proto ICMP (1), length 84)
    10.152.81.132 > 1.1.1.1: ICMP echo request, id 5586, seq 0, length 64
18:29:13.311059 qmimux0 In  IP (tos 0x0, ttl 54, id 54896, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.1 > 10.152.81.132: ICMP echo reply, id 5586, seq 0, length 64
18:29:13.334453 eth0  In  IP7 (invalid)
18:29:13.334453 eth0.3 In  IP (tos 0x0, ttl 64, id 439, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.2 > 192.168.2.1: ICMP echo request, id 46167, seq 0, length 64
18:29:13.334808 eth0.3 Out IP (tos 0x0, ttl 64, id 17109, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.2.1 > 192.168.2.2: ICMP echo reply, id 46167, seq 0, length 64
18:29:13.334837 eth0  Out IP10 (invalid)
18:29:14.212478 eth0  In  IP15 (invalid)
18:29:14.212478 eth0.5 In  IP (tos 0x0, ttl 64, id 15550, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 1012, length 64
18:29:14.212607 Ceyb2wg Out IP (tos 0x0, ttl 63, id 15550, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 1012, length 64
18:29:14.448143 eth0  In  IP1 (invalid)
18:29:14.448143 eth0.3 In  IP (tos 0x0, ttl 64, id 40663, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.3 > 192.168.2.1: ICMP echo request, id 59413, seq 0, length 64
18:29:14.448411 eth0.3 Out IP (tos 0x0, ttl 64, id 29103, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.2.1 > 192.168.2.3: ICMP echo reply, id 59413, seq 0, length 64
18:29:14.448429 eth0  Out IP10 (invalid)
18:29:15.150834 eth0  In  IP9 (invalid)
18:29:15.150834 eth0.3 In  IP (tos 0x0, ttl 64, id 13269, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.4 > 192.168.2.1: ICMP echo request, id 32366, seq 0, length 64
18:29:15.151121 eth0.3 Out IP (tos 0x0, ttl 64, id 34987, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.2.1 > 192.168.2.4: ICMP echo reply, id 32366, seq 0, length 64
18:29:15.151140 eth0  Out IP10 (invalid)
18:29:15.235981 eth0  In  IP15 (invalid)
18:29:15.235981 eth0.5 In  IP (tos 0x0, ttl 64, id 15554, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 1013, length 64
18:29:15.236120 Ceyb2wg Out IP (tos 0x0, ttl 63, id 15554, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 1013, length 64
18:29:15.936063 pppoe-wan Out IP (tos 0x0, ttl 60, id 29957, offset 0, flags [DF], proto ICMP (1), length 84)
    84.131.58.225 > 1.1.1.1: ICMP echo request, id 5591, seq 0, length 64
18:29:15.945795 pppoe-wan In  IP (tos 0x0, ttl 60, id 15365, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.1 > 84.131.58.225: ICMP echo reply, id 5591, seq 0, length 64
18:29:16.260081 eth0  In  IP15 (invalid)
18:29:16.260081 eth0.5 In  IP (tos 0x0, ttl 64, id 15769, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 1014, length 64
18:29:16.260252 Ceyb2wg Out IP (tos 0x0, ttl 63, id 15769, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 1014, length 64
18:29:16.354061 qmimux0 Out IP (tos 0x0, ttl 60, id 36551, offset 0, flags [DF], proto ICMP (1), length 84)
    10.152.81.132 > 1.1.1.1: ICMP echo request, id 5596, seq 0, length 64
18:29:16.411966 qmimux0 In  IP (tos 0x0, ttl 54, id 39252, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.1 > 10.152.81.132: ICMP echo reply, id 5596, seq 0, length 64
18:29:17.055059 eth0  In  IP8 (invalid)
18:29:17.055059 eth0.3 In  IP (tos 0x0, ttl 64, id 38757, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.5 > 192.168.2.1: ICMP echo request, id 40726, seq 0, length 64
18:29:17.055290 eth0.3 Out IP (tos 0x0, ttl 64, id 26456, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.2.1 > 192.168.2.5: ICMP echo reply, id 40726, seq 0, length 64
18:29:17.055305 eth0  Out IP10 (invalid)
18:29:17.284063 eth0  In  IP15 (invalid)
18:29:17.284063 eth0.5 In  IP (tos 0x0, ttl 64, id 15811, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 1015, length 64
18:29:17.284175 Ceyb2wg Out IP (tos 0x0, ttl 63, id 15811, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 1015, length 64
18:29:18.308061 eth0  In  IP15 (invalid)
18:29:18.308061 eth0.5 In  IP (tos 0x0, ttl 64, id 15924, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.4.4 > 192.168.179.36: ICMP echo request, id 6, seq 1016, length 64
18:29:18.308235 Ceyb2wg Out IP (tos 0x0, ttl 63, id 15924, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.4.1 > 192.168.179.36: ICMP echo request, id 6, seq 1016, length 64
18:29:18.344571 eth0  In  IP7 (invalid)
18:29:18.344571 eth0.3 In  IP (tos 0x0, ttl 64, id 5323, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.2 > 192.168.2.1: ICMP echo request, id 16472, seq 0, length 64
18:29:18.344806 eth0.3 Out IP (tos 0x0, ttl 64, id 17162, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.2.1 > 192.168.2.2: ICMP echo reply, id 16472, seq 0, length 64
18:29:18.344820 eth0  Out IP10 (invalid)
^C
44 packets captured
47 packets received by filter
0 packets dropped by kernel

This is correct. What values do you have for AllowedIPs in the client? Do you have a firewall there? What sort of OS is that?

Allowed IPs in the client:
`AllowedIPs = 10.0.4.0/24, 192.168.4.0/24`
No firewall. From other local machines I can ping 192.168.179.36.
Mac OS X.

Where is 192.168.179.6? Can you ping 10.0.4…4 instead?

192.168.179.36 is the IP of my laptop in my private network that establishes a connection to the VPN. For WireGuard it's configured to use the IP address 10.0.4.2.

From a device (192.168.4.4) on the VPN I can ping

```text
PING 10.0.4.2 (10.0.4.2) 56(84) bytes of data.
64 bytes from 10.0.4.2: icmp_seq=1 ttl=63 time=17.9 ms
64 bytes from 10.0.4.2: icmp_seq=2 ttl=63 time=16.6 ms
64 bytes from 10.0.4.2: icmp_seq=3 ttl=63 time=15.1 ms
```

fine. It is really just the last step that is missing.

It’s late here I am tired. See you tomorrow.

IP forwarding.
I am not familiar with the Mac; I suppose you have a control file similar to /proc/sys/net/ipv4/conf/all/forwarding.
Check the value with cat, set it to 1 with echo 1 > /proc/sys/net/ipv4/conf/all/forwarding.
If it works, change the value permanently in /etc/sysctl.conf.

The Mac OS equivalent is apparently:

`sysctl -w net.inet.ip.forwarding=1`

Unfortunately the ping doesn't go through with it.

Strange. What was the initial value?

And what does tcpdump say when you ping the LAN interface?