Wireguard Client in LXC: SSL 525 Error (Cloudflare) - Config Works on Other Systems

wibi

New Member
Oct 21, 2025
Hi everyone,

I'm relatively new to Proxmox and have hit a wall trying to set up a Wireguard tunnel for my web services. I've searched the forum and read the documentation, but I can't seem to resolve an SSL 525 error.

My Goal

To route traffic from Cloudflare through a Wireguard tunnel to an NPM (Nginx Proxy Manager) instance running inside a Proxmox LXC container, all for added security.

My Network Setup

  1. Cloudflare: DNS and proxy enabled (orange cloud).
  2. VPS (Wireguard Server): Has a public IP. Runs a Wireguard server. This part is confirmed working.
  3. Proxmox Host: On my local network.
    • LXC 1 (Wireguard Client): Connects to the VPS Wireguard server. Its IP is 10.10.10.1 using VNet
    • LXC 2 (NPM): The final destination for web traffic. Its IP is 10.10.10.3 using VNet. NPM is set up and listening.
The traffic flow is: Internet -> Cloudflare -> VPS (WG Server) -> WG Tunnel -> Proxmox LXC (WG Client) -> Proxmox LXC (NPM)

The Problem

When I try to access my domain, I get a Cloudflare 525 "SSL handshake failed" error. This indicates that Cloudflare can reach my VPS, and the VPS can probably forward the traffic through the tunnel, but the NPM instance behind the tunnel is either not responding correctly or not completing the TLS handshake.

Key Details & What I've Checked

  • Working Baseline: The exact same Wireguard server and client configuration files work perfectly on a Casa OS system. This confirms the core Wireguard setup and NPM config are sound. The problem is specific to my Proxmox environment.
  • Code:
    Server
    interface: wg1
      public key: (hidden)
      private key: (hidden)
      listening port: 51820
    
    peer: xxxxx/c9aSk=
      endpoint: xx.xx.xx.xx:34520
      allowed ips: 10.200.200.2/32
      latest handshake: 1 minute, 43 seconds ago
      transfer: 177.78 KiB received, 1.41 MiB sent
    
    Client
    interface: wg1
      public key: (hidden)
      private key: (hidden)
      listening port: 40580
      fwmark: 0xca6c
    
    peer: xxxxxxx=
      endpoint: xx.xx.xx.xx:51820
      allowed ips: 0.0.0.0/0
      latest handshake: 2 seconds ago
      transfer: 92 B received, 180 B sent
      persistent keepalive: every 25 seconds

 
How can LXC 2 access the WireGuard server?
I'm forwarding the traffic using DNAT.

WG Server

Code:
# Enable forwarding
PostUp = sysctl -w net.ipv4.ip_forward=1

# Allow forwarded traffic in and out of the tunnel. `wg show` above reports the
# server interface as wg1, so the rules must name wg1 as well; rules that name
# an interface the tunnel does not use never match any packet.
PostUp = iptables -A FORWARD -i wg1 -j ACCEPT
PostUp = iptables -A FORWARD -o wg1 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward only needed ports to the client peer (AllowedIPs 10.200.200.2/32)
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.200.200.2:80
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.200.2:443

# Remove the rules on `wg-quick down` so restarts do not stack duplicate copies
PostDown = iptables -D FORWARD -i wg1 -j ACCEPT
PostDown = iptables -D FORWARD -o wg1 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.200.200.2:80
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.200.2:443

WG Client

Code:
# Enable forwarding
PostUp = sysctl -w net.ipv4.ip_forward=1

# Allow forwarded traffic between the tunnel (wg1) and the VNet interface (net1)
PostUp = iptables -A FORWARD -i wg1 -o net1 -j ACCEPT
PostUp = iptables -A FORWARD -i net1 -o wg1 -j ACCEPT

# Source-NAT what leaves toward the VNet so NPM's replies come back to this
# container even if NPM has no route for the tunnel address range. Side effect:
# NPM sees 10.10.10.1 as the client address, not the Cloudflare edge.
PostUp = iptables -t nat -A POSTROUTING -o net1 -j MASQUERADE

# DNAT for only needed ports, from the tunnel to NPM (10.10.10.3)
PostUp = iptables -t nat -A PREROUTING -i wg1 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.3:80
PostUp = iptables -t nat -A PREROUTING -i wg1 -p tcp --dport 443 -j DNAT --to-destination 10.10.10.3:443

# Mirror every rule on `wg-quick down` so restarts do not stack duplicate copies
PostDown = iptables -D FORWARD -i wg1 -o net1 -j ACCEPT
PostDown = iptables -D FORWARD -i net1 -o wg1 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o net1 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i wg1 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.3:80
PostDown = iptables -t nat -D PREROUTING -i wg1 -p tcp --dport 443 -j DNAT --to-destination 10.10.10.3:443
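The server side above reports the tunnel as wg1 in `wg show` but names wg0 in its FORWARD rules, neither side pins an MTU, and neither has PostDown rules, so each `wg-quick down`/`up` leaves a stale copy of every iptables rule behind. As an added example (not code from the thread or from Proxmox/WireGuard), the script below lints a wg-quick config for exactly those three problems; the two configs it writes are constructed to mirror the posted server rules, and the 10.200.200.1/24 address and REDACTED keys are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: lint a wg-quick config for three mistakes
# that silently break a DNAT-through-tunnel setup like the one posted above.
#  1. iptables hook rules that name a different wgN than the file configures
#     (wg-quick takes the interface name from the file name: wg1.conf -> wg1).
#  2. PostUp iptables rules without a matching PostDown, so every
#     `wg-quick down` / `wg-quick up` stacks another copy of each rule.
#  3. No MTU line, so the tunnel MTU is whatever wg-quick derives at start.
set -u

lint_wg_conf() {
    # $1: path to a wgN.conf. Prints one finding per line, then FINDINGS=<n>.
    local conf="$1" findings=0 iface r ups downs rule_ifaces
    iface=$(basename "$conf" .conf)

    # 1. wg interfaces named in hook lines that differ from this file's own interface
    rule_ifaces=$(grep -E '^(PreUp|PostUp|PreDown|PostDown)' "$conf" \
        | grep -oE 'wg[0-9]+' | sort -u)
    for r in $rule_ifaces; do
        if [ "$r" != "$iface" ]; then
            echo "MISMATCH: rules reference $r but this file configures $iface"
            findings=$((findings + 1))
        fi
    done

    # 2. PostUp iptables rules that have no PostDown counterpart
    ups=$(grep -cE '^PostUp *= *iptables' "$conf" || true)
    downs=$(grep -cE '^PostDown *= *iptables' "$conf" || true)
    if [ "$ups" -gt 0 ] && [ "$downs" -lt "$ups" ]; then
        echo "NO_CLEANUP: $ups iptables PostUp rules but only $downs PostDown rules"
        findings=$((findings + 1))
    fi

    # 3. MTU not pinned
    if ! grep -qE '^MTU *= *[0-9]+' "$conf"; then
        echo "NO_MTU: no MTU line in $conf"
        findings=$((findings + 1))
    fi
    echo "FINDINGS=$findings"
}

write_broken_server_conf() {
    # Constructed to mirror the server rules posted above: the file is wg1.conf
    # (what `wg show` reports) but the FORWARD rules still say wg0, and there is
    # no PostDown and no MTU. Address and keys are placeholders.
    cat > "$1" <<'EOF'
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = REDACTED
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.200.2:443

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.200.200.2/32
EOF
}

write_fixed_server_conf() {
    # Same config with the interface name corrected, PostDown mirrors for every
    # iptables rule, and an explicit MTU (1420 = 1500 minus WireGuard's 80-byte
    # IPv4 overhead, which is what wg-quick computes for a 1500-byte uplink).
    cat > "$1" <<'EOF'
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
MTU = 1420
PrivateKey = REDACTED
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg1 -j ACCEPT
PostUp = iptables -A FORWARD -o wg1 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.200.2:443
PostDown = iptables -D FORWARD -i wg1 -j ACCEPT
PostDown = iptables -D FORWARD -o wg1 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.200.200.2:443

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.200.200.2/32
EOF
}

# Demo: lint the constructed broken config, then the fixed one.
# Real use on either host:  lint_wg_conf /etc/wireguard/wg1.conf
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_broken_server_conf "$d/wg1.conf"; lint_wg_conf "$d/wg1.conf"
    write_fixed_server_conf "$d/wg1.conf";  lint_wg_conf "$d/wg1.conf"
    rm -rf "$d"
fi
```

Run it with `bash lint.sh demo` to see the three findings on the broken config and `FINDINGS=0` on the fixed one; the same `lint_wg_conf` call against the real `/etc/wireguard/wg1.conf` on the VPS and on the client LXC shows whether either side has the interface-name mismatch.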
 
Today I changed my approach and installed the WireGuard client on the NPM LXC. I can access port 80 through my VPS public IP, but Cloudflare is still giving me a 525 error :(
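Port 80 answering on the VPS public IP while the proxied site still returns 525 narrows the fault to the TLS hop: a 525 means the Cloudflare edge reached the origin on 443 but the handshake did not complete (an origin certificate Cloudflare does not trust produces a 526 in Full (strict) mode instead, and a self-signed origin certificate is accepted in Full mode). The direct way to find which hop breaks it is to reproduce that handshake from the VPS, the host Cloudflare actually connects to, with the site hostname as SNI, and then from the WireGuard client LXC against NPM directly. This is an added example, not code from the thread: `classify_tls` sorts `openssl s_client` output into the cases that matter here and `probe_origin` runs the probe; npm.example.com is a placeholder for the real hostname.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Reproduce the origin-side TLS handshake
# that Cloudflare performs, from the hop Cloudflare actually talks to.
set -u

classify_tls() {
    # $1: combined stdout/stderr of `openssl s_client -connect HOST:443 -servername NAME`.
    # Patterns are checked most-specific first: a failed handshake still ends with a
    # "Verify return code" line, so that line alone does not mean the handshake worked.
    case "$1" in
        *"Connection refused"*|*"connect:errno"*|*"Connection timed out"*)
            echo "UNREACHABLE" ;;          # no listener, or DNAT/FORWARD not delivering 443
        *"wrong version number"*)
            echo "PLAINTEXT" ;;            # something answered 443 but speaks HTTP, not TLS
        *"handshake failure"*|*"unrecognized name"*)
            echo "HANDSHAKE_REJECTED" ;;   # server sent a TLS alert for this SNI/cipher set
        *"no peer certificate available"*)
            echo "NO_CERT" ;;              # connection opened, TLS never presented a certificate
        *"Verify return code: 0 (ok)"*)
            echo "OK" ;;                   # handshake completed and chain verifies locally
        *"Verify return code:"*)
            echo "OK_UNTRUSTED" ;;         # handshake completed, cert not trusted by this host
        *)
            echo "UNKNOWN" ;;
    esac
}

probe_origin() {
    # $1: address to connect to, $2: hostname to send as SNI (what Cloudflare sends).
    local out
    out=$(printf '' | timeout 10 openssl s_client -connect "$1:443" -servername "$2" 2>&1 || true)
    classify_tls "$out"
}

# On the VPS: probe the tunnel peer that PREROUTING DNATs port 443 to.
#   probe_origin 10.200.200.2 npm.example.com
# On the WireGuard client LXC: probe NPM directly to isolate the tunnel hop.
#   probe_origin 10.10.10.3 npm.example.com
# From any outside host: probe the VPS public address the same way.
# Reading the results: UNREACHABLE on the VPS but OK/OK_UNTRUSTED from the client
# LXC points at the VPS-side DNAT/FORWARD rules; PLAINTEXT means whatever answers
# 443 is serving HTTP; OK_UNTRUSTED everywhere means the tunnel is fine and the
# remaining question is the Cloudflare SSL mode and the certificate NPM serves.
```

Run each `probe_origin` line on the host named in its comment; comparing the three verdicts tells you whether the 443 path fails at the VPS DNAT, inside the tunnel, or at NPM's TLS configuration.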
 
It could be a matter of the MTU size in the WireGuard configuration, which is currently not listed.

BR, Lucas

PS: complex solutions might introduce complex problems. :)
Good luck :)
 
Thank you for your suggestion, I will give it a try.