Issues with WireGuard

PinkChameleon

Hello everyone,

WireGuard is running in an LXC container on my Proxmox server. In general, everything works as intended, but one particular "network group" poses an issue for me (my university's student dorms' networks).
On all of my Windows devices I'm able to create a VPN tunnel; however, I'm not able to connect to websites or other things, with the following exceptions:
  • ping 8.8.8.8 (or other DNS)
  • ping 192.168.2.1 (my Proxmox's gateway), no other IPs in my home network are "pingable"
  • via WSL I am able to connect to my Proxmox server using SSH (not able to ping it!)
I'm irritated by the fact that my phones (Android & iPhone) are able to connect to the VPN the same way as on any other network.
My WireGuard host uses a Pi-hole as its DNS, but I also tried the entire setup without the Pi-hole and the problems stay exactly the same.

Things I've tried so far:
  • change my Windows system's DNS to static (8.8.8.8) and dynamic
  • change my WireGuard system's DNS to static (8.8.8.8) or my home router
  • on Proxmox 6 and Proxmox 7 host
  • using OpenVPN back on Proxmox 6 (same issues, often taking up to 10 min to create a VPN tunnel or completely failing, and then the same issues as with WireGuard, leading me to believe I messed something up in Proxmox itself)
  • LXC on Debian 10 and 11 basis
Additional information:
  • the student dorm requires a login with my "uni-account" to unlock internet access, something I always do before activating my VPN (afterwards it is of course not possible)
  • both the ISP and my university's IT service (only responsible for the login mentioned above) claim that there is no intent to block VPN traffic
I was not able to find anything yet (I also already posted in the national GER Proxmox forum). And since both WireGuard and OpenVPN have issues in this (and only this) network, I figured it might have something to do with the Proxmox host.
For my installation I followed the Proxmox Wiki for OpenVPN, "create container" (https://pve.proxmox.com/wiki/OpenVPN_in_LXC). And Wireguard itself was installed using:
wget https://git.io/wireguard -O wireguard-install.sh && bash wireguard-install.sh
My firewall allows UDP on the required port.

I am thankful for all suggestions and help :)
 

ness1602

I don't run WireGuard on LXC. I had some problems with it, so I went with a full VM, and it works great, even with live migration.
 

liamlows

So I had a lot of issues with WireGuard at first, but now I have a pretty solid understanding of the install and how to get it to work. That being said, the information regarding WireGuard issues seems like it can be anything.

The first thing I have to ask is: are you receiving handshakes between the WireGuard client and server? ("wg show" should show this information and the client should show it too; make sure they both report similar information when first making a connection.) This is likely not the problem, though, since you said your phone is able to connect.

Second, did you make sure that your PVE shell has the headers installed and the appropriate packages added to your sources.list.d? If the PVE kernel is not set up correctly you will surely have a massive headache. I have witnessed WireGuard working with my mobile devices but no computers when I had issues with opening a tunnel to the VPN server. However, the phone working here makes me think this is not it.

Third (surprisingly, this is what always got me), make sure that your client that is utilizing the WireGuard service is forwarding all traffic to the VPN. By default on Mac OS X this is disabled and will drive you nuts for hours if you don't know about it. See the below image for what I am talking about here. (This typically only happens to L2TP VPNs, but it's worth a shot.)

Screen Shot 2021-10-03 at 10.41.40 PM.png

Oh, and also make sure that your actual LXC has the proper IPv4 forwarding and firewalls set up.

Lastly, I would say that setting up a server alone within a university network is typically horrible. In addition, university IT may provide you with false answers, as a lot of the time these poor guys don't actually get any of the cool in-depth details as to how the network infrastructure is set up. I tried running my r430 in the dorms to run dev/staging/prod/game/media servers and ran into countless issues due to firewall, protocol, and no way to assign static IPs when dealing with this. The biggest issue I see is that you are trying to connect to the university's public IP (I assume you don't have a WAN to yourself), which means that there will definitely be router firewall issues. You can try changing the port to one you know is open on the network, but again I would not mess around with this, since when I first learned NMAP in school, I had university police show up at my door a day or two later claiming I was "trying to hack the university servers" :rolleyes:.

Best of luck, and I'll try to think up some other potential problems that you could be facing. It's only now that you will truly appreciate how nice it is to have your own damn WAN and internet!
 

PinkChameleon

Thanks a lot for the comments!
In regard to @liamlows points:
1) I checked, and both my client and my host display a successful handshake.

2) pve packages:
source.list.d is empty for me except for a commented-out line about enterprise usage.
In source.list I found:
deb http://ftp.de.debian.org/debian bullseye main contrib
deb http://ftp.de.debian.org/debian bullseye-updates main contrib
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
# security updates
deb http://security.debian.org bullseye-security main contrib

which looks fine to me. And since all of my other LXCs and VMs are running fine, I would not expect the pve node to be the issue.

3) How would I check/make sure that all traffic goes through my WireGuard tunnel? Opening and changing the network adapter properties of the VPN doesn't seem to have any effect, because they get reset when restarting the VPN.
I noticed, though, that by default the adapter uses "fixed ip" but no IP is given. Is this intended?

4) I forward the according UDP port, and as there are no issues in other networks, I've no idea what else to forward there.

5) I was expecting some sort of issue, which is why I made sure to position my server outside of the "university associated network". As far as I know, each dorm apartment got its own WAN. And the VPN works in all of the campus networks (except the dorms).
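
The two checks discussed in this thread (handshake state from "wg show", and whether the client sends all traffic into the tunnel) can be scripted. The following is an added example, not part of any post above: it reads the AllowedIPs of a client config to decide which destinations enter the tunnel, and summarises a peer row from `wg show <interface> dump`. The sample config, the 10.7.0.0/24 tunnel subnet, the endpoint name and the dump row are constructed; only 192.168.2.1 and 8.8.8.8 come from the thread.

```python
import ipaddress
import time

# Constructed sample client config; keys, endpoint and the 10.7.0.0/24 subnet are assumptions.
CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.7.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 10.7.0.0/24, 192.168.2.0/24
"""

# Constructed peer row in the tab-separated layout of `wg show <interface> dump`:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive
DUMP_PEER_ROW = "<peer-public-key>\t(none)\t203.0.113.7:51820\t10.7.0.2/32\t1700000000\t9216\t148\toff"

def allowed_networks(conf_text):
    """Return the networks listed under AllowedIPs in the [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "peer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets

def goes_through_tunnel(conf_text, destination):
    """True if the client would send packets for `destination` into the tunnel."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == n.version and addr in n for n in allowed_networks(conf_text))

def is_full_tunnel(conf_text):
    """True only if the IPv4 default route 0.0.0.0/0 is in AllowedIPs."""
    return ipaddress.ip_network("0.0.0.0/0") in allowed_networks(conf_text)

def peer_status(dump_row, now=None):
    """Summarise one peer row: handshake age in seconds and byte counters."""
    f = dump_row.split("\t")
    now = time.time() if now is None else now
    last = int(f[4])  # 0 means no handshake has completed yet
    return {"handshake_age": None if last == 0 else int(now - last),
            "rx_bytes": int(f[5]), "tx_bytes": int(f[6])}
```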
 
