Hi,
I am not an expert on networking. I installed Proxmox on a bare-metal server and a Debian VM to host a WireGuard VPN.
I can connect to the VPN and exchange a handshake, but any other command in the network does not return any response.
The host has 2 NICs
1) Public NIC
Primary Address 99.99.99.99/32 - Primary Gateway 100.64.0.1 (OVH Cloud) (vmbr0)
Additional IP Address 66.66.66.66/32 -- routed to specific VM (vmbr1 and working)
2) Private NIC
Host
/etc/network/interfaces
Bash:
auto lo
iface lo inet loopback

auto enp10s0f0np0
iface enp10s0f0np0 inet static
    address 99.99.99.99/32
    gateway 100.64.0.1

auto enp10s0f1np1
iface enp10s0f1np1 inet static
    address 172.16.1.1/24

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o enp10s0f0np0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o enp10s0f0np0 -j MASQUERADE

auto vmbr1
iface vmbr1 inet static
    address 10.0.1.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    up ip route add 66.66.66.66/32 dev vmbr1
ip route
Code:
default via 100.64.0.1 dev enp10s0f0np0 proto kernel onlink
10.0.0.0/24 dev vmbr0 proto kernel scope link src 10.0.0.1
10.0.1.0/24 dev vmbr1 proto kernel scope link src 10.0.1.1
66.66.66.66 dev vmbr1 scope link
172.16.1.0/24 dev enp10s0f1np1 proto kernel scope link src 172.16.1.1
ip rule
Code:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
iptables -S
Bash:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
iptables -t nat -S
Bash:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p udp -m udp --dport 51820 -j DNAT --to-destination 10.0.0.2
-A POSTROUTING -s 10.0.0.0/24 -o enp10s0f0np0 -j MASQUERADE
VM#1 - VPN Dedicated (Wireguard)
root@vpn-entry:~# ip a
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.0.0.2/24 brd 10.0.0.255 scope global ens18
       valid_lft forever preferred_lft forever
9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.10.0.1/32 scope global wg0
       valid_lft forever preferred_lft forever
ip route
Code:
default via 10.0.0.1 dev ens18 onlink
10.0.0.0/24 dev ens18 proto kernel scope link src 10.0.0.2
ip rule
Code:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
iptables: no rules added.
The connection from the WireGuard client works fine: the handshake is sent and received correctly and a keypair was created for the connection.
I tried to ping from my local PC ("ping -n 1 10.0.0.2") the main IP address of the VPN VM, and I tried to check the routing problems using tcpdump.
It seems that the ping works fine, but the WireGuard client cannot receive any response.
Wireguard Server IP: 10.10.0.1
Wireguard Client IP: 10.10.0.2
## TCPDUMP of HOST
root@HOST:~# tcpdump -i any -lvn '(port 51820 or icmp)' and host XXX.XXX.XXX.XXX
Code:
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:02:03.341605 enp10s0f0np0 In IP (tos 0x0, ttl 114, id 61026, offset 0, flags [none], proto UDP (17), length 124)
    XXX.XXX.XXX.XXX.51820 > 99.99.99.99.51820: UDP, length 96
13:02:03.341628 vmbr0 Out IP (tos 0x0, ttl 113, id 61026, offset 0, flags [none], proto UDP (17), length 124)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 96
13:02:03.341634 fwpr100p0 Out IP (tos 0x0, ttl 113, id 61026, offset 0, flags [none], proto UDP (17), length 124)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 96
13:02:03.341642 fwln100i0 P IP (tos 0x0, ttl 113, id 61026, offset 0, flags [none], proto UDP (17), length 124)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 96
13:02:03.341645 tap100i0 Out IP (tos 0x0, ttl 113, id 61026, offset 0, flags [none], proto UDP (17), length 124)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 96
13:02:03.343302 enp10s0f0np0 In IP (tos 0x0, ttl 114, id 61027, offset 0, flags [none], proto UDP (17), length 176)
    XXX.XXX.XXX.XXX.51820 > 99.99.99.99.51820: UDP, length 148
13:02:03.343319 vmbr0 Out IP (tos 0x0, ttl 113, id 61027, offset 0, flags [none], proto UDP (17), length 176)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 148
13:02:03.343326 fwpr100p0 Out IP (tos 0x0, ttl 113, id 61027, offset 0, flags [none], proto UDP (17), length 176)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 148
13:02:03.343333 fwln100i0 P IP (tos 0x0, ttl 113, id 61027, offset 0, flags [none], proto UDP (17), length 176)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 148
13:02:03.343337 tap100i0 Out IP (tos 0x0, ttl 113, id 61027, offset 0, flags [none], proto UDP (17), length 176)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 148
13:02:03.343626 tap100i0 P IP (tos 0x88, ttl 64, id 26046, offset 0, flags [none], proto UDP (17), length 120)
    10.0.0.2.51820 > XXX.XXX.XXX.XXX.51820: UDP, length 92
13:02:03.343634 fwln100i0 Out IP (tos 0x88, ttl 64, id 26046, offset 0, flags [none], proto UDP (17), length 120)
    10.0.0.2.51820 > XXX.XXX.XXX.XXX.51820: UDP, length 92
13:02:03.343637 fwpr100p0 In IP (tos 0x88, ttl 64, id 26046, offset 0, flags [none], proto UDP (17), length 120)
    10.0.0.2.51820 > XXX.XXX.XXX.XXX.51820: UDP, length 92
13:02:03.343641 vmbr0 In IP (tos 0x88, ttl 64, id 26046, offset 0, flags [none], proto UDP (17), length 120)
    10.0.0.2.51820 > XXX.XXX.XXX.XXX.51820: UDP, length 92
13:02:03.343658 enp10s0f0np0 Out IP (tos 0x88, ttl 63, id 26046, offset 0, flags [none], proto UDP (17), length 120)
    99.99.99.99.51820 > XXX.XXX.XXX.XXX.51820: UDP, length 92
13:02:03.383496 enp10s0f0np0 In IP (tos 0x0, ttl 114, id 61028, offset 0, flags [none], proto UDP (17), length 60)
    XXX.XXX.XXX.XXX.51820 > 99.99.99.99.51820: UDP, length 32
13:02:03.383513 vmbr0 Out IP (tos 0x0, ttl 113, id 61028, offset 0, flags [none], proto UDP (17), length 60)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 32
13:02:03.383520 fwpr100p0 Out IP (tos 0x0, ttl 113, id 61028, offset 0, flags [none], proto UDP (17), length 60)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 32
13:02:03.383527 fwln100i0 P IP (tos 0x0, ttl 113, id 61028, offset 0, flags [none], proto UDP (17), length 60)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 32
13:02:03.383531 tap100i0 Out IP (tos 0x0, ttl 113, id 61028, offset 0, flags [none], proto UDP (17), length 60)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 32
## TCP DUMP of VM
root@WIREGUARD_VM~# tcpdump -i any -lvn '(port 51820 or icmp)'
Code:
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:02:03.566517 ens18 In IP (tos 0x0, ttl 113, id 61026, offset 0, flags [none], proto UDP (17), length 124)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 96
13:02:03.566552 wg0 In IP (tos 0x0, ttl 128, id 29137, offset 0, flags [none], proto ICMP (1), length 60)
    10.10.0.2 > 10.0.0.2: ICMP echo request, id 1, seq 40, length 40
13:02:03.566564 ens18 Out IP (tos 0x0, ttl 64, id 15701, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.0.2 > 10.10.0.2: ICMP echo reply, id 1, seq 40, length 40
13:02:03.568209 ens18 In IP (tos 0x0, ttl 113, id 61027, offset 0, flags [none], proto UDP (17), length 176)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 148
13:02:03.568368 ens18 Out IP (tos 0x88, ttl 64, id 26046, offset 0, flags [none], proto UDP (17), length 120)
    10.0.0.2.51820 > XXX.XXX.XXX.XXX.51820: UDP, length 92
13:02:03.608402 ens18 In IP (tos 0x0, ttl 113, id 61028, offset 0, flags [none], proto UDP (17), length 60)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 32
Do you have any suggestions? I am not an expert and I have spent too much time trying to figure out what's wrong or what is missing.
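The captures above are the most useful part of the post, and the VM-side one contains a detail that is easy to miss by eye: the echo request from 10.10.0.2 arrives on wg0, but the echo reply to 10.10.0.2 leaves on ens18. Below is an added example (not the poster's tooling, and not part of the original post) that parses `tcpdump -i any -lvn` output in the LINUX_SLL2 format shown above, pairs each ICMP echo reply with its request by id/seq, and flags replies that leave on a different interface than the request came in on. It also counts the WireGuard UDP packets per interface and direction so the tunnel-transport path can be compared with the tunnel-payload path. The embedded sample is the VM capture quoted in the post; the function names are this example's own.

```python
"""Flag ICMP echo replies that exit on a different interface than their request entered.

Added example for the thread above, written to read `tcpdump -i any -lvn` output
(LINUX_SLL2: "<time> <iface> <In|Out|P> IP (...)" followed by an indented detail line).
Not the poster's tooling; function names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Packet header line under `-i any`: timestamp, interface, direction, IP header summary.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out|P)\s+IP\s+\((?P<hdr>.*)\)\s*$"
)
# Detail lines for the two protocols the capture filter '(port 51820 or icmp)' lets through.
ICMP_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)
UDP_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

# Sample input: the VM-side capture quoted in the post (addresses as the poster masked them).
VM_DUMP = """\
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:02:03.566517 ens18 In IP (tos 0x0, ttl 113, id 61026, offset 0, flags [none], proto UDP (17), length 124)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 96
13:02:03.566552 wg0 In IP (tos 0x0, ttl 128, id 29137, offset 0, flags [none], proto ICMP (1), length 60)
    10.10.0.2 > 10.0.0.2: ICMP echo request, id 1, seq 40, length 40
13:02:03.566564 ens18 Out IP (tos 0x0, ttl 64, id 15701, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.0.2 > 10.10.0.2: ICMP echo reply, id 1, seq 40, length 40
13:02:03.568209 ens18 In IP (tos 0x0, ttl 113, id 61027, offset 0, flags [none], proto UDP (17), length 176)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 148
13:02:03.568368 ens18 Out IP (tos 0x88, ttl 64, id 26046, offset 0, flags [none], proto UDP (17), length 120)
    10.0.0.2.51820 > XXX.XXX.XXX.XXX.51820: UDP, length 92
13:02:03.608402 ens18 In IP (tos 0x0, ttl 113, id 61028, offset 0, flags [none], proto UDP (17), length 60)
    XXX.XXX.XXX.XXX.51820 > 10.0.0.2.51820: UDP, length 32
"""


@dataclass
class Packet:
    ts: str
    iface: str
    direction: str               # "In", "Out" or "P" (seen on a bridge/firewall port)
    proto: str                   # "ICMP" or "UDP"
    src: str
    dst: str
    icmp_kind: Optional[str] = None   # "request" / "reply" for ICMP echo
    icmp_id: Optional[int] = None
    icmp_seq: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_dump(text: str) -> List[Packet]:
    """Pair each header line with the detail line that follows it; skip banner lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    packets: List[Packet] = []
    i = 0
    while i < len(lines) - 1:
        head = HEADER_RE.match(lines[i])
        if not head:
            i += 1
            continue
        body = lines[i + 1]
        i += 2
        m = ICMP_RE.match(body)
        if m:
            packets.append(Packet(head["ts"], head["iface"], head["dir"], "ICMP", m["src"], m["dst"],
                                  m["kind"], int(m["id"]), int(m["seq"])))
            continue
        m = UDP_RE.match(body)
        if m:
            packets.append(Packet(head["ts"], head["iface"], head["dir"], "UDP", m["src"], m["dst"],
                                  sport=int(m["sport"]), dport=int(m["dport"])))
    return packets


def asymmetric_echo_replies(packets: List[Packet]) -> List[Tuple[str, str, str, str, int]]:
    """Return (client, target, request_iface, reply_iface, seq) for each echo reply whose
    egress interface differs from the ingress interface of the matching request."""
    requests: Dict[Tuple[str, str, int, int], Packet] = {}
    for p in packets:
        if p.proto == "ICMP" and p.icmp_kind == "request" and p.direction == "In":
            requests[(p.src, p.dst, p.icmp_id, p.icmp_seq)] = p
    findings = []
    for p in packets:
        if p.proto == "ICMP" and p.icmp_kind == "reply" and p.direction == "Out":
            req = requests.get((p.dst, p.src, p.icmp_id, p.icmp_seq))   # reversed tuple
            if req is not None and req.iface != p.iface:
                findings.append((req.src, req.dst, req.iface, p.iface, p.icmp_seq))
    return findings


def udp_flow_counts(packets: List[Packet], port: int = 51820) -> Dict[Tuple[str, str], int]:
    """Count tunnel-transport (UDP/port) packets per (interface, direction)."""
    counts: Dict[Tuple[str, str], int] = {}
    for p in packets:
        if p.proto == "UDP" and port in (p.sport, p.dport):
            counts[(p.iface, p.direction)] = counts.get((p.iface, p.direction), 0) + 1
    return counts


if __name__ == "__main__":
    pkts = parse_dump(VM_DUMP)
    for client, target, in_if, out_if, seq in asymmetric_echo_replies(pkts):
        print(f"seq {seq}: request {client}->{target} came in on {in_if}, reply went out on {out_if}")
    print("WireGuard UDP packets per (iface, dir):", udp_flow_counts(pkts))
```

On the post's VM capture the script reports one finding: the request for seq 40 came in on wg0 and the reply went out on ens18. A reply's egress interface is chosen by the VM's routing table for the reply's destination, so a mismatch like this is the point to compare against `ip route` on the VM (the post's output shows only the default route and 10.0.0.0/24, with no route for the peer's tunnel address via wg0). The script only reports what the capture shows; it does not change any configuration.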