[SOLVED] Another "WG peer can't reach LAN" post (sorry, all looks good, yet still)

[CptSaulGoodman]

I am playing around with Wireguard and have the - pretty common - issue that I can't reach my LAN behind the WG server. Since it's pretty common I found a lot on the issue here and at other places and although everything seems like it's supposed to work - it doesn't.

Peer: Android device with wg app on mobile network (not on WiFi), no FW or AV running, public IP both IPv4 and IPv6 assigned

[Interface]
Address = 10.7.0.2/32
PrivateKey = xxx

[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 192.168.178.0/24, 10.7.0.0/24
Endpoint = xxx:51820
PersistentKeepalive = 25

Router: Draytek Vigor, udp 51820 forwarded to WG-Server 192.168.178.34:51820 (LAN: 192.168.178.0/24), no outgoing rules

WG-Server: LXC (debian 12, LAN IP: 192.168.178.34) on proxmox host

# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT xxx . hopto.org

[Interface]
Address = 10.7.0.1/24
PrivateKey = xxx
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# BEGIN_PEER 1
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 10.7.0.2/32
# END_PEER 1

also:

> sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

> ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0@if71: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:e7:48:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.178.34/24 brd 192.168.178.255 scope global dynamic eth0
       valid_lft 83123sec preferred_lft 83123sec
    inet6 fe80::be24:11ff:fee7:48b9/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.7.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

PVE host:

> ls -l /dev/net/tun
crw-rw-rw- 1 100000 100000 10, 200 Jul  7 16:12 /dev/net/tun

Connection/handshake: works

> wg show

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  preshared key: (hidden)
  endpoint: xxx:25087
  allowed ips: 10.7.0.2/32
  latest handshake: 1 minute, 31 seconds ago
  transfer: 5.36 KiB received, 47.05 KiB sent

>  ping 10.7.0.2
PING 10.7.0.2 (10.7.0.2) 56(84) bytes of data.
64 bytes from 10.7.0.2: icmp_seq=1 ttl=64 time=378 ms
64 bytes from 10.7.0.2: icmp_seq=2 ttl=64 time=70.4 ms
64 bytes from 10.7.0.2: icmp_seq=3 ttl=64 time=88.9 ms

I can reach 10.7.0.1 (opening in browser it returns "connection refused" as expected, pinging from WG server to 10.7.0.2 (mobile device) works, too)

I cannot reach anything on the LAN (192.168.178.0/24), the request times out on the mobile.

In tcpdump on the WG server I see the request being handled (here for example while opening 192.168.178.10 in browser on mobile phone):

10:46:57.249675 IP 192.168.178.10.http > 192.168.178.34.46194: Flags [.], seq 538988896:538990136, ack 3486688422, win 31000, length 1240: HTTP

10:46:57.249849 IP 192.168.178.34.51820 > tmo-xxx-xxx.customers.d1-online.com.25943: UDP, length 1312

10:46:57.288562 IP 192.168.178.10.http > 192.168.178.34.46196: Flags [.], seq 563067128:563068368, ack 820823564, win 31000, length 1240: HTTP

10:46:57.288734 IP 192.168.178.34.51820 > tmo-xxx-xxx.customers.d1-online.com.25943: UDP, length 1312

iptables:

> iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:51820

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.7.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

> iptables --table nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.7.0.0/24         !10.7.0.0/24          to:192.168.178.34
MASQUERADE  all  --  anywhere             anywhere

What am I missing? Is this maybe an ipv4/ipv6 issue?

 

[CptSaulGoodman]

okay, what I noticed: While http(s) requests to LAN machines time out, I can SSH into them. It's very laggy though, close to unusable.

 

[CptSaulGoodman]

Solution:

MTU = 1400

both in server config (interface) and in android client solved all issues.

Really haven't seen this in any of the discussions regarding routing problems to LAN machines before.

 

[_gabriel]

https://forum.proxmox.com/threads/p...n-remote-site-connected-via-wireguard.141671/