Wireguard Client on Proxmox Guest

weyon668
May 4, 2024
Hello,
I have a Proxmox server with one static IP address, an SDN with a virtual net, DHCP and SNAT in the range of 192.168.200.0/0. The client (Windows 11) has an Internet connection without a problem. Now I installed the WireGuard client on Windows 11 and tried to load a config file from my router. This config file works with my notebook, but not in my Proxmox guest. I cannot ping the other side and vice versa. I guess some config on the Proxmox server is missing. Can anyone help? Thank you.
 
Hey, if your PVE, notebook, and router are on the same network, and PVE <-> Router doesn’t work, it could be iptables.

Try this:

Code:
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
 
The Proxmox server is hosted (Hetzner) with one public IP and is not in the same network as my notebook/router.
Your Proxmox host is hosted by Hetzner, which means the SNAT/DHCP and the virtual network (192.168.200.0/24) are isolated from external networks. While SNAT might work for regular traffic, it could block or fail to forward the UDP packets required by WireGuard. Ensure that UDP packets (default port 51820) are being forwarded correctly from the Proxmox host.
 
Thank you. Can I forward it with this:
iptables -A INPUT -p udp --dport 51820 -j ACCEPT
 
Yes, the command you provided will allow incoming UDP traffic on port 51820, which is typically the port used by WireGuard. However, this rule only permits incoming packets to the Proxmox host itself.

Ensure Port 51820 is Open on the Provider's Side (Hetzner)
 
The guest on the PVE is only a WireGuard client, so no open incoming ports on the firewall should be required. Everything outgoing is already allowed.
 
Don't forget you can't use the same client config at the same time.
Only for test use; the config is not used at the same time.
I also tried it with a Cloud Server (only Windows Server with a public IP) and the same Hetzner firewall settings; it works like a charm. Only via Proxmox it is not working.

[Attachments: hetzner fw.png, pve rules.png]
 
Mystery solved. Hetzner uses a stateless firewall. A "normal" firewall would detect that an application opens a port to the outside and wants to come back in again. On a stateless firewall you have to open every port that may be incoming manually (screenshot), but in my case only allowed from the IP of the WireGuard server.

[Attachment: wireguard hetzner client.png]
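To make the conclusion of the thread concrete, here is an added example (not code from the thread or from Proxmox/Hetzner) that models both kinds of packet filter and replays the two WireGuard handshake datagrams through them. The addresses 203.0.113.10 (the guest), 198.51.100.1 (the WireGuard server) and the client source port are assumptions chosen for illustration; the behaviour shown is the generic difference between a stateful filter, which admits replies to a flow it has seen leave, and a stateless one, which needs an explicit inbound rule for the server's UDP traffic.

```python
"""
Added example (not from the forum thread): a small packet-filter model that
shows why a WireGuard *client* behind a stateless firewall still needs an
inbound rule, while a stateful firewall lets the reply through on its own.

Assumed, hypothetical addresses:
  - the Proxmox guest's public-facing address is 203.0.113.10
  - the WireGuard server (the home router) is 198.51.100.1, UDP 51820
  - the client sends from an ephemeral source port (WireGuard picks a
    random port when no ListenPort is configured)
"""
from dataclasses import dataclass

CLIENT_IP = "203.0.113.10"
SERVER_IP = "198.51.100.1"
WG_PORT = 51820


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (leaving the host) or "in" (arriving)


@dataclass(frozen=True)
class Rule:
    """A match on direction plus the 5-tuple; None means 'any'."""
    direction: str
    proto: str = None
    src: str = None
    sport: int = None
    dst: str = None
    dport: int = None

    def matches(self, p):
        return all(want is None or want == have for want, have in [
            (self.direction, p.direction), (self.proto, p.proto),
            (self.src, p.src), (self.sport, p.sport),
            (self.dst, p.dst), (self.dport, p.dport)])


class StatelessFirewall:
    """Every packet is judged on its own against the rule list (default deny)."""
    def __init__(self, rules):
        self.rules = list(rules)

    def accept(self, p):
        return any(r.matches(p) for r in self.rules)


class StatefulFirewall(StatelessFirewall):
    """Like the stateless one, but remembers accepted outbound flows and
    admits their replies (what conntrack's ESTABLISHED state does)."""
    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def accept(self, p):
        if p.direction == "in":
            # Reverse the tuple: a reply has our source as its destination.
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return True
        if super().accept(p):
            if p.direction == "out":
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        return False


def wireguard_handshake(fw, client_port=41234):
    """Replay the handshake initiation and response; return (init_ok, resp_ok)."""
    init = Packet("udp", CLIENT_IP, client_port, SERVER_IP, WG_PORT, "out")
    resp = Packet("udp", SERVER_IP, WG_PORT, CLIENT_IP, client_port, "in")
    return fw.accept(init), fw.accept(resp)


# "Everything outgoing is already allowed", nothing inbound: the thread's situation.
ALLOW_ALL_OUT = [Rule(direction="out")]

# The fix the thread arrived at: admit UDP from the WireGuard server's IP
# (here additionally pinned to its source port 51820).
ALLOW_WG_REPLIES = ALLOW_ALL_OUT + [
    Rule(direction="in", proto="udp", src=SERVER_IP, sport=WG_PORT)]


def compare():
    return {
        "stateful, outbound only": wireguard_handshake(StatefulFirewall(ALLOW_ALL_OUT)),
        "stateless, outbound only": wireguard_handshake(StatelessFirewall(ALLOW_ALL_OUT)),
        "stateless + reply rule": wireguard_handshake(StatelessFirewall(ALLOW_WG_REPLIES)),
    }


if __name__ == "__main__":
    for name, (init_ok, resp_ok) in compare().items():
        print(f"{name:26s} initiation={'pass' if init_ok else 'drop'} "
              f"response={'pass' if resp_ok else 'drop'}")
```

On a real stateless filter the equivalent of ALLOW_WG_REPLIES is an inbound rule for UDP with source address set to the WireGuard server and source port 51820, which is what the last post describes configuring; a stateful Linux host gets the same effect from a single `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule, which is why the notebook behind the home router never needed anything extra.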