[SOLVED] wireguard / firewall: no connection

eb8

Member
Jun 10, 2019
hello,
I have 4 hosts connected via WG.
2 are PVE with public IP
1 PVE laptop
1 VM (public cloud)

the PVE hosts are not reachable. Turning WG debugging on exposes:

wireguard: vpn-serv0: Failed to give packet to userspace from peer 1 (xxx.xxx.xxx.xxx:51820)



the moment I turn off the FW, all works.
The VM has an iptables FW, which doesn't show the problem.

the interface config on the PVE hosts is:
vmbr0 public IP, ethx
vmbr1 - NATed LAN

I had the same results in a rebuilt setup with 2 VMs, one with PVE inside.
checked with 5.0, 5.3 & 5.4 kernels

Any idea what could cause that and how to avoid it?
TIA, guenter
 
hi,

"the moment I turn off FW, all works."
so obviously it's a firewall configuration problem

are you using the firewall on the PVE host? are you using the firewall for the VM? inside the VM?

also
"the PVE hosts are not reachable."
what do you mean by this? are the hosts not reachable at all?
 
@oguz,
sorry for not having been clearer.
these are all separate hosts, in different locations.
I have a laptop with PVE (WG config: not a peer)
the 2 PVE are my main dedicated hosts (WG config: peers),
and a VM, which is running at another place @ some provider (WG config: peer).

on the VM, which has just an iptables FW (Cloudron server), everything works as expected.
the 2 dedicated PVEs have problems when I turn the FW on.
of course, the UDP ports for WireGuard are opened on cluster & host level, and logging is set to debug, and even so nothing appears in the logs!

from host pve2 to pve3 (both dedicated), the WG seems to connect:
pve2

Mai 10 14:27:39 discovery kernel: wireguard: vpn-serv0: Receiving keepalive packet from peer 2 (95.xxx.64.xxx:51820)
Mai 10 14:27:39 discovery kernel: wireguard: vpn-serv0: Receiving handshake initiation from peer 2 (95.xxx.64.xxx:51820)
Mai 10 14:27:39 discovery kernel: wireguard: vpn-serv0: Sending handshake response to peer 2 (95.xxx.64.xxx:51820)
Mai 10 14:27:39 discovery kernel: wireguard: vpn-serv0: Keypair 106 destroyed for peer 2
Mai 10 14:27:39 discovery kernel: wireguard: vpn-serv0: Keypair 110 created for peer 2
Mai 10 14:27:39 discovery kernel: wireguard: vpn-serv0: Receiving keepalive packet from peer 2 (95.xxx.64.xxx:51820)


pve3

Mai 10 14:27:39 khon kernel: wireguard: vpn-serv0: Sending keepalive packet to peer 8 (5.xxx.77.xxx:51820)
Mai 10 14:27:39 khon kernel: wireguard: vpn-serv0: Sending handshake initiation to peer 8 (5.xxx.77.xxx:51820)
Mai 10 14:27:39 khon kernel: wireguard: vpn-serv0: Receiving handshake response from peer 8 (5.xxx.77.xxx:51820)
Mai 10 14:27:39 khon kernel: wireguard: vpn-serv0: Keypair 223 destroyed for peer 8
Mai 10 14:27:39 khon kernel: wireguard: vpn-serv0: Keypair 227 created for peer 8
Mai 10 14:27:39 khon kernel: wireguard: vpn-serv0: Sending keepalive packet to peer 8 (5.xxx.77.xxx:51820)



but when I send pings (VPN addr) to the other host, they end up on the target as:

wireguard: vpn-serv0: Failed to give packet to userspace from peer 1 (xxx.xxx.xxx.xxx:51820)

and as mentioned above, nothing in /var/log/pve-firewall.log.

hope this helps to clarify a bit.
 
meanwhile the fog has lifted.
In the beginning I faced a mixture of "culprits"; all had a logical solution.
ping to the PVE host was suppressed by the FW, blocking ICMP
ping to VMs with public interfaces on that host did not respond, due to routing issues

that mixed up into a "picture of not working"

sorry for the noise
 
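As an added example (not code from this thread or from Proxmox), the two pieces a practitioner would want from the resolution above: a host.fw fragment that opens both what the poster already had (the WireGuard UDP port on the public bridge) and what turned out to be missing (ICMP on the tunnel interface), and a small awk summary of WireGuard kernel debug lines that separates "handshake never completes" (transport blocked) from "handshake fine but packets dropped afterwards" (filter on the tunnel side). The "Failed to give packet to userspace" line is emitted by the WireGuard receive path when the already-decrypted inner packet is handed to the network stack and the stack reports it dropped, so its presence next to a successful handshake points at host filtering after the tunnel, which matches the ICMP finding. Interface names vpn-serv0 and vmbr0 and port 51820 are taken from the thread; the peers, addresses and timestamps in the sample log are constructed.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum or from Proxmox.
# Assumed values (taken from the thread's logs): WireGuard interface vpn-serv0,
# public bridge vmbr0, UDP port 51820. Peer numbers, timestamps and addresses
# in the sample log below are constructed.

# Print a /etc/pve/firewall/host.fw fragment. The first rule is the one the
# poster already had (WireGuard transport on the public bridge); the second is
# the one that was missing: decrypted packets re-enter the host on the tunnel
# interface and are filtered there as well, so ICMP must be allowed on it.
gen_pve_wg_rules() {
    pub_if="$1"; wg_if="$2"; port="$3"
    cat <<EOF
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -i ${pub_if} -p udp -dport ${port} -log nolog
IN Ping(ACCEPT) -i ${wg_if} -log nolog
EOF
}

# Constructed 'journalctl -k' excerpt with WireGuard debugging on: peer 8
# handshakes but every decrypted packet is dropped, peer 2 is healthy, and
# peer 3 never completes a handshake (the UDP transport itself is blocked).
sample_wg_log() {
    cat <<'EOF'
May 10 14:27:39 khon kernel: wireguard: vpn-serv0: Sending handshake initiation to peer 8 (192.0.2.10:51820)
May 10 14:27:39 khon kernel: wireguard: vpn-serv0: Receiving handshake response from peer 8 (192.0.2.10:51820)
May 10 14:27:39 khon kernel: wireguard: vpn-serv0: Keypair 227 created for peer 8
May 10 14:27:40 khon kernel: wireguard: vpn-serv0: Failed to give packet to userspace from peer 8 (192.0.2.10:51820)
May 10 14:27:41 khon kernel: wireguard: vpn-serv0: Failed to give packet to userspace from peer 8 (192.0.2.10:51820)
May 10 14:27:42 khon kernel: wireguard: vpn-serv0: Receiving handshake initiation from peer 2 (198.51.100.7:51820)
May 10 14:27:42 khon kernel: wireguard: vpn-serv0: Sending handshake response to peer 2 (198.51.100.7:51820)
May 10 14:27:42 khon kernel: wireguard: vpn-serv0: Receiving keepalive packet from peer 2 (198.51.100.7:51820)
May 10 14:27:45 khon kernel: wireguard: vpn-serv0: Sending handshake initiation to peer 3 (203.0.113.5:51820)
May 10 14:27:50 khon kernel: wireguard: vpn-serv0: Handshake for peer 3 (203.0.113.5:51820) did not complete after 5 seconds, retrying (try 2)
EOF
}

# Read WireGuard kernel debug lines on stdin and give one verdict per peer:
#   no-handshake        -> UDP transport blocked (outer firewall, NAT, wrong port)
#   tunnel-side-filter  -> handshake completed, but the stack dropped the
#                          decrypted packet, i.e. a rule on the tunnel interface
#   ok                  -> handshake completed and nothing was dropped
summarize_wg_log() {
    awk '
    /peer [0-9]+/ {
        match($0, /peer [0-9]+/)
        p = substr($0, RSTART, RLENGTH)
        seen[p] = 1
    }
    /Receiving handshake response from peer|Sending handshake response to peer/ { hs[p]++ }
    /Failed to give packet to userspace from peer/ { drop[p]++ }
    END {
        for (p in seen) {
            v = "ok"
            if (hs[p] == 0)       v = "no-handshake"
            else if (drop[p] > 0) v = "tunnel-side-filter"
            printf "%s handshakes=%d dropped=%d verdict=%s\n", p, hs[p], drop[p], v
        }
    }' | sort
}

# Stand-alone run: show the rule fragment, then the per-peer summary.
gen_pve_wg_rules vmbr0 vpn-serv0 51820
sample_wg_log | summarize_wg_log
```

On a real host, feed `journalctl -k | grep 'wireguard: vpn-serv0'` into summarize_wg_log instead of the sample, and after editing host.fw run `pve-firewall compile` to see the generated iptables rules before they are applied. A peer reported as no-handshake needs the first rule (or a NAT/port fix on the other side); a peer reported as tunnel-side-filter already has a working transport and needs the second rule or its equivalent for whatever protocol is being dropped.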
