[SOLVED] WireGuard not working in Proxmox

[avalos]

I'm trying to expose my Proxmox 8 (within my home network) to the internet using an existing WireGuard server that I have (hosted in AWS), and I'm using an unprivileged LXC container for that. I've been trying for hours with no luck. The container is able to establish a handshake with the server, but it can't connect to the internet. I'm using a Debian 12 container, with wireguard-tools installed, firewall disabled, and IPv4 forwarding enabled.

It is worth pointing out that I have also tried configuring WireGuard directly in Proxmox, as well as running it inside a VM. If I can't get it to work in any possible way, then it means that something very terrible must be going on. Do I need any special routing/network configuration for WireGuard? Does it work for any of you?

Also, a similar config works flawlessly on my Raspberry Pi running Debian 12.

This is my WireGuard client config:

[Interface]
Address = 192.168.2.12/24
ListenPort = 21841
PrivateKey = <private_key>

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server>:51820
PersistentKeepAlive = 25

And this is my WireGuard server config:

[Interface]
Address = 192.168.2.1
PrivateKey = <private_key>
ListenPort = 51820

[Peer]
PublicKey = <public_key>
AllowedIPs = 192.168.2.12/32

And here's the handshake wonderfully succeeding:

root@wireguard:~# wg
interface: wg0
  public key: <public_key>
  private key: (hidden)
  listening port: 21841
  fwmark: 0xca6c

peer: <private_key>
  endpoint: <server>:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 36 seconds ago
  transfer: 92 B received, 212 B sent
  persistent keepalive: every 25 seconds

However, when I try to ping to the internet, I get no response:

root@wireguard:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

Here are some verbose tcpdump logs:

root@wireguard:~# tcpdump -vvv -niany udp port 21841 or host 192.168.2.12
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
04:34:35.210454 wg0   Out IP (tos 0x0, ttl 64, id 1382, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.12 > 1.1.1.1: ICMP echo request, id 37635, seq 85, length 64
04:34:35.210519 eth0  Out IP (tos 0x0, ttl 64, id 40528, offset 0, flags [none], proto UDP (17), length 156)
    192.168.1.39.21841 > <server>.51820: [bad udp cksum 0xd215 -> 0x2bc0!] UDP, length 128
04:34:36.234457 wg0   Out IP (tos 0x0, ttl 64, id 1444, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.12 > 1.1.1.1: ICMP echo request, id 37635, seq 86, length 64
04:34:36.234532 eth0  Out IP (tos 0x0, ttl 64, id 40732, offset 0, flags [none], proto UDP (17), length 156)
    192.168.1.39.21841 > <server>.51820: [bad udp cksum 0xd215 -> 0x9081!] UDP, length 128
04:34:37.258445 wg0   Out IP (tos 0x0, ttl 64, id 1550, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.12 > 1.1.1.1: ICMP echo request, id 37635, seq 87, length 64
04:34:37.258481 eth0  Out IP (tos 0x0, ttl 64, id 40928, offset 0, flags [none], proto UDP (17), length 156)
    192.168.1.39.21841 > <server>.51820: [bad udp cksum 0xd215 -> 0x4f4e!] UDP, length 128
04:34:38.098169 eth0  In  IP (tos 0x0, ttl 52, id 31159, offset 0, flags [none], proto UDP (17), length 60)
    <server>.51820 > 192.168.1.39.21841: [udp sum ok] UDP, length 32
04:34:38.282445 wg0   Out IP (tos 0x0, ttl 64, id 1704, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.12 > 1.1.1.1: ICMP echo request, id 37635, seq 88, length 64
04:34:38.282534 eth0  Out IP (tos 0x0, ttl 64, id 41094, offset 0, flags [none], proto UDP (17), length 156)
    192.168.1.39.21841 > <server>.51820: [bad udp cksum 0xd215 -> 0x69a0!] UDP, length 128

Any ideas on how to get it working?

 

[avalos]

Please ignore this thread. Turns out I only had to restart the WireGuard server.