bigmoby / addon-wireguard-client

Hassio Add-On Wireguard Client
MIT License

connecting to non-default wg port not possible #13

Closed northalpha closed 3 years ago

northalpha commented 3 years ago

Problem/Motivation

I am trying to set up wireguard-client on HA and connect to a WG server with a non-default port and no DNS name.

Config

interface:
  private_key: <privatekey>
  address: 10.0.0.10
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: <pubkey>
  pre_shared_key: ''
  endpoint: 5.6.7.8:1194
  allowed_ips:
    - 192.168.30.0/24
    - 192.168.100.0/24
    - 10.0.0.10/32
  persistent_keep_alive: '25'

wireguard-client Log

-----------------------------------------------------------
 Add-on: WireGuard Client
 Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
 Add-on version: 0.1.8
 You are running the latest version of this add-on.
 System: Home Assistant OS 6.6  (amd64 / qemux86-64)
 Home Assistant Core: 2021.11.5
 Home Assistant Supervisor: 2021.10.8
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[13:24:34] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[13:24:34] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.10/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

WG Server tcpdump

external IP: 1.2.3.4 (of course NAT behind home router), wg-server IP: 5.6.7.8, wg-server port: 1194

13:24:21.729857 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:27.169598 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:32.545867 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:37.921267 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:43.297880 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:48.417649 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:53.537629 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:58.657655 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:25:03.777850 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184

This setup is working perfectly fine using Ubuntu 20.04 (or something close to it) from the same network but a different VM.

Troubleshooting from inside container

root@fd24a922-wireguard-client:/$ nc -uvz 5.6.7.8 1194
5.6.7.8 (5.6.7.8:1194) open

config file looks correct:

root@fd24a922-wireguard-client:/$ cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <privatekey>
Address = 10.0.0.10/24
DNS = 8.8.8.8,8.8.4.4
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = <pubkey>
Endpoint = 5.6.7.8:1194
AllowedIPs = 192.168.30.0/24,192.168.100.0/24,10.0.0.10/32
PersistentKeepalive = 25

Expected behavior

Connection is possible

Actual behavior

wireguard-client is connecting to a different port, 42529

Steps to reproduce

Spawn a new WG server using a non-default port

Proposed changes

bigmoby commented 3 years ago

Hi @northalpha, thank you for reporting this issue, but there's no default port identified as 42529 for WireGuard. I could suspect some misconfiguration in your environment instead. Please try to uninstall, clean up all Docker detached images and reinstall this add-on again.

northalpha commented 3 years ago

Sorry for the confusion. This was done. After docker system prune and reinstalling the add-on I am having the same issue. The wrong UDP port seems to be a red herring; this was a keep-alive packet from another device.

I have restarted the wg-server to have a clean start.

I can invoke nc -uvz inside the container and see a single UDP packet arriving at the wg server on that port, but I do not see anything coming from the wg inside the container.

bigmoby commented 3 years ago

Hi @northalpha is this an emulated environment?

System: Home Assistant OS 6.6 (amd64 / qemux86-64)

If yes I suspect other kind of issue in your system because no other one reported this error.

northalpha commented 3 years ago

Yes, this is a VM on libvirt/KVM running HassOS. Just for the sake of my own ease of mind I tried the keys on my mobile and had to come to the conclusion that I had mixed up the keys from client/server.

Turns out: if you are using the correct keys, everything is working as expected. Now I have some internal routing issues, but this is none of your business. Thanks for this nice add-on and sorry for the noise!
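The thread ended on mixed-up client/server keys, which neither the add-on log nor tcpdump can show: a handshake initiation with the wrong keys is simply dropped by the server. The following checker is an added example, not code from the add-on or from anyone in this thread. It derives the public key from the client's PrivateKey the same way `wg pubkey` does (a pure-Python X25519, an assumption of this example, not something the add-on ships), and flags a wg0.conf whose peer PublicKey belongs to that same keypair, which is what happens when one side's key pair is pasted into both sections. It also rejects an Endpoint that is not host:port. The sample keys are the RFC 7748 section 6.1 test vectors and the sample config mirrors the wg0.conf above with placeholder values; none of it is from the reporter's system.

```python
"""Check a WireGuard client config for the mistake this issue ended on: client and server keys mixed up."""
import base64
import re

# X25519 (RFC 7748) in pure Python, enough to derive the public key `wg pubkey`
# prints. Not constant-time: for inspecting config files, not for real key agreement.
P25519 = 2**255 - 19

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: X25519(scalar, u)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64                    # clamp the scalar
    k = int.from_bytes(k, "little")
    u = int.from_bytes(u_bytes[:31] + bytes([u_bytes[31] & 127]), "little")
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        e = (aa - bb) % P25519
        da, cb = (x3 - z3) * a % P25519, (x3 + z3) * b % P25519
        x3, z3 = (da + cb) ** 2 % P25519, x1 * (da - cb) ** 2 % P25519
        x2, z2 = aa * bb % P25519, e * (aa + 121665 * e) % P25519
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P25519 - 2, P25519) % P25519).to_bytes(32, "little")

def key_bytes(b64_key: str) -> bytes:
    """Decode a base64 WireGuard key and insist on the 32-byte length."""
    raw = base64.b64decode(b64_key)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return raw

def public_key(private_key_b64: str) -> str:
    """Base64 public key for a base64 private key (what `wg pubkey` prints)."""
    return base64.b64encode(x25519(key_bytes(private_key_b64), (9).to_bytes(32, "little"))).decode()

def parse_wg_conf(text: str) -> dict:
    """Minimal wg-quick style parser: {'Interface': {...}, 'Peer': [{...}, ...]}."""
    conf, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                     # new section header
            current = {} if m.group(1) == "Peer" else conf.setdefault(m.group(1), {})
            if m.group(1) == "Peer":
                conf["Peer"].append(current)
        elif line and current is not None:        # Key = Value
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conf

ENDPOINT_RE = re.compile(r"^(\[[0-9a-fA-F:]+\]|[^\s:]+):(\d{1,5})$")

def check_client_conf(text: str, server_public_key=None) -> list:
    """Findings for a client config (empty list = nothing obvious). Passing the server's
    public key (`wg show` on the server) also catches a full swap of two valid keys."""
    conf = parse_wg_conf(text)
    if "PrivateKey" not in conf["Interface"]:
        return ["[Interface] has no PrivateKey"]
    own_pub, findings = public_key(conf["Interface"]["PrivateKey"]), []
    for i, peer in enumerate(conf["Peer"]):
        pub, ep = peer.get("PublicKey"), peer.get("Endpoint")
        if pub is None:
            findings.append(f"peer {i}: no PublicKey")
        elif pub == own_pub:
            findings.append(f"peer {i}: PublicKey belongs to our own PrivateKey "
                            "(same keypair on both sides, client/server keys mixed up)")
        elif server_public_key and pub != server_public_key:
            findings.append(f"peer {i}: PublicKey is not the server's public key")
        m = ENDPOINT_RE.match(ep) if ep else None
        if not m or not 1 <= int(m.group(2)) <= 65535:
            findings.append(f"peer {i}: Endpoint {ep!r} is not host:port")
    return findings

# Constructed sample keys: the RFC 7748 section 6.1 test vectors, not keys from the issue.
ALICE_PRIV = base64.b64encode(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
ALICE_PUB = base64.b64encode(bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
BOB_PRIV = base64.b64encode(bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
BOB_PUB = base64.b64encode(bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")).decode()

GOOD_CONF = f"""[Interface]
PrivateKey = {ALICE_PRIV}
Address = 10.0.0.10/24

[Peer]
PublicKey = {BOB_PUB}
Endpoint = 5.6.7.8:1194
AllowedIPs = 192.168.30.0/24,192.168.100.0/24
PersistentKeepalive = 25
"""
# Same file with our own public key pasted into [Peer]: the mistake behind this issue.
MIXED_UP_CONF = GOOD_CONF.replace(BOB_PUB, ALICE_PUB)

if __name__ == "__main__":
    print("our public key, compare with `wg show` on the server:", public_key(ALICE_PRIV))
    for name, conf in (("good", GOOD_CONF), ("mixed-up", MIXED_UP_CONF)):
        print(name, check_client_conf(conf) or ["ok"])
```

Run it against the real /etc/wireguard/wg0.conf from inside the container and compare the printed public key with the peer list of `wg show` on the server: if the server does not list that key, the server was given the wrong client key, and no amount of port or NAT debugging will produce a handshake. The same-keypair check only catches the case where one machine's pair landed in both sections; a full swap (server's private key on the client, client's public key under [Peer]) yields two valid but mismatched keys and is only detected by passing the server's real public key as `server_public_key`.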