bigmoby / addon-wireguard-client

Hassio Add-On Wireguard Client
MIT License

Unable to connect domain.duckdns.org, connection not made between client and server #26

Closed sginestrini closed 1 year ago

sginestrini commented 1 year ago

Problem/Motivation

Unable to establish a connection between client and server

Expected behavior

Establish a connection between server and client and connect from domain.duckdns.org

Actual behavior

This is what I get from the add-on's log:

INFO: Requesting current status from WireGuard Client...
interface: wg0
  public key: _public_keyB
  private key: (hidden)
  listening port: 52762
peer: public_keyA
  preshared key: (hidden)
  endpoint: IPv4:51820
  allowed ips: 10.50.138.0/24
  transfer: 0 B received, 17.63 KiB sent
  persistent keepalive: every 25 seconds

I never get any packets received. If I try to ping the client from the server I always get:

$ ping 10.50.138.2
PING 10.50.138.2 (10.50.138.2) 56(84) bytes of data.
From 10.50.138.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required

If I ping 10.50.138.0 or 10.50.138.1 from the client I get no response.

In the add-on I'm unable to set allowed_ips: 0.0.0.0. If I do that I receive this error:

sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system

like this, but I can't set allowed_ips: [] because I get the same error.

Steps to reproduce

I followed the whole guide with HA Core and it worked; then I retried it in HAOS with the add-on but didn't manage to get it working.

These are all the config files:

HAOS Addon

interface:
  private_key: _privatekeyA
  address: 10.50.138.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: _publickA
    pre_shared_key: _presharedKey 
    endpoint: domain.duckdns.com:51820
    allowed_ips:
      - 10.50.138.0/24
    persistent_keep_alive: "25"
log_level: debug

GC /etc/wireguard/configs/homeassistanthost.conf

[Interface]
PrivateKey = _privatekeyA
Address = 10.50.138.2/24
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = _publickA
PresharedKey = _presharedKey 
Endpoint = domain.duckdns.org:51820
AllowedIPs = 0.0.0.0/0, ::0/0

GC /etc/wireguard/wg0.conf

[Interface]
PrivateKey = _privatekeyB
Address = 10.50.138.1/24
MTU = 1420
ListenPort = 51820
### begin homeassistanthost ###
[Peer]
PublicKey = _publickB
PresharedKey = _presharedKey 
AllowedIPs = 10.50.138.2/32
### end homeassistanthost ###

I have configured port mapping on my router to redirect 51820 to my Raspberry Pi, as set up before for Core. I also tried to configure http.trusted_proxies in configuration.yaml but nothing changed.

I think I'm missing something else in the configuration... Thank you

bigmoby commented 1 year ago

Hi @sginestrini , both of these configurations

interface:
  private_key: _privatekeyA
  address: 10.50.138.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: _publickA
    pre_shared_key: _presharedKey 
    endpoint: domain.duckdns.com:51820
    allowed_ips:
      - 10.50.138.0/24
    persistent_keep_alive: "25"
log_level: debug

and

[Interface]
PrivateKey = _privatekeyB
Address = 10.50.138.1/24
MTU = 1420
ListenPort = 51820
### begin homeassistanthost ###
[Peer]
PublicKey = _publickB
PresharedKey = _presharedKey 
AllowedIPs = 10.50.138.2/32
### end homeassistanthost ###

appear to be correct. What's the GC /etc/wireguard/configs/homeassistanthost.conf config file? It's not useful for your purpose; you already have the add-on configuration. Please check the firewall section on Google Cloud (I suppose GC stands for it...) and your modem configuration too.

sginestrini commented 1 year ago

Hi @bigmoby, exactly, I used GC for Google Cloud.

GC /etc/wireguard/configs/homeassistanthost.conf is the original file from which /home/user/configs/homeassistanthost.conf was copied. I thought it was good to know; I don't know if it's a problem for allowed_ips to differ between this file and the config on the client.

The GC firewall is correctly configured with the commands

$ gcloud compute firewall-rules create wireguardrule --allow udp:51820
$ gcloud compute firewall-rules list


My modem configuration seems good (it is the same I used with HA Core, where it was working).

Do I need to set up http.trusted_proxies in configuration.yaml? Now it is disabled, but I also tried that by setting the IP of the GC server and/or the WireGuard server IPs.

Thanks

bigmoby commented 1 year ago

Hi @sginestrini, ok, GC seems to be fine. Have you tried to connect to your WireGuard master peer from your smartphone or any other device or PC? That way we could analyze the problem in the first half...

sginestrini commented 1 year ago

I've tried with my smartphone; it's working fine. The only difference in the config is the allowed_ips: on my smartphone it's set by default to 0.0.0.0/0, ::/0, as I had on HA Core. With these settings I'm seeing rx/tx data from the WireGuard app and from the Google Cloud wg clients. If I set allowed_ips to 10.50.138.0/24 they disappear, but I can still use the internet; from the log I can't see anything useful.

bigmoby commented 1 year ago

Please analyze the wg.conf created inside the add-on docker container, and check if it appears right... or wrong.

sginestrini commented 1 year ago

Same as the add-on config except for:

interface:
  private_key: pk
  address: 10.50.138.2/24

sginestrini commented 1 year ago

Problem found. It was my fault: I wrote duckdns.com instead of duckdns.org in the config of the add-on 🤭
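The root cause here was a transcription slip between the original .conf and the hand-typed add-on options, the kind of mismatch a mechanical cross-check catches before anyone stares at "0 B received". The following is an added example (not part of this thread or of the add-on): it parses the posted wg-quick files, constructed here with keys omitted, and checks them against the add-on options for endpoint agreement and for AllowedIPs routing in both directions.

```python
import ipaddress
# Constructed from the configs posted in this thread (keys omitted; tunnel 10.50.138.0/24).
SERVER_CONF = """[Interface]
Address = 10.50.138.1/24
### begin homeassistanthost ###
[Peer]
AllowedIPs = 10.50.138.2/32
"""
CLIENT_CONF = """[Interface]
Address = 10.50.138.2/24
[Peer]
Endpoint = domain.duckdns.org:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""
# Add-on options hand-transcribed from CLIENT_CONF, which is where the typo crept in.
ADDON_CFG = {"address": "10.50.138.2", "endpoint": "domain.duckdns.com:51820",
             "allowed_ips": ["10.50.138.0/24"]}
def parse_wg(text):
    """Parse a wg-quick style config into (interface, [peers]); '#' lines are comments."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers
def nets(spec):
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]
def check(server_conf, client_conf, addon):
    s_if, s_peers = parse_wg(server_conf)
    c_if, c_peers = parse_wg(client_conf)
    findings = []
    # 1. Transcription check: the add-on endpoint must equal the original .conf Endpoint.
    if addon["endpoint"] != c_peers[0]["Endpoint"]:
        findings.append(f"endpoint mismatch: add-on {addon['endpoint']} vs conf {c_peers[0]['Endpoint']}")
    # 2. Some server [Peer] must route the client's tunnel IP back through the tunnel.
    c_ip = ipaddress.ip_interface(c_if["Address"]).ip
    if not any(c_ip in n for p in s_peers for n in nets(p["AllowedIPs"])):
        findings.append(f"server: no peer AllowedIPs covers client {c_ip}")
    # 3. The client's AllowedIPs must send the server's tunnel IP into wg0.
    s_ip = ipaddress.ip_interface(s_if["Address"]).ip
    if not any(s_ip in n for n in nets(",".join(addon["allowed_ips"]))):
        findings.append(f"client: AllowedIPs do not cover server {s_ip}")
    return findings
```

Running `check(SERVER_CONF, CLIENT_CONF, ADDON_CFG)` reports only the endpoint mismatch; the AllowedIPs checks pass, which matches the thread's conclusion that the 10.50.138.0/24 setting was not the problem.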