Closed pipriles closed 4 years ago
Is your MTU in Windows correct? I'm not sure on your setup, but since my whole network goes through the tunnel all devices must be set to 1440 MTU (or 1420 in case of IPv6).
This is my setup:
client:
  listenAddr: "127.0.0.1:59401"
  dstAddr: "xxx.xxx.xxx.xxx:59402"
  writeTimeout: 10
  excludedInterfaces:
    - "eno1"
    - "wg0"
    - "lo"
    - "eth3"
    - "ifb0"
    - "ifb1"
    - "ifb4wg0"
    - "tun0"
  webManager:
    # The address to listen to. Leave it empty to disable the management webserver.
    listenAddr: "0.0.0.0:80"
    # The credentials to access the management interface. Leave them empty or omit them for no authentication.
    username: ""
    password: ""

[Interface]
PrivateKey =
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8
MTU = 1440
[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:59401
#PersistentKeepalive = 10

server:
  listenAddr: "0.0.0.0:59402"
  dstAddr: "127.0.0.1:59301"
  #clientTimeout: 15
  writeTimeout: -1

[Interface]
Address = 10.0.0.1/24
SaveConfig = false
MTU = 1440
DNS = 8.8.8.8, 1.1.1.1
ListenPort = 59301
PrivateKey =
PostUp = iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE; iptables -A FORWARD -o enp3s0 -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
[Peer]
PublicKey =
AllowedIPs = 10.0.0.2/24
Maybe check ip forwarding or allow firewall?
Not sure if there is any connectivity or activity when you try and connect, but if not maybe tweak more with keepalives in WG/engarde.
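A consistency check for an engarde + WireGuard pairing like the one above, added here as an example (not engarde's own code). It assumes the four constructed sample files embedded in the block, which mirror the posted setup with placeholder keys and the documentation address 203.0.113.10 in place of the real server, and it uses only the Python standard library. It checks the things this thread ended up turning on: that WireGuard's Endpoint points at engarde's local listener, that the engarde server forwards to the port WireGuard listens on, that both ends agree on MTU, that a loopback Endpoint is paired with a PersistentKeepalive, and that AllowedIPs entries do not carry host bits:

```python
import configparser
import ipaddress
import re

# Constructed sample configs modelled on the setup posted above; keys are
# placeholders and 203.0.113.10 is a documentation address, not a real server.
ENGARDE_CLIENT_YML = """\
client:
  listenAddr: "127.0.0.1:59401"
  dstAddr: "203.0.113.10:59402"
  writeTimeout: 10
"""
WG_CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
MTU = 1440
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:59401
#PersistentKeepalive = 10
"""
ENGARDE_SERVER_YML = """\
server:
  listenAddr: "0.0.0.0:59402"
  dstAddr: "127.0.0.1:59301"
  writeTimeout: -1
"""
WG_SERVER_CONF = """\
[Interface]
Address = 10.0.0.1/24
MTU = 1440
ListenPort = 59301
PrivateKey = <server-private-key>
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/24
"""


def parse_wg(text):
    """Parse a wg-quick style config: keys keep their case, '#' lines are comments."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Endpoint / AllowedIPs capitalised as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def yaml_value(text, key):
    """Read the first occurrence of a scalar key from the flat engarde.yml (no PyYAML needed)."""
    m = re.search(rf'^\s*{re.escape(key)}:\s*"?([^"\n]*)"?\s*$', text, re.M)
    return m.group(1) if m else None


def host_port(addr):
    """Split 'host:port'; assumes an IPv4 host, not a bracketed IPv6 literal."""
    host, port = addr.rsplit(":", 1)
    return host, port


def lint_setup(eng_client, wg_client, eng_server, wg_server):
    """Return a list of findings; an empty list means the four files agree."""
    findings = []
    c, s = parse_wg(wg_client), parse_wg(wg_server)

    # 1. WireGuard on the client must hand its packets to engarde's local listener.
    endpoint = c["Peer"].get("Endpoint", "")
    listen = yaml_value(eng_client, "listenAddr")
    if endpoint != listen:
        findings.append(f"client Endpoint {endpoint!r} != engarde client listenAddr {listen!r}")

    # 2. The engarde server must forward to the port the local WireGuard listens on.
    dst = yaml_value(eng_server, "dstAddr") or ""
    listen_port = s["Interface"].get("ListenPort")
    if not dst or host_port(dst)[1] != listen_port:
        findings.append(f"engarde server dstAddr {dst!r} does not target WireGuard ListenPort {listen_port!r}")

    # 3. Both tunnel ends should run the same MTU.
    if c["Interface"].get("MTU") != s["Interface"].get("MTU"):
        findings.append("MTU differs between client and server [Interface]")

    # 4. With engarde in front, the Endpoint is loopback; a keepalive makes the client
    #    start the handshake right away and keeps its endpoint fresh on the server.
    if endpoint and ipaddress.ip_address(host_port(endpoint)[0]).is_loopback \
            and "PersistentKeepalive" not in c["Peer"]:
        findings.append("client Endpoint is loopback (engarde) but PersistentKeepalive is not set")

    # 5. AllowedIPs with host bits set (10.0.0.2/24) routes a whole subnet to that
    #    peer; for a single peer the least-privilege entry is a /32.
    for side, cfg in (("client", c), ("server", s)):
        for net in cfg["Peer"].get("AllowedIPs", "").split(","):
            net = net.strip()
            if not net:
                continue
            try:
                ipaddress.ip_network(net, strict=True)
            except ValueError:
                findings.append(f"{side} AllowedIPs {net!r} has host bits set; use /32 for a single peer")
    return findings


if __name__ == "__main__":
    for finding in lint_setup(ENGARDE_CLIENT_YML, WG_CLIENT_CONF, ENGARDE_SERVER_YML, WG_SERVER_CONF):
        print("finding:", finding)
```

Run against the sample it reports exactly the two points that came up later in this thread: the commented-out keepalive and the /24 on the server's peer entry; uncommenting PersistentKeepalive and narrowing AllowedIPs to 10.0.0.2/32 makes the list empty.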
This is the output of netsh interface ipv4 show subinterfaces
       MTU  MediaSenseState    Bytes In   Bytes Out  Interface
----------  ---------------  ----------  ----------  -------------
4294967295                1           0     2233188  Loopback Pseudo-Interface 1
      1420                1           0      171369  Vultr-Miami
      1500                1  5355985089   469871889  Ethernet 2                   # Laptop that I use as WiFi adapter
      1500                1           0      411399  vEthernet (Default Switch)
      1500                1           0    13386510  vEthernet (DockerNAT)
      1500                2     1358024     1237265  Ethernet 3
      1500                1        1070        1034  Ethernet 4                   # USB Tethering
IP forwarding is set to 1 on the server and I did ufw allow 59402
so engarde is able to connect to the server.
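A small parser for the netsh table above, added as an example (not part of this thread or of engarde). It reads the subinterface rows, derives the largest tunnel MTU that fits the underlay without fragmentation from the WireGuard per-packet overhead (which is where the 1440 / 1420 figures quoted earlier come from), and compares that with the tunnel adapter's MTU and counters. The embedded sample is a constructed reproduction of the posted table with the inline annotations removed; the interface names "Vultr-Miami" (the tunnel) and "Ethernet 2" (the underlay) are taken from it.

```python
import re

# Constructed reproduction of the `netsh interface ipv4 show subinterfaces`
# table posted above (same columns and values, annotations removed).
NETSH_OUTPUT = """\
       MTU  MediaSenseState   Bytes In  Bytes Out  Interface
------  ---------------  ---------  ---------  -------------
4294967295                1          0     2233188  Loopback Pseudo-Interface 1
      1420                1          0      171369  Vultr-Miami
      1500                1 5355985089  469871889  Ethernet 2
      1500                1          0      411399  vEthernet (Default Switch)
      1500                1          0    13386510  vEthernet (DockerNAT)
      1500                2    1358024    1237265  Ethernet 3
      1500                1       1070       1034  Ethernet 4
"""

# Per-packet overhead a WireGuard tunnel adds on the underlay: the outer IP
# header, the UDP header and the 32-byte WireGuard data-message framing
# (4 type + 4 receiver index + 8 counter + 16 Poly1305 tag).
IP_HEADER = {4: 20, 6: 40}
UDP_HEADER = 8
WG_DATA_OVERHEAD = 32

# mtu, media state, bytes in, bytes out, then a name that may contain spaces.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_subinterfaces(text):
    """Turn the netsh table into dicts; the header and ruler lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            mtu, state, b_in, b_out, name = m.groups()
            rows.append({"name": name, "mtu": int(mtu), "media_state": int(state),
                         "bytes_in": int(b_in), "bytes_out": int(b_out)})
    return rows


def expected_tunnel_mtu(underlay_mtu, ip_version=4):
    """Largest tunnel MTU that never fragments on the underlay: 1440 (IPv4) or 1420 (IPv6) for 1500."""
    return underlay_mtu - IP_HEADER[ip_version] - UDP_HEADER - WG_DATA_OVERHEAD


def diagnose_tunnel(rows, tunnel_name, underlay_name, ip_version=4):
    """Compare the tunnel adapter's MTU with the underlay and note whether any reply traffic reached it."""
    by_name = {r["name"]: r for r in rows}
    tunnel, underlay = by_name[tunnel_name], by_name[underlay_name]
    limit = expected_tunnel_mtu(underlay["mtu"], ip_version)
    return {
        "tunnel_mtu": tunnel["mtu"],
        "max_safe_mtu": limit,
        "mtu_ok": tunnel["mtu"] <= limit,  # a larger value would fragment or be dropped
        "bytes_out": tunnel["bytes_out"],
        "bytes_in": tunnel["bytes_in"],
        # Packets leave but nothing ever comes back: that points at forwarding,
        # NAT or firewall on the far side rather than at the MTU.
        "replies_seen": tunnel["bytes_in"] > 0,
    }


if __name__ == "__main__":
    print(diagnose_tunnel(parse_subinterfaces(NETSH_OUTPUT), "Vultr-Miami", "Ethernet 2"))
```

On the sample the tunnel adapter's 1420 is below the 1440 ceiling for a 1500-byte IPv4 underlay, so the MTU is not the problem; what stands out instead is 171369 bytes sent on Vultr-Miami against 0 bytes received, i.e. nothing is coming back through the tunnel at all.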
Mhh. Do you see any high bandwidth activity on any interface? If you have connection sometimes it sounds like something is acting up.
How does ping look from Linux box to Linux box directly? Like ping -I wg0 10.200.200.1 or 10.200.200.2 from one end to the other?
Normally, if I don't connect the phone to the computer and I just use the laptop as my WiFi adapter, then I get:
ping 10.200.200.1
PING 10.200.200.1 (10.200.200.1) 56(84) bytes of data.
64 bytes from 10.200.200.1: icmp_seq=1 ttl=64 time=78.5 ms
64 bytes from 10.200.200.1: icmp_seq=2 ttl=64 time=76.7 ms
64 bytes from 10.200.200.1: icmp_seq=3 ttl=64 time=82.1 ms
64 bytes from 10.200.200.1: icmp_seq=4 ttl=64 time=76.5 ms
64 bytes from 10.200.200.1: icmp_seq=5 ttl=64 time=77.8 ms
^C
--- 10.200.200.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 76.597/78.374/82.160/2.054 ms
With the phone connected:
➜ VPN ping 10.200.200.1
PING 10.200.200.1 (10.200.200.1) 56(84) bytes of data.
64 bytes from 10.200.200.1: icmp_seq=1 ttl=64 time=109 ms
64 bytes from 10.200.200.1: icmp_seq=2 ttl=64 time=111 ms
64 bytes from 10.200.200.1: icmp_seq=3 ttl=64 time=106 ms
64 bytes from 10.200.200.1: icmp_seq=4 ttl=64 time=107 ms
64 bytes from 10.200.200.1: icmp_seq=5 ttl=64 time=107 ms
64 bytes from 10.200.200.1: icmp_seq=6 ttl=64 time=103 ms
64 bytes from 10.200.200.1: icmp_seq=7 ttl=64 time=107 ms
^C
--- 10.200.200.1 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6005ms
rtt min/avg/max/mdev = 103.842/107.591/111.168/2.095 ms
Well now, the server does not detect the client when I connect to the tunnel :(
[EDIT]
Ok, when I add PersistentKeepalive = 25 to the WireGuard client config file, the server detects the client the moment that I connect:
But the Last received packet keeps increasing and never goes to 0 again... And I can't ping the IPs that I put on allowedIPs ...
Mhh... smelling some weird firewall/nat stuff going on maybe... Just a hunch.
Any luck?
I don't know I tried several times but no luck ...
Hello, sorry to reach you so late but I disabled issue mail notifications by mistake :/
Are you using the official Windows WireGuard client? I've seen it doesn't like it when you put 127.0.0.1 as endpoint. I'm trying to get in touch with them about this issue, since the official Linux and Mac clients work flawlessly in the same situation, so I'll let you know as soon as I have updates.
In the meantime, please give it a try with another client such as TunSafe: that's what I use on Windows with engarde and it works without issues.
Please let me know if this solves it for you :)
Thanks and sorry again ;)
Thank you for your answer, I'll let you know if it worked.
Hello @pipriles, did that work for you? Thanks!
Hello @pipriles, I'm closing this issue since I assume you solved it. Please feel free to open it again if this is not the case! Thanks
I am sorry I didn't test before, I tried with TunSafe and now it works.
Thank you for your help.
Hello, I was trying to test engarde but I can't manage to get it to work:
This is my WireGuard server config file:
And this is my WireGuard client config file:
And this is my engarde.yml:
Without engarde I can ping my server at 10.200.200.1, but when I set the Endpoint to 127.0.0.1:59401 I can no longer ping it. Sometimes the server detects the client addresses, but I have to reset my WireGuard client and the engarde client multiple times for some reason... I am currently using Windows, but I don't believe that is the issue here. Is there something that I missed in my setup? I want to tunnel everything through WireGuard, but when I change AllowedIPs to 0.0.0.0/0 I lose my internet connection. Sorry for my noob question, I am kind of new to WireGuard.
Anyway, thanks for your effort making this program; I wanted to do something similar but then I discovered this.