porech / engarde

A go network utility to create a reliable IP tunnel over multiple connections
GNU General Public License v2.0

Client time out #31

Closed pipriles closed 4 years ago

pipriles commented 4 years ago

Hello, I was trying to test engarde but I can't manage to get it work:

root@vultr:~# ./engarde-server 
engarde-server ver. 816a73e (master)
INFO[0000] Listening on 0.0.0.0:59402                   
INFO[0000] Management webserver listening on 0.0.0.0:9001 
INFO[0052] New client connected: 'xxx.xxx.xxx.xxx:57702' 
INFO[0052] New client connected: 'xxx.xxx.xxx.xxx:20084'   
INFO[0102] Client 'xxx.xxx.xxx.xxx:57702' timed out     
INFO[0102] Client 'xxx.xxx.xxx.xxx:20084' timed out 

This is my WireGuard server config file:

[Interface]
Address = 10.200.200.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820
PrivateKey = xxx

[Peer]
PublicKey = xxx
AllowedIPs = 10.200.200.2/32

And this is my WireGuard client config file:

[Interface]
PrivateKey = xxx
Address = 10.200.200.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = xxx
AllowedIPs = 10.200.200.0/24
Endpoint = 127.0.0.1:59401
PersistentKeepalive = 25

And this is my engarde.yml:

client:
    listenAddr: "127.0.0.1:59401"
    dstAddr: "xxx.xxx.xxx.xxx:59402"
    excludedInterfaces:
        - "Ethernet 3"
        - "Vultr-Miami"
        - "vEthernet (DockerNAT)"
        - "vEthernet (Default Switch)"
        - "Loopback Pseudo-Interface 1"
    webManager:
        listenAddr: "0.0.0.0:9001"
        username: "engarde"
        password: "engarde"

server:
    listenAddr: "0.0.0.0:59402"
    dstAddr: "127.0.0.1:51820"
    clientTimeout: 30
    webManager:
        listenAddr: "0.0.0.0:9001"
        username: "engarde"
        password: "engarde"

Without engarde I can ping my server at 10.200.200.1, but when I set the Endpoint to 127.0.0.1:59401 I can no longer ping it. Sometimes the server detects the client addresses, but I have to reset my WireGuard client and the engarde client multiple times for some reason... I am currently using Windows, but I don't believe that is the issue here. Is there something that I missed in my setup? I want to tunnel everything through WireGuard, but when I change AllowedIPs to 0.0.0.0/0 I lose my internet connection.

Sorry for my noob question I am kind of new to WireGuard.

Anyway, thanks for your effort making this program. I wanted to do something similar, but then I discovered this.
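The three files in the report above form a chain (WireGuard client -> engarde client -> engarde server -> WireGuard server) whose ports have to line up. The cross-check below is an added example, not code from engarde or from anyone in the thread; it parses only the flat YAML subset engarde.yml uses, reads the WireGuard configs with the standard INI parser, and the sample inputs are constructed (203.0.113.5 stands in for the real server address).

```python
import configparser

def parse_engarde_yml(text):
    """Parse the indented key/value and '- item' subset of YAML that engarde.yml uses."""
    holder = {"root": {}}
    stack = [(-1, holder, "root")]  # (indent, container, key) of the node being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments such as "#clientTimeout: 15"
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while indent <= stack[-1][0]:  # a dedent closes the open node(s)
            stack.pop()
        (_, container, key), body = stack[-1], line.strip()
        if body.startswith("- "):  # list item, e.g. an excludedInterfaces entry
            container[key] = (container[key] or []) + [body[2:].strip().strip('"')]
            continue
        k, _, v = (part.strip().strip('"') for part in body.partition(":"))
        node = container[key] = container[key] or {}
        node[k] = None if v == "" else (int(v) if v.lstrip("-").isdigit() else v)
        stack.append((indent, node, k))
    return holder["root"]

def parse_wg_conf(text):  # WireGuard .conf is INI; keep key case, no '%' interpolation (PostUp uses %i)
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_setup(engarde_yml, wg_client_conf, wg_server_conf):
    """Findings on the chain WireGuard client -> engarde client -> engarde server -> WireGuard server."""
    eg, c, s = parse_engarde_yml(engarde_yml), parse_wg_conf(wg_client_conf), parse_wg_conf(wg_server_conf)
    port = lambda addr: addr.rsplit(":", 1)[1]
    keepalive, timeout = int(c["Peer"].get("PersistentKeepalive", 0)), eg["server"].get("clientTimeout")
    checks = [
        (c["Peer"].get("Endpoint") != eg["client"]["listenAddr"], "endpoint: WireGuard Endpoint != engarde client listenAddr"),
        (port(eg["client"]["dstAddr"]) != port(eg["server"]["listenAddr"]), "dstaddr: engarde client dstAddr port != server listenAddr port"),
        (port(eg["server"]["dstAddr"]) != s["Interface"].get("ListenPort"), "listenport: engarde server dstAddr port != WireGuard ListenPort"),
        # keepalives must arrive more often than clientTimeout, or the server logs 'Client ... timed out'
        (not keepalive or (timeout and keepalive >= timeout), "keepalive: PersistentKeepalive missing or not below clientTimeout"),
        ("MTU" not in c["Interface"], "mtu: WireGuard client MTU not set (the thread used 1440)"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample in the thread's layout; 203.0.113.5 is a documentation placeholder address.
SAMPLE_YML = ('client:\n    listenAddr: "127.0.0.1:59401"\n    dstAddr: "203.0.113.5:59402"\n    excludedInterfaces:\n'
              '        - "Loopback Pseudo-Interface 1"\nserver:\n    listenAddr: "0.0.0.0:59402"\n    dstAddr: "127.0.0.1:51820"\n    clientTimeout: 30\n')
SAMPLE_WG_CLIENT = ("[Interface]\nPrivateKey = xxx\nAddress = 10.200.200.2/24\n[Peer]\nPublicKey = xxx\n"
                    "AllowedIPs = 10.200.200.0/24\nEndpoint = 127.0.0.1:59401\nPersistentKeepalive = 25\n")
SAMPLE_WG_SERVER = "[Interface]\nAddress = 10.200.200.1/24\nListenPort = 51820\nPostUp = iptables -A FORWARD -i %i -j ACCEPT\n[Peer]\nPublicKey = xxx\n"
```

Run `check_setup(SAMPLE_YML, SAMPLE_WG_CLIENT, SAMPLE_WG_SERVER)` to get the list of findings; an empty list means the port chain lines up.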

Marctraider commented 4 years ago

Is your MTU in Windows correct? I'm not sure about your setup, but since my whole network goes through the tunnel, all devices must be set to 1440 MTU (or 1420 in case of IPv6).

This is my setup:

client:
  listenAddr: "127.0.0.1:59401"
  dstAddr: "xxx.xxx.xxx.xxx:59402"
  writeTimeout: 10
  excludedInterfaces:
    - "eno1"
    - "wg0"
    - "lo"
    - "eth3"
    - "ifb0"
    - "ifb1"
    - "ifb4wg0"
    - "tun0"
  webManager:
    # The address to listen to. Leave it empty to disable the management webserver.
    listenAddr: "0.0.0.0:80"
    # The credentials to access the management interface. Leave them empty or omit them for no authentication.
    username: ""
    password: ""

[Interface]
PrivateKey = 
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8
MTU = 1440

[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:59401
#PersistentKeepalive = 10

server:
  listenAddr: "0.0.0.0:59402"
  dstAddr: "127.0.0.1:59301"
  #clientTimeout: 15
  writeTimeout: -1

[Interface]
Address = 10.0.0.1/24
SaveConfig = false
MTU = 1440
DNS = 8.8.8.8, 1.1.1.1
ListenPort = 59301
PrivateKey = 
PostUp = iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE; iptables -A FORWARD -o enp3s0 -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey =
AllowedIPs = 10.0.0.2/24

Maybe check ip forwarding or allow firewall?

Not sure if there is any connectivity or activity when you try and connect, but if not maybe tweak more with keepalives in WG/engarde.

pipriles commented 4 years ago

This is the output of netsh interface ipv4 show subinterfaces:

   MTU  MediaSenseState   Bytes In  Bytes Out  Interface
------  ---------------  ---------  ---------  -------------
4294967295                1          0    2233188  Loopback Pseudo-Interface 1
  1420                1          0     171369  Vultr-Miami
  1500                1  5355985089  469871889  Ethernet 2 # Laptop that I use as WiFi adapter
  1500                1          0     411399  vEthernet (Default Switch)
  1500                1          0   13386510  vEthernet (DockerNAT)
  1500                2    1358024    1237265  Ethernet 3
  1500                1       1070       1034  Ethernet 4 # USB Tethering

pipriles commented 4 years ago

IP forwarding is set to 1 on the server and I did ufw allow 59402 so engarde is able to connect to the server.

Marctraider commented 4 years ago

Mhh. Do you see any high bandwidth activity on any interface? If you only have a connection sometimes, it sounds like something is acting up.

How does ping look from Linux to Linux box directly? Like ping -I wg0 10.200.200.1 or 10.200.200.2 from one end to the other?

pipriles commented 4 years ago

Normally, if I don't connect the phone to the computer and just use the laptop as my WiFi adapter, then I get:

ping 10.200.200.1
PING 10.200.200.1 (10.200.200.1) 56(84) bytes of data.
64 bytes from 10.200.200.1: icmp_seq=1 ttl=64 time=78.5 ms
64 bytes from 10.200.200.1: icmp_seq=2 ttl=64 time=76.7 ms
64 bytes from 10.200.200.1: icmp_seq=3 ttl=64 time=82.1 ms
64 bytes from 10.200.200.1: icmp_seq=4 ttl=64 time=76.5 ms
64 bytes from 10.200.200.1: icmp_seq=5 ttl=64 time=77.8 ms
^C
--- 10.200.200.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 76.597/78.374/82.160/2.054 ms

With the phone connected:

➜  VPN ping 10.200.200.1
PING 10.200.200.1 (10.200.200.1) 56(84) bytes of data.
64 bytes from 10.200.200.1: icmp_seq=1 ttl=64 time=109 ms
64 bytes from 10.200.200.1: icmp_seq=2 ttl=64 time=111 ms
64 bytes from 10.200.200.1: icmp_seq=3 ttl=64 time=106 ms
64 bytes from 10.200.200.1: icmp_seq=4 ttl=64 time=107 ms
64 bytes from 10.200.200.1: icmp_seq=5 ttl=64 time=107 ms
64 bytes from 10.200.200.1: icmp_seq=6 ttl=64 time=103 ms
64 bytes from 10.200.200.1: icmp_seq=7 ttl=64 time=107 ms
^C
--- 10.200.200.1 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6005ms
rtt min/avg/max/mdev = 103.842/107.591/111.168/2.095 ms

pipriles commented 4 years ago

Well now, the server does not detect the client when I connect to the tunnel :(

[EDIT] Ok, when I add the PersistentKeepalive = 25 to the WireGuard client config file the server detects the client just the moment that I connect:

image

But the "Last received packet" counter keeps increasing and never goes back to 0... And I can't ping the IPs that I put in AllowedIPs ...

Marctraider commented 4 years ago

Mhh... smelling some weird firewall/nat stuff going on maybe... Just a hunch.

Any luck?

pipriles commented 4 years ago

I don't know I tried several times but no luck ...

ale-rinaldi commented 4 years ago

Hello, sorry to reach you so late but I disabled issue mail notifications by mistake :/

Are you using the official Windows WireGuard client? I've seen it doesn't like it when you put 127.0.0.1 as the endpoint. I'm trying to get in touch with them about this issue, since the official Linux and Mac clients work flawlessly in the same situation, so I'll let you know as soon as I have updates.

In the meantime, please give it a try with another client such as TunSafe: that's what I use on Windows with engarde, and it works without issues.

Please let me know if this solves it for you :)

Thanks and sorry again ;)

pipriles commented 4 years ago

Thank you for your answer, I'll let you know if it worked.

ale-rinaldi commented 4 years ago

Hello @pipriles, did that work for you? Thanks!

ale-rinaldi commented 4 years ago

Hello @pipriles, I'm closing this issue since I assume you solved it. Please feel free to open it again if this is not the case! Thanks

pipriles commented 4 years ago

I am sorry I didn't test it before; I tried with TunSafe and now it works.

Thank you for your help.