VPN

Tiamon, 2020-10-01 01:23:37

WireGuard no ping from client to server Destination Host Unreachable why?

I can't figure out what the problem is, I've tried everything.

Virtual server on hetzner.cloud, Ubuntu Server 20
WireGuard

/etc/wireguard/wg0.conf

[Interface]
Address = 192.168.2.0/24
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey = ***
AllowedIPs = 192.168.2.5/32


Network

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 95.****  netmask 255.255.255.255  broadcast 95.217.216.27
        inet6 ****  prefixlen 64  scopeid 0x0<global>
        inet6 f****  prefixlen 64  scopeid 0x20<link>
        ether ****  txqueuelen 1000  (Ethernet)
        RX packets 2628633  bytes 267355939 (267.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2868851  bytes 2423794900 (2.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 95.****  netmask 255.255.255.255  broadcast 0.0.0.0
        ether ****  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 143389020  bytes 300907498907 (300.9 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 143389020  bytes 300907498907 (300.9 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1360
        inet 192.168.2.0  netmask 255.255.255.0  destination 192.168.2.0
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 25  bytes 1264 (1.2 KB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 11  bytes 1376 (1.3 KB)
        TX errors 7  dropped 0 overruns 0  carrier 0  collisions 0


Routes

routel
         target            gateway          source    proto    scope    dev tbl
        default         172.31.1.1                                     eth0
     172.31.1.1                                                 link   eth0
   192.168.2.0/ 24                     192.168.2.0   kernel     link    wg0
   95.**8              local    95.**8   kernel     host   eth0 local
  95.**7              local   95.**7   kernel     host   eth0 local
  95.**7          broadcast   95.**7   kernel     link   eth0 local
      127.0.0.0          broadcast       127.0.0.1   kernel     link     lo local
     127.0.0.0/ 8            local       127.0.0.1   kernel     host     lo local
      127.0.0.1              local       127.0.0.1   kernel     host     lo local
127.255.255.255          broadcast       127.0.0.1   kernel     link     lo local
    192.168.2.0              local     192.168.2.0   kernel     host    wg0 local
    192.168.2.0          broadcast     192.168.2.0   kernel     link    wg0 local
  192.168.2.255          broadcast     192.168.2.0   kernel     link    wg0 local
            ::1              local                   kernel              lo
2**4::/ 64                                   kernel            eth0
        fe80::/ 64                                   kernel            eth0
        default            fe80::1                                     eth0
            ::1              local                   kernel              lo local
2**4::1              local                   kernel            eth0 local
fe**c              local                   kernel            eth0 local
        ff00::/ 8                                                      eth0 local
        ff00::/ 8


IPTables

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# 
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 2.****.2 -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport 51820 -j ACCEPT
#
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
COMMIT
#



The client is more complicated: it is a home network router on Ubuntu Server 20

WireGuard

[Interface]
PrivateKey = ****
Address = 192.168.2.5/32

[Peer]
PublicKey = *****
Endpoint = 95.****7:51820
AllowedIPs = 192.168.2.0/24
PersistentKeepalive = 20


Network

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.*.*.*  netmask 255.255.255.192  broadcast 10.*.*.255
        inet6 fe80::***3  prefixlen 64  scopeid 0x20<link>
        ether ****  txqueuelen 1000  (Ethernet)
        RX packets 19271715  bytes 11632872490 (11.6 GB)
        RX errors 0  dropped 14715  overruns 0  frame 0
        TX packets 34385445  bytes 22939419548 (22.9 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enxd03745808a81: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::d237:45ff:fe80:8a81  prefixlen 64  scopeid 0x20<link>
        ether d0:37:45:80:8a:81  txqueuelen 1000  (Ethernet)
        RX packets 3479852  bytes 447509307 (447.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5774541  bytes 6861799687 (6.8 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 113657  bytes 13774350 (13.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 113657  bytes 13774350 (13.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1456
        inet 2***2  netmask 255.255.255.255  destination 1***7
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 15995507  bytes 10613692732 (10.6 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34373520  bytes 21151140776 (21.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1376
        inet 192.168.2.5  netmask 255.255.255.255  destination 192.168.2.5
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 18  bytes 2020 (2.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 89  bytes 4796 (4.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


enxd03745808a81 faces the local network
enp2s0 goes to the provider
the Internet connection is via the L2TP interface ppp0

Network settings

# This is the network config written by 'subiquit
network:
  ethernets:
    enp2s0:
      addresses:
      - 10.*.*.*/26
      gateway4: 10.*.*.*
      dhcp4: false
      nameservers:
        addresses:
        - *.*.*.*
        - *.*.*.*
      routes:
        - to: 192.168.149.0/24
          via: 10.*.*.*
    enxd03745808a81:
      addresses:
      - 192.168.1.1/24
      dhcp4: false
      nameservers:
        addresses:
        - 8.8.8.8
        - 8.8.4.4
        search: [home]
  version: 2



Continued in the comment; it did not fit into the post because of the length limit

ip_forward is enabled on both machines

From the server, the client pings; from the client, the server pings:

# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
From 192.168.2.0 icmp_seq=1 Destination Host Unreachable
From 192.168.2.0 icmp_seq=2 Destination Host Unreachable
From 192.168.2.0 icmp_seq=3 Destination Host Unreachable
From 192.168.2.0 icmp_seq=4 Destination Host Unreachable
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms


This is the fourth day I cannot deal with this nonsense; it seems I have tried everything. Apparently my eyes are blurry; I hope for your help.

1 answer(s)
Tiamon, 2020-10-03
@Tiamon

I figured it out myself. The error was in the config on the server.
It was:

[Interface]
Address = 192.168.2.0/24

Should be:

[Interface]
Address = 192.168.2.1/24

Well, nat should also have:
-A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o wg+ -j MASQUERADE

or
-A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j SNAT --to-source 2***2
-A POSTROUTING -s 192.168.1.0/24 -o wg+ -j SNAT --to-source "the client's local address, in my case 192.168.2.5"
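As an added example (not code from the thread or from WireGuard itself), the following Python script parses a wg-quick style config like the server config above, flags an Address that is the subnet's network address, and resolves a destination the way WireGuard's cryptokey routing does: the interface's own address is local, otherwise the peer with the longest matching AllowedIPs prefix wins, and with no match the kernel answers Destination Host Unreachable, which is exactly the output in the question. The two embedded configs are constructed from the question's server config with keys redacted; the function names are my own.

```python
"""Check a wg-quick style WireGuard config for the address mistake seen in this
thread and show how WireGuard's cryptokey routing would treat a destination."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Section = Dict[str, List[str]]

# Constructed sample: the server config as posted in the question (keys redacted).
# The Address is the subnet's network address, 192.168.2.0, not a host address.
BROKEN_SERVER_CONF = """\
[Interface]
Address = 192.168.2.0/24
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey = ***
AllowedIPs = 192.168.2.5/32
"""

# Constructed sample: the same config with the fix from the answer applied.
FIXED_SERVER_CONF = BROKEN_SERVER_CONF.replace("192.168.2.0/24", "192.168.2.1/24")


def parse_wg_conf(text: str) -> Tuple[Section, List[Section]]:
    """Split a config into the [Interface] section and a list of [Peer] sections.
    Values are stored as lists: Address and AllowedIPs may repeat or be comma-separated."""
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
    return interface, peers


def check_addresses(text: str) -> List[str]:
    """Return findings about the [Interface] Address values; an empty list means OK."""
    findings: List[str] = []
    interface, _ = parse_wg_conf(text)
    for addr in interface.get("Address", []):
        iface = ipaddress.ip_interface(addr)
        net = iface.network
        if net.prefixlen >= net.max_prefixlen - 1:
            continue  # /31, /32 and IPv6 /127, /128 have no reserved addresses
        if iface.ip == net.network_address:
            findings.append(
                f"{addr} is the network address of {net}; use a host address "
                f"such as {net.network_address + 1}/{net.prefixlen}")
        elif iface.ip == net.broadcast_address:
            findings.append(f"{addr} is the broadcast address of {net}")
    if not interface.get("Address"):
        findings.append("no Address in [Interface]")
    return findings


def resolve_destination(text: str, dst: str) -> Optional[str]:
    """Mimic how the kernel treats a packet to dst on this WireGuard interface:
    'local' if dst is the interface's own address, 'peer N' for the peer whose
    AllowedIPs has the longest matching prefix, None if no peer matches (the
    kernel then answers with ICMP Destination Host Unreachable)."""
    interface, peers = parse_wg_conf(text)
    target = ipaddress.ip_address(dst)
    if any(ipaddress.ip_interface(a).ip == target for a in interface.get("Address", [])):
        return "local"
    best: Optional[Tuple[int, int]] = None  # (prefix length, peer index)
    for idx, peer in enumerate(peers, start=1):
        for allowed in peer.get("AllowedIPs", []):
            net = ipaddress.ip_network(allowed, strict=False)
            if target in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, idx)
    return None if best is None else f"peer {best[1]}"


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SERVER_CONF), ("fixed", FIXED_SERVER_CONF)):
        print(label, check_addresses(conf), resolve_destination(conf, "192.168.2.1"))
```

Run against the broken config, 192.168.2.1 matches neither the interface address nor any peer's AllowedIPs, so the ping from the client is bounced back as unreachable; with Address = 192.168.2.1/24 the same destination resolves to local and the server answers. The client's AllowedIPs of 192.168.2.0/24 is what sends the packet to the server in the first place, so the two configs have to agree on which host actually owns 192.168.2.1.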
