No TCP for connected VPN clients (just ICMP)

Hey,
I'll specify the problem and hope that it is clear now.
After some tries, settings changes and looking at the logs:

I get connection to the wireguard and see the connected client.
But if I look at the connection logs of my firewall (all rules are set) I see that the VPN client connects to the websites via ICMP, not TCP 80 or 443. So all connections from the client are ICMP and are dropped.

So something goes wrong within the Brume 2. Maybe I set wrong IPs or something like that?

Brume 2: 10.1.1.2 (start and end of the private network: 10.1.1.3 to 10.1.1.33)
Wireguard-Server: 10.1.1.2/24
connected client: 10.1.1.3

Should the LAN IP address be different to the wireguard server IP?
Should I set the WG server to 10.0.0.1 or something like that and leave the Brume 2 on 10.1.1.2?

I can update Brume 2 (4.2.1) and install plugins, so the Brume itself has internet connection and is not somehow blocked. Just the client can not use TCP connections to websites.

I tried to set MTU to 1380, but the issue stays.

Cheers
glineter

Yes, the LAN ip and VPN subnets should be set to two different subnets, for example, the LAN set to 192.168.8.1 and the VPN set to 10.0.0.1.


OK, but if I set LAN to 10.1.1.1 and VPN to 10.0.0.1 I get no connection. Why is that?

  • wg show
  • netstat -natp
  • traceroute ipecho.net
  • route -ne
  • logread
  • curl http://ipecho.net/plain && echo

where should I do it?

You’ll want to SSH into your router. Those commands will give you a little more details than the GL GUI provides.

More on topic: someone else has similar trouble recently:

wg show:
interface and peer are running.
Peer allowed IPs 10.0.0.3/32

netstat -natp:
several listen (10.1.1.2:53, 10.0.0.2:53)
established connection from this laptop to 10.1.1.2:22

traceroute:
works from the IP of the DMZ in the ipfire to the ISP router to the internet

route -ne:
destination gateway genmask flags
0.0.0.0 10.1.1.1 (DMZ) 0.0.0.0 UG
10.1.1.0 (?) 0.0.0.0 255.255.255.0 U

logread:
don’t really know, what should I look for

curl http://ipecho.net/plain && echo:
gives me some IP address

By the way, I can not ping the smartphone client connected to the wireguard via ssh in the Brume2

That’d be your public facing IP. It should be the same as seen @ ipleak.net .

The device may reject all incoming packets by default. I’d try pinging another computer/laptop on your LAN instead. You should be able to disable any firewall on it easily… as one less thing to get in the way of troubleshooting

It’s a good way to check everything logged but yeah, it can be a bit verbose. You can filter msgs. Eg: I use the GL GUI’s DNS over HTTPS (DOH) feature. It is provided by dnscrypt-proxy2. So logread -e "dnscrypt-proxy" gives me the output I’m looking for.

Can you post your wg show output, in full? Here’s what my VPN Client on a Slate AX shows connected to Surfshark:

root@GL-AXT1800:~# wg show
interface: wgclient
  public key: [redacted]=
  private key: (hidden)
  listening port: 32

peer: [redacted]=
  endpoint: 37.19.211.7:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 49 seconds ago
  transfer: 1.69 GiB received, 503.36 MiB sent
  persistent keepalive: every 25 seconds

(I would point out that, in WG, it is a misnomer to call it a ‘client/server’ architecture. It really is all just peer-to-peer but I agree w/ GL that it’s easier for people to understand client/server as if it was similar to OpenVPN.)

yes, it is.

I can ping the firewall interface in the internal network, which serves as DNS

I can not copy between the VMs I use now using the terminal. I type just the things that differ in relevant way.
wg show:
interface: wgserver
fwmark: 0x80000

peer:
endpoint: IP of the client
allowed IPs: 10.0.0.3/32
latest handshake: 1 hour ago (I tested it at that time).

So maybe the problem is "allowed IPs". The IP of the client is 10.0.0.3, but it should connect to other subnets.

Edit: but if I look at the settings of the client, I see allowed IPs 0.0.0.0/0. So that's strange. 10.0.0.3/32 is set as the IP of the client. Allowed IPs is set to 0.0.0.0/0. But wg show shows 10.0.0.3/32 as allowed IPs.

But if I connect with the smartphone now, I can not see “connected client” in the VPN dashboard. I just see “1 connected client (0 online)”

No, it’s not. That’d be the default setting to route on the device everything through WG.

I’d really be tempted to just strip down/delete the existing WG Server/Client setup & follow along from GL’s GUI based defaults. We know it works.

I can not copy between the VMs I use now using the terminal.

Off topic but if you use Windows, MobaXterm Home Edition is excellent for that ability (< ctrl > + < shift > + < c/v > ). It has integrated SCP/SFTP support, too. It’s freeware.
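As an added illustration of the two points made in this thread (the LAN and VPN subnets must not overlap, and the allowed IPs shown by `wg show` on the server is the peer's /32 while the 0.0.0.0/0 in the client's own config is the client's route selector), here is a small Python checker. It is not code from GL.iNet or from anyone in this thread; the `wg show` text, keys and addresses it parses are constructed samples, and the LAN and VPN prefixes are passed in as arguments because `wg show` does not print interface addresses.

```python
import ipaddress

# Constructed sample of server-side `wg show` output (placeholder keys,
# documentation-range endpoint; not captured from any real device).
SAMPLE_WG_SHOW = """\
interface: wgserver
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820
  fwmark: 0x80000

peer: PEER_PUBLIC_KEY_PLACEHOLDER=
  endpoint: 203.0.113.10:41641
  allowed ips: 10.0.0.3/32
  latest handshake: 1 hour, 2 minutes ago
  transfer: 1.23 MiB received, 4.56 MiB sent
"""


def parse_wg_show(text):
    """Parse `wg show` output into (interface_name, list_of_peers).

    Each peer is a dict holding its public key, its allowed-ips parsed as
    ipaddress networks, and every other field as a raw string.
    """
    iface, peers, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "interface":
            iface, current = value, None          # interface block: no peer yet
        elif key == "peer":
            current = {"public_key": value, "allowed_ips": []}
            peers.append(current)
        elif current is not None and key == "allowed ips":
            current["allowed_ips"] = [
                ipaddress.ip_network(p.strip()) for p in value.split(",")
            ]
        elif current is not None:
            current[key] = value                  # endpoint, handshake, transfer, ...
    return iface, peers


def check_topology(lan_cidr, vpn_cidr, peers):
    """Return a list of problems; an empty list means the layout is consistent.

    lan_cidr / vpn_cidr are the router's own addresses with prefix length,
    e.g. "192.168.8.1/24" and "10.0.0.1/24" (the values suggested above).
    """
    lan_if = ipaddress.ip_interface(lan_cidr)
    vpn_if = ipaddress.ip_interface(vpn_cidr)
    lan, vpn = lan_if.network, vpn_if.network
    problems = []
    if lan.overlaps(vpn):
        problems.append(
            f"LAN {lan} overlaps VPN {vpn}: the router cannot tell which "
            f"interface owns an address, so replies to VPN clients go astray"
        )
    for peer in peers:
        name = peer["public_key"]
        for net in peer["allowed_ips"]:
            if net.prefixlen == 0:
                # 0.0.0.0/0 belongs in the *client's* config (send everything into
                # the tunnel); on the server it would route all traffic to one peer.
                problems.append(f"peer {name}: default route set as allowed-ips on the server side")
            elif net.version != vpn.version or not net.subnet_of(vpn):
                problems.append(f"peer {name}: allowed-ips {net} lies outside the VPN subnet {vpn}")
            elif vpn_if.ip in net:
                problems.append(f"peer {name}: allowed-ips {net} contains the server's own address {vpn_if.ip}")
    return problems


if __name__ == "__main__":
    iface, peers = parse_wg_show(SAMPLE_WG_SHOW)
    print(f"interface {iface}, {len(peers)} peer(s)")
    # The layout from the opening post: LAN and WireGuard server on the same /24.
    for msg in check_topology("10.1.1.2/24", "10.1.1.2/24", peers):
        print("PROBLEM:", msg)
    # The layout suggested in the reply: separate subnets.
    print("separate subnets:", check_topology("192.168.8.1/24", "10.0.0.1/24", peers) or "ok")
```

Run it on the real device by replacing `SAMPLE_WG_SHOW` with the output of `wg show` (for example via `subprocess.run(["wg", "show"], capture_output=True, text=True).stdout`) and passing the LAN and VPN addresses from `/etc/config/network` and `/etc/config/wireguard_server`; a non-empty problem list points at the routing mix-up that makes the firewall see only ICMP from the tunnel.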

I mean that the client settings show 0.0.0.0/0 and wg show shows 10.0.0.3/32 as allowed IPs. That's strange for me.

nope, I use QubesOS with xterm

what are the defaults for the server? For I can not just delete it or go to defaults.

Crap; I should point out I'm currently using 'WG Client' on my Slate AX. I intend to set up a WG 'Client/Server' later today on a Flint & Certa… or I'd just post those default confs for you now.

Nice; I’ve never used it so I don’t know the limitations.

IDK as I’d just use whatever GL sets up… but perhaps it would be a good time to make a backup of your GL device before proceeding. See below.

The wg confs are @ /etc/config/wireguard & /etc/config/wireguard_server assuming a v. 4.2.1-r4 f/w. That HOW-TO describes getting it all in ‘Note’ section.

I have nothing really important on the Brume2. Just wanted to install wireguard on it, nothing else.
Yes, as it seems you use it as a client with some other WGserver. I want just to use it as a server within the network.

Why don’t we put a pin in all this for today if not the next few hours? I need to grab some lunch… & caffeine… then I’ll get to setting up a Flint & Certa as I described.

At least you’d have some ‘known good’ conf files to template from. Sound good?

The problem is that I want to use (or do use) the Brume 2 in the DMZ of my ipfire. So I think I will steal a lot of time from you, but maybe still have problems within the network. And I have no idea what "Flint & Certa" is :smiley:

ah, ok… we can try it, but as I said, the complications could come within my network in ipfire

< ahem > Excuse me; you’re interrupting my lunch. (heh!)

True but you’d be able to edit the confs to suit whatever are your subnetting specifics. I assume you’re familiar w/ the Nano editor? It’s easier to use than VI/VIM.

opkg update && opkg install nano

yes, I hate VIM :smiley:
We’ll see, if I understand what these configs are about

I will fite you. VIM is awesome… if you’re doing extreme amounts of conf editing/sysadmin/programming work & spend hours/days/week/months setting it up properly. Nano is my goto for the ‘quick & dirty’.

Now excuse me; you’re interrupting my coffee/smoke break. :wink: