WireGuard issues with GL-MT3000, internet from router not client

Hi,

I'm running Linux GL-MT3000 5.4.211 #0 SMP Thu Dec 5 01:20:09 2024 aarch64 GNU/Linux with a WireGuard connection to a local server. Internet connectivity works fine from the router.

Example:

interface: wgclient
  public key: U5OWCALxSQRz7p+QT9zPXRC99zTDr/cTlM6kzCY5UGw=
  private key: (hidden)
  listening port: 59515
  fwmark: 0x8000

peer: UV51NBy6uUAUGbYLmBh1t7XncYMyn/iNz/KvGJhlzWE=
  preshared key: (hidden)
  endpoint: 80.229.144.33:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 16 seconds ago
  transfer: 8.65 KiB received, 24.70 KiB sent
  persistent keepalive: every 25 seconds
curl http://ipecho.net/plain && echo
80.229.144.33

But when trying to access the internet from my local computer, ICMP connections work fine but TCP connections do not. I tried to reduce the MTU under the interface hardware setting, but no luck.

Any idea why the connection could be dropped?

Check on your server what's going on. Guess the issue might be there.

This sounds like a DNS issue to me.
Can you ping a domain or only ips?

Thanks, no, DNS looks fine to me.

ping ipecho.net
PING ipecho.net (34.160.111.145): 56 data bytes
64 bytes from 34.160.111.145: icmp_seq=0 ttl=61 time=221.266 ms
64 bytes from 34.160.111.145: icmp_seq=1 ttl=61 time=135.036 ms
^C

Including the ping:

ping ipecho.net
PING ipecho.net (34.160.111.145): 56 data bytes
64 bytes from 34.160.111.145: icmp_seq=0 ttl=61 time=260.828 ms
64 bytes from 34.160.111.145: icmp_seq=1 ttl=61 time=107.990 ms
64 bytes from 34.160.111.145: icmp_seq=2 ttl=61 time=111.601 ms

The issue is in a full tcp handshake:

telnet ipecho.net 80
Trying 34.160.111.145...
^C

Server configuration shows a healthy interface, when I do a test from the router it shows the right egress gateway IP.

curl http://ipecho.net/plain && echo
80.229.144.33

The GL-MT is doing the IP masquerading, so allowing the traffic, and I can see the ICMP traffic hitting the server and going to the internet:

18:44:13.354824 IP 192.168.1.250 > dns.google: ICMP echo request, id 41549, seq 0, length 64
18:44:13.365271 IP dns.google > 192.168.1.250: ICMP echo reply, id 41549, seq 0, length 64
18:44:14.308439 IP 192.168.1.250 > dns.google: ICMP echo request, id 41549, seq 1, length 64
18:44:14.314926 IP dns.google > 192.168.1.250: ICMP echo reply, id 41549, seq 1, length 64

Please share your WireGuard config (masking the private key).
Make sure not to remove private IP addresses.

Server

# Note: Do not edit this file directly.
# Your changes will be overwritten!

# Server
[Interface]
PrivateKey = [......]
Address = 10.8.0.1/24
ListenPort = 51820
PreUp =
PostUp =  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
PreDown =
PostDown =  iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT;

[Peer]
PublicKey = oACkqo8L+lC6fZD9AhBVaG4JI5b1XrbX39UqwL3NAGw=
PresharedKey = [....]
AllowedIPs = 10.8.0.2/32

Exported config:

[Interface]
PrivateKey = [...]
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = UV51NBy6uUAUGbYLmBh1t7XncYMyn/iNz/KvGJhlzWE=
PresharedKey = [....]
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 0
Endpoint = pegerto.com:51820

I know it is a long shot, but....

If I'm not mistaken, you only seem to accept the 10.8.0.2 IP for server configuration. I hope you won't mind me asking, but is it possible that your PC is using a different IP for TCP?

Maybe worth a shot to accept 0.0.0.0/0 just to see if the result changes?
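To show what the AllowedIPs suggestion above actually tests, here is a small model of WireGuard's cryptokey routing, added as an example (not code from the thread or from WireGuard). The peer table mirrors the server config posted above; the peer name "mt3000" and the inner source addresses are constructed, 192.168.1.250 being the LAN source visible in the capture.

```python
"""Model of WireGuard cryptokey routing (AllowedIPs).

Added example, not from the thread or WireGuard itself.  Peer names and
packet addresses are constructed to mirror the configs posted above.
"""
import ipaddress
from typing import Optional

# Constructed server-side peer tables: peer name -> AllowedIPs.
SERVER_PEERS = {"mt3000": ["10.8.0.2/32"]}                 # as posted
SERVER_PEERS_RELAXED = {"mt3000": ["0.0.0.0/0", "::/0"]}   # the suggested test


def route_outbound(peers: dict, dst: str) -> Optional[str]:
    """Outbound lookup: the peer whose AllowedIPs entry is the longest
    prefix covering `dst`, or None if no peer claims that address."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers: dict, peer: str, src: str) -> bool:
    """Inbound check: a decrypted packet from `peer` is delivered only if
    the same lookup on its inner source address maps back to that peer.
    Anything else is dropped silently: no ICMP error, no log line, which
    is why ping from one address can work while other traffic vanishes."""
    return route_outbound(peers, src) == peer


def inbound_verdicts(peers: dict, peer: str, sources) -> dict:
    """Return {inner_src: True/False} for a batch of constructed packets."""
    return {src: accept_inbound(peers, peer, src) for src in sources}


if __name__ == "__main__":
    sources = ("10.8.0.2", "192.168.1.250")  # constructed inner source IPs
    for label, table in (("10.8.0.2/32", SERVER_PEERS), ("0.0.0.0/0", SERVER_PEERS_RELAXED)):
        for src, ok in inbound_verdicts(table, "mt3000", sources).items():
            print(f"AllowedIPs={label:<12} inner src {src:<14} -> {'accepted' if ok else 'dropped'}")
```

Packets the router has masqueraded to 10.8.0.2 pass either table; anything still carrying a LAN source such as 192.168.1.250 only passes the relaxed one, so comparing the two tells you whether AllowedIPs is where the traffic is being lost.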