Can't access wireguard server from WAN

I'm trying to connect to my wireguard server, but it's not working, and I'm out of my depth. I suspect it's more of a network issue than a wireguard issue, but I could be mistaken. I'm hoping someone can give me some pointers.

What I've done / What is working

I've created several configurations on the server, and one of them I've added to the client running Pop-OS. If it's on the (W)LAN, it can connect to the server without problems.

Details

Set-up of client.

# /etc/wireguard/wg0.conf

[Interface]
PrivateKey = [removed]
Address = 10.6.0.4/24
MTU = 1420
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = [removed]
PresharedKey = [removed]
Endpoint = somesubdomain.chickenkiller.com:51820  # I tried with this one...
#Endpoint = 192.168.1.220:51820  # ...and with this one.
AllowedIPs = 0.0.0.0/0, ::0/0

In the LAN, this works, regardless of the Endpoint that's commented in:

# sudo wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

# sudo wg

interface: wg0
  public key: [removed]
  private key: (hidden)
  listening port: 44709
  fwmark: 0xca6c

peer: [removed]
  preshared key: (hidden)
  endpoint: 12.34.567.89:51820     # (WAN IP address or LAN IP address, depending on commented-in Endpoint in wg0.conf)
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: Now
  transfer: 17.84 MiB received, 230.08 KiB sent

For my smartphone, using the wireguard app, the same is true: the connection is working when the phone is in the WLAN.

What is not working

When the client tries to connect through the internet, it's no longer working. The output of sudo wg-quick up wg0 is the same as when it's in the LAN, but sudo wg times out.

Details

Seems to me that there is a problem getting into the LAN from the WAN, so I better crack out the old network diagram.

This is the set-up of the LAN:

[image: network diagram of the LAN, showing the ISP/primary router, the own/secondary router and the VPN server]

On both the routers, port forwarding for UDP traffic on port 51820 is active. (on the left router, to the right one, and on the right one, to the vpn server)

It's surely not relevant, but the client is connected to the internet through a USB-tethered smartphone's cellular data connection, over which it can ping google just fine.

The VPN Server is running a service to update the somesubdomain.chickenkiller.com DDNS service, and pinging this shows that it indeed resolves to my WAN address. The pings get a response as well:

~$ ping somesubdomain.chickenkiller.com
PING somesubdomain.chickenkiller.com (12.34.567.89) 56(84) bytes of data.
64 bytes from xxxxxxx.dynamic.kabel-deutschland.de (12.34.567.89): icmp_seq=1 ttl=47 time=77.1 ms
64 bytes from xxxxxxx.dynamic.kabel-deutschland.de (12.34.567.89): icmp_seq=2 ttl=47 time=76.1 ms

On my smartphone, the wireguard app cannot get past the sending handshake initiation when it's using its mobile data connection.

I'm not working on networks and networking infrastructure every day, so excuse me in advance if this has an obvious reason, or if I left out any critical information; just ask and I'll happily provide any additional data that is needed.

Edit / Additional information / Primary router settings

  • I can connect to the VPN server whether on LAN1 or LAN2, so the port forwarding on my own/secondary router seems to be working just fine; the problem must be in the ISP/primary router or its modem.

  • The following port forwarding rules are set in this router, correctly AFAICS: [screenshot: port forwarding rules of the ISP/primary router]

  • The ISP router has a firewall, but it's an on-or-off one without any settings. [screenshot: firewall on/off setting of the ISP router]
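
The question already narrows the fault to the path between the internet and the VPN server (LAN handshakes work, the DDNS name resolves and answers pings), but a ping reaching the ISP router says nothing about whether a UDP datagram on 51820 makes it through to the server. The script below is an added diagnostic helper, not part of the original question and not WireGuard's own tooling. It assumes the names from the question (interface wg0, UDP port 51820, the DDNS hostname) and is meant to be run on the VPN server. Its pure functions check three things the thread touches on: whether the client's active Endpoint is a LAN-only address (the commented-out 192.168.1.220 line could never work from the WAN), whether an address sits in RFC 1918 or the carrier-grade NAT range 100.64.0.0/10 (a primary router whose WAN address is in that range is itself behind ISP NAT, and no customer-side port forward can reach it), and how old each peer's last handshake is, parsed from `wg show wg0 dump`. With WG_CHECK_LIVE=1 it additionally resolves the DDNS name and runs tcpdump on the server while the client attempts a connection: a 148-byte UDP datagram arriving on port 51820 is the handshake initiation, and seeing it (or not) splits the problem between the routers/ISP side and the server side.

```shell
# Added diagnostic helper (not from the original question or from WireGuard).
# Assumptions: interface wg0, UDP port 51820, the DDNS name from the question.
WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
DDNS_NAME="${DDNS_NAME:-somesubdomain.chickenkiller.com}"

# ip_class ADDR: prints rfc1918, cgnat (RFC 6598, 100.64.0.0/10), loopback,
# public or invalid. An Endpoint in RFC 1918 space only works inside the LAN;
# a router WAN address in the CGNAT range means the ISP translates upstream,
# so a port forward on the customer router cannot be reached from the internet.
ip_class() {
    addr="$1"
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    if [ $# -ne 4 ]; then echo invalid; return 0; fi
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) echo invalid; return 0 ;; esac
        if [ "$o" -gt 255 ]; then echo invalid; return 0; fi
    done
    a=$1; b=$2
    if [ "$a" -eq 10 ]; then echo rfc1918
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo rfc1918
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo rfc1918
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat
    elif [ "$a" -eq 127 ]; then echo loopback
    else echo public
    fi
}

# active_endpoint_host CONF_FILE: host part of the first uncommented
# "Endpoint =" line. wg strips everything after '#', so trailing comments like
# the ones in the question's wg0.conf are harmless; a leading '#' disables the line.
active_endpoint_host() {
    sed 's/#.*//' "$1" \
      | sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' \
      | head -n 1 | sed 's/[[:space:]]*$//; s/:[0-9]*$//'
}

# handshake_state PEER_DUMP_LINE NOW_EPOCH: never, fresh or stale.
# PEER_DUMP_LINE is one peer line of `wg show IFACE dump` (tab separated:
# pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive).
# A live session re-handshakes at least every 120 s and rejects keys after
# 180 s, so anything older than 180 s is a dead session; 0 means a peer that
# never completed a handshake on this interface.
handshake_state() {
    hs=$(printf '%s\n' "$1" | cut -f5)
    case "$hs" in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    if [ "$hs" -eq 0 ]; then echo never
    elif [ $(($2 - hs)) -le 180 ]; then echo fresh
    else echo stale
    fi
}

# Live checks: run on the VPN server as root with WG_CHECK_LIVE=1.
live_checks() {
    echo "1. $DDNS_NAME resolves to:"
    getent ahostsv4 "$DDNS_NAME" | awk 'NR==1 {print "   " $1}'
    echo "   Compare with the WAN address on the primary router's status page;"
    echo "   if that address is in 100.64.0.0/10 (ip_class prints cgnat), the"
    echo "   router itself sits behind ISP NAT and the forward cannot be reached."
    echo "2. Peer handshake ages on $WG_IF:"
    now=$(date +%s)
    wg show "$WG_IF" dump | tail -n +2 | while IFS= read -r l; do
        printf '   %s... %s\n' "$(printf '%s' "$l" | cut -c1-8)" "$(handshake_state "$l" "$now")"
    done
    echo "3. Have the client connect now. A 'length 148' UDP datagram on port"
    echo "   $WG_PORT is a handshake initiation reaching this host, which means"
    echo "   both routers forward correctly and the fault is on the server side."
    timeout 30 tcpdump -ni any -c 5 "udp port $WG_PORT" 2>/dev/null \
      || echo "   no UDP/$WG_PORT datagram arrived within 30 s: it is dropped upstream"
}

if [ "${WG_CHECK_LIVE:-0}" = "1" ]; then live_checks; fi
```

If step 3 shows initiations arriving but `wg show` on the server still reports no handshake for that peer, the routers are fine and the server-side configuration (keys, listen port, host firewall) is the place to look; if nothing arrives while the LAN handshake works, the drop is in the ISP router, its modem or the ISP's own NAT, exactly the part of the path the edit in the question points at.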


Comments

Justin: Sounds like either 1) there's an issue with your phone's cell data connection that's preventing it from connecting through the Internet to your ISP router; or 2) the firewall on your ISP router is not letting UDP port 51820 traffic in from the WAN. So 1) with your Pop OS client tethered to your phone and using that cell connection, see if you can ping somesubdomain.chickenkiller.com from your Pop OS client; and 2) double-check if you have WAN firewall settings on your ISP router that are separate from its port-forwarding settings.

ElRudi: Thanks Justin. I've added the information to the question. Pings to the WAN are working. The firewall settings are not very fine-tunable.

Another user: I admire the amount of information you gathered, this would be an excellent question and many users could learn from it ... but it looks very much like a home setup, which makes the question sadly off topic here. Sorry.

ElRudi: Is there a forum specifically for home networking?

Another user: The closest match would be [su].

ElRudi: Alright, I'll try my luck there. Thanks for the tip.