Score:0

WireGuard `wg-quick up` hangs on `ip link add $profile type wireguard`


I've been a happy WireGuard user for several years and never had any issues. Today, for seemingly no reason, I started having issues.

I ran `wg-quick up $profile` as root and that terminal session locked up (Ctrl+C/D etc. don't kill it). The only output was `[#] ip link add $profile type wireguard`.

Here's my config:

```
[Interface]
PrivateKey = $privatekey
Address = 10.19.49.3/24,fd9d:bc11:4021::3/48
DNS = 172.16.0.1

[Peer]
PublicKey = $publickey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $ipaddress:$port
PersistentKeepalive = 25
```

(with the $variables filled in obviously)

I looked in dmesg but wireguard/wg aren't mentioned a single time in it.

How should I proceed? I don't see a --verbose option on wg-quick. What is a good way of debugging this?


Here's the process list:

```
root      432947  0.0  0.0  17000  7772 pts/5    S+   10:17   0:00 sudo wg-quick up $profile
root      432948  0.0  0.0   8060  4244 pts/5    S+   10:17   0:00 /bin/bash /usr/bin/wg-quick up $profile
root      925699  0.0  0.0      0     0 pts/5    Z+   10:58   0:00 [wg-quick] <defunct>
```

Attaching to the sudo wg-quick $profile up process (432947):

```
[#0] 0x7f96c084b34f → ppoll()
[#1] 0x7f96c099d169 → sudo_ev_loop_v1()
[#2] 0x563081408861 → add eax, 0x1
[#3] 0x56308140261c → xor r8d, r8d
[#4] 0x5630813eeb38 → mov ebx, eax
[#5] 0x7f96c0772310 → __libc_start_call_main()
[#6] 0x7f96c07723c1 → __libc_start_main_impl()
[#7] 0x5630813eeda5 → hlt
```

Attaching to [wg-quick] <defunct> (925699):

```
warning: process 925699 is a zombie - the process has already terminated
ptrace: Operation not permitted.
```

NOTE: I lost the SSH key for the server so I can't debug from that side, but the SSH pubkey denied message confirms the server is indeed running still.

EDIT: I just tested, and the server works if I use the same WireGuard configuration from my phone. How can I debug this client?

Keith
I block my SSH to the WireGuard interface but also have Single Packet Auth in case wg fails. (My host does not have a console login, so I would have to open a ticket for it.) Another method is to allow SSH access from the IP of another VPS you control, just in case.
djdomi
Use the (recover) console from your provider to access the service.
Aaron Esau
I did try that, but this AWS instance is _very_ old, and the web UI informed me that it does not support connecting in that way.
Aaron Esau
In the near future I'll attach the volume to another instance and just add the key manually, but I figured I'd ask here if there's a good way to debug the client first. Edit: I should also add that the server works if I use the same WireGuard configuration from my phone.
Score:0

First, add the `Table = off` option under `[Interface]`. Because your AllowedIPs are 0.0.0.0/0, the default gateway might be changed to the WireGuard server, which causes the loss of SSH control in your case.

With the `Table = off` option, you can probably get the shell prompt back after launching wg-quick. Then you can try network tools such as ping, traceroute, etc. and see what's wrong.
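
A pre-flight check for the routing behaviour this answer describes, as an added example that is not part of the original answer. The function name `wg_route_mode` is hypothetical; it assumes the `Table` semantics documented in wg-quick(8): `auto` (the default) enables default-route handling for any `/0` in AllowedIPs, `off` creates no routes, and any other value sends routes to that table.

```shell
#!/bin/sh
# Added example: classify how wg-quick will treat routing for a config
# before bringing the tunnel up. Reads a file argument or stdin.
wg_route_mode() {
    awk '
        # Drop comments and surrounding whitespace.
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[/    { section = tolower($0); next }
        $0 == "" { next }
        {
            p = index($0, "=")
            if (!p) next
            key = tolower(substr($0, 1, p - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, p + 1);             gsub(/[ \t]/, "", val)
            if (section == "[interface]" && key == "table")
                table = tolower(val)
            if (section == "[peer]" && key == "allowedips") {
                n = split(val, nets, ",")
                # A /0 prefix (0.0.0.0/0 or ::/0) is a default route.
                for (i = 1; i <= n; i++) if (nets[i] ~ /\/0$/) dflt = 1
            }
        }
        END {
            if (table == "off")                       print "routes-off"
            else if (table != "" && table != "auto")  print "custom-table"
            else if (dflt)                            print "default-route"
            else                                      print "split-tunnel"
        }
    ' "$@"
}

# Constructed sample: the config from the question, placeholders kept.
wg_route_mode <<'EOF'
[Interface]
PrivateKey = $privatekey
Address = 10.19.49.3/24,fd9d:bc11:4021::3/48
DNS = 172.16.0.1

[Peer]
PublicKey = $publickey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $ipaddress:$port
PersistentKeepalive = 25
EOF
```

A result of `default-route` means bringing the tunnel up redirects all traffic through the peer, so confirm an out-of-band path to the host exists first.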
