Wireguard - no handshake established

Creating a bug report/issue

Required Information

  • DietPi version | G_DIETPI_VERSION_CORE=8 G_DIETPI_VERSION_SUB=14 G_DIETPI_VERSION_RC=2 G_GITBRANCH='master' G_GITOWNER='MichaIng' G_LIVE_PATCH_STATUS[0]='not applicable'
  • Distro version | bullseye
  • Kernel version | Linux zeitgeist 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
  • SBC model | older Dell PC featuring an i3-2130
  • Power supply used | the one built in
  • SD card used | a 1 TB Toshiba 3.5 inch SATA HDD

Additional Information (if applicable)

  • Software title | Wireguard
  • Was the software title installed freshly or updated/migrated? Freshly installed
  • Can this issue be replicated on a fresh installation of DietPi? Probably, but I guess I am doing something wrong here

Steps to reproduce

  1. Trying to establish a connection from a previously set-up client fails → the log shows that the client's handshakes are not being answered

Expected behaviour

  • The connection should be established.

Actual behaviour

  • The connection is not being established.

Extra details

Log of my wg server:

2023-02-17 16:14:46.762318: [TUN] [vpn-windspiel] Sending handshake initiation to peer 1 (89.12.43.18:51820)
2023-02-17 16:14:51.777741: [TUN] [vpn-windspiel] Handshake for peer 1 (89.12.43.18:51820) did not complete after 5 seconds, retrying (try 2)

Log of a wg server where it's working correctly:

2023-02-17 16:10:44.939156: [TUN] [##_notebook] Sending handshake initiation to peer 1 (31.18.6.15:51820)
2023-02-17 16:10:44.997503: [TUN] [##_notebook] Receiving handshake response from peer 1 (31.18.6.15:51820)
2023-02-17 16:10:44.997503: [TUN] [##_notebook] Keypair 1 created for peer 1

My best guess is that something in my ufw setup is wrong. If I disable ufw, the connection is established and the handshakes get through. However, I think my ufw setup looks good:

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on eth0           ALLOW FWD   10.152.231.0/24 on wg0
[ 2] 51820/udp                  ALLOW IN    Anywhere                   # allow-wireguard
[ 3] Anywhere                   ALLOW IN    192.168.177.0/24
[ 4] 443                        ALLOW IN    Anywhere
[ 5] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 6] 51820/udp (v6)             ALLOW IN    Anywhere (v6)              # allow-wireguard

Note: rules #1, #2 and #6 were added by the WireGuard setup.

My wg0.conf:

[Interface]
PrivateKey = 
Address = 10.152.231.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
MTU = 1420
ListenPort = 51820
### begin vpn-windspiel ###
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.152.231.2/32
### end vpn-windspiel ###

I bet it's something simple, but I am just too dumb to find it…

Solved with this ufw config (even though I don't understand why this is actually working):

     To                         Action      From
     --                         ------      ----
[ 1] 443                        ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    10.152.231.0/24
[ 3] Anywhere                   ALLOW IN    192.168.177.0/24
[ 4] 51820/udp                  ALLOW IN    Anywhere
[ 5] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 6] 51820/udp (v6)             ALLOW IN    Anywhere (v6)

→ 192.168.177.0/24 being my home LAN network range

It seems a bit stupid, but apparently it considers the wg network as input, while you were considering it as forwarded.
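To make the IN versus FWD distinction from the reply above concrete, here is an added example (not from the issue, not DietPi's or ufw's own code) that parses the two ufw tables posted above and reports the verdict for three packet classes: the encrypted handshake arriving on eth0, a decrypted packet from the peer addressed to a service on the server itself, and a decrypted packet to be routed out through eth0. It is a simplified model of ufw's first-match evaluation with its default deny policies; the client source address 203.0.113.7 used in the checks is constructed.

```python
import ipaddress, re
# ufw 'status numbered' rows copied from this issue (IPv4 only): the broken set, then the working one
BROKEN = """\
[ 1] Anywhere on eth0           ALLOW FWD   10.152.231.0/24 on wg0
[ 2] 51820/udp                  ALLOW IN    Anywhere                   # allow-wireguard
[ 3] Anywhere                   ALLOW IN    192.168.177.0/24
"""
FIXED = """\
[ 1] 443                        ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW IN    10.152.231.0/24
[ 3] 51820/udp                  ALLOW IN    Anywhere
"""
RULE_RE = re.compile(r"^\[\s*\d+\]\s+(?P<to>.+?)\s{2,}(?P<action>ALLOW|DENY|REJECT)\s+"
                     r"(?P<chain>IN|OUT|FWD)\s+(?P<src>.+?)(?:\s+#.*)?$")
def _field(text):
    """'10.152.231.0/24 on wg0' -> ('10.152.231.0/24', 'wg0'); without 'on' -> (text, None)."""
    m = re.match(r"^(.*?)(?:\s+on\s+(\S+))?$", text)
    return m.group(1), m.group(2)

def parse_rules(status):
    rules = []
    for line in status.splitlines():
        m = RULE_RE.match(line)
        if not m or "(v6)" in line:
            continue
        to, to_if = _field(m["to"])
        src, src_if = _field(m["src"])
        pm = re.match(r"^(\d+)(?:/(tcp|udp))?$", to)  # 'To' is a port spec or 'Anywhere'
        fwd = m["chain"] == "FWD"
        # ufw prints the in-interface under 'From' for route (FWD) rules but under 'To' for IN rules
        rules.append({"action": m["action"], "chain": m["chain"],
                      "port": int(pm.group(1)) if pm else None,
                      "proto": pm.group(2) if pm else None,
                      "net": None if src == "Anywhere" else ipaddress.ip_network(src),
                      "in_if": src_if if fwd else to_if, "out_if": to_if if fwd else None})
    return rules

def verdict(rules, chain, src, in_if, proto=None, port=None, out_if=None):
    """First match wins, as in ufw; an unmatched packet falls to the default deny policy."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if r["chain"] != chain or (r["net"] is not None and ip not in r["net"]):
            continue
        if (r["in_if"] and r["in_if"] != in_if) or (r["out_if"] and r["out_if"] != out_if):
            continue
        if r["port"] and (r["port"] != port or (r["proto"] and r["proto"] != proto)):
            continue
        return r["action"]
    return "DENY (default policy)"
```

Both rule sets pass the UDP 51820 handshake on eth0, but only the working set allows a decrypted packet from 10.152.231.0/24 that arrives on wg0 and is addressed to the server itself (the IN chain); the broken set only covered that subnet in the FWD chain. The working set has no FWD rule at all, so routed tunnel traffic there relies on the iptables FORWARD rule from the PostUp line in wg0.conf rather than on ufw.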