WireGuard connection fails, no packets sent to peer

I deployed WireGuard on a server (Ubuntu Linux) and created peer profiles (split tunnel) for several clients (Linux, macOS, iOS). Everything worked as expected.

Now I set up a FreeBSD client (14.3) and created a new WireGuard profile for it. The profile was tested successfully on a different client (running macOS) and transferred to the FreeBSD client. I installed the WireGuard tools package (pkg install wireguard-tools) and loaded the WireGuard kernel module (kldload if_wg). When executing wg-quick up wg0, the interface and routes are created (according to wg show wg0 and netstat -rn), but no packets are sent to the server according to tcpdump -i wlan0 udp port 51820 (the listening port on the server).

What could be the problem here?
 
Sure, sorry:

Code:
[Interface]
PrivateKey = [redacted]
Address = 2a00:11c0:5f:30d6::9306/128, 10.100.0.6/32
DNS = 2620:fe::fe, 9.9.9.9

[Peer]
PublicKey = [redacted]
AllowedIPs = 2620:fe::fe/128, 9.9.9.9/32, 2a00:11c0:5f:30d6::9300/120, 10.100.0.1/24, [more IPs here, belonging to servers behind the VPN gateway]
Endpoint = wg.example.com:51820

As stated in the original post, this configuration works well on a different client.
 
Is the wlan0 interface actually up and associated? I mean, is there any other network traffic going through it? An ifconfig output from the FreeBSD host would be useful, as would a netstat -rn output.

Does the FreeBSD host happen to have both a wired and a wireless interface connected and active? This seems to confuse FreeBSD newbies a lot: if two or more interfaces are active and on the same network (subnet; 192.168.21.0/24 for example), routing becomes quite ambiguous, as there will be two (or more) so-called "directly connected" networks. If both interfaces use DHCP, things become even more ambiguous.

Might move the thread to "Networking", my first impression was a configuration issue with the client (hence "Web and Network services") but that seems to be in order.
 
Yes, the interface wlan0 is up and running, and the ethernet interface is not connected. After activating the WireGuard interface, ifconfig prints this:

Code:
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e524bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether c8:5b:76:17:a4:85
    media: Ethernet autoselect
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=0
    ether 44:85:00:f4:9d:db
    inet 192.168.8.191 netmask 0xffffff00 broadcast 192.168.8.255
    inet6 fe80::4685:ff:fef4:9ddb%wlan0 prefixlen 64 scopeid 0x3
    inet6 [IPv6 prefix, redacted]:4685:ff:fef4:9ddb prefixlen 64 autoconf pltime 81198 vltime 81198
    groups: wlan
    ssid [SSID, redacted] channel 36 (5180 MHz 11a) bssid 12:59:03:4d:4c:3e
    regdomain FCC country US authmode WPA2/802.11i privacy ON
    deftxkey UNDEF AES-CCM 3:128-bit txpower 17 bmiss 10 mcastrate 6
    mgmtrate 6 scanvalid 60 wme roaming MANUAL
    parent interface: iwm0
    media: IEEE 802.11 Wireless Ethernet OFDM/6Mbps mode 11a
    status: associated
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
    options=80000<LINKSTATE>
    inet 10.100.0.6 netmask 0xffffffff
    inet6 2a00:11c0:5f:30d6::9306 prefixlen 128
    groups: wg
    nd6 options=101<PERFORMNUD,NO_DAD>

The output of netstat -rn is the following:

Code:
Routing tables

Internet:
Destination        Gateway            Flags         Netif Expire
default            192.168.8.1        UGS           wlan0
9.9.9.9            link#4             UHS             wg0
10.100.0.0/24      link#4             US              wg0
10.100.0.6         link#2             UH              lo0
78.47.178.18       link#4             UHS             wg0
127.0.0.1          link#2             UH              lo0
152.53.206.52      link#4             UHS             wg0
192.168.8.0/24     link#3             U             wlan0
192.168.8.191      link#2             UHS             lo0
217.154.195.8      link#4             UHS             wg0

Internet6:
Destination                       Gateway                       Flags         Netif Expire
::/96                             link#2                        URS             lo0
default                           fe80::9683:c4ff:feaa:be4e%wlan0 UG          wlan0
::1                               link#2                        UHS             lo0
::ffff:0.0.0.0/96                 link#2                        URS             lo0
2620:fe::fe                       link#4                        UHS             wg0
2a00:11c0:5f:30d6::9300/120       link#4                        US              wg0
2a00:11c0:5f:30d6::9306           link#2                        UHS             lo0
2a00:11c0:5f:30d6:74e2:89ff:fed1:83f5 link#4                    UHS             wg0
2a01:239:295:c900::1              link#4                        UHS             wg0
2a01:4f8:c17:d87e::1              link#4                        UHS             wg0
[IPv6 prefix, redacted]::/64            link#3                        U             wlan0
[IPv6 prefix, redacted]:4685:ff:fef4:9ddb link#2                      UHS             lo0
fe80::%lo0/10                     link#2                        URS             lo0
fe80::%lo0/64                     link#2                        U               lo0
fe80::1%lo0                       link#2                        UHS             lo0
fe80::%wlan0/64                   link#3                        U             wlan0
fe80::4685:ff:fef4:9ddb%lo0       link#2                        UHS             lo0
ff02::/16                         link#2                        URS             lo0

The AllowedIPs for the tunnel are routed correctly through the wg0 interface. On the surface, everything looks as it should (at least to me), but as I said, no packets are sent to the WireGuard server. pf is not running on the FreeBSD host. Could it be that there is something wrong with the if_wg kernel module?
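The two checks raised in this thread, the "directly connected network on more than one interface" ambiguity from the reply above and the question of where the tunnel's own encrypted packets go given the posted netstat -rn table, as an added example (not code from any poster). It parses only the IPv4 section of netstat -rn, does a longest-prefix-match lookup, and flags a WireGuard endpoint whose address would itself be routed into wg0: with a split tunnel, an endpoint that falls inside an AllowedIPs route is sent into the tunnel instead of out the physical interface, so nothing ever appears on wlan0. The SAMPLE_NETSTAT table is copied from the post above; the endpoint address 203.0.113.10 is a placeholder (the thread does not show what wg.example.com resolves to), and AMBIGUOUS_NETSTAT is a constructed table, not output from the FreeBSD host.

```python
"""Added example: route-table checks for a WireGuard client on FreeBSD.
Parses the IPv4 part of `netstat -rn`, does a longest-prefix-match lookup,
and flags (1) an endpoint that would be routed into wg0 itself and
(2) one directly connected network present on several interfaces."""
import ipaddress

# Constructed from the IPv4 routing table posted in this thread.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags         Netif Expire
default            192.168.8.1        UGS           wlan0
9.9.9.9            link#4             UHS             wg0
10.100.0.0/24      link#4             US              wg0
10.100.0.6         link#2             UH              lo0
78.47.178.18       link#4             UHS             wg0
127.0.0.1          link#2             UH              lo0
152.53.206.52      link#4             UHS             wg0
192.168.8.0/24     link#3             U             wlan0
192.168.8.191      link#2             UHS             lo0
217.154.195.8      link#4             UHS             wg0

Internet6:
"""

# Constructed table (not from the thread): em0 and wlan0 both hold
# 192.168.21.0/24, the ambiguous two-interface case described above.
AMBIGUOUS_NETSTAT = """\
Internet:
Destination        Gateway            Flags         Netif Expire
default            192.168.21.1       UGS             em0
127.0.0.1          link#2             UH              lo0
192.168.21.0/24    link#1             U               em0
192.168.21.0/24    link#3             U             wlan0
"""

def parse_ipv4_routes(text):
    """Return (network, gateway, flags, netif) tuples from the Internet: section."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        parts = line.split()
        if not in_v4 or len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gw, flags, netif = parts[:4]
        # Host routes are printed without a prefix length; strict=False
        # turns "9.9.9.9" into 9.9.9.9/32.
        net = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
               else ipaddress.ip_network(dest, strict=False))
        routes.append((net, gw, flags, netif))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: (network, netif) the kernel would pick for addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, _gw, _flags, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best

def endpoint_self_routed(routes, endpoint_ip, wg_if="wg0"):
    """True if the encrypted UDP packets to the endpoint would enter the tunnel."""
    hit = lookup(routes, endpoint_ip)
    return hit is not None and hit[1] == wg_if

def duplicate_connected_networks(routes):
    """Map network -> interfaces for non-gateway network routes seen on >1 interface."""
    seen = {}
    for net, _gw, flags, netif in routes:
        if "G" in flags or "H" in flags or net.prefixlen == 0:
            continue
        seen.setdefault(str(net), set()).add(netif)
    return {n: sorted(ifs) for n, ifs in seen.items() if len(ifs) > 1}

if __name__ == "__main__":
    routes = parse_ipv4_routes(SAMPLE_NETSTAT)
    # Placeholder endpoint address (TEST-NET-3); substitute what
    # `host wg.example.com` returns on the client.
    for ep in ("203.0.113.10", "78.47.178.18"):
        print(ep, "->", lookup(routes, ep)[1],
              "SELF-ROUTED" if endpoint_self_routed(routes, ep) else "ok")
    print(duplicate_connected_networks(parse_ipv4_routes(AMBIGUOUS_NETSTAT)))
```

To use it on the real host, paste the client's own netstat -rn output into SAMPLE_NETSTAT and replace the placeholder with the address wg.example.com resolves to; a result of wlan0 means the kernel would hand the encrypted packets to the wireless interface, and the search then moves to what tcpdump and wg show report on that path. The duplicate-network check deliberately ignores gateway (G) and host (H) entries, since only interface routes for the same prefix make forwarding ambiguous.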
 
I am using sniffnet to debug a lot of issues around FreeBSD and Linux WireGuard configuration.

Code:
$ pkg search sniffnet
sniffnet-1.4.1                 Comfortably monitor your Internet traffic

In this way you can see what traffic is going on wg0 ... and what is not.

NOTE: You will need to run the program as root, as it needs access to the Berkeley Packet Filter (BPF).

Code:
# ls -al /dev/bpf
crw-------  1 root wheel 0x27 Nov  4 00:00 /dev/bpf
#
 