WireGuard: can't ping anything, traffic doesn't go through while the handshake is successful
I'm trying to set up a WireGuard VPN server on a cloud virtual server (Yandex cloud).
Server config:
[Interface]
Address = 10.128.0.19/24
MTU = 1500
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t >
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables ->
ListenPort = 41820
PrivateKey = <cut>
[Peer]
PublicKey = 0fWTvnU+j4D4pXfv0hWtAJDatRj/DxgPH3zwrSbT7js=
AllowedIPs = 10.128.0.201/32
Client config:
[Interface]
PrivateKey = <cut>
Address = 10.128.0.200/32
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = g9HF8K1303CwDrYb0ga8/dBe8EY8tb3wlreO0lHA9iI=
AllowedIPs = 0.0.0.0/0
Endpoint = <cut>:41820
PersistentKeepalive = 25
I've enabled the net.ipv4.ip_forward=1 option on the server. The server is a public cloud compute instance. The client is an Android device in a home network behind NAT.
When I turn on the tunnel, all communication stops. I can't ping anything from the device. At the same time, I can see successful handshakes in the wg output:
interface: wg0
public key: g9HF8K1303CwDrYb0ga8/dBe8EY8tb3wlreO0lHA9iI=
private key: (hidden)
listening port: 41820
peer: 0fWTvnU+j4D4pXfv0hWtAJDatRj/DxgPH3zwrSbT7js=
endpoint: <cut>:38517
allowed ips: 10.128.0.201/32
latest handshake: 15 seconds ago
transfer: 2.25 KiB received, 124 B sent
I can ping neither the VPN server's internal IP address (10.128.0.19) nor any public IP (like 1.1.1.1).
The server's ifconfig output is the following:
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.128.0.19 netmask 255.255.255.0 broadcast 10.128.0.255
inet6 fe80::d20d:1bff:fe98:a801 prefixlen 64 scopeid 0x20<link>
ether d0:0d:1b:98:a8:01 txqueuelen 1000 (Ethernet)
RX packets 16530 bytes 2016056 (2.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12031 bytes 1483606 (1.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 177 bytes 14328 (14.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 177 bytes 14328 (14.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 10.128.0.19 netmask 255.255.255.0 destination 10.128.0.19
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 145 bytes 16504 (16.5 KB)
RX errors 54 dropped 0 overruns 0 frame 54
TX packets 11 bytes 472 (472.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The OS on the server is Ubuntu 20.04.
I tried setting the MTU on the client side to 1500, but nothing changed.
What am I doing wrong?
Solution 1:[1]
The issue was in the server's interface IP address. The correct one is
[Interface]
Address = 10.128.0.19/32
The subnet part should be 32 instead of 24 in my case.
After that, the connection works well.
Solution 2:[2]
The allowed IP is wrong in the server configuration. Please change it from:
[Peer]
PublicKey = 0fWTvnU+j4D4pXfv0hWtAJDatRj/DxgPH3zwrSbT7js=
AllowedIPs = 10.128.0.201/32
to:
[Peer]
PublicKey = 0fWTvnU+j4D4pXfv0hWtAJDatRj/DxgPH3zwrSbT7js=
AllowedIPs = 10.128.0.200/32
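The two answers point at two independent defects in the posted server config, and a practitioner would want to check both before touching the firewall rules. The first is cryptokey routing: after decrypting a packet, the WireGuard kernel module accepts it only if the inner source address lies inside the sending peer's AllowedIPs; otherwise the packet is dropped and counted as an rx error and frame error on wg0, which matches the 54/54 in the question's ifconfig output, since the client sends from 10.128.0.200 but the server only allows 10.128.0.201/32. The second is host routing: wg-quick runs `ip address add` with the [Interface] Address, so 10.128.0.19/24 on wg0 gives the server a second connected route for 10.128.0.0/24, the same prefix eth0 already owns. The following lint script is an added example written for this page, not code from either answer or from the WireGuard project; it embeds constructed copies of the question's configs (keys cut, truncated PostUp/PostDown lines omitted), assumes eth0 holds 10.128.0.19/24 as the ifconfig output shows, and reports both problems, then shows that applying both corrections leaves it clean.

```python
import ipaddress

# Constructed copies of the [Interface]/[Peer] settings from the question
# (private keys cut, truncated PostUp/PostDown lines omitted).
SERVER_CONF = """\
[Interface]
Address = 10.128.0.19/24
ListenPort = 41820
PrivateKey = <cut>

[Peer]
PublicKey = 0fWTvnU+j4D4pXfv0hWtAJDatRj/DxgPH3zwrSbT7js=
AllowedIPs = 10.128.0.201/32
"""

CLIENT_CONF = """\
[Interface]
PrivateKey = <cut>
Address = 10.128.0.200/32

[Peer]
PublicKey = g9HF8K1303CwDrYb0ga8/dBe8EY8tb3wlreO0lHA9iI=
AllowedIPs = 0.0.0.0/0
Endpoint = <cut>:41820
PersistentKeepalive = 25
"""

# Assumed from the question's ifconfig output: eth0 holds 10.128.0.19/24.
SERVER_UPLINKS = {"eth0": "10.128.0.19/24"}


def parse_wg_conf(text):
    """Parse an INI-style wg-quick config into (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # first '=' only: base64 keys end in '='
            current[key.strip()] = value.strip()
    return interface, peers


def cidrs(value):
    """'10.0.0.1/32, 0.0.0.0/0' -> list of ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]


def lint(server_conf, client_conf, uplinks):
    """Return the list of reasons the tunnel would carry no traffic (empty if none)."""
    findings = []
    s_iface, s_peers = parse_wg_conf(server_conf)
    c_iface, _ = parse_wg_conf(client_conf)

    # Cryptokey routing: the kernel accepts a decrypted packet only if its inner
    # source address is inside the sending peer's AllowedIPs. Anything else is
    # dropped and shows up as rx errors on wg0.
    client_ip = ipaddress.ip_interface(c_iface["Address"]).ip
    for peer in s_peers:
        allowed = cidrs(peer.get("AllowedIPs", ""))
        if not any(client_ip in net for net in allowed):
            findings.append(
                f"peer {peer['PublicKey'][:8]}: AllowedIPs {peer['AllowedIPs']} does not "
                f"cover the client's Address {client_ip}; its packets are dropped")

    # Host routing: wg-quick adds the Address to wg0, so the kernel installs a
    # connected route for its prefix. A prefix that overlaps an uplink subnet
    # gives the host two routes for the same network.
    wg_net = ipaddress.ip_interface(s_iface["Address"]).network
    for name, cidr in uplinks.items():
        up_net = ipaddress.ip_interface(cidr).network
        if wg_net.prefixlen < wg_net.max_prefixlen and wg_net.overlaps(up_net):
            findings.append(
                f"Interface Address {s_iface['Address']} puts {wg_net} on wg0, "
                f"overlapping {name}'s {up_net}; use a /32 or a dedicated tunnel subnet")
    return findings


def fixed(server_conf):
    """Apply both corrections from the answers to the server config text."""
    return (server_conf
            .replace("Address = 10.128.0.19/24", "Address = 10.128.0.19/32")
            .replace("AllowedIPs = 10.128.0.201/32", "AllowedIPs = 10.128.0.200/32"))


if __name__ == "__main__":
    for finding in lint(SERVER_CONF, CLIENT_CONF, SERVER_UPLINKS):
        print("FAIL:", finding)
    print("after fix:", lint(fixed(SERVER_CONF), CLIENT_CONF, SERVER_UPLINKS) or "clean")
```

On a live server the same two facts can be read without a script: `wg show wg0` prints the allowed ips per peer, and `ip route show dev wg0` lists the routes wg-quick installed; a growing "RX errors" counter on wg0 with a fresh handshake is the signature of an AllowedIPs mismatch rather than a firewall or MTU problem. Reusing eth0's own address on wg0, as both the question and Solution 1 do, works with a /32 but is unusual; a dedicated tunnel subnet that does not overlap the cloud VPC range avoids the routing ambiguity altogether.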
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Alexander Pravdin |
| Solution 2 | ouflak |
