Hi,
I am trying to configure my OpenBSD server as a Wireguard server for
my Windows laptop (and eventually my Android phone).
I am using OpenBSD 7.6 (GENERIC.MP) #338: Mon Sep 30 08:55:35 MDT 2024
My Windows PC is using Windows Wireguard client 0.5.3 (downloaded Dec
31, 2024)
The Windows Wireguard client is able to connect to the OpenBSD server
but no traffic seems to make it across the tunnel. The packet counts go
up, but I cannot ping, ssh, etc.
The packet counts also go up on the OpenBSD server (ifconfig wg0)
mini# ifconfig wg0
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
index 5 priority 0 llprio 3
wgport 4433
wgpubkey <wgpubkey>
wgpeer <wgpeer>
wgendpoint 192.168.123.2 55331
tx: 9920, rx: 423232
last handshake: 88 seconds ago
wgaip 192.168.124.0/24
groups: wg
inet 192.168.126.1 netmask 0xffffff00 broadcast 192.168.126.255
I have been running Wireshark on Windows and using tcpdump -i wg0 as
well as tcpdump -i pflog0, as well as looking at the blocked (logged)
packets by tcpdump -r /var/log/pflog. I don't see any blocked packets.
My pf.conf has:
-----------------------
<close to the top>
set skip on wg0
<further down>
# WireGuard
pass in on egress inet proto udp from any to (egress) port 4433
-----------------------
hostname.wg0
-----------------------
wgkey <wgkey>
wgport 4433
wgpeer <wgpeer key>
wgaip 192.168.124.0/24
inet 192.168.126.1/24
up
On the Windows Wireguard client:
[Interface]
PrivateKey = <privateKey>
Address = 192.168.126.2/24
[Peer]
PublicKey = <public key of OpenBSD server>
AllowedIPs = 192.168.126.0/24
Endpoint = <public IP of OpenBSD Server>:4433
The Windows Wireguard client logs the following, so the tunnel seems to be up:
2024-12-31 17:14:58.244: [TUN] [OpenBSD] Sending keepalive packet to
peer 1 (207.6.196.56:4433)
2024-12-31 17:14:58.247: [TUN] [OpenBSD] Receiving keepalive packet from
peer 1 (207.6.196.56:4433)
Wireshark when I'm pinging from the Windows system to the server
1 0.000000 192.168.126.2 192.168.126.1 ICMP 60 Echo
(ping) request id=0x0001, seq=37/9472, ttl=128 (no response found!)
2 4.689174 192.168.126.2 192.168.126.1 ICMP 60 Echo
(ping) request id=0x0001, seq=38/9728, ttl=128 (no response found!)
3 9.693818 192.168.126.2 192.168.126.1 ICMP 60 Echo
(ping) request id=0x0001, seq=39/9984, ttl=128 (no response found!)
4 14.705842 192.168.126.2 192.168.126.1 ICMP 60 Echo
(ping) request id=0x0001, seq=40/10240, ttl=128 (no response found!)
There is no traffic received on wg0 (tcpdump -i wg0) when I ping from
the Windows system
tcpdump when I ping from the OpenBSD box to the Windows Client
mini# tcpdump -i wg0
tcpdump: listening on wg0, link-type LOOP
17:23:59.960035 192.168.126.1 > 192.168.126.2: icmp: echo request
17:24:00.962192 192.168.126.1 > 192.168.126.2: icmp: echo request
17:24:01.962181 192.168.126.1 > 192.168.126.2: icmp: echo request
17:24:02.962161 192.168.126.1 > 192.168.126.2: icmp: echo request
mini# ping 192.168.126.2
PING 192.168.126.2 (192.168.126.2): 56 data bytes
ping: sendmsg: Network is unreachable
ping: wrote 192.168.126.2 64 chars, ret=-1
ping: sendmsg: Network is unreachable
ping: wrote 192.168.126.2 64 chars, ret=-1
ping: sendmsg: Network is unreachable
ping: wrote 192.168.126.2 64 chars, ret=-1
ping: sendmsg: Network is unreachable
ping: wrote 192.168.126.2 64 chars, ret=-1
Network Unreachable... a routing issue?
mini# netstat -rn | grep wg0
192.168.126/24 192.168.126.1 UCn 1 0 - 4 wg0
192.168.126.1 wg0 UHl 0 0 - 1 wg0
192.168.126.2 link#0 UHc 0 4 - 3 wg0
192.168.126.255 192.168.126.1 UHb 0 0 - 1 wg0
** There is nothing seen in Wireshark on the Windows PC
** There are no blocked packets by pf that are logged.
# Default deny everything, log for troubleshooting
block log all
What am I missing? It feels like Wireguard is dropping the packets, but
I have the 192.168.126.0/24 IP address range allowed... (being liberal
here).
What more can I do for troubleshooting?
I can see there is a "debug" command for the OpenBSD wg interface, but I
can't figure out where that debug information ends up :(
Thanks,
Steve W.
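WireGuard's cryptokey routing drops a decrypted packet whose source address is not inside the AllowedIPs (wgaip on OpenBSD) configured for that peer, and only sends a packet towards a peer whose AllowedIPs cover the destination; such drops happen inside WireGuard itself and never show up in pf logs. As an added example that is not part of the post, the script below parses the two configurations quoted above (embedded as constructed sample text, placeholders omitted) and reports any tunnel address that the other side's AllowedIPs do not cover; the function names are my own.

```python
import ipaddress

# Constructed sample input, copied from the two configurations quoted in the post.
HOSTNAME_WG0 = """\
wgpeer <wgpeer key>
wgaip 192.168.124.0/24
inet 192.168.126.1/24
up
"""
WINDOWS_CONF = """\
[Interface]
Address = 192.168.126.2/24
[Peer]
AllowedIPs = 192.168.126.0/24
"""

def parse_hostname_wg(text):
    """Return (interface address, [wgaip networks]) from an OpenBSD hostname.wg0."""
    addr, aips = None, []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 2:
            continue
        if parts[0] == "inet":
            addr = ipaddress.ip_interface(parts[1]).ip
        elif parts[0] == "wgaip":
            aips.append(ipaddress.ip_network(parts[1], strict=False))
    return addr, aips

def parse_wg_quick(text):
    """Return (Address, [AllowedIPs networks]) from a wg-quick style [Interface]/[Peer] file."""
    addr, aips = None, []
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "Address":
            addr = ipaddress.ip_interface(value.split(",")[0].strip()).ip
        elif key == "AllowedIPs":
            aips += [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
    return addr, aips

def cryptokey_routing_problems(server_text, client_text):
    """Each tunnel address must lie inside the AllowedIPs the other side holds for that peer."""
    srv_addr, srv_aips = parse_hostname_wg(server_text)
    cli_addr, cli_aips = parse_wg_quick(client_text)
    problems = []
    if not any(cli_addr in net for net in srv_aips):
        problems.append(f"server wgaip {[str(n) for n in srv_aips]} does not cover client {cli_addr}")
    if not any(srv_addr in net for net in cli_aips):
        problems.append(f"client AllowedIPs {[str(n) for n in cli_aips]} does not cover server {srv_addr}")
    return problems
```

Run against the quoted configurations it reports that the server's wgaip 192.168.124.0/24 does not cover the client's 192.168.126.2, which is exactly the case where packet counters rise while nothing appears on wg0.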