I'm running Manjaro, in which I've set up a WireGuard peer to connect to my Raspberry Pi at home, but it can't ping any machine on my local network, not even the WireGuard peer. It may not even be connected, when it claims it is. I have a second client that has absolutely no issues.

Here is my interface configuration, which is the same as the config file my client install script spit out:

This closely corresponds to the configuration used on my other client, other than the private and preshared key being different.

The client is, as far as I can tell, correctly set up on the server side, as seen in my /etc/wireguard/wg0.conf file.

Whenever I enable tun0, I'm unable to ping any local address, including the other end of the wireguard tunnel.

What could possibly be going on here?

Nate

1 Answer

When you use AllowedIPs 0.0.0.0, WireGuard binds to all IP addresses. You'll want to be more specific with this field if you have two endpoints. From the "unofficial" WireGuard documentation on GitHub, see #3 below:

AllowedIPs

This defines the IP ranges for which a peer will route traffic. On simple clients, this is usually a single address (the VPN address of the simple client itself). For bounce servers this will be a range of the IPs or subnets that the relay server is capable of routing traffic for. Multiple IPs and subnets may be specified using comma-separated IPv4 or IPv6 CIDR notation (from a single /32 or /128 address, all the way up to 0.0.0.0/0 and ::/0 to indicate a default route to send all internet and VPN traffic through that peer). This option may be specified multiple times.

When deciding how to route a packet, the system chooses the most specific route first, and falls back to broader routes. So for a packet destined to 192.0.2.3, the system would first look for a peer advertising 192.0.2.3/32 specifically, and would fall back to a peer advertising 192.0.2.1/24 or a larger range like 0.0.0.0/0 as a last resort.

Examples

  1. peer is a simple client that only accepts traffic to/from itself: AllowedIPs = 192.0.2.3/32
  2. peer is a relay server that can bounce VPN traffic to all other peers: AllowedIPs = 192.0.2.1/24
  3. peer is a relay server that bounces all internet & VPN traffic (like a proxy), including IPv6: AllowedIPs = 0.0.0.0/0,::/0
  4. peer is a relay server that routes to itself and only one other peer: AllowedIPs = 192.0.2.3/32,192.0.2.4/32
  5. peer is a relay server that routes to itself and all nodes on its local LAN: AllowedIPs = 192.0.2.3/32,192.168.1.1/24
jaredatobe
  • My working client has allowed IPs set to 0.0.0.0/0, so wouldn't that work for the broken client? Do you think I have some other routing issue? Like a conflict with my regular network connection? How would I check this? – Nate Sep 01 '22 at 13:38
  • If the 2nd client is on the same machine, it is unable to bind to ports that the 1st client is already bound to. If it's on another machine, then I don't know. – jaredatobe Sep 01 '22 at 17:18
  • My working client is on a different machine than the broken client. – Nate Sep 01 '22 at 19:31
  • Okay, then I do not know. I had a very similar issue to what you described and the solution was as I stated. But I was using a single machine with 2 wireguard clients on it, so it sounds like that's not what you're seeing. – jaredatobe Sep 01 '22 at 20:15
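The most-specific-route selection the quoted documentation describes, plus a check for the "two endpoints sharing one AllowedIPs prefix" situation the answer warns about, as an added Python example that is not part of the original question or answer. The peer names and the peer table are constructed from the answer's own CIDR examples; the lookup is a plain longest-prefix match, not WireGuard's actual implementation.

```python
import ipaddress
from itertools import combinations

# Constructed peer table modelled on the examples in the answer above
# (hypothetical peer names; each value is a WireGuard AllowedIPs string).
PEERS = {
    "laptop": "192.0.2.3/32",
    "relay": "192.0.2.1/24",
    "gateway": "0.0.0.0/0,::/0",
}


def parse_allowed_ips(spec):
    """Split a comma-separated AllowedIPs value into network objects.
    strict=False lets 192.0.2.1/24 stand for its network 192.0.2.0/24."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]


def select_peer(peers, dst):
    """Return the peer whose AllowedIPs most specifically covers dst
    (longest prefix wins). None means no peer matches, in which case
    the packet is not sent down the tunnel at all."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, spec in peers.items():
        for net in parse_allowed_ips(spec):
            if (net.version == addr.version and addr in net
                    and net.prefixlen > best_len):
                best, best_len = name, net.prefixlen
    return best


def duplicate_allowed_ips(peers):
    """Flag the same prefix listed under two different peers. In
    WireGuard's cryptokey routing a prefix belongs to exactly one peer,
    so two server-side [Peer] blocks both claiming 0.0.0.0/0 means the
    later one takes the prefix and the earlier one silently loses it.
    Nested prefixes (a /32 inside a /24) are fine and are not flagged."""
    found = []
    for (a, sa), (b, sb) in combinations(peers.items(), 2):
        for na in parse_allowed_ips(sa):
            for nb in parse_allowed_ips(sb):
                if na == nb:
                    found.append((a, b, str(na)))
    return found
```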