Streisand: WireGuard on GCE not forwarding

Created on 19 Apr 2017  路  25Comments  路  Source: StreisandEffect/streisand

Hello, I'm not sure if I'm missing something or there is a bug, after successful install, I can ping and connect to the server thru the tunnel but any other IP wont answer, I checked forwarding and it looks like enabled but it's a no go. Any idea welcome :-)

arewireguard kinnetwork providegce

Most helpful comment

Looks like upstream fixed this problem, kernel.org's stable kernels fixed this problem, but Ubuntu forgot to backport the fixes.

Please "vote" on this issue if you'd like it to be fixed: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1685416

All 25 comments

What distribution are you on?

Tried with LEDE nightly and Ubuntu 16.04.2 LTS, both can ping server, read https, query dns, but no connection to other IPs.
If it's supposed to forward then there must be an issue, if not I would welcome infos on how to set up forwarding. Thanks!

john@ubuntu:~$ ping -c 1 10.192.122.1
PING 10.192.122.1 (10.192.122.1) 56(84) bytes of data.
64 bytes from 10.192.122.1: icmp_seq=1 ttl=64 time=63.5 ms

--- 10.192.122.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 63.581/63.581/63.581/0.000 ms
john@ubuntu:~$ tracepath 8.8.8.8
 1?: [LOCALHOST]                                         pmtu 1420
 1:  10.192.122.1                                         52.591ms 
 1:  10.192.122.1                                         63.825ms 
 2:  no reply
 3:  no reply

Firewall logs:

Apr 19 01:28:45 streisand kernel: [UFW AUDIT] IN=wg0-server OUT=ens4 MAC= SRC=10.192.122.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=29517 DF PROTO=ICMP TYPE=8 CODE=0 ID=31016 SEQ=1 
Apr 19 01:28:46 streisand kernel: [UFW AUDIT] IN=wg0-server OUT=ens4 MAC= SRC=10.192.122.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=29622 DF PROTO=ICMP TYPE=8 CODE=0 ID=31016 SEQ=2 
Apr 19 01:28:47 streisand kernel: [UFW AUDIT] IN=wg0-server OUT=ens4 MAC= SRC=10.192.122.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=29824 DF PROTO=ICMP TYPE=8 CODE=0 ID=31016 SEQ=3 
Apr 19 01:28:48 streisand kernel: [UFW AUDIT] IN=wg0-server OUT=ens4 MAC= SRC=10.192.122.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=29894 DF PROTO=ICMP TYPE=8 CODE=0 ID=31016 SEQ=4 

Is masquerading turned on on the server? Please send the output of

# iptables -t nat -L -v -n
# iptables -L -v -n
# cat /proc/sys/net/ipv4/ip_forward
# cat /sys/module/wireguard/version
...
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  165 10509 MASQUERADE  all  --  any    any     anywhere             anywhere            
    0     0 MASQUERADE  all  --  any    ens4    10.8.0.0/24          anywhere            
    0     0 MASQUERADE  all  --  any    ens4    10.9.0.0/24          anywhere            
john@ubuntu:~$ /etc/rc.local 
Warning: ignored obsolete keyword 'nat_traversal'
Warning: ignored obsolete keyword 'oe'
Warning: ignored obsolete keyword 'nat_traversal'
Warning: ignored obsolete keyword 'oe'
Warning: ignored obsolete keyword 'nat_traversal'
Warning: ignored obsolete keyword 'oe'
Redirecting to: systemctl start ipsec.service
[ ok ] Restarting xl2tpd (via systemctl): xl2tpd.service.
0

I switched order of rules in /etc/rc.local moving WireGuard rules before those of L2TP/IPsec like here:

# WireGuard
iptables -A FORWARD -s 10.192.122.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.192.122.0/24 -o ens4 -j MASQUERADE

# L2TP/IPsec
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
iptables -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source 10.148.0.2

Now after reboot iptables -t nat -L -v shows:

...
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  139  8692 MASQUERADE  all  --  any    any     anywhere             anywhere            
    0     0 MASQUERADE  all  --  any    ens4    10.8.0.0/24          anywhere            
    0     0 MASQUERADE  all  --  any    ens4    10.9.0.0/24          anywhere            
    0     0 MASQUERADE  all  --  any    ens4    10.192.122.0/24      anywhere            

Masquerade rule is now there, but something still missing, can't ping other IPs thru tunnel.

@zx2c4 That is after I switched order in rc.local (see above):
https://pastebin.com/raw/9UBGXeHw

Just made a fresh install.

#

After fresh install:

Output of:

iptables -t nat -L -v -n
iptables -L -v -n
cat /proc/sys/net/ipv4/ip_forward
cat /sys/module/wireguard/version

https://pastebin.com/raw/YdQ8Gy5p

Output of systemctl:
https://pastebin.com/raw/ckhLZ3T5

Output of systemctl status:
https://pastebin.com/raw/CWbYJ4n2

#

After fresh install and reboot:

Output of:

iptables -t nat -L -v -n
iptables -L -v -n
cat /proc/sys/net/ipv4/ip_forward
cat /sys/module/wireguard/version

https://pastebin.com/raw/4yqtMtei

Output of systemctl:
https://pastebin.com/raw/3Wta71ZS

Output of systemctl status:
https://pastebin.com/raw/r58H5f2F

Thanks. Sorry one more command: ip addr

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 42:01:0a:94:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.148.0.2/32 brd 10.148.0.2 scope global ens4
       valid_lft forever preferred_lft forever
    inet6 fe80::4001:aff:fe94:2/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9d35:7bcf:2405:ae1/64 scope link flags 800 
       valid_lft forever preferred_lft forever
4: wg0-server: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    link/none 
    inet 10.192.122.1/24 scope global wg0-server
       valid_lft forever preferred_lft forever
5: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.9.0.1 peer 10.9.0.2/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::1a08:3269:b995:ae7a/64 scope link flags 800 
       valid_lft forever preferred_lft forever
6: ip_vti0@NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0

@zx2c4 I have a fairly fresh GCE instance you can use to troubleshoot if you would like. Just send me your public key and I can add it.

A nice Github trick allows for this: https://github.com/zx2c4.keys

I'll be back in ~10 hours and will take a look.

TIL, thanks!
Keys has been added to [email protected] feel free to do whatever you want with this sever.

This may or may not matter, but after reading the backlog again, I started looking at the GCE module we use. The module has an ip_forward options which is disabled by default. https://docs.ansible.com/ansible/gce_module.html. I can enable that and spin up a new server if needed.

Tried that without success, maybe worth a retry as by the time I had already messed up the firewall rules. Thought, it should run NATed like L2TP and Openvpn which work fine with the GCE instance forwarding option turned off.
With tcpdump, I couldn't see traffic coming from wg0-server go thru the outgoing interface, also worth a retest.

Just updated client and server to WG 0.0.20170421, NAT seams to be working now, but the firewall seams to be blocking:

# journalctl -xf
Apr 21 19:22:23 streisand kernel: [UFW AUDIT] IN=wg0-server OUT=ens4 MAC= SRC=10.192.122.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=34008 DF PROTO=ICMP TYPE=8 CODE=0 ID=4787 SEQ=12 
Apr 21 19:22:24 streisand kernel: [UFW AUDIT] IN=wg0-server OUT=ens4 MAC= SRC=10.192.122.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=34192 DF PROTO=ICMP TYPE=8 CODE=0 ID=4787 SEQ=13 
Apr 21 19:22:25 streisand kernel: [UFW AUDIT] IN=wg0-server OUT=ens4 MAC= SRC=10.192.122.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=34234 DF PROTO=ICMP TYPE=8 CODE=0 ID=4787 SEQ=14 
Apr 21 19:22:26 streisand kernel: [UFW AUDIT] IN=wg0-server OUT=ens4 MAC= SRC=10.192.122.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=34291 DF PROTO=ICMP TYPE=8 CODE=0 ID=4787 SEQ=15 

# tcpdump -i ens4 not port 22
19:22:23.253165 IP 10.148.0.2 > google-public-dns-a.google.com: ICMP echo request, id 4787, seq 12, length 64
19:22:24.245219 IP 10.148.0.2 > google-public-dns-a.google.com: ICMP echo request, id 4787, seq 13, length 64
19:22:25.241188 IP 10.148.0.2 > google-public-dns-a.google.com: ICMP echo request, id 4787, seq 14, length 64
19:22:26.241714 IP 10.148.0.2 > google-public-dns-a.google.com: ICMP echo request, id 4787, seq 15, length 64

After 24 hours of debugging, I figured it out, and it's extremely low level. I'm following up with the relevant parties and will report here once it's fixed.

Thank you @zx2c4 for taking care of this! Yours is an amazing project! Streisand as well! :-)

Looks like upstream fixed this problem, kernel.org's stable kernels fixed this problem, but Ubuntu forgot to backport the fixes.

Please "vote" on this issue if you'd like it to be fixed: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1685416

@zx2c4 Do you think its worth conditionally skipping Streisand's Wireguard role on GCE until the required patches are backported?

Give them til Tuesday to respond, and then we'll see what to do. I suspect there will be a fairly quick cycle for fixing this, since Google Cloud platform is a big customer, and breaking stuff for them isn't good.

In the meantime you can get WG working on GCE by installing:
linux-generic-hwe-16.04-edge

The Ubuntu kernel guy wrote:

Hi Jason, actually we found out that someone else already had been requesting those changes last week. It was decided that it is better to get these changes out quickly so it should be in the next few days. I will mark your report as a duplicate to the older age report.

Prior bug report is here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1683947

I'm pretty sure this should be fixed by now. Can somebody test with a fresh instance and report back?

I have a fresh GCE instance coming up now. Will report back in a short while.

I was able to confirm that Wireguard appears to be working fine with a fresh GCE instance. I was able to route test traffic through the Wireguard interface without issue.

Thanks everyone! I'm going to close this issue - please open a new issue if you run into any further problems.

Was this page helpful?
0 / 5 - 0 ratings