Wireguard Site2Site VPN not working as expected

Trying to set up my UDM as a WireGuard server to connect to a Fritzbox router as WireGuard client and the network behind it.
Setup worked at first and I can ping back and forth perfectly.
However, I cannot telnet to port 80 or curl. I tested this on the UDM via tcpdump and found that the SYN and
respective ACK are being received fine on the br0 interface. In my interpretation this tells me that there is not a firewall problem (?).
It is interesting that the packets coming from the remote network are coming from the fixed IP of the internal WireGuard network.
It's not the remote network IP, which I would have expected. Maybe this causes trouble - I just don't know.

Here are my question(s):

Do you have a site-to-site WireGuard VPN running to connect two networks and experience similar behaviour?
When using tcpdump do you see the real IP or the fixed IP of the WireGuard tunnel?
Do you have any other ideas to fix the problem?

Thank you, hcp65

If you can use ping (ICMP) but not UDP or TCP connections like HTTPS, SSH or so, check your MTU in the WireGuard tunnel.

WireGuard MTU Size 1412 – Best Practices IPv4/IPv6 – MTU Calculation

Edit: tracepath <destinationIP> on Linux will show the current MTU in the WireGuard tunnel

Just learned that my analysis was wrong. In one direction I can ping a host behind the router, in the other direction not.

Did some experiments and the analysis was wrong:

Setup:

  • networkA managed by a UDM router, clientA is a client in the local network of networkA
  • networkB managed by a Fritzbox router, clientB is a client in the local network of networkB
  • networkC is the transfer network created by the UDM WireGuard setup. nodeC (in this network) is the gateway
  • UDM router is a WireGuard server
  • Fritzbox is a WireGuard client

Behaviour:

  • ping clientB->clientA works fine
  • ping clientA->clientB fails
  • tracert clientA->clientB ends at nodeC

This comes from the Outbound NAT that the FritzBox is doing on the WireGuard.

What do your AllowedIPs look like on the Fritzbox and on the UDM?

Allowed IPs on UDM is the one IP in the transfer network and the complete network on the other side (i.e. Fritzbox side).

On the Fritzbox, it's the IP in the transfer network, the gateway in the transfer network and the complete network on the other side (i.e. UDM side).

Anyway, if Fritz puts NAT on, how could I ever ping a specific host through NAT? Or is Outbound NAT something different?

I now experience that I randomly get pings through from the UDM side to hosts behind the Fritz. It might be from the target IP or from any other behind NAT - don't know that. Very strange behaviour.
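An added model (not code from the thread, AVM or Ubiquiti) of WireGuard's cryptokey routing, using constructed addresses, that checks the AllowedIPs described above in both directions and shows why the UDM sees the Fritzbox's transfer-network address when the Fritzbox applies outbound NAT on the tunnel. The network numbers, client addresses and peer names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the three networks named in the thread.
NETWORK_A = "192.168.1.0/24"    # LAN behind the UDM, clientA lives here
NETWORK_B = "192.168.178.0/24"  # LAN behind the Fritzbox, clientB lives here
UDM_TUNNEL = "10.10.10.1"       # nodeC: UDM gateway in the transfer network
FB_TUNNEL = "10.10.10.2"        # Fritzbox address in the transfer network

# Peer tables as described in the thread: far tunnel address plus far LAN.
UDM_PEERS = {"fritzbox": [FB_TUNNEL + "/32", NETWORK_B]}
FB_PEERS = {"udm": [UDM_TUNNEL + "/32", NETWORK_A]}


def select_peer(peers, dst):
    """Outbound cryptokey routing: the peer whose AllowedIPs contains dst,
    longest prefix winning; None means the packet never enters the tunnel."""
    best = None
    for name, allowed in peers.items():
        for cidr in allowed:
            net = ip_network(cidr)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers, peer, src):
    """Inbound rule: a decrypted packet is dropped unless its source address
    lies inside the sending peer's AllowedIPs."""
    return any(ip_address(src) in ip_network(c) for c in peers[peer])


def ping_round_trip(udm_peers, fb_peers, client_a, client_b, fb_nat):
    """clientA -> clientB request plus the reply. fb_nat=True models the
    Fritzbox rewriting LAN sources to its tunnel address, which is why
    tcpdump on the UDM shows the transfer-network IP, not the remote LAN IP."""
    if select_peer(udm_peers, client_b) is None:
        return "no tunnel route on UDM"
    if not accept_inbound(fb_peers, "udm", client_a):
        return "request dropped by Fritzbox AllowedIPs"
    reply_src = FB_TUNNEL if fb_nat else client_b
    if select_peer(fb_peers, client_a) is None:
        return "no tunnel route on Fritzbox"
    if not accept_inbound(udm_peers, "fritzbox", reply_src):
        return f"reply from {reply_src} dropped by UDM AllowedIPs"
    return f"ok, reply seen from {reply_src}"


if __name__ == "__main__":
    for nat in (True, False):
        print(ping_round_trip(UDM_PEERS, FB_PEERS, "192.168.1.20", "192.168.178.30", nat))
    # UDM listing only the tunnel address: the far LAN gets no route at all.
    print(ping_round_trip({"fritzbox": [FB_TUNNEL + "/32"]}, FB_PEERS, "192.168.1.20", "192.168.178.30", True))
```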

I don't know how AVM thinks this should work. I also have a FB here to test these things more deeply. But it is a little bit complex and I must do more research and testing on it.

Well, just to get it clear: UDM and FritzBox are the WireGuard servers, not any other machine in the networks behind?

If so, it's not different from what I do with my pfSense and a remote FritzBox.
The major point is that the FritzBox by default does not like transfer networks in WireGuard connections.

I have no idea whether or how well you understand German, but on this site there are instructions on how to set up WireGuard between FritzBox and pfSense without using a transfer network. But it's possible to add it later once everything works.

#Guide: Site2Site WireGuard connection between pfSense and FritzBox

Maybe you should start with that.

Compared to the pfSense I went down the same route. It is also very similar to connecting two AVMs, which worked well for me in the past.

The only difference is that the UDM only allows configurations without a transfer network. That's the complication and most likely the cause of the trouble.

That’s surprising for me, since you wrote before:

That's kind of a contradiction, and only one of the two can be true.