pivpn/pivpn

[General Issue]: No Packets Reaching Raspberry Pi (Wireguard)

gitKittySuicide opened this issue · 4 comments

Describe the issue

TL;DR: pfSense is not port forwarding correctly on UDP 51820. I need that for my VPN to work. I suspect my ISP could be overriding my port forwarding somehow.

Hello! I am trying to set up my VPN server with WireGuard and Pi-hole, both of which are installed on a Raspberry Pi 400 of mine.

The Pi-hole is working just fine; when I use it as my DNS server on my pfSense router it works fine and my online activity has no issues.

I tried to connect WireGuard on my computer to see if it works, and even though I got a connection, it basically killed all of my connections on my Windows 10 PC.

I ran some tests on my Raspberry Pi to see if there are any issues with my connection, as per this link:
https://docs.pivpn.io/faq/#how-do-i-troubleshoot-connection-issues

Eventually, it led me to finding out that no packets are being received by my Raspberry Pi, which means no WireGuard VPN will work, either.

I am almost 100% convinced it is an issue with my router ports; the router has pfSense installed on it. I opened port 51820 on pfSense as it is the default used by WireGuard.

Results for the tcpdump on my Raspberry Pi -

"tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes"

Results for the nmap on my Raspberry Pi (Port 51820 - UDP) -

"PORT      STATE         SERVICE
51820/udp open|filtered unknown"

PiVPN (WireGuard) Configuration File -

"PLAT=Debian
OSCN=bullseye
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=10.14.88.9/24
IPv4gw=10.14.88.1
install_user=REDACTED
install_home=/home/REDACTED
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.14.88.9
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=1
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnPROTO=udp
pivpnMTU=1410
pivpnDEV=wg0
pivpnNET=10.87.121.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=1
INSTALLED_PACKAGES=(bsdmainutils unattended-upgrades)"

Results for my Windows 10 PC using tracert on my public ip -

Tracing route to REDACTED over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  REDACTED
Trace complete.

Please help. I don't know what else to do.

Expected behavior

The expected behavior would be for WireGuard to work and grant me a connection, not to mention also changing my IP.
A handshake and connection are formed with WireGuard, but there is no connectivity, not even with other devices on my LAN or home network.

I can't even connect to my router anymore when I connect to my WireGuard.

Please describe the steps to replicate the issue

I click on WireGuard and nothing happens.

Have you taken any steps towards solving your issue?

Yes, multiple. This is why I am posting here.

Screenshots

No response

Where did you run pivpn?

Raspberry Pi 400

Please provide your output from uname -a

Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux

Details about Operating System

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Installation

No response

Profile / Client creation

[Interface]
PrivateKey = =
Address = 10.87.121.2/24
DNS = 10.14.88.9

[Peer]
PublicKey = =
PresharedKey = =
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0

Debug output

:::: PiVPN debug ::::

:::: Latest commit ::::
Branch: master
Commit: 16189ed
Author: 4s3ti
Date: Thu Aug 3 23:33:23 2023 +0200
Summary: fix(core): typo on distroCheck

:::: Installation settings ::::
PLAT=Debian
OSCN=bullseye
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=10.14.88.9/24
IPv4gw=10.14.88.1
install_user=REDACTED
install_home=/home/REDACTED
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.14.88.9
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=1
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.87.121.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=1
INSTALLED_PACKAGES=(bsdmainutils unattended-upgrades)

:::: Server configuration shown below ::::
[Interface]
PrivateKey = server_priv
Address = 10.87.121.1/24
MTU = 1420
ListenPort = 51820

begin client-alpha

[Peer]
PublicKey = client-alpha_pub
PresharedKey = client-alpha_psk
AllowedIPs = 10.87.121.2/32

end client-alpha

=============================================
:::: Client configuration shown below ::::
[Interface]
PrivateKey = client-alpha_priv
Address = 10.87.121.2/24
DNS = 10.14.88.9

[Peer]
PublicKey = server_pub
PresharedKey = client-alpha_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0

:::: Recursive list of files in ::::
:::: /etc/wireguard shown below ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
client-alpha.conf
clients.txt

/etc/wireguard/keys:
client-alpha_priv
client-alpha_psk
client-alpha_pub
server_priv
server_pub

:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Iptables INPUT rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled
(it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp

:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq

:::: WARNING: This script should have automatically masked sensitive ::::
:::: information, however, still make sure that PrivateKey, PublicKey ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this: ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe ::::

:::: Debug complete ::::

I had the same problem, and solved it by adding "ListenPort = xxxx" to the tunnel and opening the same internal port in my router settings.

Just installed the latest version on bookworm, and it now works (thanks). I had a similar issue: port forwarding and DDNS are enabled on the router and yet it did not work.

I'm pretty convinced it's my new ISP, and not an issue with this script (I see other customers with this ISP seem to be complaining about it).

I was able to confirm it works at my end by installing a WireGuard client on a computer connected to my local LAN. I edited the .conf file so that the endpoint goes to the static IP address of my Pi server on the local LAN, rather than an external DNS address (supplied via a DDNS service). That worked. Investigations continue at my end, but so far no issues here.

(BTW, UFW is not enabled on the Pi yet.)

Update. It was indeed my ISP blocking (using CGNAT). I'm now using Tailscale.