I have set up a test VPS running bullseye with FreedomBox 23.6.2 and WireGuard installed. The bullseye WireGuard has a handshake, and the command ping 1.1.1.1 on the client device works perfectly.
I have used the command apt full-upgrade to upgrade this vps from bullseye to bookworm.
DEBIAN_FRONTEND=noninteractive apt full-upgrade
At the end of the upgrade there was the question about the file:
firewalld.conf
I chose [default=N].
The file firewalld.conf is set to: DefaultZone=external
After the full-upgrade there is now no internet access over the WireGuard VPN from the client device to FreedomBox.
The WireGuard command wg show shows there is a handshake, but the command ping 1.1.1.1 on the client device fails to reach the internet.
I think I may have found what is going wrong with WireGuard and bookworm.
There is a difference in the firewalld block zone between bullseye and bookworm. In bullseye the block zone's forward: setting is no, but in bookworm the block zone's forward: setting is yes.
I bet if the forward: setting in the bookworm block zone were set to no, WireGuard would be working again.
Regards, peter
bullseye:
firewall-cmd --list-all --zone=block
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
bookworm:
firewall-cmd --list-all --zone=block
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Update: I used the command below to set forward to no in the block zone, but no luck!
On a VPS running bookworm and FreedomBox WireGuard I ran tcpdump with the command shown below, and on the client end of the VPN I started ping 1.1.1.1, which routes to 10.84.0.1.
On the VPN: tcpdump -n -v -i wg0
Below is a copy and paste of what is of interest from the tcpdump output:
“The “admin prohibited filter” seen in the tcpdump output means there is a firewall blocking a connection. It does it by sending back an ICMP packet meaning precisely that: the admin of that firewall doesn’t want those packets to get through.”
It looks like there is something wrong with firewalld?
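As an added example (not from the post above and not FreedomBox or firewalld code), a POSIX sh helper that parses `firewall-cmd --list-all` zone listings and reports which settings differ between two of them; the embedded sample is the bullseye block-zone listing quoted in the post, with the bookworm listing derived from it (only forward: differs), so it runs without firewalld present.

```shell
#!/bin/sh
# Constructed sample: the bullseye "firewall-cmd --list-all --zone=block"
# listing from the post. The bookworm listing is the same except forward: yes.
BULLSEYE_BLOCK='block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'
BOOKWORM_BLOCK=$(printf '%s\n' "$BULLSEYE_BLOCK" | sed 's/^  forward: no$/  forward: yes/')

# zone_setting LISTING KEY: print the value of KEY (empty if the key has no
# value). Exact-key match, so "forward" does not match "forward-ports".
zone_setting() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}          # strip leading indentation
        case $line in
            "$2: "*) printf '%s\n' "${line#"$2: "}"; break ;;
            "$2:")   printf '\n'; break ;;
        esac
    done
}

# zone_diff LISTING_A LISTING_B: one "key: a -> b" line per differing setting,
# iterating over the keys found in LISTING_A (the zone-name header is skipped).
zone_diff() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}
        case $line in *:*) ;; *) continue ;; esac   # header has no colon
        key=${line%%:*}
        a=$(zone_setting "$1" "$key")
        b=$(zone_setting "$2" "$key")
        [ "$a" = "$b" ] || printf '%s: %s -> %s\n' "$key" "${a:-<empty>}" "${b:-<empty>}"
    done
}

zone_diff "$BULLSEYE_BLOCK" "$BOOKWORM_BLOCK"   # prints: forward: no -> yes
```

On a live host, replace the embedded listings with `firewall-cmd --list-all --zone=<zone>` captured before and after the upgrade to get the same key-by-key comparison for every zone, not only block.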