[Solved] Wireguard - has handshake but no internet access - Bookworm

Hello All,

I have set up a test vps running bullseye with freedombox 23.6.2 installed and wireguard. The bullseye wireguard has a handshake and the command ping 1.1.1.1 on the client device works perfectly.

I have used the command apt full-upgrade to upgrade this vps from bullseye to bookworm.

DEBIAN_FRONTEND=noninteractive apt full-upgrade

At the end of the upgrade there was the question about the file:

firewalld.conf

I chose [default=N].

The file - firewalld.conf is set to: DefaultZone=external

After the full-upgrade there is now no internet access over the wireguard vpn from the client device to freedombox.

The wireguard command wg show shows there is a handshake but the command ping 1.1.1.1 on the client device fails to access the internet.

Regards: peter

Hello All,

I think I may have found what is going wrong with wireguard and bookworm?

There is a difference in the firewalld block zone between bullseye and bookworm. In bullseye the block zone's forward: is set to no, but in bookworm the block zone's forward: is set to yes.

I bet if the forward: section in the bookworm block zone was set to no, wireguard would be working again?

Regards: peter

bullseye:

firewall-cmd --list-all --zone=block

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

bookworm:

firewall-cmd --list-all --zone=block

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Update: I used the command below to set forward to no in the block zone, but no luck!!

firewall-cmd --zone=block --remove-forward --permanent

Regards: peter

Hello All again,

On a vps that is running bookworm & freedombox-wireguard I have run tcpdump with the command shown below, and on the client end of the vpn I have started a ping 1.1.1.1, which routes to: 10.84.0.1

On the vpn: tcpdump -n -v -i wg0

Below is a copy and paste of what is of interest from the tcpdump output:

10.84.0.1 > 10.84.0.2: ICMP host 1.1.1.1 unreachable - admin prohibited filter

From a google search:

“The “admin prohibited filter” seen in the tcpdump output means there is a firewall blocking a connection. It does it by sending back an ICMP packet meaning precisely that: the admin of that firewall doesn’t want those packets to get through.”

It looks like there is something wrong with the firewalld?

Regards: peter

Hello All,

I have used again the commands listed below, and this time bingo!

Wireguard started to work after a reboot.

Regards: peter

So the issue is solved!

firewall-cmd --permanent --new-policy int_to_ext_fwd
firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT
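Added example, not peter's commands or FreedomBox code: an offline check of why toggling forward: in the block zone did nothing while the policy above fixed it. In firewalld 1.x (bookworm) a zone's forward: yes only permits forwarding between that zone's own interfaces; traffic crossing from one zone to another needs a policy. It assumes wg0 sits in zone internal and eth0 in zone external, and the listings are constructed in firewall-cmd output format.

```python
# Added example, not from the thread. Assumption: wg0 is in zone internal, eth0 in zone external.
def parse_firewall_cmd(text):
    """Parse concatenated `--list-all` / `--info-policy` output into {name: {key: value}}."""
    objs, cur = {}, None
    for line in text.splitlines():
        if not line.strip(): continue
        if not line.startswith(" "):          # unindented header: "block" or "internal (active)"
            cur = line.split()[0]
            objs[cur] = {}
        else:
            key, _, val = line.strip().partition(":")
            objs[cur][key.strip()] = val.strip()
    return objs

def zone_of(zones, iface):
    return next((n for n, z in zones.items()
                 if iface in z.get("interfaces", "").split()), None)

def forwarding_allowed(zones, policies, in_iface, out_iface):
    """firewalld >= 1.0 (bookworm): a zone's 'forward: yes' only covers that zone's
    own interfaces; traffic crossing zones needs a matching ACCEPT policy."""
    src, dst = zone_of(zones, in_iface), zone_of(zones, out_iface)
    if src is None or dst is None:
        return False, "interface not bound to any zone"
    if src == dst:
        fwd = zones[src].get("forward")
        return fwd == "yes", f"intra-zone forward={fwd} in zone {src}"
    for name, p in policies.items():
        ingress, egress = p.get("ingress-zones", "").split(), p.get("egress-zones", "").split()
        if (p.get("target") == "ACCEPT" and (src in ingress or "ANY" in ingress)
                and (dst in egress or "ANY" in egress)):
            return True, f"policy {name} accepts {src} -> {dst}"
    return False, f"no ACCEPT policy from zone {src} to zone {dst}"
# Constructed listing: tunnel and uplink in different zones, both with 'forward: yes'.
ZONES_BOOKWORM = """\
internal (active)
  interfaces: wg0
  forward: yes
external (active)
  interfaces: eth0
  forward: yes
"""
# The policy the thread's fix creates, as `firewall-cmd --info-policy` would list it (constructed).
POLICY_FIX = """\
int_to_ext_fwd (active)
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external
"""
```

Without the policy the function reports no path from internal to external even though both zones have forward: yes; with it the path is accepted.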