wireguard – Fixing ‘Destination Address Required’ Error in Wireguard

firewallvpnwireguard

I have a simple wireguard network comprised of a single "server" (the only device with an externally routable ip address) and two clients. Communication between the server and the clients seems to work great: from the server, I can access the clients using their wireguard addresses and I can access addresses "behind" the clients. Similarly, from the clients I can access the server's wireguard address.

What doesn't work is client-to-client communication. If from one client I attempt to ping another client using its wireguard ip address, the ping fails with:

From 192.168.64.10 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required

Furthermore, that ping attempt doesn't result in any UDP traffic between the client and the server.

I've included my wireguard configuration below.

VPN Nodes

On all nodes:

net.ipv4.ip_forward is 1
There are no restrictions on the FORWARD table
I am not using wg-quick to bring up the vpn. I'm using a shell script that is included at the bottom of this post.

Server

# ip addr show wg0
39: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.64.1/24 scope global wg0
       valid_lft forever preferred_lft forever

# ip route show | grep wg0
10.0.0.0/8 dev wg0 scope link
192.168.1.0/24 dev wg0 scope link
192.168.11.0/24 dev wg0 scope link
192.168.13.0/24 dev wg0 scope link
192.168.64.0/24 dev wg0 proto kernel scope link src 192.168.64.1

[Interface]
PrivateKey = <secret key>
ListenPort = 50001

[Peer]
PublicKey = 1cML7...
AllowedIps = 192.168.1.0/24, 192.168.11.0/24, 192.168.13.0/24, 192.168.64.10/32
PersistentKeepalive = 30

[Peer]
PublicKey = mRjd9...
AllowedIps = 10.0.0.0/8, 192.168.64.11/32
PersistentKeepalive = 30

Client 1

# ip addr show wg0
33: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.64.10/24 scope global wg0
       valid_lft forever preferred_lft forever

# ip route | grep wg0
10.0.0.0/8 dev wg0 scope link
192.168.64.0/24 dev wg0 proto kernel scope link src 192.168.64.10

[Interface]
PrivateKey = <secret key>
ListenPort = 50001

[Peer]
PublicKey = 2VtQ/...
Endpoint = wg.example.com:50001
AllowedIps = 0.0.0.0/0, 192.168.64.1/32
PersistentKeepalive = 30

[Peer]
PublicKey = mRjd9...
AllowedIps = 10.0.0.0/8, 192.168.64.11/32
PersistentKeepalive = 30

Client 2

# ip addr show wg0
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.64.11/24 scope global wg0
       valid_lft forever preferred_lft forever

# ip route show | grep wg0
192.168.1.0/24 dev wg0 scope link
192.168.11.0/24 dev wg0 scope link
192.168.13.0/24 dev wg0 scope link
192.168.64.0/24 dev wg0 proto kernel scope link src 192.168.64.11

[Interface]
PrivateKey = <secret key>
ListenPort = 50001

[Peer]
PublicKey = 2VtQ/...
Endpoint = wg.example.com:50001
AllowedIps = 0.0.0.0/0, 192.168.64.1/32
PersistentKeepalive = 30

[Peer]
PublicKey = 1cML7...
AllowedIps = 192.168.1.0/24, 192.168.11.0/24, 192.168.13.0/24, 192.168.64.10/32
PersistentKeepalive = 30

Interface configuration script

The wg0 interface on the nodes is configured with the following script:

#!/bin/sh

dev=$1
addr=$2

ip link add $dev type wireguard
ip addr add $addr dev $dev

wg setconf $dev /etc/wireguard/$dev.conf

ip link set $dev  up

Best Answer

Let's follow what happens:

Client1's routing table tell it that 192.168.64.11 is reachable through wg0.
Client1's wg0 cryptokey-routing settings tell that 192.168.64.11 is reachable through 2nd Peer (with a key starting with mRjd9) aka Client2.
payload is ready to be tunneled to 2nd Peer's current endpoint... except there's no Endpoint defined to reach the 2nd Peer and as there was never traffic received in the other direction (for the very same reason) no endpoint exists. That's different for Server which on receiving the first packet from Client1 will set the current Client1's source address as the endpoint.

The same happens in the other direction from Client2 to Client1: there's no Endpoint defined and no traffic was received to have an endpoint set.

So the tunnel being currently incomplete, fails. wireguard sends the error EDESTADDRREQ/Destination address required when this happens. Just because it's more difficult to specify what is this other side, doesn't mean omitting it will magically make it work.

As both are NATed you get the usual NAT connectivity issues between two NATed devices.

To solve this you can either:

Use Server as a STUN-like server (maybe even running an actual STUN server, but outside of the tunnel) to synchronize the method for Client1 and Client2 to attempt UDP hole punching with WireGuard tunnels, assuming there's no Symmetric NATs or CG NAT in the way. That's beyond the scope of this WireGuard question to do this properly, but that should be what to favor to avoid needing Server for all traffic.

Note that using 0.0.0.0/0 in AllowedIps on each client makes no sense as soon as there are two peers defined each with values in AllowedIps. 0.0.0.0/0 will be silently discarded from the cryptokey route in the end and should not be used. One IP address can resolve (ie: be cryptokey-routed) to exactly one Peer (or none) but never more than one.
or, as it appears was intended in OP, relay traffic through Server which requires to set Server as router on its wg0 interface (used both for ingress and egress) and change configuration on Client1 and Client2. There's no "dynamic cryptokeyrouting" protocol, the change must be done manually or with scripts on both clients (until some routing daemon able to do this for WireGuard appears). For example (here just using 0.0.0.0/0 instead of explicitly stating all the routes would have be fine, there's now only one actual Peer):
- Client1
```
[Interface]
PrivateKey = <secret key>
ListenPort = 50001

[Peer]
PublicKey = 2VtQ/...
Endpoint = wg.example.com:50001
AllowedIps = 192.168.64.1/32, 10.0.0.0/8, 192.168.64.11/32
PersistentKeepalive = 30
```
  The part below becomes useless: Client1 never has Client2 as peer, only Server. But it can still be kept in the configuration:
```
[Peer]
PublicKey = mRjd9...
AllowedIps = 
PersistentKeepalive = 30
```
- Client2
```
[Interface]
PrivateKey = <secret key>
ListenPort = 50001

[Peer]
PublicKey = 2VtQ/...
Endpoint = wg.example.com:50001
AllowedIps = 192.168.64.1/32, 192.168.1.0/24, 192.168.11.0/24, 192.168.13.0/24, 192.168.64.10/32
PersistentKeepalive = 30

[Peer]
PublicKey = 1cML7...
AllowedIps = 
PersistentKeepalive = 30
```

Related Solutions

Linux – OpenSwan IPSec phase #2 complications

You'll want to get the remote end to enable NAT-T on their end of the connection as well.

IPSec communication cryptographically signs the entire packet - any change to the IP header will invalidate that signature. NAT works by rewriting the source and/or destination IP fields; having NAT on either end of the connection means that every packet is having the header changed in transit; the source is changed on packets leaving your 192.168 network, and the destination is changed on inbound packets.

NAT-T counteracts this by encapsulating the entire ESP packet in a new UDP packet. The UDP packet can safely have its headers mangled to the satisfaction of any NAT devices, while the ESP payload will make the entire trip unchanged. The remote node will need to enable this to protect the packets they're sending your way from the NAT modifications, and you'll both need to be allowing UDP port 4500.

This may not be the only issue in the configuration of the VPN tunnel, but it would certainly explain a malformed payload message; give it a shot, and let us know if any further issues come up!

Linux – WireGuard Port-forwarding from Client in the Host

Turns out doing DNAT like that for 127.0.0.1 appears to be infeasible (well, at least for the case of OUTPUT), probably due to the fact that 127.0.0.0/8 are of scope host or similar reasons.

However, the following nftables ruleset should help you achieve what you want:

table ip rewrite {
        chain unloop {
                type route hook output priority filter; policy accept;
                ip daddr 127.0.0.1 tcp dport 80 ip daddr set 10.7.0.2 ip saddr set 10.7.0.1
        }

        chain reloop {
                type filter hook input priority 101; policy accept;
                ip saddr 10.7.0.2 tcp sport 80 ip saddr set 127.0.0.1 ip daddr set 127.0.0.1
        }
}
table ip realnat {
        chain dest {
                type nat hook output priority filter; policy accept;
                ip daddr 192.168.1.183 tcp dport 80 dnat to 10.7.0.2
        }

        chain source {
                type nat hook postrouting priority srcnat; policy accept;
                ip daddr 10.7.0.2 tcp dport 80 snat to 10.7.0.1
        }
}

Instead of doing "proper" destination NAT, you need to instead do sort of an "untracked" rewrite of the destination (and the source) address. With the help of a type route chain, a new route lookup will be performed. Additionally, you'll need to make the replying traffics have their source and destination addresses change back to 127.0.0.1 so that curl can recognize the traffics.

With hook input, it should (i.e. NOT TESTED) avoid unwanted rewrite for traffics that are not for the host itself (i.e. replying traffics for forwarded traffics). On the other hand, priority 101 (i.e. 1 larger than srcnat / all standard priorities) will avoid unwanted rewrite to replies that are responding to requests that have been properly NAT'd.

As you can see, for the 192.168.1.183 case, another table that does normal NAT'ing follows the one for the 127.0.0.1 special case.

Note that this ruleset is only for curling from inside the container (or at most, its host; I'm not familiar with containers and as far as I know, there can be different networking approach for them). If you for example need the container to forward for some other hosts in 192.168.1.0/24, you'll additionally need the same dnat rule in a chain of type nat hook prerouting priority dstnat. IP forwarding will need to be enabled and allowed as well. And as I said, I'm NOT sure if the rewriting tricks above for 127.0.0.1 will conflict with that.