Hngnggh.

WireGuard is giving me a bit of a headache. Trying to connect Mom's PC to Eru via WG, the handshake succeeds, the route is there, but they can't ping each other.

My desktop's WG config is pretty much the same, save for the IP address and key, and that works fine.

Logs aren't telling me much...

[h máj  5 12:11:36 2025] wireguard: wg-eru: Receiving keepalive packet from peer 6 (95.216.196.166:51820)

I mean, yeah, great, I appreciate that, but WHY NO PING?!

@algernon I remember having a similar issue, details a bit foggy but I think switching on which peer the keepalive was detected solved the problem. A symptom was that I could ping A->B only after I sent out a bunch of B->A pings.

AHA!

[Mon May  5 12:38:26 2025] wireguard: madhouse0: Packet has unallowed src IP (10.69.0.55) from peer 33 (<ip>:9918)

But why.

Why?

Because I made a typo. Of course. But now I know how to debug WG issues better!

Oh, right. I should share how to debug WG issues better, shouldn't I?

echo "module wireguard +p" | doas tee /sys/kernel/debug/dynamic_debug/control

On both sides of the tunnel. That'll surface errors like a packet having an unwallowed source IP.

Do the same thing with -p instead of +p to turn the debug messages off.

@algernon owo what's dynamic_debug?

@algernon Following your posts is always interesting. I learn syntax of strange programing things. It's interesting to see your experiments, or setups. Keep it up! and nice way to debug I suppose. Haha.

@tardis to be honest, I would have preferred if I didn't have to enable debug messages to surface errors. But I'll take the small win of being able to enable debug messages without having to reboot.

@wolf480pl https://www.kernel.org/doc/html/latest/admin-guide/dynamic-debug-howto.html

@algernon My latest startup will produce mechanical keyboards that run an AI engine that prevents typos. Anyone who wants to invest a billion dollars please message me privately.

@algernon right, but you need to have support for this enabled in your kernel, if your distro has this off (and maybe a good idea security-wise?) then this won't work.

@stf Indeed, if it is disabled in the kernel, this won't work. Luckily, that is not a case I need to care about. :)