NixOS Networking

Declaratively manage your switching, routing, wireless, tunneling and more.

Sender: Message (Time)
30 Apr 2026
@cadair:cadair.com Cadair: I'm not sure I know what the IP address of the endpoint is over the tunnel (14:08:20)
@rvdp:infosec.exchange Ramses 🇵🇸: My first course of action would be to tcpdump the wg iface to check whether packets are going out and whether replies are coming back (14:13:40)
@cadair:cadair.com Cadair: well nothing seems to be coming back (14:19:44)
@cadair:cadair.com Cadair:
# tcpdump -i mullvad
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on mullvad, link-type RAW (Raw IP), snapshot length 262144 bytes
15:19:10.597713 IP penygader > kolabnow.com: ICMP echo request, id 13, seq 1, length 64
15:19:11.628561 IP penygader > kolabnow.com: ICMP echo request, id 13, seq 2, length 64
15:19:12.652563 IP penygader > kolabnow.com: ICMP echo request, id 13, seq 3, length 64
(14:20:17)
@cadair:cadair.com Cadair: I enabled debug logging on the WireGuard kernel module and it seems to be fine, and wg shows data coming back, so it's up (14:24:07)
@k900:0upti.me K900: Is Mullvad maybe just not forwarding ICMP (14:24:39)
@k900:0upti.me K900: Have you tried an actual TCP connection (14:24:44)
@cadair:cadair.com Cadair:
# tcpdump -i mullvad
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on mullvad, link-type RAW (Raw IP), snapshot length 262144 bytes
15:26:01.904094 IP penygader.49524 > kolabnow.com.https: Flags [S], seq 1722299121, win 65520, options [mss 1260,sackOK,TS val 1736116169 ecr 0,nop,wscale 7], length 0
15:26:01.937688 IP kolabnow.com.https > penygader.49524: Flags [S.], seq 1954783574, ack 1722299122, win 64240, options [mss 1340,nop,nop,sackOK,nop,wscale 7], length 0
15:26:02.104493 IP penygader.54126 > kolabnow.com.https: Flags [S], seq 1411843678, win 65520, options [mss 1260,sackOK,TS val 3195388376 ecr 0,nop,wscale 7], length 0
15:26:02.133932 IP kolabnow.com.https > penygader.54126: Flags [S.], seq 2178859904, ack 1411843679, win 64240, options [mss 1340,nop,nop,sackOK,nop,wscale 7], length 0
(14:26:33)
@cadair:cadair.com Cadair: I seem to be getting (14:26:38)
@cadair:cadair.com Cadair: * I seem to be getting something back (14:26:42)
@cadair:cadair.com Cadair: but curl hangs forever (14:26:49)
@cadair:cadair.com Cadair: well it eventually times out (14:28:28)
@cadair:cadair.com Cadair:

ok, I've found something odd. Apparently you can use 10.64.0.1 as a gateway inside the mullvad tunnel, so I set up a static route for this address:

10.64.0.1 dev mullvad proto static scope link metric 128

Which I then pinged

# ping 10.64.0.1
PING 10.64.0.1 (10.64.0.1) 56(84) bytes of data.
^C
--- 10.64.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4111ms

Looking at tcpdump, this time I'm getting responses:

# tcpdump -i mullvad
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on mullvad, link-type RAW (Raw IP), snapshot length 262144 bytes
15:45:31.453827 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 1, length 64
15:45:31.481398 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 1, length 64
15:45:32.492560 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 2, length 64
15:45:32.519818 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 2, length 64
15:45:33.516554 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 3, length 64
15:45:33.543803 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 3, length 64
15:45:34.540552 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 4, length 64
15:45:34.567838 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 4, length 64
15:45:35.564545 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 5, length 64
15:45:35.591841 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 5, length 64
(14:47:11)
@cadair:cadair.com Cadair: so why is tcpdump seeing responses, but ping is not seeing them? (14:47:31)
@rvdp:infosec.exchange Ramses 🇵🇸: your firewall might be intercepting them (14:57:59)
@rvdp:infosec.exchange Ramses 🇵🇸: or things like the kernel reverse path filter (14:58:27)
@rvdp:infosec.exchange Ramses 🇵🇸: have a look at the firewall, and if you can't find a potential issue, you can insert log statements in the firewall to figure out at which point the packets are being dropped (and if they reach the firewall in the first place) (15:00:46)
@cadair:cadair.com Cadair: oh it was the firewall (15:37:12)
@cadair:cadair.com Cadair: thanks (15:37:13)
@cadair:cadair.com Cadair: it's working (15:37:15)
@cadair:cadair.com Cadair: I can receive email again (15:37:19)
@cadair:cadair.com Cadair: This finally motivated me to migrate to networkd on my router, so it's achieved something lol (15:39:10)