!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

Declaratively manage your switching, routing, wireless, tunneling and more.
914 Members, 274 Servers

30 Apr 2026
@k900:0upti.me K900: Uhh is 185.254.79.30 the internal address of the peer on the tunnel (14:05:28)
@k900:0upti.me K900: Or is it the external endpoint (14:05:32)
@k900:0upti.me K900: Cause it feels like the latter (14:05:35)
@cadair:cadair.com Cadair: yeah the latter (14:05:39)
@k900:0upti.me K900: Then it should absolutely not have a route on the Mullvad interface (14:06:01)
@k900:0upti.me K900: Because what you're saying is "to get to the endpoint of the tunnel, go through the tunnel" (14:06:13)
@k900:0upti.me K900: Which makes no sense (14:06:16)
@cadair:cadair.com Cadair: oh it's neither sorry (14:06:38)
@cadair:cadair.com Cadair: it's the random IP on the wider internet I want to get to over the tunnel (14:06:47)
@cadair:cadair.com Cadair: * it's the "random" IP on the wider internet I want to get to over the tunnel (14:07:09)
@k900:0upti.me K900: Can you ping the actual endpoint of the tunnel? (14:07:33)
@k900:0upti.me K900: On the tunnel link (14:07:38)
* @cadair:cadair.com Cadair can't get packets to his email host over his home internet without tunneling it over a VPN for some reason he can't get to the bottom on (14:07:55)
* @cadair:cadair.com Cadair * can't get packets to his email host over his home internet without tunneling it over a VPN for some reason he can't get to the bottom of (14:07:55)
@cadair:cadair.com Cadair: I'm not sure I know what the IP address of the endpoint is over the tunnel (14:08:20)
@rvdp:infosec.exchange Ramses 🇵🇸: My first course of action would be to tcpdump the wg iface to check whether packets are going out and whether replies are coming back (14:13:40)
@cadair:cadair.com Cadair: well nothing seems to be coming back (14:19:44)
@cadair:cadair.com Cadair:

    # tcpdump -i mullvad
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on mullvad, link-type RAW (Raw IP), snapshot length 262144 bytes
    15:19:10.597713 IP penygader > kolabnow.com: ICMP echo request, id 13, seq 1, length 64
    15:19:11.628561 IP penygader > kolabnow.com: ICMP echo request, id 13, seq 2, length 64
    15:19:12.652563 IP penygader > kolabnow.com: ICMP echo request, id 13, seq 3, length 64

(14:20:17)
@cadair:cadair.com Cadair: I enabled debug logging on the wireguard kernel module and it seems to be fine, and wg shows data coming back, so it's up (14:24:07)
@k900:0upti.me K900: Is Mullvad maybe just not forwarding ICMP (14:24:39)
@k900:0upti.me K900: Have you tried an actual TCP connection (14:24:44)
@cadair:cadair.com Cadair:

    # tcpdump -i mullvad
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on mullvad, link-type RAW (Raw IP), snapshot length 262144 bytes
    15:26:01.904094 IP penygader.49524 > kolabnow.com.https: Flags [S], seq 1722299121, win 65520, options [mss 1260,sackOK,TS val 1736116169 ecr 0,nop,wscale 7], length 0
    15:26:01.937688 IP kolabnow.com.https > penygader.49524: Flags [S.], seq 1954783574, ack 1722299122, win 64240, options [mss 1340,nop,nop,sackOK,nop,wscale 7], length 0
    15:26:02.104493 IP penygader.54126 > kolabnow.com.https: Flags [S], seq 1411843678, win 65520, options [mss 1260,sackOK,TS val 3195388376 ecr 0,nop,wscale 7], length 0
    15:26:02.133932 IP kolabnow.com.https > penygader.54126: Flags [S.], seq 2178859904, ack 1411843679, win 64240, options [mss 1340,nop,nop,sackOK,nop,wscale 7], length 0

(14:26:33)
@cadair:cadair.com Cadair: I seem to be getting (14:26:38)
@cadair:cadair.com Cadair: * I seem to be getting something back (14:26:42)
@cadair:cadair.com Cadair: but curl hangs forever (14:26:49)
@cadair:cadair.com Cadair: well it eventually times out (14:28:28)
@cadair:cadair.com Cadair:

ok, I've found something odd. Apparently you can use 10.64.0.1 as a gateway inside the mullvad tunnel, so I set up a static route for this address:

    10.64.0.1 dev mullvad proto static scope link metric 128

Which I then ping'ed

    # ping 10.64.0.1
    PING 10.64.0.1 (10.64.0.1) 56(84) bytes of data.
    ^C
    --- 10.64.0.1 ping statistics ---
    5 packets transmitted, 0 received, 100% packet loss, time 4111ms

Looking at tcpdump, this time I'm getting responses:

    # tcpdump -i mullvad
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on mullvad, link-type RAW (Raw IP), snapshot length 262144 bytes
    15:45:31.453827 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 1, length 64
    15:45:31.481398 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 1, length 64
    15:45:32.492560 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 2, length 64
    15:45:32.519818 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 2, length 64
    15:45:33.516554 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 3, length 64
    15:45:33.543803 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 3, length 64
    15:45:34.540552 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 4, length 64
    15:45:34.567838 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 4, length 64
    15:45:35.564545 IP penygader > 10.64.0.1: ICMP echo request, id 18, seq 5, length 64
    15:45:35.591841 IP 10.64.0.1 > penygader: ICMP echo reply, id 18, seq 5, length 64

(14:47:11)
@cadair:cadair.com Cadair: so why is tcpdump seeing responses, but ping is not seeing them? (14:47:31)
@rvdp:infosec.exchange Ramses 🇵🇸: your firewall might be intercepting them (14:57:59)
@rvdp:infosec.exchange Ramses 🇵🇸: or things like the kernel reverse path filter (14:58:27)
