[Freedombox-discuss] Wireguard: Packet has unallowed src IP (...) from peer 1 (...)
A. F. Cano
afc54 at comcast.net
Sat Feb 15 21:45:29 GMT 2025
I'm attempting to set up wireguard for the simplest case: a laptop that
wants to connect to the FreedomBox and thus have access to the internal
network.
I have already overcome a few hurdles. Per
https://wiki.debian.org/WireGuard
I have set up /etc/wireguard/wg0.conf (in the client)
-------------------------------------
[Interface]
PrivateKey = <the private key, in /etc/wireguard/privatekey>
## Client IP
Address = 192.168.200.28/24  # the internal network I want to join
## if you have DNS server running
# DNS = 192.168.x.1 (I don't run a dns server)
[Peer]
PublicKey = <public key of the FreedomBox>
## to pass internet traffic 0.0.0.0 but for peer connection only use 192.168.x.0/24, or you can also specify comma separated IPs
AllowedIPs = 10.84.0.0/32,192.168.200.0/24
Endpoint = <my subdomain>.freedombox.rocks:51820
PersistentKeepalive = 20
-------------------------------------
But no matter the combination of /24 or /32 in the "Address" and "AllowedIPs"
fields nothing ever goes out of the client. I had to explicitly add the
specific internal address I want to contact in the "AllowedIPs", as in:
AllowedIPs = 10.84.0.0/32,192.168.200.0/24,192.168.200.9
and then packets actually do go out and I see them arrive at the FreedomBox.
After
$ echo "module wireguard +p" | sudo tee /sys/kernel/debug/dynamic_debug/control
I see this when running "sudo dmesg -wT" at the FreedomBox:
[Sat Feb 15 15:13:46 2025] wireguard: wg0: Packet has unallowed src IP (192.168.200.28) from peer 1 (73.178.216.92:42585)
It appears that the FreedomBox wireguard doesn't use /etc/wireguard/wg0.conf
(/etc/wireguard is empty) so I can't use the same trick I used on the client.
I would have assumed that the FreedomBox wireguard would know about the
internal networks (in my case 192.168.200.0/24 and 192.168.224.0/24) and I am
unsure how to tell the FreedomBox wireshark what IP ranges to accept traffic
for. After all wireshark is apparently just a kernel module.
So, how do I tell the FreedomBox to accept packets coming from "peer 1"
(192.168.200.28)?
Thanks.
Augustine
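
The receive-side check behind the dmesg line quoted above, as an added example that is not part of the original message or of FreedomBox's code: WireGuard drops a decrypted packet whose inner source address is not inside the AllowedIPs that the receiving side has configured for the sending peer. The `wg show wg0 endpoints` and `wg show wg0 allowed-ips` output below is constructed; the peer key placeholder and the 10.84.0.2/32 entry are assumptions, not values from the post.

```python
import ipaddress
import re

# Log line as quoted in the post (dmesg -wT on the receiving side).
LOG_LINE = ("[Sat Feb 15 15:13:46 2025] wireguard: wg0: Packet has unallowed "
            "src IP (192.168.200.28) from peer 1 (73.178.216.92:42585)")

# Constructed sample of `wg show wg0 endpoints` and `wg show wg0 allowed-ips`
# on the receiving side. The key and 10.84.0.2/32 are assumptions.
ENDPOINTS = "PEERKEYPLACEHOLDER=\t73.178.216.92:42585\n"
ALLOWED_IPS = "PEERKEYPLACEHOLDER=\t10.84.0.2/32\n"

LOG_RE = re.compile(
    r"wireguard: (?P<iface>\S+): Packet has unallowed src IP "
    r"\((?P<src>[^)]+)\) from peer \d+ \((?P<endpoint>[^)]+)\)")


def parse_table(text):
    """Parse tab-separated `wg show <iface> <field>` output into a dict."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition("\t")
            table[key] = value.strip()
    return table


def explain_drop(log_line, endpoints_out, allowed_out):
    """Return (src, peer_key, allowed_nets, accepted) for one dropped packet."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not an 'unallowed src IP' line")
    src = ipaddress.ip_address(m["src"])
    endpoints = parse_table(endpoints_out)
    peer = next((k for k, ep in endpoints.items() if ep == m["endpoint"]), None)
    if peer is None:
        raise LookupError("no peer currently has endpoint " + m["endpoint"])
    raw = parse_table(allowed_out).get(peer, "(none)")
    nets = [] if raw == "(none)" else [
        ipaddress.ip_network(n, strict=False) for n in raw.split()]
    # WireGuard's receive path: the inner source must fall inside one of the
    # sending peer's AllowedIPs, otherwise the packet is dropped.
    accepted = any(src.version == n.version and src in n for n in nets)
    return str(src), peer, [str(n) for n in nets], accepted


if __name__ == "__main__":
    src, peer, nets, ok = explain_drop(LOG_LINE, ENDPOINTS, ALLOWED_IPS)
    print(f"src {src} from {peer}: allowed={nets} accepted={ok}")
```

On a live system the two strings would be replaced by the real output of those `wg show` subcommands, run on the side that logged the drop.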