Wireguard, only ICMP Traffic

Hey everyone,

I tried setting up a VPS with WireGuard. Installed WireGuard on my Raspi in my LAN and on my notebook. All is running on different versions of Ubuntu (I don't think that the distributions matter too much in my case). The Raspi does the routing between my LAN and the VPN network.
Everything seemed to work like a charm.

I can ping from

- VPN server to Raspi/notebook using their VPN addresses (172.16.x.x)
- VPN server to addresses in my LAN (e.g. NAS (10.x.x.x))
- notebook to VPN server and Raspi using VPN addresses
- notebook to LAN
- LAN to notebook using the notebook's VPN address

BUT the only thing working is actually traffic using ICMP. So I can use ping and traceroute -I.
Everything else does not work. I cannot access the SMB share on my notebook, I cannot access the web interface of my smart home hub or my router, I cannot access my NAS, …

Everything other than ICMP traffic seems to not get any response.

Am I missing something obvious?
Maybe there is a better place for this question, but there is no official WireGuard forum, I think…

Any help is appreciated.

So, you are using the RasPi as your webserver? If so, did you get port forwarding and DDNS working properly on the RasPi?

Firewall rules are screaming at this point. Do you have the Uncomplicated Firewall running on the Pi and VPS? Can you list the rules with the following command:

ufw status

1 Like

On the server the output of ufw status is:

Status: active

To Action From

22/tcp ALLOW Anywhere
41179/udp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
41179/udp (v6) ALLOW Anywhere (v6)

with 41179 being the port of the wg server.
Just for testing purposes I disabled ufw on the server and now it is working.

So the firewall config is the problem. I don't really understand why, because in my understanding every packet sent to any client through the wg0-client interface should be sent through port 41179 as a UDP packet to the server. These packets are allowed in ufw. So I am getting something wrong…

So does ufw check the packets inside the wg tunnel? Then I need to allow a whole bunch of things for HTTP, HTTPS, SMB, SSH, …

Thanks for pointing me in the right direction!!

1 Like

I got it. It actually was a missing entry in iptables.

Thanks again! Sometimes it is just a bit of experience missing to know what causes your problem :slight_smile:

1 Like
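The question raised a few posts up ("does ufw check the packets inside the wg tunnel?") and the final fix ("a missing entry in iptables") describe the same gap: ufw only opened the UDP port for the encrypted transport, but once WireGuard decrypts a packet it re-enters netfilter on the wg0 interface, where the INPUT chain (for traffic to the server itself) and the FORWARD chain (for traffic routed on to the LAN, which ufw drops by default) are checked again. The script below is an added example, not code from the thread or from the WireGuard project. It audits a saved `ufw status` listing for the two interface rules a WireGuard gateway needs and prints the commands that would add them. It assumes the tunnel interface is named wg0 and the uplink eth0 (both overridable through environment variables), that `ufw status` renders interface rules as `Anywhere on wg0` and routed rules with the `ALLOW FWD` action, and that the `ufw route` subcommand is available (ufw 0.34 and later). Both status listings are constructed samples; the first reproduces the one posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a saved "ufw status" listing for
# the two rules a WireGuard gateway usually needs beyond the open UDP port:
#   1. an INPUT rule for packets that arrive decrypted on the tunnel interface
#   2. a FORWARD ("ufw route") rule so peers can reach the LAN behind the gateway
# Assumed interface names; override with WG_IF=... LAN_IF=... in the environment.
WG_IF="${WG_IF:-wg0}"
LAN_IF="${LAN_IF:-eth0}"

# Constructed sample 1: the listing posted in the thread (only 41179/udp open).
STATUS_BEFORE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
41179/udp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
41179/udp (v6)             ALLOW       Anywhere (v6)'

# Constructed sample 2: the same listing after the interface rules were added,
# in the layout ufw uses for "allow in on" and "route allow" rules (assumed).
STATUS_AFTER="$STATUS_BEFORE
Anywhere on $WG_IF            ALLOW       Anywhere
Anywhere on $LAN_IF           ALLOW FWD   Anywhere on $WG_IF"

# audit_ufw_status: reads a listing on stdin, prints
# "input=ok|missing forward=ok|missing" and exits 0 only when both rules exist.
audit_ufw_status() {
    listing=$(cat)
    input=missing
    forward=missing
    # Input rule: tunnel interface in the "To" column with a plain ALLOW action.
    if printf '%s\n' "$listing" | grep -Eq "^Anywhere on $WG_IF[[:space:]]+ALLOW[[:space:]]+"; then
        input=ok
    fi
    # Route rule: forwarded rules show "ALLOW FWD" with the ingress interface
    # in the "From" column.
    if printf '%s\n' "$listing" | grep -Eq "ALLOW FWD[[:space:]]+Anywhere on $WG_IF"; then
        forward=ok
    fi
    printf 'input=%s forward=%s\n' "$input" "$forward"
    [ "$input" = ok ] && [ "$forward" = ok ]
}

# needed_rules: prints the commands that add the missing pieces, including the
# kernel forwarding switch. Nothing here changes the firewall by itself; review
# the output and run it with sudo on the gateway.
needed_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'ufw allow in on %s\n' "$WG_IF"
    printf 'ufw route allow in on %s out on %s\n' "$WG_IF" "$LAN_IF"
}

printf 'Before: '
printf '%s\n' "$STATUS_BEFORE" | audit_ufw_status || needed_rules
printf 'After:  '
printf '%s\n' "$STATUS_AFTER" | audit_ufw_status
```

On a live system the audit can be fed with `sudo ufw status | audit_ufw_status`. The `ufw route` rule is what ends up as `-A FORWARD -i wg0 -j ACCEPT` in iptables, which matches the "missing entry in iptables" the thread concluded with; keeping the rule interface-scoped (in on wg0) rather than opening SMB, HTTP and SSH to "Anywhere" is the least-privilege way to let tunnel peers through without also exposing those services on the public side of the VPS.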