Netgate Discussion Forum
    WireGuard Multi-Hop: SSH Drops & Inter-VPS Connectivity Loss on VPS2 (Mullvad)

    WireGuard
    5 Posts 2 Posters 93 Views
    spanishswimmer

      Hello everyone,

      I'm encountering a persistent issue with my WireGuard multi-hop setup and would greatly appreciate any insights or assistance. My desired configuration is as follows:

      Laptop (Client) -> VPS1 -> VPS2 -> Mullvad VPN Server

      The Problem

      While all peers seem to be able to communicate with each other initially, I face a critical problem when I start wg2 on VPS2 (the connection to Mullvad). Every time wg2 is brought up on VPS2, I immediately lose my SSH connection to VPS2 and am unable to re-establish it. Furthermore, if this wg2 connection is active, the WireGuard connection between VPS1 and VPS2 also fails.

      This suggests a routing or firewall issue on VPS2 when the Mullvad connection is initiated, but I'm struggling to pinpoint the exact cause.

      Configuration Details

      To help diagnose the issue, I'm providing the relevant WireGuard configurations. Please note that all private keys and public keys have been redacted for security purposes.

      WireGuard Config: VPS1 (wg1 - connection between VPS1 and VPS2)

      [Interface]
      PrivateKey = [REDACTED]
      Address = 10.67.0.1/24
      ListenPort = 51821
      FwMark = 51821
      Table = 123
      PostUp = iptables -A FORWARD -i wg2 -o wg1 -j ACCEPT; iptables -A FORWARD -i wg1 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE; ip rule add from 10.66.0.0/24 lookup 123; ip rule add iif wg2 table 123 priority 456; ip route add 10.66.0.0/24 dev wg2 table 123 || true; ip route add 10.67.0.0/24 dev wg1 table 123 || true; ip route add default via 10.67.0.2 dev wg1 table 123 || true
      PostDown = iptables -D FORWARD -i wg2 -o wg1 -j ACCEPT; iptables -D FORWARD -i wg1 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg1 -j MASQUERADE; ip rule del from 10.66.0.0/24 lookup 123; ip rule del iif wg2 table 123 priority 456; ip route del 10.66.0.0/24 dev wg2 table 123 || true; ip route del 10.67.0.0/24 dev wg1 table 123 || true; ip route del default via 10.67.0.2 dev wg1 table 123 || true
      
      [Peer]
      PublicKey = [REDACTED]
      AllowedIPs = 0.0.0.0/0
      Endpoint = 101.99.75.179:51821
      PersistentKeepalive = 25
      

      WireGuard Config: VPS1 (wg2 - connection Laptop to VPS1)

      [Interface]
      PrivateKey = [REDACTED]
      ListenPort = 51820
      Address = 10.66.0.1/24
      PostUp = iptables -A FORWARD -i wg2 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      PostDown = iptables -D FORWARD -i wg2 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERAD
      
      [Peer]
      PublicKey = [REDACTED]
      AllowedIPs = 10.66.0.2/32
      Endpoint = 89.247.173.162:51820
      PersistentKeepalive = 25
      

      WireGuard Config: VPS2 (wg1 - connection between VPS2 and VPS1)

      [Interface]
      PrivateKey = [REDACTED]
      Address = 10.67.0.2/24
      ListenPort = 51821
      Table = 51821
      PostUp = iptables -A INPUT -s 101.99.75.173 -p tcp --dport 2023 -j ACCEPT; iptables -A OUTPUT -d 101.99.75.173 -p tcp --sport 2023 -j ACCEPT; iptables -A FORWARD -i wg1 -j ACCEPT; ip rule add from 10.66.0.0/24 lookup 51821; ip route add default via 10.67.0.2 dev wg1 table 51821
      PostDown = iptables -D INPUT -s 101.99.75.173 -p tcp --dport 2023 -j ACCEPT; iptables -D OUTPUT -d 101.99.75.173 -p tcp --sport 2023 -j ACCEPT; iptables -D FORWARD -i wg1 -j ACCEPT; ip rule del from 10.66.0.0/24 table 51821; ip route del default via 10.67.0.2 dev wg1 table 51821
      
      [Peer]
      PublicKey = [REDACTED]
      AllowedIPs = 10.67.0.1/24
      Endpoint = 101.99.75.173:51821
      PersistentKeepalive = 25
      

      WireGuard Config: VPS2 (wg2 - connection to Mullvad VPN server)

      [Interface]
      # Device: Calm Cicada
      PrivateKey = hidden
      Address = 10.64.143.164/32
      DNS = 100.64.0.1
      PostUp = ip route add 101.99.75.173/32 dev eth0; iptables -A INPUT -s 101.99.75.173 -p tcp --dport 2023 -j ACCEPT; iptables -A OUTPUT -d 101.99.75.173 -p tcp --sport 2023 -j ACCEPT; iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -A FORWARD -i wg2 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      PreDown = ip route del 101.99.75.173/32 dev eth0; iptables -D INPUT -s 101.99.75.173 -p tcp --dport 2023 -j ACCEPT; iptables -D OUTPUT -d 101.99.75.173 -p tcp --sport 2023 -j ACCEPT; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D FORWARD -i wg2 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
      
      [Peer]
      PublicKey = hidden
      AllowedIPs = 0.0.0.0/0
      Endpoint = 193.32.127.66:5182
      

      Any help or suggestions on how to troubleshoot this further would be greatly appreciated!

      Thank you.

      spanishswimmer @spanishswimmer

        Please note that I'm new to this and mostly used AI to generate these iptables rules.

        spanishswimmer @spanishswimmer

          Grok suggested this config for wg2 on VPS2 to fix it:

          [Interface]
          PrivateKey = [REDACTED]
          Address = 10.64.143.164/32
          DNS = 100.64.0.1
          Table = 123  # Custom table for VPN routes
          
          PostUp = ip rule add iif wg1 lookup 123 prio 32765  # Or 'from 10.67.0.0/24' if subnet
          PostUp = iptables -A FORWARD -i wg1 -o %i -j ACCEPT
          PostUp = iptables -A FORWARD -i %i -o wg1 -j ACCEPT
          PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
          PostUp = sysctl -w net.ipv4.ip_forward=1  # Enable forwarding if needed
          
          PreDown = ip rule del iif wg1 lookup 123 prio 32765
          PreDown = iptables -D FORWARD -i wg1 -o %i -j ACCEPT
          PreDown = iptables -D FORWARD -i %i -o wg1 -j ACCEPT
          PreDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
          
          [Peer]
          PublicKey = [REDACTED]
          AllowedIPs = 0.0.0.0/0, ::/0
          Endpoint = [MULLVAD_ENDPOINT_IP]:[PORT]
          PersistentKeepalive = 25
          

          What do you think, guys?

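The two configurations above (the first post's wg2 with AllowedIPs = 0.0.0.0/0 and no Table=, and the Grok-suggested wg2 with Table = 123 plus an iif wg1 rule) differ only in the policy-routing state they leave on VPS2, and that state decides whether an sshd reply packet leaves on eth0 or gets swallowed by the Mullvad tunnel. The following is an added example, not code from the thread, from Grok or from the WireGuard project: a small simulator that replays the kernel's routing-policy lookup over constructed `ip rule show` / `ip route show table` text. Everything in it is assumed: the addresses are RFC 5737 documentation ranges standing in for the real hosts, 0xca6c/51820 is the fwmark and table wg-quick picks when table 51820 is free, and priorities 32764/32765 are what two bare `ip rule add` calls get on a host that starts with only the three stock rules. Netfilter is not modelled; only the route decision is.

```python
"""Linux policy-routing (RPDB) lookup simulator for WireGuard debugging.
Added example, not code from the forum thread: parses constructed `ip rule show`
and `ip route show table <t>` text and replays the kernel's decision order (rules by
priority; a leading `not` inverts the whole rule; longest-prefix match in the table;
`suppress_prefixlength` hands the lookup on). Addresses are RFC 5737 ranges, not real hosts.
"""
from __future__ import annotations
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    prio: int
    table: str = ""
    invert: bool = False                          # leading "not"
    src: Optional[ipaddress.IPv4Network] = None   # "from X"; None means "from all"
    iif: Optional[str] = None                     # never matches packets the host itself generates
    fwmark: Optional[int] = None
    suppress_prefixlength: Optional[int] = None

Route = namedtuple("Route", "prefix dev via")

def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        prio, rest = line.split(":", 1)
        t, r = rest.split(), Rule(int(prio))
        if t[0] == "not":                         # inverts the whole selector, like FIB_RULE_INVERT
            r.invert, t = True, t[1:]
        for k, v in zip(t[::2], t[1::2]):         # every remaining keyword takes one argument
            if k == "from" and v != "all":
                r.src = ipaddress.ip_network(v, strict=False)
            elif k == "iif":
                r.iif = v
            elif k == "fwmark":
                r.fwmark = int(v.split("/")[0], 0)
            elif k in ("lookup", "table"):
                r.table = v
            elif k == "suppress_prefixlength":
                r.suppress_prefixlength = int(v)
        rules.append(r)
    return sorted(rules, key=lambda r: r.prio)

def parse_routes(text: str) -> list[Route]:
    routes = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] in ("local", "broadcast"):        # route-type prefix seen in `table local`
            t = t[1:]
        prefix = ipaddress.ip_network("0.0.0.0/0" if t[0] == "default" else t[0], strict=False)
        routes.append(Route(prefix, t[t.index("dev") + 1], t[t.index("via") + 1] if "via" in t else None))
    return routes

def lookup(rules_text, tables, dst, src=None, iif=None, fwmark=0):
    """(rule priority, table, Route) the kernel would pick for this packet, or None."""
    d, s = ipaddress.ip_address(dst), (ipaddress.ip_address(src) if src else None)
    for r in parse_rules(rules_text):
        matched = ((r.src is None or (s is not None and s in r.src))
                   and (r.iif is None or r.iif == iif)
                   and (r.fwmark is None or r.fwmark == fwmark))
        if matched == r.invert:                   # a plain rule needs True, a "not" rule needs False
            continue
        hits = [rt for rt in parse_routes(tables.get(r.table, "")) if d in rt.prefix]
        if not hits:
            continue                              # nothing in this table: next rule
        best = max(hits, key=lambda rt: rt.prefix.prefixlen)
        if r.suppress_prefixlength is not None and best.prefix.prefixlen <= r.suppress_prefixlength:
            continue                              # main's default route is ignored under suppress_prefixlength 0
        return r.prio, r.table, best
    return None

def egress(rules_text, tables, dst, src=None, iif=None, fwmark=0):
    hit = lookup(rules_text, tables, dst, src, iif, fwmark)
    return None if hit is None else (hit[1], hit[2].dev)

# Constructed VPS2 state: 203.0.113.10 uplink address, 198.51.100.7 the admin's SSH client,
# 192.0.2.66 the Mullvad endpoint, 198.51.100.200 an internet host reached through the chain.
VPS2, ADMIN, MULLVAD, NET = "203.0.113.10", "198.51.100.7", "192.0.2.66", "198.51.100.200"
MAIN = "default via 203.0.113.1 dev eth0\n203.0.113.0/24 dev eth0 scope link\n10.67.0.0/24 dev wg1 scope link"
LOCAL = f"local {VPS2} dev eth0"
# A: wg2 with AllowedIPs = 0.0.0.0/0 and no Table= (first post): wg-quick adds the fwmark and suppress rules.
TABLES_A = {"local": LOCAL, "main": MAIN, "51820": "default dev wg2 scope link"}
RULES_A = """0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default"""
# A+fix: same, plus `ip rule add from 203.0.113.10 lookup main priority 100`, so packets VPS2
# itself sends (sshd replies) stay on the uplink while forwarded traffic still enters wg2.
RULES_A_FIX = f"100: from {VPS2} lookup main\n" + RULES_A
# B: wg2 with Table = 123 plus `ip rule add iif wg1 lookup 123 prio 32765` (the Grok config):
# wg-quick then installs only the default route in table 123 and no fwmark rules.
TABLES_B = {"local": LOCAL, "main": MAIN, "123": "default dev wg2 scope link"}
RULES_B = "0: from all lookup local\n32765: iif wg1 lookup 123\n32766: from all lookup main"

if __name__ == "__main__":
    print("A     sshd reply      ", egress(RULES_A, TABLES_A, ADMIN, src=VPS2))                      # ('51820', 'wg2'): SSH dies
    print("A+fix sshd reply      ", egress(RULES_A_FIX, TABLES_A, ADMIN, src=VPS2))                  # ('main', 'eth0')
    print("A     wg2 UDP, fwmark ", egress(RULES_A, TABLES_A, MULLVAD, src=VPS2, fwmark=0xCA6C))     # ('main', 'eth0')
    print("A+fix via wg1         ", egress(RULES_A_FIX, TABLES_A, NET, src="10.66.0.2", iif="wg1"))  # ('51820', 'wg2')
    print("B     sshd reply      ", egress(RULES_B, TABLES_B, ADMIN, src=VPS2))                      # ('main', 'eth0')
    print("B     via wg1         ", egress(RULES_B, TABLES_B, NET, src="10.66.0.2", iif="wg1"))      # ('123', 'wg2')
```

Reading the cases: in state A the sshd reply has no fwmark, the main table's default route is suppressed, so the `not fwmark` rule sends it into wg2 and the session breaks; only wg2's own encapsulated UDP (carrying the mark) reaches eth0. Scoping the fix to `from <uplink address>` rather than `from all` keeps forwarded client traffic inside the tunnel, but it also takes every other locally originated connection of the VPS off Mullvad; add `to <admin address>/32` to that rule if the box itself must not leak. State B keeps SSH up for the same reason (nothing sends locally generated packets to table 123). Neither model covers netfilter: a rule inserted with `-I OUTPUT ... -j REJECT`, as in the first post's wg2 PostUp, sits ahead of any `-A OUTPUT ... -j ACCEPT` added in the same hook and would still drop the reply after routing picks eth0.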
            Bob.Dig @spanishswimmer

            @spanishswimmer said in WireGuard Multi-Hop: SSH Drops & Inter-VPS Connectivity Loss on VPS2 (Mullvad):

            What do you think guys?

            Ask in the right place which is not this forum... thank you.

              spanishswimmer @Bob.Dig

              @Bob.Dig what's the right place?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.