Developer Debugs 4-Hour WireGuard VPN Failure Traced to GCP NAT and Linux Kernel Settings
A developer set out to build a secure WireGuard VPN linking a mobile phone and laptop through a free-tier Google Cloud Platform VM as a central hub. The first roadblock was using the VM's internal private IP in client configurations, when GCP's 1:1 NAT means only the external public IP is reachable from outside the network. After fixing the IP, packets were successfully reaching the laptop via the VPN tunnel but receiving no replies, with no error messages to indicate why. The culprit was Linux's Reverse Path Filtering, a kernel security feature that silently dropped incoming WireGuard packets because the reply route pointed to a different interface than the one the packets arrived on. Disabling or adjusting rp_filter on the laptop interface resolved the issue and allowed end-to-end communication across the VPN.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in