Wireguard Connection Dies on Ubuntu Peer

I live in a building where the network is behind a NAT. I have a Linux desktop PC and a laptop. In order to access my desktop via ssh, I have a Wireguard VPN running on my desktop, laptop and a VPS. The issue is that connection between my desktop and the VPS dies.

Here is the VPS config:

[Interface]
Address = 10.9.0.1/24
SaveConfig = false
#PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -$
#PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING$
ListenPort = 51820
PrivateKey = **SERVER PRIVATE KEY**

[Peer]
PublicKey = **LINUX DESKTOP PUBLIC KEY**
AllowedIPs = 10.9.0.2/32
PersistentKeepalive = 5

[Peer]
PublicKey = **LAPTOP PUBLIC KEY**
AllowedIPs = 10.9.0.3/32
PersistentKeepalive = 20

Here is the Linux desktop's config:

[Interface]
PrivateKey = **LINUX DESKTOP PRIVATE KEY**
Address = 10.9.0.2/24

[Peer]
PublicKey = **SERVER PUBLIC KEY**
Endpoint = *MY ENDPOINT IP*
AllowedIPs = 10.9.0.1/32, 10.9.0.3/32

From the above config, you can see that I don't allow 0.0.0.0/0 from any client. I only want to tunnel SSH traffic through the VPS. If I only allow traffic from SSH, the connection between my laptop and Linux desktop dies in a minute or two. To revive the connection, I have to ping the VPS from the desktop.

This problem does not happen if I route all traffic through the VPS. However, I don't want to do that (Google Captcha is annoying and also I don't have the bandwidth on the VPS).

Any thoughts on how to debug this issue?


Solution 1:

Try moving the PersistentKeepalive settings from your VPS WireGuard config to your Desktop and Laptop WireGuard configs. Usually you want PersistentKeepalive on the side of the connection that's behind NAT, as it will automatically send keepalive packets to "open a hole" in the NAT, allowing the non-NAT side to initiate new connections (or re-establish lapsed connections) through the WireGuard tunnel. When you ping the VPS from your Desktop, you're doing the same thing, manually.
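The configs below show the change this answer describes, as an added example rather than the asker's own files: PersistentKeepalive moves off the VPS and onto the NATed peers, everything else stays as posted. The 25-second interval is an assumed value, not one from the question.

```ini
# ---- VPS (public side): no PersistentKeepalive on any peer ----
# A keepalive sent from here is dropped once the NAT mapping for the
# desktop has expired, so it cannot "open the hole" on its own.
[Interface]
Address = 10.9.0.1/24
SaveConfig = false
ListenPort = 51820
PrivateKey = **SERVER PRIVATE KEY**

[Peer]
PublicKey = **LINUX DESKTOP PUBLIC KEY**
AllowedIPs = 10.9.0.2/32

[Peer]
PublicKey = **LAPTOP PUBLIC KEY**
AllowedIPs = 10.9.0.3/32

# ---- Linux desktop (behind NAT): keepalive on the peer that is the VPS ----
# Each keepalive is an outbound UDP packet from the desktop, so the NAT
# refreshes its mapping and the VPS can keep reaching 10.9.0.2.
[Interface]
PrivateKey = **LINUX DESKTOP PRIVATE KEY**
Address = 10.9.0.2/24

[Peer]
PublicKey = **SERVER PUBLIC KEY**
Endpoint = *MY ENDPOINT IP*:51820
AllowedIPs = 10.9.0.1/32, 10.9.0.3/32
PersistentKeepalive = 25   # assumed interval; must be shorter than the NAT's UDP timeout

# ---- Laptop (also behind NAT): same pattern, its own address ----
[Interface]
PrivateKey = **LAPTOP PRIVATE KEY**
Address = 10.9.0.3/24

[Peer]
PublicKey = **SERVER PUBLIC KEY**
Endpoint = *MY ENDPOINT IP*:51820
AllowedIPs = 10.9.0.1/32, 10.9.0.2/32
PersistentKeepalive = 25
```

After reloading, `wg show wg0 latest-handshakes` on the VPS should keep showing a recent handshake for the desktop even with no SSH traffic; if the age keeps growing past a few minutes, the NAT's UDP timeout is shorter than the interval chosen.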