[General Issue]: backup imported successfully, but no connection possible (0 byte received) #1763

Closed
6 tasks done
ErikSlevin opened this issue Aug 27, 2023 · 4 comments

Comments

@ErikSlevin

ErikSlevin commented Aug 27, 2023

In raising this issue I confirm that

Describe the issue

After a pivpn backup on server 1 and a successful migration to server 2, no VPN connection can be established via Wireguard. The connection is established with the client, but no data is received (data is only sent).

The fact that a connection was established can also be traced under pivpn -c.

So all migrated profiles cannot establish a connection. However, if I create a new profile, then the VPN connection works. So the error must be in the migration/backup process.

Expected behavior

  1. backup of the old configuration
  2. migration of the configuration
  3. successful establishment of a VPN connection with a migrated profile

Please describe the steps to replicate the issue

  1. pivpn backup
  2. Move Backup to new Server
  3. Install pivpn
  4. Extract the backup archive: tar xzpfv
  5. Copy the extracted content: sudo cp -r etc/wireguard /etc
  6. Restart the wireguard service: sudo systemctl restart wg-quick@wg0
  7. pivpn -c Connected Clients List shows me all old clients, so first a partial success
  8. However, connecting to an existing client profile is not successful. Connection is established, data is sent, but none is received

Have you taken any steps towards solving your issue?

  1. PiVPN installation again
  2. check the configuration
  3. reboot several times
  4. read documentation

Screenshots

No response

Where did you run pivpn?

Raspberry Pi 3

Please provide your output from uname -a

Linux docker-pi-2 6.1.21-v7+ #1642 SMP Mon Apr 3 17:20:52 BST 2023 armv7l GNU/Linux

Details about Operative System

Linux docker-pi-2 6.1.21-v7+ #1642 SMP Mon Apr  3 17:20:52 BST 2023 armv7l GNU/Linux
root@docker-pi-2:/home/erik/backup_wireguard# cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

Installation

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   162  100   162    0     0    574      0 --:--:-- --:--:-- --:--:--   576
100  111k  100  111k    0     0   175k      0 --:--:-- --:--:-- --:--:--  633k
:::
::: You are root.
::: Hostname length OK
::: Verifying free disk space...
:::
::: Package Cache update is needed, running apt-get update -y ...
 done!
:::
::: Checking apt-get for upgraded packages.... done!
:::
::: There are 7 updates available for your system!
::: We recommend you update your OS after installing PiVPN!
:::
:::    Checking for git... already installed!
:::    Checking for tar... already installed!
:::    Checking for curl... already installed!
:::    Checking for grep... already installed!
:::    Checking for dnsutils... not installed!
:::    Checking for grepcidr... not installed!
:::    Checking for whiptail... already installed!
:::    Checking for net-tools... already installed!
:::    Checking for bsdmainutils... not installed!
:::    Checking for bash-completion... already installed!
:::    Checking for dhcpcd5... already installed!
:::    Checking for iptables-persistent... not installed!
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  bind9-dnsutils ncal netfilter-persistent
Suggested packages:
  calendar vacation mailutils
The following NEW packages will be installed:
  bind9-dnsutils bsdmainutils dnsutils grepcidr iptables-persistent ncal netfilter-persistent
0 upgraded, 7 newly installed, 0 to remove and 7 not upgraded.
Need to get 0 B/753 kB of archives.
After this operation, 1184 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously unselected package netfilter-persistent.
(Reading database ... 47167 files and directories currently installed.)
Preparing to unpack .../0-netfilter-persistent_1.0.15_all.deb ...
Unpacking netfilter-persistent (1.0.15) ...
Selecting previously unselected package iptables-persistent.
Preparing to unpack .../1-iptables-persistent_1.0.15_all.deb ...
Unpacking iptables-persistent (1.0.15) ...
Selecting previously unselected package bind9-dnsutils.
Preparing to unpack .../2-bind9-dnsutils_1%3a9.16.42-1~deb11u1_armhf.deb ...
Unpacking bind9-dnsutils (1:9.16.42-1~deb11u1) ...
Selecting previously unselected package ncal.
Preparing to unpack .../3-ncal_12.1.7+nmu3_armhf.deb ...
Unpacking ncal (12.1.7+nmu3) ...
Selecting previously unselected package bsdmainutils.
Preparing to unpack .../4-bsdmainutils_12.1.7+nmu3_all.deb ...
Unpacking bsdmainutils (12.1.7+nmu3) ...
Selecting previously unselected package dnsutils.
Preparing to unpack .../5-dnsutils_1%3a9.16.42-1~deb11u1_all.deb ...
Unpacking dnsutils (1:9.16.42-1~deb11u1) ...
Selecting previously unselected package grepcidr.
Preparing to unpack .../6-grepcidr_2.0-2_armhf.deb ...
Unpacking grepcidr (2.0-2) ...
Setting up ncal (12.1.7+nmu3) ...
Setting up bsdmainutils (12.1.7+nmu3) ...
Setting up grepcidr (2.0-2) ...
Setting up netfilter-persistent (1.0.15) ...
Setting up bind9-dnsutils (1:9.16.42-1~deb11u1) ...
Setting up dnsutils (1:9.16.42-1~deb11u1) ...
Setting up iptables-persistent (1.0.15) ...
update-alternatives: using /lib/systemd/system/netfilter-persistent.service to provide /lib/systemd/system/iptables.service (iptables.service) in auto mode
Processing triggers for man-db (2.9.4-2) ...
:::    Package dnsutils successfully installed!
:::    Package grepcidr successfully installed!
:::    Package bsdmainutils successfully installed!
:::    Package iptables-persistent successfully installed!
::: IPv6 test connections to google.com have failed. Disabling IPv6 support. (The curl test failed with code: 7)
::: Using interface: eth0
::: Static IP already configured.
::: Using User: erik
:::
::: Checking for existing base files...
:::    Checking /usr/local/src/pivpn is a repo... not found!
:::    Cloning https://github.com/pivpn/pivpn.git into /usr/local/src/pivpn ... done!
::: Using VPN: WireGuard
::: Installing WireGuard from Raspbian package...
:::    Checking for wireguard-tools... not installed!
:::    Checking for qrencode... not installed!
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  qrencode wireguard-tools
0 upgraded, 2 newly installed, 0 to remove and 7 not upgraded.
Need to get 0 B/117 kB of archives.
After this operation, 356 kB of additional disk space will be used.
Selecting previously unselected package qrencode.
(Reading database ... 47224 files and directories currently installed.)
Preparing to unpack .../qrencode_4.1.1-1_armhf.deb ...
Unpacking qrencode (4.1.1-1) ...
Selecting previously unselected package wireguard-tools.
Preparing to unpack .../wireguard-tools_1.0.20210223-1_armhf.deb ...
Unpacking wireguard-tools (1.0.20210223-1) ...
Setting up qrencode (4.1.1-1) ...
Setting up wireguard-tools (1.0.20210223-1) ...
wg-quick.target is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.9.4-2) ...
:::    Package wireguard-tools successfully installed!
:::    Package qrencode successfully installed!
::: Using OpenDNS servers.
::: Backing up the wireguard folder to /etc/wireguard_2023-08-28-010530.tar.gz
::: Server Keys have been generated.
::: Server config generated.
::: Install Complete...
::: Restarting services...
:::    Checking for unattended-upgrades... already installed!
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
::: Setupfiles copied to /etc/pivpn/wireguard/setupVars.conf
::: Installing scripts to /opt/pivpn...
 done.
::: Flushing writes to disk...
::: done.
:::

Profile / Client creation

Enter a Name for the Client: TestUser
::: Client Keys generated
::: Client config generated
::: Updated server config
::: WireGuard reloaded
======================================================================
::: Done! TestUser.conf successfully created!
::: TestUser.conf was copied to /home/erik/configs for easytransfer.
::: Please use this profile only on one device and create additional
::: profiles for other devices. You can also use pivpn -qr
::: to generate a QR Code you can scan with the mobile app.
======================================================================

Debug output

::: Generating Debug Output
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
Branch: master
Commit: 16189edc7b03d3ed930dbb3cc908d8e2275a7563
Author: 4s3ti
Date: Thu Aug 3 23:33:23 2023 +0200
Summary: fix(core): typo on distroCheck
=============================================
::::        Installation settings        ::::
PLAT=Raspbian
OSCN=bullseye
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=10.0.0.21/24
IPv4gw=10.0.0.1
install_user=erik
install_home=/home/erik
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=208.67.222.222
pivpnDNS2=208.67.220.220
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=1
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.3.232.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=1
INSTALLED_PACKAGES=(dnsutils grepcidr bsdmainutils iptables-persistent wireguard-tools qrencode)
=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.144.242.1/24
MTU = 1420
ListenPort = 51820
### begin Erik ###
[Peer]
PublicKey = Erik_pub
PresharedKey = Erik_psk
AllowedIPs = 10.144.242.2/32
### end Erik ###
### begin Kiro ###
[Peer]
PublicKey = Kiro_pub
PresharedKey = Kiro_psk
AllowedIPs = 10.144.242.3/32
### end Kiro ###
### begin Bjoern ###
[Peer]
PublicKey = Bjoern_pub
PresharedKey = Bjoern_psk
AllowedIPs = 10.144.242.4/32
### end Bjoern ###
### begin Markus_neu ###
[Peer]
PublicKey = Markus_neu_pub
PresharedKey = Markus_neu_psk
AllowedIPs = 10.144.242.5/32
### end Markus_neu ###
### begin Bonky ###
[Peer]
PublicKey = Bonky_pub
PresharedKey = Bonky_psk
AllowedIPs = 10.144.242.7/32
### end Bonky ###
#[disabled] ### begin Test ###
#[disabled] [Peer]
#[disabled] PublicKey = Test_pub
#[disabled] PresharedKey = Test_psk
#[disabled] AllowedIPs = 10.144.242.6/32
#[disabled] ### end Test ###
### begin TestUser ###
[Peer]
PublicKey = TestUser_pub
PresharedKey = TestUser_psk
AllowedIPs = 10.3.232.8/32
### end TestUser ###
=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = Erik_priv
Address = 10.144.242.2/24
DNS = 10.0.0.20

[Peer]
PublicKey = server_pub
PresharedKey = Erik_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
::::    Recursive list of files in       ::::
::::    /etc/wireguard shown below       ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
Bjoern.conf
Bonky.conf
clients.txt
Erik.conf
Kiro.conf
Markus_neu.conf
Test.conf
TestUser.conf

/etc/wireguard/keys:
Bjoern_priv
Bjoern_psk
Bjoern_pub
Bonky_priv
Bonky_psk
Bonky_pub
Erik_priv
Erik_psk
Erik_pub
Kiro_priv
Kiro_psk
Kiro_pub
Markus_neu_priv
Markus_neu_psk
Markus_neu_pub
server_priv
server_pub
Test_priv
Test_psk
Test_pub
TestUser_priv
TestUser_psk
TestUser_pub
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Iptables FORWARD rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled
(it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
:::: WARNING: This script should have automatically masked sensitive       ::::
:::: information, however, still make sure that PrivateKey, PublicKey      ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this:                  ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe                          ::::
=============================================
::::            Debug complete           ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::
@orazioedoardo
Member

Please run troubleshooting steps: https://docs.pivpn.io/faq/#how-do-i-troubleshoot-connection-issues

Is the public IP of the server up to date?

@David-Antunes

David-Antunes commented Sep 15, 2023

Hello,

I have encountered the same issue you have described here.

As you can see in the debug log, pivpnNET is configured with the following value:

pivpnNET=10.3.232.0

While your clients' addresses are 10.144.242.x.

If you check closely, the new client you created contains:

PublicKey = TestUser_pub
PresharedKey = TestUser_psk
AllowedIPs = 10.3.232.8/32

Which corresponds to the network defined in the pivpnNET variable, meaning that the network rules are installed for the new client and not the old clients.

To fix this issue, you can go to /etc/pivpn/wireguard/setupVars.conf and change pivpnNET to pivpnNET=10.144.242.0.

Next, go to /etc/iptables/rules.v4 and remove the rules regarding wireguard (the rules contain --comment wireguard-forward-rule or --comment wireguard-nat-rule).

Now, if you run the debug command again, it will prompt you if you want to fix iptables masquerade/forward rule.

After that you can just reboot, and the new rules should be applied, making the old clients work again.
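
The subnet mismatch diagnosed in the comment above can be checked mechanically before touching any files. This Python sketch is an added example, not part of the original thread or of PiVPN's code; the function names `audit` and `v4_nets` are hypothetical, the sample inputs are constructed from the debug output in this issue, and the layout of the rules.v4 lines is an assumption (only the `--comment` tags come from the thread).

```python
import ipaddress
import re

# Constructed samples modelled on the debug output quoted in this issue.
SETUP_VARS = "pivpnNET=10.3.232.0\nsubnetClass=24\n"
WG0_CONF = """\
[Interface]
Address = 10.144.242.1/24
### begin Erik ###
[Peer]
AllowedIPs = 10.144.242.2/32
### end Erik ###
#[disabled] AllowedIPs = 10.144.242.6/32
### begin TestUser ###
[Peer]
AllowedIPs = 10.3.232.8/32
### end TestUser ###
"""
# Rule layout is an assumption; only the --comment tags come from the thread.
RULES_V4 = """\
-A FORWARD -s 10.3.232.0/24 -i wg0 -o eth0 -m comment --comment wireguard-forward-rule -j ACCEPT
-A POSTROUTING -s 10.3.232.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
"""

def v4_nets(value):
    """Parse a comma-separated CIDR list, keeping IPv4 entries only."""
    nets = (ipaddress.ip_network(c.strip(), strict=False) for c in value.split(","))
    return [n for n in nets if n.version == 4]

def audit(setup_vars, wg_conf, rules):
    """Return findings where setupVars, peers or rules disagree with wg0's subnet."""
    kv = dict(l.split("=", 1) for l in setup_vars.splitlines() if "=" in l)
    wg_net = v4_nets(re.search(r"^Address\s*=\s*(.+)$", wg_conf, re.M).group(1))[0]
    findings, peer = [], None
    if v4_nets(f"{kv['pivpnNET']}/{kv['subnetClass']}")[0] != wg_net:
        findings.append(f"setupVars pivpnNET={kv['pivpnNET']} but wg0 uses {wg_net}")
    for line in wg_conf.splitlines():  # '#[disabled]' lines never match
        if m := re.match(r"### begin (\S+) ###", line):
            peer = m.group(1)
        elif m := re.match(r"AllowedIPs\s*=\s*(.+)$", line):
            if any(not n.subnet_of(wg_net) for n in v4_nets(m.group(1))):
                findings.append(f"peer {peer} ({m.group(1)}) is outside {wg_net}")
    for line in rules.splitlines():
        tag = re.search(r"--comment \"?(wireguard-(?:forward|nat)-rule)", line)
        for cidr in re.findall(r"(?<!\S)-[sd] (\S+)", line) if tag else []:
            if v4_nets(cidr)[0] != wg_net:
                findings.append(f"{tag.group(1)} covers {cidr}, not {wg_net}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SETUP_VARS, WG0_CONF, RULES_V4)))
```

On a live system, pass in the contents of /etc/pivpn/wireguard/setupVars.conf, /etc/wireguard/wg0.conf and /etc/iptables/rules.v4 instead of the samples. A peer reported as outside the subnet is one created after the reinstall, such as TestUser here.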

@TechWilk

I've also just run into this when re-configuring PiVPN. @David-Antunes's steps are what I needed, but it took me a while to figure it out myself before I found them here.

Having skimmed through the documentation site, I found the troubleshooting steps rather hidden. I didn't spot the debug script (pivpn -d) mentioned in the FAQ until after I read through pages of code and went through everything manually. The "preliminary steps" are a little hidden halfway down the page.

I've proposed a few minor alterations to the page which would have helped me skim through and find the command, but ultimately I would consider splitting the FAQ into two pages - one with questions and answers, the second with the more detailed troubleshooting info. I'll propose that in a second PR.

@coolapso
Member

coolapso commented Apr 6, 2024

Pre-archive closing, more information here

@coolapso coolapso closed this as completed Apr 6, 2024