u/Ambitious_Group_593

WireGuard peer sends packets but transfer received stays at 0 B

Hey everyone,

Quick update after another full day debugging this WireGuard/VPS relay setup.

Current topology:

Kali VM
|
WireGuard
|
Ubuntu VPS relay (public IP hidden)
|
Remote UniFi LAN (10.x.x.x/24)

What works now:
- wg0 comes UP correctly on both Kali and VPS
- VPS ↔ UniFi peer has stable handshakes
- Rebuilt all WireGuard private/public keys + PSKs from scratch
- Fixed several mismatched peer configs
- Corrected AllowedIPs and routes
- Enabled IPv4 forwarding
- Added NAT + FORWARD iptables rules
- tcpdump confirms UDP packets from Kali ARE reaching the VPS on port 51820

Relevant commands already tested:

sudo iptables -t nat -A POSTROUTING -s 10.x.x.x/24 -o eth0 -j MASQUERADE

sudo iptables -A FORWARD -i wg0 -j ACCEPT

sudo iptables -A FORWARD -o wg0 -j ACCEPT

sudo systemctl restart wg-quick@wg0

Current issue:
Kali still shows:

transfer: 0 B received

And on the VPS:
- the Kali peer NEVER establishes a handshake
- only the UniFi peer handshakes correctly

Important detail:
tcpdump on the VPS clearly shows UDP packets arriving from the Kali side, so packets ARE reaching the server physically.

At this point I feel like I’m missing something fundamental in the WireGuard handshake/routing flow itself.

What would you inspect next?
Could this still be:
- routing?
- conntrack/NAT?
- VMware networking weirdness?
- MTU?
- asymmetric return path?
- wrong peer matching on the VPS?

Would really appreciate ideas from people who debugged similar one-way WireGuard behavior.

Thanks!

reddit.com
u/Ambitious_Group_593 — 2 days ago
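The silent symptom in this post (handshake initiations reach the VPS, but the VPS never records a handshake for that peer) is what WireGuard produces when it cannot match an initiation to a configured peer: the packet is dropped without any reply. The script below is an added example, not the poster's configuration and not a tool from the WireGuard project. It parses constructed wg-quick files for the two ends of one tunnel and cross-checks them for the mismatches that give exactly that symptom: a public key that is absent on the other side, a PresharedKey that differs between the two ends, an Endpoint port that does not equal the listener's ListenPort, AllowedIPs that do not cover the other end's tunnel address, and the same AllowedIPs prefix claimed by two peers. All keys are labelled placeholders, and the addresses (10.200.0.0/24, 10.77.0.0/24, 203.0.113.10) are assumptions rather than the poster's.

```python
import ipaddress

# Constructed sample configs in wg-quick syntax. Keys are labelled placeholders,
# not real keys; addresses are assumed ranges, not the poster's.
PUBKEYS = {"kali": "KALI_PUBKEY_PLACEHOLDER=", "vps": "VPS_PUBKEY_PLACEHOLDER="}

KALI_CONF = """
[Interface]
Address = 10.200.0.2/24
PrivateKey = KALI_PRIVKEY_PLACEHOLDER=

[Peer]  # VPS relay
PublicKey = VPS_PUBKEY_PLACEHOLDER=
PresharedKey = PSK_KALI_VPS_PLACEHOLDER=
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.200.0.0/24, 10.77.0.0/24
PersistentKeepalive = 25
"""

VPS_CONF = """
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = VPS_PRIVKEY_PLACEHOLDER=

[Peer]  # UniFi gateway
PublicKey = UNIFI_PUBKEY_PLACEHOLDER=
PresharedKey = PSK_UNIFI_VPS_PLACEHOLDER=
AllowedIPs = 10.200.0.3/32, 10.77.0.0/24

[Peer]  # Kali, but with a stale key left over from before the key rotation
PublicKey = KALI_OLD_PUBKEY_PLACEHOLDER=
PresharedKey = PSK_KALI_VPS_PLACEHOLDER=
AllowedIPs = 10.200.0.2/32
"""

VPS_CONF_FIXED = VPS_CONF.replace("KALI_OLD_PUBKEY_PLACEHOLDER=", PUBKEYS["kali"])


def parse_wg_conf(text):
    """Parse wg-quick syntax into {'Interface': {...}, 'Peers': [{...}, ...]}.
    configparser is unsuitable because the [Peer] section repeats."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # base64 never contains '#'
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            if section == "interface":
                current = iface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        key, _, value = line.partition("=")      # first '=' only: base64 keys end in '='
        current[key.strip()] = value.strip()
    return {"Interface": iface, "Peers": peers}


def allowed_nets(peer):
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in peer.get("AllowedIPs", "").split(",") if c.strip()]


def check_cryptokey_routing(conf):
    """Cryptokey routing maps each AllowedIPs prefix to exactly one peer; when two
    peers list the same prefix only the later one keeps it, and the other peer's
    decrypted packets are dropped. Returns one message per duplicate prefix."""
    owner, problems = {}, []
    for idx, peer in enumerate(conf["Peers"]):
        for net in allowed_nets(peer):
            if net in owner:
                problems.append(f"{net} listed for peer #{owner[net]} and peer #{idx}; only the last wins")
            owner[net] = idx
    return problems


def check_pair(name_a, conf_a, pub_a, name_b, conf_b, pub_b):
    """Cross-check the two ends of one tunnel: each side carries the other's public
    key, the PSK is identical, the Endpoint port equals the listener's ListenPort,
    and each side's tunnel address is covered by the other side's AllowedIPs for it."""
    problems = []
    peer_ab = next((p for p in conf_a["Peers"] if p.get("PublicKey") == pub_b), None)
    peer_ba = next((p for p in conf_b["Peers"] if p.get("PublicKey") == pub_a), None)
    if peer_ab is None:
        problems.append(f"{name_a}: no [Peer] carries {name_b}'s public key")
    if peer_ba is None:
        problems.append(f"{name_b}: no [Peer] carries {name_a}'s public key")
    if problems:
        return problems      # nothing else can be compared until the keys line up
    if peer_ab.get("PresharedKey") != peer_ba.get("PresharedKey"):
        problems.append(f"{name_a}<->{name_b}: PresharedKey differs between the two ends")
    for src, peer, dst, dst_conf in ((name_a, peer_ab, name_b, conf_b), (name_b, peer_ba, name_a, conf_a)):
        endpoint, listen = peer.get("Endpoint"), dst_conf["Interface"].get("ListenPort")
        if endpoint and listen and endpoint.rsplit(":", 1)[1] != listen:
            problems.append(f"{src}: Endpoint {endpoint} does not match {dst} ListenPort {listen}")
    for src, src_conf, dst, peer in ((name_a, conf_a, name_b, peer_ba), (name_b, conf_b, name_a, peer_ab)):
        first_addr = src_conf["Interface"]["Address"].split(",")[0].strip()   # single-address Interface assumed
        addr = ipaddress.ip_interface(first_addr).ip
        if not any(addr in net for net in allowed_nets(peer)):
            problems.append(f"{dst}: AllowedIPs for {src} do not cover {addr}; its traffic is dropped after decryption")
    return problems


if __name__ == "__main__":
    kali, vps, vps_fixed = parse_wg_conf(KALI_CONF), parse_wg_conf(VPS_CONF), parse_wg_conf(VPS_CONF_FIXED)
    print("as configured:", check_pair("kali", kali, PUBKEYS["kali"], "vps", vps, PUBKEYS["vps"]))
    print("after fixing the key:", check_pair("kali", kali, PUBKEYS["kali"], "vps", vps_fixed, PUBKEYS["vps"]))
    print("vps cryptokey routing:", check_cryptokey_routing(vps_fixed))
```

To run it against real files, feed it each host's current public key as printed by `wg pubkey < privatekey` on that host (the script does not derive keys itself) and compare the result with the peer list `wg show` prints on the far side; a stale key after a rotation, as in the constructed VPS file, reproduces the "packets arrive, no handshake" picture exactly, because the VPS has no peer that can validate the initiation.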

L2 VXLAN over WireGuard tunnel is UP, but zero traffic passing. What am I missing?

**EDIT-POST**

Quick update after a day of debugging my WireGuard relay setup.

Topology:

Kali VM
|
WireGuard
|
VPS relay (x.x.x.x)
|
Remote UniFi LAN (10.x.x.x/24)

Progress since yesterday:
- wg0 now comes UP correctly on both Kali and VPS
- VPS ↔ UniFi tunnel works with active handshakes
- Rebuilt all private/public keys and PSKs from scratch
- Fixed multiple config mismatches
- Added proper AllowedIPs/routes
- Enabled IP forwarding
- tcpdump confirms UDP packets from Kali ARE reaching the VPS on port 51820
- MASQUERADE/FORWARD rules added successfully

Current issue:
Kali still shows:

transfer: 0 B received

and VPS still never shows a handshake specifically for the Kali peer.

The last troubleshooting steps I tried before getting stuck were:

sudo iptables -t nat -A POSTROUTING -s 10.x.x.x/24 -o eth0 -j MASQUERADE

sudo iptables -A FORWARD -i wg0 -j ACCEPT

sudo iptables -A FORWARD -o wg0 -j ACCEPT

sudo systemctl restart wg-quick@wg0

Those commands applied successfully but the issue remains.

At this point I still feel like I’m missing some deeper understanding of the WireGuard handshake/routing flow itself.

Any ideas what I should inspect next?

Thanks!

*old post*
Hey guys,
I’ve been banging my head against the wall for the past few days trying to troubleshoot a Layer 2 VXLAN tunnel, and I'm officially stuck.
The goal is to bridge my home lab with a remote DigitalOcean VPS so end-devices on both sides can talk on the same L2 broadcast domain (10.100.102.x).

The Setup:
• Home Side: Tossed my ISP router into stupid Bridge Mode, letting a UniFi Cloud Gateway Ultra handle the public IP. Behind it, I am running Kali Linux inside VMware Workstation, completely isolated so it only communicates within my specific lab environment.
• Cloud Side: Ubuntu VPS on DigitalOcean.
• The Underlay: Set up a stable WireGuard tunnel between the Kali VM and the DO VPS over UDP port 51820. The VPN itself is rock solid and I can route traffic between the host and VPS perfectly.
• The Overlay: On top of WireGuard, I built a vxlan30 interface (VNI 30, UDP 4789) and enslaved it to a local bridge on both sides. The interface status is officially UP.

The Problem:
Even though the tunnel says it's active, I have zero data plane connectivity:
• The weird part: I can successfully ping the remote WireGuard IP address and the VPS itself from the host. The underlay network is 100% alive.
• However, pings between the actual end-devices (like trying to hit .1 over the VXLAN subnet) completely time out.
• Running arp -a or ip neigh just gives me Incomplete or Failed. It looks like ARP broadcasts are disappearing into the void and not traversing the tunnel.
• The Bridge FDB isn't learning any remote MAC addresses.

reddit.com
u/Ambitious_Group_593 — 3 days ago
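For the overlay problem in the older post (underlay pings work, ARP never crosses the tunnel), what a capture on wg0 should show is VXLAN-encapsulated ARP: a UDP datagram to port 4789 between the two WireGuard addresses whose inner frame is an Ethernet broadcast. The following is an added example, not the poster's setup and not a tool from any project: it builds such a packet from constructed values (VNI 30 and UDP 4789 as in the post; the WireGuard addresses 10.200.0.x and the MAC addresses are assumptions), parses it back the way one would read the capture, and computes the overlay MTU budget, since the 36 bytes of outer IPv4/UDP/VXLAN headers plus the 14-byte inner Ethernet header must fit inside the 1420-byte MTU wg-quick gives wg0 by default.

```python
import struct
import ipaddress

VXLAN_PORT = 4789
ENCAP_OVERHEAD = 20 + 8 + 8        # outer IPv4 + UDP + VXLAN header (RFC 7348)
INNER_ETH_HDR = 14                 # inner Ethernet header; not counted in the vxlan device MTU
BROADCAST_MAC = b"\xff" * 6


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over a 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Inner broadcast Ethernet frame carrying an ARP who-has (RFC 826) for target_ip."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac_bytes(sender_mac), ipaddress.ip_address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.ip_address(target_ip).packed)
    eth = BROADCAST_MAC + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    return eth + arp


def vxlan_encap(frame, vni, outer_src_ip, outer_dst_ip, src_port=49152):
    """Wrap an Ethernet frame in VXLAN/UDP/IPv4. The outer addresses are the WireGuard
    tunnel addresses, so this is what wg0 carries. A zero UDP checksum is valid over IPv4."""
    vxlan = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)   # I flag set; VNI in the top 24 bits
    udp_len = 8 + len(vxlan) + len(frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     ipaddress.ip_address(outer_src_ip).packed, ipaddress.ip_address(outer_dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + frame


def vxlan_decap(packet):
    """Parse an outer IPv4/UDP/VXLAN packet and report the fields worth checking in a
    capture on wg0: outer addresses, destination port, VNI, inner destination MAC."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    flags, _, _, vni_word = struct.unpack("!BBHI", packet[ihl + 8:ihl + 16])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set")
    frame = packet[ihl + 16:]
    dst_mac = frame[:6]
    return {
        "outer_src": str(ipaddress.ip_address(packet[12:16])),
        "outer_dst": str(ipaddress.ip_address(packet[16:20])),
        "dst_port": dport,
        "vni": vni_word >> 8,
        "inner_dst_mac": dst_mac.hex(":"),
        "inner_ethertype": struct.unpack("!H", frame[12:14])[0],
        "is_bum": bool(dst_mac[0] & 1),    # broadcast/multicast: needs a remote or an all-zero FDB entry
        "outer_overhead": len(packet) - len(frame),
    }


def max_overlay_mtu(underlay_mtu):
    """Largest vxlan device MTU whose outer packet still fits the underlay MTU (IPv4 outer)."""
    return underlay_mtu - ENCAP_OVERHEAD - INNER_ETH_HDR


if __name__ == "__main__":
    # Constructed values: 10.100.102.x is the overlay subnet named in the post;
    # 10.200.0.x is an assumed WireGuard subnet and the MAC is made up.
    frame = build_arp_request("02:00:00:00:00:02", "10.100.102.2", "10.100.102.1")
    packet = vxlan_encap(frame, vni=30, outer_src_ip="10.200.0.2", outer_dst_ip="10.200.0.1")
    print(vxlan_decap(packet))
    print("vxlan30 MTU must be at most", max_overlay_mtu(1420), "over a 1420-byte wg0")
```

Two things follow from the parsed fields. The inner frame is broadcast (`is_bum`), and a point-to-point VXLAN only forwards broadcast, unknown-unicast and multicast if the vxlan device has a `remote` or an all-zero-MAC FDB entry pointing at the far WireGuard address; without one the ARP request is never encapsulated, which matches an FDB that learns nothing. The outer source and destination are the WireGuard addresses, so both must fall inside the AllowedIPs of the corresponding WireGuard peer on each side, or cryptokey routing drops the encapsulated ARP with no error visible on the vxlan device. If the vxlan MTU exceeds the budget computed here, the larger frames (not the 42-byte ARP) are the ones that disappear.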
