WgServerforWindows
                        Invalid MAC of handshake, dropping packet from
Steps I did for WireGuard Server For Windows in VPS:

1. Successfully run all requests: https://ibb.co/Fz1vmZf
2. Info: Server Configuration https://ibb.co/bbH36sD, Export Configuration File => vpnFile.conf https://ibb.co/CWZ5bgr
3. I opened port 51820 on the firewall.
4. Use vpnFile.conf on another computer: https://ibb.co/zmrw5sz
5. WireGuard always notices on the log "invalid MAC of handshake, dropping packet from": https://ibb.co/HTsw1Ht

=> It makes my connected computer unable to access the network.
=> I'm a newbie with no experience. I don't know what step I'm missing or where I'm going wrong. Please help me.
Hi @wpresources, this sounds more like a WireGuard problem than a WS4W problem, but there are a few things you can check.
- Does this value in the registry get updated?
- Do you see anything if you open Logs from WS4W?
- When the client is trying to connect, can you ping it from the server? (10.243.0.2)
- In those Invalid MAC error messages, is the source IP address (103.127.207.199) the expected public IP address of the client?
According to everything I'm seeing online, that error is usually associated with a bad key on the client side, but if you've used WS4W to generate all the keys (and based on your screenshots), everything should be correct.
registry is exactly
This is the VPS address where I am trying to create a VPN server (185.80.234.52 passServer!). The IP address I see on the IP check page is 118.69.3.196 (118.69.3.196 passClient!), but the error message shows IP 103.127.207.199.
If 185.80.234.52 can't create VPN server you can change 118.69.3.196. Please take a moment to help me check it.
Hi @wpresources, I connected and took a look. Your configuration looks fine, but I was also unable to connect to your server from my client.
I'm afraid the problem is related to port forwarding. I understand you're using a VPS, and you have unblocked the port in your machine's firewall. However, your VPS may only route certain ports (like 3389 for RDP) to your VM, whereas other ports (like 51820 for WireGuard) may be blocked.
I used this website to test the open ports on your VM's public IP: https://www.yougetsignal.com/tools/open-ports/
Sure enough, seems like the WireGuard port is closed.


Maybe you can open it in the VPS configuration?
Yeah you're right, that port scanner is not a good test. It also doesn't show the WireGuard port open on my server that currently works.
I just remembered that WireGuard uses the UDP protocol. Can you verify that your VPS forwards UDP?
While I was connected to your server, I checked the logs in WS4W. They don't show any incoming connection from the client. I think the "Invalid MAC of handshake" messages from the WireGuard logs are not related to this case (like you said, the origin IP was different from your (and my) client machine). Seems like the client cannot establish the connection at all.
I only have a couple more suggestions:
- Use `netstat` or TCPView on the server to verify that WireGuard is listening on the port. This is mine (I use `51821`):
- Use Wireshark on the server with a filter like `udp.port eq 51820`. Here is an example from my server. Notice I get a handshake request received, handshake response sent, and then immediately traffic starts flowing.
- Maybe try OpenVPN (they have a guide for configuring a server on Windows). If that works, you can use it instead of WireGuard. If not, then there is a general problem with the networking of the VPS machine.
 
Sorry I don't have more to offer! I am not really a WireGuard expert when it goes beyond a fairly trivial setup.
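The source-address check discussed in the comments above (is the "Invalid MAC of handshake" source the expected client or some other host?) can be run over a saved log. This is an added example, not part of the thread or of WS4W; the `ip:port` tail after "dropping packet from", the timestamps, the tunnel name and the function name `triage_invalid_mac` are assumptions, and the sample log is constructed using the IP addresses mentioned in the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Message text as quoted in the issue; the "ip:port" tail is an assumed format.
INVALID_MAC = re.compile(
    r"Invalid MAC of handshake, dropping packet from "
    r"(?P<host>\[[0-9a-fA-F:]+\]|[0-9.]+):(?P<port>\d+)"
)

def triage_invalid_mac(log_lines, expected_clients):
    """Split 'Invalid MAC' sources into expected clients and everything else."""
    expected = {ip_address(ip) for ip in expected_clients}
    from_clients, from_others = Counter(), Counter()
    for line in log_lines:
        m = INVALID_MAC.search(line)
        if not m:
            continue
        try:
            src = ip_address(m.group("host").strip("[]"))
        except ValueError:
            continue  # malformed address, skip the line
        (from_clients if src in expected else from_others)[str(src)] += 1
    return {"expected_clients": dict(from_clients),
            "other_sources": dict(from_others)}

# Constructed sample log (timestamps, tunnel name and the last line are made up).
SAMPLE_LOG = """\
2021-10-16 09:12:01.101: [TUN] [wg_server] Invalid MAC of handshake, dropping packet from 103.127.207.199:51820
2021-10-16 09:12:06.245: [TUN] [wg_server] Invalid MAC of handshake, dropping packet from 103.127.207.199:51820
2021-10-16 09:13:40.002: [TUN] [wg_server] Keypair 1 created for peer 1
""".splitlines()

if __name__ == "__main__":
    result = triage_invalid_mac(SAMPLE_LOG, expected_clients=["118.69.3.196"])
    print(result)
    if result["expected_clients"]:
        # The client reaches the server but fails the MAC check.
        print("Expected client is being dropped: re-check its keys and config.")
    elif result["other_sources"]:
        # Matches the conclusion in the thread: the drops are unrelated hosts.
        print("Drops come from other hosts; the client's packets are not arriving.")
```
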
Due to some error I am resetting my computer. I will try your latest way. You helped me understand a lot more about WireGuard and VPN, very easy to understand.
Hi, I would like to ask for the same Remote Address and Remote Port information as you? https://imgur.com/a/Rhf613G
Set a name when using WS4W to name the item Server Configuration and Configure Client. Or when naming WireGuard https://ibb.co/zmrw5sz => Is it possible to set optional or mandatory according to the name structure? Because in the manual page the item your name has blurred https://camo.githubusercontent.com/bcd2f3a1c5552db454a3ec658c5b2d03497767b9d44bcfe8d9fe41946dc46c78/68747470733a2f2f692e696d6775722e636f6d2f667278644a37532e706e67
Similarly, does the Address value have rules? https://user-images.githubusercontent.com/7417301/137597967-5dfcf8ba-5a22-4dcf-98f9-3aed21ae3c5e.png
> Hi, I would like to ask for the same Remote Address and Remote Port information as you? https://imgur.com/a/Rhf613G

Yep, that looks good to me. Your WireGuard process is listening to port 51820 on all interfaces with both IPv4 and IPv6.

> Is it possible to set optional or mandatory according to the name structure? Because in the manual page the item your name has blurred

No, the name doesn't matter, it's just for your convenience. In the WireGuard config file, it gets added as a comment, but, as you discovered, the value is ignored when you import the WireGuard configuration file into the client application.
May I ask what VPS you are using? If I have time, I could try setting up my own system to do some troubleshooting. But again, this is very likely outside the scope of my WireGuard knowledge.
Yes, I am using a VPS at https://zomro.net/vds.html. With your knowledge, I believe I will be able to fix it. When I successfully fix it, I will let you know :D
I believe my error is coming from Address. 10.253.0.1 is a common IP but my IP is different: IP Address: 192.168.1.247, Subnet: 255.255.255.0, Default gateway: 192.168.1.1 => I believe it is the reason for "Invalid MAC of handshake, packet from". Currently I get the error "packet has unallowed src ip"; maybe it comes from the client.conf and server.conf config files.
Keep in mind the network range for the WireGuard network must not conflict with your machine's network. It looks like your machine is using 192.168.1.0/24 (CIDR), and WireGuard is using 10.253.0.1/24, so there should be no conflict there.
I know it seems counterintuitive that you want WireGuard on a separate network, but that's what the Network Sharing feature in Windows is for. It allows a request from one network to travel to the other. If both networks have the same IP range, things get messy.
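The range check described in the comment above, written out as an added example (not part of the thread or of WS4W): it reads the `Address` entries from a WireGuard `[Interface]` section and reports any overlap with the machine's own adapter networks. The config text is constructed, the key is a placeholder, and the function names `wg_interface_networks` and `find_conflicts` are hypothetical; the addresses are the ones quoted in the thread.

```python
from ipaddress import ip_interface

def wg_interface_networks(conf_text):
    """Return the networks listed in the [Interface] Address line(s)."""
    networks, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "interface" and key.strip().lower() == "address":
            # Address may hold several comma-separated entries (IPv4 and IPv6).
            for item in value.split(","):
                networks.append(ip_interface(item.strip()).network)
    return networks

def find_conflicts(conf_text, host_adapters):
    """host_adapters: 'ip/mask' strings as shown by ipconfig (mask or prefix)."""
    conflicts = []
    for wg_net in wg_interface_networks(conf_text):
        for adapter in host_adapters:
            lan_net = ip_interface(adapter).network
            if wg_net.version == lan_net.version and wg_net.overlaps(lan_net):
                conflicts.append((str(wg_net), str(lan_net)))
    return conflicts

# Constructed server config; the key is a placeholder, Address is from the thread.
SERVER_CONF = """\
[Interface]
PrivateKey = <server-private-key-placeholder>
Address = 10.253.0.1/24
ListenPort = 51820
"""
# IP address and subnet mask of the machine as quoted in the thread.
LAN = ["192.168.1.247/255.255.255.0"]

if __name__ == "__main__":
    print(find_conflicts(SERVER_CONF, LAN) or "no overlap: ranges are separate")
    # Constructed failure case: WireGuard placed on the same range as the LAN.
    clashing = SERVER_CONF.replace("10.253.0.1/24", "192.168.1.1/24")
    print(find_conflicts(clashing, LAN))
```
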
Hey @wpresources, I finally had some time to try this out on a Zomro VPS. Believe it or not, WS4W worked right out of the box with no problems! I don't know why it would be any different than yours, but I followed all the basic steps in WS4W (except for "Persistent Internet Sharing", because I don't really care if it breaks after rebooting), then I exported the client config to my phone, connected to the WireGuard VPN, and I was on the Zomro network. I didn't even change any settings in the firewall.
Here are some screenshots, but again, I didn't do any unusual configuration.



The most important part: I'm getting a handshake and data transfer from my client.

From my phone I connected to the WireGuard VPN, and whoismyisp.org confirms I'm on the Zomro machine's network.
Let me know if you'd like me to share the VM credentials and/or WireGuard client info with you privately.
Hey @wpresources, I'm trying to clean up some old issues. Is there anything else I can do to help with this issue? As mentioned in my last comment, I signed up for a Zomro VPS and was able to get WS4W working right out of the box, so I don't think there's anything inherently wrong with that VPS. I'm still willing to share those credentials if you'd like to connect and take a look. Otherwise, I'm not sure what else I can do to help. Let me know!
As this issue has not had any activity in over a year, I am going to close it. Of course, please feel free to reopen at any time.