Skip to content

Troubleshooting

Host Status

If a host's Crux VPN connection does not appear to be working, the first thing to do is to check the status of the host in the Crux VPN web UI. Follow these steps:

  1. Log into the web UI, and switch to the appropriate organization.
  2. Click the Hosts link in the page header. This will take you to the Hosts page.
  3. Click the name of the host. If you don't see this host in the list, use the Filter by name... input at the top of the page to search for it by name. Clicking the name of the host will take you to the main page for the host.

Agent Status

On the main page for the host, check the agent's status in the Agent panel.

  • If the Agent panel simply reads Set Up Agent, make sure that you have set up the host. If you are in the process of setting up the host, check the agent's log files on the host itself for errors (see the "Logs" section of the the platform-specific troubleshooting page).
  • If the Status field in the Agent panel shows anything other than Good Ping, check the agent's log files on the host itself for error details (see "Logs" section of the platform-specific troubleshooting page).

Interface State

If the Status field in the Agent panel shows Good Ping, check each WireGuard interface's state in Interfaces panel.

  • If the Interfaces panel lists an interface as Down, see the Interface Down section below.
  • If the Interfaces panel lists an interface as Active or Available, see the No Traffic section below.

Interface Down

Start Up

In the web UI, if the State field of an interface is shown as Down, try editing the interface to change its state to up. Follow these steps:

  1. Navigate to the main page for the interface (by clicking the name of the interface, usually "crux0").
  2. Click the Edit (pencil) icon in the Interface panel.
  3. Toggle the State toggle button to Up.
  4. Click the Update button.

This will queue a change to start up the interface. The next time the agent on the host pings the Crux VPN API server, the agent will attempt to start up the interface. This may take up to 1 minute; until that time, the state of the interface will usually be shown as Updating -- although it may be shown as Down if the change has been applied, but interface is still in the process of starting up.

Restore to Point

If after a minute, the interface is still listed as Down, try restoring the interface to its last known good configuration. On the main page for the interface, follow these steps:

  1. Scroll down to the Config Changes panel.
  2. Click the Restore to Point (circle-with-arrow-and-dot) icon next to the last good change (often the change before the interface last shut down). This will open a Restore to Point In Time dialog.
  3. Select the Include all endpoint changes radio button.
  4. Click the Restore button.

This will queue several changes to reset the interface configuration, and start up the interface. The next time the agent on the host pings the Crux VPN API server, the agent will attempt to apply the reset configuration, and start up the interface. This may take up to 1 minute; until that time, the state of the interface will usually be shown as Updating -- although it may be shown as Down if the changes have been applied, but interface is still in the process of starting up.

No Traffic

If the web UI shows a WireGuard interface as up, try to connect outbound from the host itself to various other remote hosts by IP address to which the host should be able to connect through the WireGuard tunnel.

For example, to verify that you can connect through the tunnel to a remote host with a private WireGuard address of 10.0.0.2, run the following command to "ping" it with its private address:

$ ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=2.61 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=1.44 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=1.55 ms
^C
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 1.439/1.864/2.606/0.526 ms

If connecting by IP address to a host works, but connection by DNS name does not, you may need to set or change the setting for the interface's DNS servers.