YunoHost-Apps / wireguard_ynh

WireGuard VPN software with a web UI configuration companion, packaged for YunoHost.
GNU General Public License v3.0

Wireguard server does not allow connection #98

Closed utzer closed 7 months ago

utzer commented 7 months ago

Describe the bug

Setup worked fine, I created a connection, which also is shown in the web GUI. I can add that connection to the official WireGuard app on Android or to "WG Tunnel" from F-Droid. In both clients, when I start the connection it will first look good, but then when I open a web browser and open a random web page the WireGuard app will complain that the connection to the server is not possible.

For me it looks like firewall port UDP 8097 is open. I can also see that the port is open on the server; when I execute sudo ss -lptun|grep 8097 I get this:

Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:8097      0.0.0.0:*
udp   UNCONN 0      0               [::]:8097         [::]:*

I am not sure what else to look for.

I had the same problem on two Yunohost setups, I never got it to work. One case is now, the other was some months ago.

Context

Steps to reproduce

I installed the WireGuard app, I set up a connection, and it seems it is not working.

Please ask me questions or tell me what to check, I am quite savvy with Debian. Please don't tell me to update the YunoHost version; this problem has persisted for months through different versions, so I prefer to troubleshoot it now. As written, I will update YNH soon anyway, but not now.

Expected behavior

WG app connects and all traffic goes through VPN.

Logs

When restarting the "wg-quick" service there is a fault during the stop part, but it looks ok when adding the new connection:

Nov 30 09:15:26 systemd[1]: Stopping WireGuard via wg-quick(8) for wg0...
Nov 30 09:15:26 wg-quick[636063]: [#] ip link delete dev wg0
Nov 30 09:15:27 wg-quick[636063]: [#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp35s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp35s0 -j MASQUERADE
Nov 30 09:15:27 wg-quick[636083]: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 30 09:15:27 systemd[1]: wg-quick@wg0.service: Control process exited, code=exited, status=1/FAILURE
Nov 30 09:15:27 systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Nov 30 09:15:27 systemd[1]: Stopped WireGuard via wg-quick(8) for wg0.
Nov 30 09:15:27 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Nov 30 09:15:27 wg-quick[636084]: [#] ip link add wg0 type wireguard
Nov 30 09:15:27 wg-quick[636084]: [#] wg setconf wg0 /dev/fd/63
Nov 30 09:15:27 wg-quick[636084]: [#] ip -4 address add 10.10.10.0/24 dev wg0
Nov 30 09:15:27 wg-quick[636084]: [#] ip -6 address add fd42::/112 dev wg0
Nov 30 09:15:27 wg-quick[636084]: [#] ip link set mtu 1450 up dev wg0
Nov 30 09:15:27 wg-quick[636084]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp35s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp35s0 -j MASQUERADE; ip link set multicast on dev wg0
Nov 30 09:15:27 systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

tituspijean commented 7 months ago

Some tests and checks:

  1. Did you click on "Apply config" in the Wireguard server interface after fine-tuning your configuration?
  2. ip -br a and make sure enp35s0 is the right main internet connection of your server
  3. With your client "connected" to the Wireguard network, perform a ping 10.10.10.0: does it work?
  4. Same thing with ping 80.67.172.144 to see if external connection works (most likely no)
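
As an added example (not code from the wireguard_ynh project or from either participant), a small POSIX sh script that turns two of the checks above into functions: whether a UDP socket is bound on the configured port (the ss output in the report), and whether the interface in the wg-quick PostUp MASQUERADE rule matches the server's default route (check 2). The sample ss output, PostUp line and route lines are constructed to mirror the thread; on a live server you would feed the functions the output of ss -lptun, the PostUp line from wg0.conf and ip -4 route show default.

```shell
#!/bin/sh
# Added diagnostic helpers (example code, not part of wireguard_ynh or YunoHost).
# Each check takes command output as a string so it also works on pasted output;
# on the server you would feed it live output, e.g. udp_listening "$(ss -lptun)" 8097

# udp_listening OUTPUT PORT: succeeds if an `ss -lptun` line shows a UDP socket bound to PORT
udp_listening() {
    printf '%s\n' "$1" | awk -v p=":$2" '$1 == "udp" && $5 ~ (p "$") { found = 1 } END { exit !found }'
}

# egress_iface POSTUP: interface named by -o in the MASQUERADE rule of a wg-quick PostUp line
egress_iface() {
    printf '%s\n' "$1" | sed -n 's/.*POSTROUTING -o \([^ ;]*\) -j MASQUERADE.*/\1/p' | head -n 1
}

# default_iface ROUTES: interface of the default route in `ip -4 route show default` output
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# nat_iface_ok POSTUP ROUTES: succeeds when the MASQUERADE rule uses the default-route interface
# (check 2 in the thread: traffic from wg0 is only NATed correctly out of the real uplink)
nat_iface_ok() {
    iface=$(egress_iface "$1")
    [ -n "$iface" ] && [ "$iface" = "$(default_iface "$2")" ]
}

# Constructed sample data modelled on the report above, not captured from a real host.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:8097      0.0.0.0:*
udp   UNCONN 0      0               [::]:8097         [::]:*'
POSTUP_SAMPLE='iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp35s0 -j MASQUERADE'
ROUTES_OK='default via 192.0.2.1 dev enp35s0 proto static'
ROUTES_BAD='default via 192.0.2.1 dev eth0 proto static'

main() {
    if udp_listening "$SS_SAMPLE" 8097; then echo "UDP 8097 is bound"; else echo "nothing bound on UDP 8097"; fi
    for routes in "$ROUTES_OK" "$ROUTES_BAD"; do
        if nat_iface_ok "$POSTUP_SAMPLE" "$routes"; then
            echo "OK: MASQUERADE uses the default-route interface $(default_iface "$routes")"
        else
            echo "MISMATCH: PostUp masquerades out of $(egress_iface "$POSTUP_SAMPLE"), default route is via $(default_iface "$routes")"
        fi
    done
}
main "$@"
```
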
utzer commented 7 months ago

1. Did you click on "Apply config" in the Wireguard server interface after fine-tuning your configuration?

Yes, some months ago; this is clearly stated in the manual, at least I remember that I read this. I did go to edit and apply again now.

2. ip -br a and make sure enp35s0 is the right main internet connection of your server

Besides enp35s0, there is only the loopback (lo) and wg0, so yes enp35s0 is the main connection.

3. With your client "connected" to the Wireguard network, perform a ping 10.10.10.0: does it work?

First it didn't, I continued to play around... and now it does work.

4. Same thing with ping 80.67.172.144 to see if external connection works (most likely no)

Used google.com, and yes, this also works.

I did all this multiple times, not sure what finally was the solution. At some point I opened port 8097 for TCP, but I closed it again, and I restarted the firewall as written in the other issue.

Really not sure what did it now. If I figure it out I will report it here.

And of course thank you very much for the reply and the effort!