angristan / wireguard-install

WireGuard VPN installer for Linux servers
https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
MIT License

Cannot make it work in Oracle Cloud VM #213

Closed rmspro closed 3 years ago

rmspro commented 3 years ago

I have Wireguard VPN set up in Oracle Cloud VM (Ubuntu 18.04). Wireguard client (Windows) connects, but there is no internet. 0 bytes received, hundreds sent every other second.

Here are the things I've done and tried:

  1. Created and updated/upgraded Ubuntu VM
  2. Executed Angristan's scripts.
  3. Added the port number assigned by Angristan's script in Ingress Rules (firewall)
  4. Tried to check/uncheck "Skip source/destination check" in VNIC setup
  5. Tried to set MTU size to 1360 (the default for wg0 was 8920) and added it in client config
  6. (Update) Tried to open the firewall another way "sudo ufw allow 54321/upd", I have no idea why I should do this, but still no result.

One thing I didn't understand in the process is why "net.ipv4.ip_forward=1" is still commented out inside "/etc/sysctl.conf" file after executing Angristan's script. Isn't it supposed to be enabled? Anyway, I tried to manually enable it in the file, still no internet.

I'm not good with Linux, Wireguard and networking stuff, so I'm hoping to get some help here on how to troubleshoot this issue.

rmspro commented 3 years ago

Here is "/etc/wireguard/wg0.conf" file content:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 54321
PrivateKey = PRIVATE_KEY
PostUp = iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = PUBLIC_KEY
PresharedKey = PRESHARED_KEY
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128


Here is the Wireguard Windows client config:

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 1.1.1.1, 1.0.0.1
MTU = 1360

[Peer]
PublicKey = PUBLIC_KEY
PresharedKey = PRESHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 150.101.202.303:54321

umairakhtar123 commented 3 years ago

Hello,

I am also facing the issue in setting up the WireGuard VPN on Oracle Cloud VM. I followed the instructions and created the VPS and its clients, but it is not working for me. Here are the details:

===========================================
interface: wg0
  public key:
  private key: (hidden)
  listening port: 64399

peer:
  preshared key: (hidden)
  allowed ips: 10.66.66.2/32, fd42:42:42::2/128

peer:
  preshared key: (hidden)
  allowed ips: 10.66.66.3/32, fd42:42:42::3/128

====================

This is the Desktop client conf:

[Interface]
PrivateKey =
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 94.140.14.14, 94.140.15.15

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 10.0.0.3:64399

====

Do you think it has something to do with the Firewall?

FireMasterK commented 3 years ago

Oracle cloud has a firewall that has to be configured in their portal.

Once you allow it, you should be able to use it just fine.

I'm able to run it fine on Ubuntu 20.04.

rmspro commented 3 years ago

@FireMasterK I have opened ports for Wireguard by adding ingress rules. Is there anything else to be done to configure the firewall on the Oracle side? By the way, I've also tried it with Ubuntu 20.04, same issue.


raypnman commented 3 years ago

The script worked perfectly for me about 6 months ago but does not work for my new instances on Oracle Cloud VM recently. Allowing the UDP port on the Oracle dashboard is not the only thing needed to make it work. After adding the accept rule for the UDP port to iptables, you will see your client device start receiving and sending data with the VM. But your client is still not able to access the Internet. It seems there is a prebuilt FORWARD rule on the Oracle VM blocking the traffic. The generated config /etc/wireguard/wg0.conf uses "-A" to append the rules to the bottom of the FORWARD chain; you may modify it to use "-I" instead so it adds the rules to the top, and after that, run "sudo wg-quick down wg0" and "sudo wg-quick up wg0" to reset the iptables rules. It should work then. At least it works for me.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:(port num) state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited   <<< Seems this is blocking the traffic; you can remove it if there is no security concern for you

HosseinMarvi commented 3 years ago

Sorry I don't have enough knowledge about networking and I might need a bit more help. @rayMomoko Do you mean replacing every -A flag with -I in wg0.conf? Because I tried to do that and it didn't help. @FireMasterK Would you please explain where and how I can configure firewall settings?

raypnman commented 3 years ago

@hosseinmarvi Hi, not necessarily all of them; I did it only for those being added to the FORWARD chain. If the rules are added by append (to the bottom), the transit traffic is rejected by the prebuilt rule on the Oracle VM, which is at the top (basically the table lookup goes from the top to the bottom). I also added the port ACCEPT iptables rule to wg0.conf (I am using UDP port 60000). Here is part of my wg0.conf and how my iptables eventually looks. Hope it can give you some help.

PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -I FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -I INPUT -i ens3 -p udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -D INPUT -i ens3 -p udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT
oracle:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:60000 state NEW,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
InstanceServices  all  --  anywhere             link-local/16

Chain InstanceServices (1 references)
<<<prebuilt rules of Oracle VM>>>
oracle:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N InstanceServices
-A INPUT -i ens3 -p udp -m udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i ens3 -o wg0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
<<<prebuilt rules of Oracle VM>>>
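
The explanation in the two comments above (a catch-all REJECT already present in FORWARD, "-A" appending the wg0 rules below it, "-I" putting them above it) comes down to iptables first-match evaluation. The following is an added example, not code from the wireguard-install project or from anyone in this thread: a small Python simulator that parses `iptables -S` style output, walks the FORWARD chain in order, and returns the verdict for a packet crossing between wg0 and ens3. The two chain dumps are constructed samples that assume the interface names used in this thread (ens3 for the WAN side, wg0 for the tunnel); the "appended" sample is what the chain looks like when the default "-A" rules land below a pre-existing REJECT, and the "inserted" sample matches the `iptables -S` output posted above after switching to "-I" (the second "-I" ends up on top, which is why `-i wg0` is listed before `-i ens3 -o wg0`).

```python
"""First-match simulation of an iptables FORWARD chain (added example, not project code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: wg-quick PostUp used "-A", so the wg0 rules sit
# below the image's pre-existing catch-all REJECT and never match.
APPENDED_CHAIN = """\
-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i ens3 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
"""

# Constructed sample: PostUp switched to "-I", so the wg0 rules are
# evaluated before the catch-all REJECT (same order as the -S dump above).
INSERTED_CHAIN = """\
-P FORWARD ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i ens3 -o wg0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

TERMINATING = ("ACCEPT", "DROP", "REJECT")


@dataclass
class Rule:
    in_if: Optional[str]   # -i value, None means "any"
    out_if: Optional[str]  # -o value, None means "any"
    target: Optional[str]  # -j value


def parse_chain(dump: str, chain: str = "FORWARD") -> Tuple[str, List[Rule]]:
    """Extract the policy and the ordered rules of one chain from `iptables -S` text.

    Only -i, -o and -j are interpreted; other options (e.g. --reject-with)
    are skipped, which is enough for the interface-only rules in this thread.
    """
    policy = "ACCEPT"
    rules: List[Rule] = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "-P" and parts[1] == chain:
            policy = parts[2]
        elif len(parts) >= 2 and parts[0] == "-A" and parts[1] == chain:
            in_if = out_if = target = None
            i = 2
            while i < len(parts):
                if parts[i] == "-i" and i + 1 < len(parts):
                    in_if, i = parts[i + 1], i + 2
                elif parts[i] == "-o" and i + 1 < len(parts):
                    out_if, i = parts[i + 1], i + 2
                elif parts[i] == "-j" and i + 1 < len(parts):
                    target, i = parts[i + 1], i + 2
                else:
                    i += 1  # option we do not model; ignore it
            rules.append(Rule(in_if, out_if, target))
    return policy, rules


def verdict(policy: str, rules: List[Rule], in_if: str, out_if: str) -> str:
    """Return the first terminating target that matches, else the chain policy."""
    for rule in rules:
        if rule.in_if is not None and rule.in_if != in_if:
            continue
        if rule.out_if is not None and rule.out_if != out_if:
            continue
        if rule.target in TERMINATING:
            return rule.target
    return policy


def wg_forwarding(dump: str, wan: str = "ens3", tun: str = "wg0") -> dict:
    """Verdicts for the two directions a VPN client's traffic takes through the box."""
    policy, rules = parse_chain(dump)
    return {
        "tunnel_to_wan": verdict(policy, rules, tun, wan),  # client -> Internet
        "wan_to_tunnel": verdict(policy, rules, wan, tun),  # replies back to client
    }


def first_catch_all_block(dump: str) -> Optional[int]:
    """Index of the first REJECT/DROP rule that matches any interface pair, or None.

    If this index is lower than the index of the wg0 ACCEPT rules, the
    client can complete the WireGuard handshake but gets no Internet.
    """
    _, rules = parse_chain(dump)
    for idx, rule in enumerate(rules):
        if rule.in_if is None and rule.out_if is None and rule.target in ("REJECT", "DROP"):
            return idx
    return None


if __name__ == "__main__":
    for name, dump in (("appended (-A)", APPENDED_CHAIN), ("inserted (-I)", INSERTED_CHAIN)):
        print(name, wg_forwarding(dump), "catch-all at index", first_catch_all_block(dump))
```

Running the block prints REJECT in both directions for the appended chain and ACCEPT for the inserted one, which is exactly the symptom described earlier in the thread: bytes sent, nothing received. On a real host the same check is `sudo iptables -S FORWARD`; if a `-j REJECT` or `-j DROP` line with no `-i`/`-o` appears before the wg0 lines, the PostUp rules are being appended below it.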
HosseinMarvi commented 3 years ago

@rayMomoko Thanks for your great help. It worked for me on a freshly installed Ubuntu 20.04.

I should also mention that having OpenVPN installed before WireGuard was another reason that I couldn't solve the issue with this workaround.