angristan / wireguard-install

WireGuard VPN installer for Linux servers
https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
MIT License
8.12k stars 1.32k forks

not working on Oracle Free Cloud #321

Closed masterwishx closed 1 year ago

masterwishx commented 2 years ago

Installed OK, but I don't have access to the internet from Oracle Free Cloud. In the installation steps it detects the private address 10.10.x.x on the enp0s3 adapter instead of the public 182.x.x.x, and if I insert the public one then I don't have access to the internet.

Sirherobrine23 commented 2 years ago

Hello, I had the same problem here; look at this discussion: #241. This solved my problem.

masterwishx commented 2 years ago

Thanks. You mean to add these two lines?

PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -I FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -I INPUT -i ens3 -p udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT

PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -D INPUT -i ens3 -p udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT

Also this script can't find my real outside IP address; it shows my private IP at the start of the install. I found another script that finds it but didn't try it (road warrior wireguard-install).

Also tried PiVPN, but also no luck. I will try it again after I remake the instance of the Oracle server. Thanks

Sirherobrine23 commented 2 years ago

So, the script already adds this rule in the WireGuard configuration, and it also asks for the endpoint that the clients will have.

And what I could understand is that the client is not having access, you will have to go to the oracle cloud dashboard to release the wireguard ports that were configured.

And if you still can't access the wireguard network, run this command to remove the iptable rules: iptables -F to remove all the rules.

Sirherobrine23 commented 2 years ago

Oracle defined some rules to block almost all ports on the vm, and on your virtual network.

masterwishx commented 2 years ago

so, the script already adds this rule in the wireguard configuration

you mean this or https://github.com/Nyr/wireguard-install

masterwishx commented 2 years ago

I opened the port in Oracle Cloud before running the script.

Sirherobrine23 commented 2 years ago

so, the script already adds this rule in the wireguard configuration

you mean this or https://github.com/Nyr/wireguard-install

The https://github.com/angristan/wireguard-install, I don't know other scripts, just a docker image that I'm developing.

Sirherobrine23 commented 2 years ago

You could put the iptable rules here (iptables --list).

Sirherobrine23 commented 2 years ago

And the VM from Oracle is what configuration, so I can create one here to help you better?

masterwishx commented 2 years ago

OK, thanks a lot. For now I made a new instance and don't know what script to use now?!?

  1. this one (tried before, no success on the internet side)
  2. https://github.com/Nyr/wireguard-install (there is a video on YouTube + a fix if no internet)
  3. pivpn (tried before, no success on the internet side)

masterwishx commented 2 years ago

And the VM from Oracle is what configuration, so I can create one here to help you better?

Ubuntu 20.4, VM.Standard.A1.Flex - OCPU x4, mem 24 GB, only added the UDP port for WireGuard

Sirherobrine23 commented 2 years ago

I'll try here and send you the iptables settings.

Sirherobrine23 commented 2 years ago

Setup Commands

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
# in "IPv4 or IPv6 public address:" add VM public IP here.
# and "Server's WireGuard port [1-65535]:" add port opened in oracle cloud dashboard.
sudo ./wireguard-install.sh
sudo iptables -F
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo reboot

Oracle cloud subnet egress route:

Captura de tela de 2022-02-13 14-39-57

setup log, with angristan/wireguard-install:

ubuntu@wireguardvm:~$ curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15554  100 15554    0     0   106k      0 --:--:-- --:--:-- --:--:--  106k
ubuntu@wireguardvm:~$ chmod +x wireguard-install.sh
ubuntu@wireguardvm:~$ sudo ./wireguard-install.sh
Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: 144.22.149.61
Public interface: enp0s3
WireGuard interface name: wg0
Server's WireGuard IPv4: 10.66.66.1
Server's WireGuard IPv6: fd42:42:42::1
Server's WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 8.8.8.8
Second DNS resolver to use for the clients (optional): 1.1.1.1

Okay, that was all I needed. We are ready to setup your WireGuard server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
...

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash and can't exceed 15 chars.
Client name: phone
Client's WireGuard IPv4: 10.66.66.2
Client's WireGuard IPv6: fd42:42:42::2
...
ubuntu@wireguardvm:~$ sudo iptables -F && sudo iptables-save | sudo tee /etc/iptables/rules.v4 

My phone client:

Screenshot_20220213-142540_WireGuard

masterwishx commented 2 years ago

1. Did the script find your external IP? 2. And you have access to the internet?

  3. Do I need to run (iptables -F)? It deletes iptables?

Thanks a lot, I will try it.

Also I have a strange problem: when I use the "reboot" command in SSH, then I can't access the server by SSH (timeout). Also checked with https://www.infobyip.com/sshservertest.php, and the server's port 22 looks unavailable... so I'm restarting from the Oracle cloud dashboard...

Sirherobrine23 commented 2 years ago

  1. No, I had to put the VM's public IP provided by Oracle's Dashboard.
  2. Yes.
  3. Yes, because you will have to eliminate the rules defined by Oracle that block all requests to the VM.

To restart the vm over ssh you must use the sudo reboot command.

masterwishx commented 2 years ago

Ah OK, thanks, I will try.

masterwishx commented 2 years ago

If I'm using the root user I don't need "sudo reboot", only reboot, no?

Sirherobrine23 commented 2 years ago

With root, no. I created the VM and used the default user (ubuntu) to configure WireGuard.

masterwishx commented 2 years ago

But somehow I can't enter the server now by SSH!!!! After reboot, and also after rebooting from the dashboard, I still can't access SSH; https://www.infobyip.com/sshservertest.php also can't access port 22. I will try later. I had this problem yesterday also and opened a ticket, but today it was OK... Anyway, thanks a lot for the help. I will try it when I am able to connect. Thanks

Sirherobrine23 commented 2 years ago

If you don't have SSH access, connect to the VM through the Dashboard to solve this problem. You can also send commands to verify the integrity of the VM through the Dashboard.

Sirherobrine23 commented 2 years ago

Also, do not put the IP of the WireGuard interface in the same CIDR as the network interface that accesses the internet, because this conflicts.

masterwishx commented 2 years ago

I added the UDP port in ingress without the stateless box checked. Also I found I have MTU 9000 on enp0s3 and MTU 8920 on wg0; may the MTU cause the problem?

Also now I have installed another script (https://github.com/Nyr/wireguard-install). It's very similar to this one but it can also find the real outside IP; it would be cool to add that to this script. Also I have WireGuard OK but no internet somehow; also used
"sudo iptables -F && sudo iptables-save | sudo tee /etc/iptables/rules.v4" but it did not help.

Tomorrow I will uninstall it and install your script and will follow your guide. I hope you will help me out. Thanks

```bash
# If $ip is a private IP address, the server must be behind NAT
if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
    echo
    echo "This server is behind NAT. What is the public IPv4 address or hostname?"
    # Get public IP and sanitize with grep
    get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")")
    read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
    # If the checkip service is unavailable and user didn't provide input, ask again
    until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do
        echo "Invalid input."
        read -p "Public IPv4 address / hostname: " public_ip
    done
    [[ -z "$public_ip" ]] && public_ip="$get_public_ip"
fi
```

Sirherobrine23 commented 2 years ago

The MTU, as I remember, won't be a problem, as they are the size of the UDP packets. If you are not able to access the NAT it must be the iptables rule. I will be waiting for you, to help.

raypnman commented 2 years ago

Not sure if you are using Oracle Linux instead of Ubuntu. If that is the case, don't forget to allow traffic using firewall-cmd, otherwise traffic may be blocked by the firewall. There is a ssh service allowed by default in firewall-cmd, but not the others. I am allowing the wireguard traffic under services as well. If you don't have any security concerns, you could completely disable the firewalld...(um...I won't)

You may allow traffic that you have configured inside the xml with command like below: sudo firewall-cmd --zone=public --permanent --add-service=wireguard

You should then see your service being added in the services:

oracle ~]$ sudo firewall-cmd --list-all --zone=public --permanent
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ftp iperf3-tcp iperf3-udp ssh wireguard zabbix-tcp zabbix-udp
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

An example of the xml file and the location:

oracle ~]$ sudo ls /etc/firewalld/services/wireguard.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>wireguard</short>
  <description>WireGuard open UDP port 60000 for client connections</description>
  <port protocol="udp" port="60000"/>
</service>

It is also a good idea to use tcpdump when troubleshooting, to see if packets arrived to the VM or not.

Sirherobrine23 commented 2 years ago

Hello, he is using Ubuntu to apply wireguard server.

I'm not sure if you are using Oracle Linux instead of Ubuntu. If that is the case, don't forget to allow the traffic using firewall-cmd, otherwise the traffic may be blocked by the firewall. There is an ssh service allowed by default in firewall-cmd, but not the others. I am allowing the wireguard traffic under services as well. If you don't have any security concerns, you could completely disable firewalld

You can allow the traffic you configured inside the xml with the command below: sudo firewall-cmd --zone=public --permanent --add-service=wireguard

You should then see your service being added under services:

oracle ~]$ sudo firewall-cmd --list-all --zone=public --permanent
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ftp iperf3-tcp iperf3-udp ssh wireguard zabbix-tcp zabbix-udp
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

An example of the xml file and its location:

oracle ~]$ sudo ls /etc/firewalld/services/wireguard.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>wireguard</short>
  <description>WireGuard open UDP port 60000 for client connections</description>
  <port protocol="udp" port="60000"/>
</service>

It is also a good idea to use tcpdump when troubleshooting, to see whether the packets arrived at the VM or not.

raypnman commented 2 years ago

Hello, he is using Ubuntu to apply wireguard server.

Oh, yes, just saw the environment in previous posts...

xw-l commented 2 years ago

So, reinstall the system, and everything will work out. (BONUS: It really works!)

Sirherobrine23 commented 2 years ago

He can do that, and it would be nice, but it depends on him; sometimes he doesn't want to recreate the VM because of some service he hosts there.

masterwishx commented 2 years ago

I uninstalled the script that has WireGuard, and will install yours, then I will post all the info of WireGuard. I already made a new clean instance, after having tried your script and the pivpn script. Also I made a backup of the clean boot disk after creation of the VM, and I didn't install any services before WireGuard. All that I had before is gone. I wanted to make WireGuard work first...

I installed WireGuard on my Unraid home server without any problem in 5-10 min. But a VPS I'm trying for the first time. If there will be problems again I can restore the backup or recreate the VM. Thanks

masterwishx commented 2 years ago

Finally installed your script and still no internet on my phone. But somehow after:

sudo iptables -F && sudo iptables-save | sudo tee /etc/iptables/rules.v4 reboot

I have the following iptables with the old script's IP in it: wireguard1

wg2

image

masterwishx commented 2 years ago

wg3

Sirherobrine23 commented 2 years ago

I suspect you still don't have internet access, can you test on the computer to see if you still don't have internet too?

masterwishx commented 2 years ago

OK

masterwishx commented 2 years ago

Also I have a very strange and slow server in Oracle; I need to wait 30 min on reboot and it's slow to do installs also...

masterwishx commented 2 years ago

Is it OK that I have IP forwarding from the old script in iptables?

masterwishx commented 2 years ago

Yes, on the computer also no internet.

Sirherobrine23 commented 2 years ago

It's looking like some iptables rule or on the oracle cloud network.

Sirherobrine23 commented 2 years ago

My phone accesses the normal internet and local VM hosts.

My phone client

Nginx page: Screenshot_20220215-103629_Chrome

wireguard config: Screenshot_20220215-103934_WireGuard~2

Iptables rules

# Generated by iptables-save v1.8.4 on Tue Feb 15 13:48:34 2022
*filter
:INPUT ACCEPT [3188:1408807]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3245:2175416]
:InstanceServices - [0:0]
-A FORWARD -i enp0s3 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Tue Feb 15 13:48:34 2022
# Generated by iptables-save v1.8.4 on Tue Feb 15 13:48:34 2022
*nat
:PREROUTING ACCEPT [244:65907]
:INPUT ACCEPT [17:1472]
:OUTPUT ACCEPT [92:7610]
:POSTROUTING ACCEPT [34:3004]
-A POSTROUTING -o enp0s3 -j MASQUERADE
-A POSTROUTING -o enp0s3 -j MASQUERADE
COMMIT
# Completed on Tue Feb 15 13:48:34 2022

Oracle cloud Egress/Ingress Rules:

Captura de tela de 2022-02-15 10-45-24 Captura de tela de 2022-02-15 10-45-28
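An added diagnostic, not part of this thread or of the installer script, that reads an iptables-save dump like the one above and reports the conditions discussed in this issue: a catch-all REJECT ahead of the wg0 ACCEPT or ahead of the UDP listen port, a missing MASQUERADE, or the duplicate MASQUERADE visible in the dump. The sample dump is constructed; its REJECT rules stand in for the blocking rules the stock Oracle image adds, which is an assumption here, and the interface and port names are the ones used in this thread.

```python
# Constructed sample modelled on the iptables-save output in this thread, plus the catch-all REJECT rules Oracle's stock image ships (assumed).
SAMPLE_DUMP = """\
*filter
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i enp0s3 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o enp0s3 -j MASQUERADE
-A POSTROUTING -o enp0s3 -j MASQUERADE
COMMIT
"""

def parse_dump(dump):
    """Group '-A <chain> ...' rules as token lists under 'table/chain', in rule order."""
    chains, table = {}, ""
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A ") and table:
            toks = line.split()
            chains.setdefault(f"{table}/{toks[1]}", []).append(toks[2:])
    return chains

def first_index(rules, *pairs):
    """Index of the first rule holding every (option, value) pair; 'A|B' means either."""
    for i, toks in enumerate(rules):
        padded = " " + " ".join(toks) + " "
        if all(any(f" {o} {v} " in padded for v in alts.split("|"))
               for o, alts in zip(pairs[::2], pairs[1::2])):
            return i
    return None

def check_wireguard_rules(dump, wg_if="wg0", pub_if="enp0s3", port=51820):
    """Findings that explain why peers connect (or not) but get no internet."""
    chains, findings = parse_dump(dump), []
    inp, fwd, nat = (chains.get(k, []) for k in ("filter/INPUT", "filter/FORWARD", "nat/POSTROUTING"))
    # INPUT: a catch-all REJECT/DROP ahead of the UDP listen port blocks the handshake.
    block, opened = first_index(inp, "-j", "REJECT|DROP"), first_index(inp, "-p", "udp", "--dport", str(port))
    if block is not None and (opened is None or opened > block):
        findings.append(f"INPUT rejects UDP/{port} before any ACCEPT; handshake never arrives")
    # FORWARD: the wg0 ACCEPT must precede the REJECT, otherwise client traffic is dropped.
    block, accept = first_index(fwd, "-j", "REJECT|DROP"), first_index(fwd, "-i", wg_if, "-j", "ACCEPT")
    if accept is None:
        findings.append(f"FORWARD has no ACCEPT for packets entering {wg_if}")
    elif block is not None and block < accept:
        findings.append(f"FORWARD rejects at rule {block + 1}, ahead of the {wg_if} ACCEPT")
    # nat: one MASQUERADE on the public interface; duplicates mean PostUp ran twice.
    masq = [r for r in nat if first_index([r], "-o", pub_if, "-j", "MASQUERADE") == 0]
    if not masq:
        findings.append(f"POSTROUTING has no MASQUERADE on {pub_if}; replies cannot return")
    elif len(masq) > 1:
        findings.append(f"{len(masq)} duplicate MASQUERADE rules on {pub_if} (PostUp applied twice?)")
    return findings
```

Feed it the output of `sudo iptables-save` to see which rule is in the way before flushing anything; deleting only the offending REJECT rules keeps the rules the script inserted, which `iptables -F` also discards.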

masterwishx commented 2 years ago

I will copy the iptables to my iptables, then reboot. If not, I can restore the clean boot volume, or recreate a new VM with a new VCN and IP.

Sirherobrine23 commented 2 years ago

No need to restart to apply iptables rules; I only restart if I renew all rules and save.

masterwishx commented 2 years ago

ok

masterwishx commented 2 years ago

Also not working. So I made new instance with new vcn. I will try again on new one.

masterwishx commented 2 years ago

I installed on a new VM and this VM works perfectly and fast, not like before... but still no internet connection :-(

During install: wg install

image

masterwishx commented 2 years ago

Added to filter like in your iptables, but I am somehow missing:

-A FORWARD -i enp0s3 -o wg0 -j ACCEPT -A FORWARD -i wg0 -j ACCEPT

But it did not help. I really don't know what to do?!? PS: now my VM works OK in terms of speed and restarts after some seconds... not like before... PS: like I said before, I installed WireGuard on my home Unraid in some minutes without problems :-(

Sirherobrine23 commented 2 years ago

You have a very suspicious case regarding access to your internet.

masterwishx commented 2 years ago

I really don't understand where the problem is. Should those missing lines be in rules.v4? If I use iptables -F...... they are gone.

Sirherobrine23 commented 2 years ago

iptables -F will remove all rules and release everything.

masterwishx commented 2 years ago

image

is here all OK?

Sirherobrine23 commented 2 years ago

It's normal.

Sirherobrine23 commented 2 years ago

The internet would be the Oracle Cloud network, or it would be a network of a computer on your network.

If in Oracle Cloud:

  1. The network must be on the same VCN and subnet.
  2. VMs can communicate with each other.
  3. If the VMs are not communicating, they may be on separate networks.

A local infrastructure of yours:

  1. On your router, open the ports.
  2. Check communication with the WireGuard server.

From Oracle Cloud to an on-premises network:

If you are going to access a remote machine through wireguard, you have to redirect the ports to the wireguard interface.