hwdsl2 / wireguard-install

WireGuard VPN server installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS, Fedora, openSUSE and Raspberry Pi OS
MIT License
1.15k stars, 267 forks

wireguard not working #18

Closed UncleJ4ck closed 1 year ago

UncleJ4ck commented 1 year ago

I'm trying to set up a WireGuard VPN on an Ubuntu server.

`uname -a`:

```
Linux suricata 5.15.0-73-generic #80-Ubuntu SMP Mon May 15 15:18:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
```

`cat /etc/os-release`:

```
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
```

I installed the VPN server using the default options, except for the DNS: I used my current DNS resolvers.

The wg0.conf on my server:

```
# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT 163.114.159.100

[Interface]
Address = 10.7.0.1/24
PrivateKey = *****
ListenPort = 51820

# BEGIN_PEER wg0
[Peer]
PublicKey = *****
PresharedKey = *****
AllowedIPs = 10.7.0.2/32
# END_PEER wg0
```

```
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.7.0.0/24          0.0.0.0/0
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  127  7304 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:163.114.159.100

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
```


The internet is working and the interface is up. When I move the client conf to the client machine, I don't have any internet access and I can't access the VPN server IP. I tried to ping it back and it doesn't work; nothing is working.

`cat /etc/wireguard/wg0.conf`:

```
[Interface]
Address = 10.7.0.2/24
DNS = 163.114.159.11, 163.114.159.12
PrivateKey = *****

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 163.114.159.100:51820
PersistentKeepalive = 25
```

```
root@test-VirtualBox:~# sudo iptables -nvL; sudo iptables -nvL -t nat
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

And even when I try to enable and start the service using systemctl, it fails:

```
× wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2023-06-05 03:33:07 CEST; 42s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 14796 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
   Main PID: 14796 (code=exited, status=1/FAILURE)
        CPU: 15ms

juin 05 03:33:07 test-VirtualBox systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
juin 05 03:33:07 test-VirtualBox wg-quick[14796]: wg-quick: `wg0' already exists
juin 05 03:33:07 test-VirtualBox systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/>
juin 05 03:33:07 test-VirtualBox systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
juin 05 03:33:07 test-VirtualBox systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
```


From the server I try to ping my client:

```
ubuntu@suricata:~/wireguard-install$ ping 10.7.0.2
PING 10.7.0.2 (10.7.0.2) 56(84) bytes of data.
From 10.7.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.7.0.2 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3072ms
```

And from the client, it times out and fails.

hwdsl2 commented 1 year ago

@UncleJ4ck Hello! Thanks for providing the details in this issue. First, please uninstall and reinstall WireGuard on your server to generate new keys. I've redacted some keys from your post which shouldn't be posted publicly.

First, check whether you can connect to this WireGuard server using a different client, such as Windows, macOS, Android or iOS. I suspect that the issue is most likely with the WireGuard configuration on your Linux client (in VirtualBox). This step can confirm whether the server itself works correctly. If the server is fine, feel free to close this issue and instead look into configuring your WireGuard client on Linux.

In addition, I noticed that the two DNS servers you specified are in the same subnet as the WireGuard server. Although unlikely, WireGuard clients might not be able to connect to those servers; you can try using a different public DNS server and see if that works.

Your server seems to have Docker installed, and although unlikely, this could interfere with the IPTables rules for WireGuard. When you have a client successfully connected, the IPTables output should have a positive number (instead of 0) on this line:

```
    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:163.114.159.100
```

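As an added example (not part of the wireguard-install project or this thread), a small POSIX shell helper that automates the counter check described above: it reads the output of `iptables -nvL -t nat`, finds the SNAT/MASQUERADE rule whose source is the VPN subnet, and classifies it as missing, idle (zero packets, so no client traffic has reached the NAT rule) or active. The `wg_nat_*` function names and the embedded sample output are constructed for illustration; the sample mirrors the POSTROUTING chain posted in this issue.

```shell
#!/bin/sh
# Added diagnostic helper (not from wireguard-install). A zero packet count on the
# VPN subnet's SNAT rule after a client has "connected" means no client traffic is
# reaching the server's NAT rule, so the fault is earlier in the path (handshake,
# client-side routing, a firewall in between) rather than in the forwarding rules.

# Constructed sample mirroring the server's POSTROUTING chain from the issue (all 0).
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:163.114.159.100'

# wg_nat_pkts SUBNET [INPUT]: print the pkts counter of the first SNAT/MASQUERADE
# rule whose "source" column equals SUBNET; print -1 if no such rule exists.
# Without INPUT it runs `iptables -nvL -t nat` itself (needs root).
wg_nat_pkts() {
    subnet=$1
    input=${2:-$(iptables -nvL -t nat 2>/dev/null)}
    # Columns of `iptables -nvL`: pkts bytes target prot opt in out source destination ...
    printf '%s\n' "$input" | awk -v s="$subnet" '
        $3 ~ /^(SNAT|MASQUERADE)$/ && $8 == s { print $1; found = 1; exit }
        END { if (!found) print -1 }'
}

# wg_nat_status SUBNET [INPUT]: "missing", "idle" (rule present, 0 packets) or "active".
wg_nat_status() {
    n=$(wg_nat_pkts "$1" "$2")
    if [ "$n" -lt 0 ]; then echo missing
    elif [ "$n" -eq 0 ]; then echo idle
    else echo active
    fi
}

# Demo on the constructed sample; on the real server run: wg_nat_status 10.7.0.0/24
echo "sample POSTROUTING: $(wg_nat_status 10.7.0.0/24 "$SAMPLE_NAT")"
```

Run it on the server while a client is connected and generating traffic; "idle" with a connected client points at the client side or the network path, "missing" means the installer's NAT rule is gone (for example replaced when Docker reloaded the tables).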
UncleJ4ck commented 1 year ago

I tried a different DNS server (Google's public DNS server) but it didn't work, it's the same. I tried it on a Windows machine and it's not working. Can you please provide instructions on using the .conf on the client machine for Linux, because it's not working.

Thank you

hwdsl2 commented 1 year ago

@UncleJ4ck Unfortunately I don't have the instructions for configuring WireGuard clients on Linux. You'll need to look into that yourself.

If it also doesn't work on Windows, it is possible that Docker on your server interferes with the IPTables rules for WireGuard. I would suggest that you set up WireGuard on a new server without Docker installed. The script was tested and confirmed working with Ubuntu 22.04; it is most likely not an issue with the script.

If you have additional information feel free to reply here.

UncleJ4ck commented 1 year ago

I tried to install it in a Debian VM without Docker and it's not working. I tried it with an Android phone and it's the same: I can't ping the server back and the internet connection gets caught.

hwdsl2 commented 1 year ago

@UncleJ4ck I tested the script on a new Ubuntu 22.04 cloud server, and was able to successfully connect using a WireGuard client. So the issue is most likely not with the script.

Maybe the issue is with your VM's network configuration, or it could be the network connection between your WireGuard client and server is unstable (e.g. blocked by GFW). I would suggest that you instead set up the WireGuard server on a cloud server provider, such as DigitalOcean or OVH.