hwdsl2 / wireguard-install

WireGuard VPN server installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS, Fedora, openSUSE and Raspberry Pi OS
MIT License

Wireguard internet access #2

Closed anartikov closed 2 years ago

anartikov commented 2 years ago

https://github.com/hwdsl2/wireguard-install/issues/1

I understood at what moment the error described above occurs. Everything works fine until the first reboot of the server. After a reboot, the problem recurs. That is, the handshake goes well, but there is no Internet access.

Please tell me what information to provide you so that you can possibly help me.

hwdsl2 commented 2 years ago

@anartikov Hello! This could be an IPTables issue. Can you post the IPTables rules from your server?

sudo iptables -nvL; sudo iptables -nvL -t nat

Also post the contents of /etc/sysconfig/iptables if the file exists.

anartikov commented 2 years ago

[root@nartserv2 ~]# sudo iptables -nvL; sudo iptables -nvL -t nat

Chain INPUT (policy ACCEPT 641 packets, 37212 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
   10   431 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
36956   33M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   11  3792 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    2   214 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   835 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  230  257K ACCEPT     all  --  eth0   ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  114 24033 ACCEPT     all  --  ppp+   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   ppp+    192.168.42.0/24      192.168.42.0/24
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      eth0    192.168.43.0/24      0.0.0.0/0
  392 85125 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 37598 packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 1064 packets, 130K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 648 packets, 39668 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 700 packets, 45940 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 701 packets, 47220 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  3634 MASQUERADE  all  --  *      eth0    192.168.42.0/24      0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none

anartikov commented 2 years ago

/etc/sysconfig/iptables

# Modified by hwdsl2 VPN script
# Generated by iptables-save v1.4.21 on Thu Oct 18 18:52:13 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
COMMIT
# Completed on Thu Oct 18 18:52:13 2018
# Generated by iptables-save v1.4.21 on Thu Oct 18 18:52:13 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Thu Oct 18 18:52:13 2018
hwdsl2 commented 2 years ago

@anartikov Your IPTables rules do not contain any rules for WireGuard, only IPsec. Try:

systemctl enable --now wg-iptables.service
systemctl enable --now wg-quick@wg0.service 

If this doesn't work, remove and re-install WireGuard from this repo.

archidote commented 2 years ago

Hello,

I had the same issue as @anartikov.

I have done your workaround, but it still does not work... even after a new fresh install.

This is what the IPTables rules look like on my server when the problem occurs (after a reboot):

sudo iptables -nvL; sudo iptables -nvL -t nat
Chain INPUT (policy ACCEPT 9099 packets, 718K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
    3   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
75871 9509K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3  2746 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  ens5   ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   ens5    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  ppp+   ppp+    0.0.0.0/0            0.0.0.0/0           
   84 29578 ACCEPT     all  --  ens5   *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
   74 21286 ACCEPT     all  --  *      ens5    192.168.43.0/24      0.0.0.0/0           
    0     0 ACCEPT     all  --  *      ppp+    192.168.43.0/24      0.0.0.0/0           
  148  9361 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 66559 packets, 32M bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 8571 packets, 565K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 8408 packets, 548K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 145 packets, 10564 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 145 packets, 10564 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ens5    192.168.42.0/24      0.0.0.0/0           
   10  7041 MASQUERADE  all  --  *      ens5    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none

After a fresh install, this is what it looks like:

sudo iptables -nvL; sudo iptables -nvL -t nat
Chain INPUT (policy ACCEPT 18619 packets, 1530K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1   176 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
    3   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 154K   19M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3  2746 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.7.0.0/24          0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  ens5   ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   ens5    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  ppp+   ppp+    0.0.0.0/0            0.0.0.0/0           
  222 83218 ACCEPT     all  --  ens5   *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
  184 51985 ACCEPT     all  --  *      ens5    192.168.43.0/24      0.0.0.0/0           
    0     0 ACCEPT     all  --  *      ppp+    192.168.43.0/24      0.0.0.0/0           
  248 15585 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 135K packets, 65M bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 17392 packets, 1152K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 17106 packets, 1115K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 171 packets, 12363 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 171 packets, 12363 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ens5    192.168.42.0/24      0.0.0.0/0           
   29 19960 MASQUERADE  all  --  *      ens5    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none
    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:192.168.1.19

After a quick visual analysis, I notice that the last line has disappeared:

    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:192.168.1.19

I think that the problem comes from the, as if this rule was "temporary", and as soon as we restart, this one is not effective anymore...

Do you have an idea?

Best regards,

hwdsl2 commented 2 years ago

@archidote Hello! Please try:

systemctl restart wg-iptables.service

Then check the IPTables rules again. The missing rules should be back after that. Let us know if this works for you. If so, add the command above to your /etc/rc.local.

anartikov commented 2 years ago

@hwdsl2 I did it. After adding the command everything works well after a reboot. Thanks

archidote commented 2 years ago

@archidote Hello! Please try:

systemctl restart wg-iptables.service

Then check the IPTables rules again. The missing rules should be back after that. Let us know if this works for you. If so, add the command above to your /etc/rc.local.

Hello @hwdsl2 ,

First of all, thank you for your answer.

I have done what you said previously and it works!

But in my point of view, the behaviour of iptables is very strange because,

If I do

 systemctl restart wg-iptables.service

it works

but, if I do as following (because I'm a little bit curious ^^)

systemctl start wg-iptables.service

It does not work anymore ^^ iptables is still a mystery to me...

I run a Debian 11 fully updated server... Maybe you can modify the wireguard-install.sh to auto add

systemctl restart wg-iptables.service

in /etc/rc.local? I think that it will help a lot of people in the future. I saw on many forums/topics that some people had the same issue as us.

[Edit]

After inserting the line in /etc/rc.local and then restarting the server, I haven't seen any change.

I had to enter the command manually for the changes to take effect.

I look forward to hearing from you. Best regards

hwdsl2 commented 2 years ago

@archidote Thank you for the update. The reason that systemctl start wg-iptables.service doesn't work is that the service is already started, and it only adds the necessary IPTables rules when starting. On the other hand, systemctl restart works.

Make sure that your /etc/rc.local is executable by running:

chmod +x /etc/rc.local

Then reboot the server and check again. It should work. I plan to add a fix for this in the script.

archidote commented 2 years ago

@hwdsl2

So according to my investigations:

What you told me about /etc/rc.local works fine. BUT (IN MY CASE),

I had already installed a VPN from one of your scripts

(https://github.com/hwdsl2/setup-ipsec-vpn)

after re-reading my rc.local file, I noticed that some instructions were already present in this file (from your script :)

In my case, the problem was obviously the "exit 0". I commented it, and since then everything is working again. rc.local is running fine.

Here is my /etc/rc.local configuration:

#!/bin/sh

# Added by hwdsl2 VPN script (L2TP/ipsec/ikev2) 
(sleep 15
service ipsec restart
service xl2tpd restart
echo 1 > /proc/sys/net/ipv4/ip_forward)&
#exit 0

# manually edit hwdsl2 wireguard vpn script 
systemctl restart wg-iptables.service
# echo "hello" >> /tmp/test.txt

and the rights of the file:

-rwxr-xr-x 1 root root 259 Nov 17 16:47 rc.local

For all, here is a reconfiguration from scratch that I just did and that worked well even after reboots:

root@debian:~# wget -O wireguard.sh https://get.vpnsetup.net/wg
Saving to: ‘wireguard.sh’
2022-11-17 16:53:03 (14.0 MB/s) - ‘wireguard.sh’ saved [31498/31498]

root@debian:~# sudo bash wireguard.sh --auto

WireGuard Script
https://github.com/hwdsl2/wireguard-install

Starting WireGuard setup using default options.

Server IP: x.x.x.x
Port: UDP/51820
Client name: client
Client DNS: Google Public DNS

Installing WireGuard, please wait...
+ apt-get -yqq update
+ apt-get -yqq install wireguard qrencode
+ systemctl enable --now wg-iptables.service
+ systemctl enable --now wg-quick@wg0.service

████ ▄▄▄▄▄ █▀▄▀█▀▀▄ ▀▀▄█ ▄▀█ ▀▀▀▄▄ ▄▄▀▄▀█▄█▄▄█▄▀▀ ▄▀█▄█▀▄██▄▀█ ▄▄▄▄▄ ████
↑ That is a QR code containing the client configuration.

Finished!

The client configuration is available in: /root/client.conf
New clients can be added by running this script again.
root@debian:~# nano /etc/rc.local 
root@debian:~# nano /etc/rc.local 
root@debian:~# echo "systemctl restart wg-iptables.service" >> /etc/rc.local 
root@debian:~# cat /etc/rc.local | tail -1
systemctl restart wg-iptables.service
root@debian:~# sudo iptables -nvL; sudo iptables -nvL -t nat
Chain INPUT (policy ACCEPT 805 packets, 220K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   352 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
[...]

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.7.0.0/24          0.0.0.0/0           
[...] 
Chain POSTROUTING (policy ACCEPT 146 packets, 10708 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ens5    192.168.42.0/24      0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      ens5    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none
    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:192.168.1.19

root@debian:~# reboot # test if after a reboot, the rule is correctly charged 
Connection to 192.168.1.19 closed by remote host.
Connection to 192.168.1.19 closed.

┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.1.19 -p 2019
root@debian:~# sudo iptables -nvL; sudo iptables -nvL -t nat
Chain INPUT (policy ACCEPT 3849 packets, 1177K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
[...]
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.7.0.0/24          0.0.0.0/0              
[...]   
Chain POSTROUTING (policy ACCEPT 188 packets, 13001 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ens5    192.168.42.0/24      0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      ens5    192.168.43.0/24      0.0.0.0/0            policy match dir out pol none
    5   306 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:192.168.1.19
root@debian:~# 

++
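The thread above turns on two things that are easy to check but were found by hand: the WireGuard rules (INPUT ACCEPT on the UDP port, FORWARD ACCEPT for the tunnel subnet, the POSTROUTING SNAT) vanish after a reboot, and a `systemctl restart wg-iptables.service` line appended to /etc/rc.local is silently dead when it lands after an `exit 0` left by an earlier script. The following POSIX shell script is an added diagnostic written for this page; it is not part of wireguard-install or setup-ipsec-vpn. It assumes the rules look like the `iptables -nvL` output pasted in the comments and that rc.local is an sh script with `exit 0` on its own line. The rc.local text and the iptables dumps below are constructed samples modelled on the ones reported in this issue.

```shell
#!/bin/sh
# Added diagnostic for the two failure modes in this thread (not project code).
# Assumes: rules as pasted above; rc.local is an sh script; "exit 0" sits on
# its own line when present.

# Constructed rc.local text modelled on the reporter's file: the WireGuard
# restart line was appended after an "exit 0" left by an earlier script.
RC_LOCAL_BROKEN='#!/bin/sh

# Added by hwdsl2 VPN script (L2TP/ipsec/ikev2)
(sleep 15
service ipsec restart
service xl2tpd restart
echo 1 > /proc/sys/net/ipv4/ip_forward)&
exit 0

systemctl restart wg-iptables.service'

# Same file with the exit line commented out, as the reporter ended up doing.
RC_LOCAL_FIXED=$(printf '%s\n' "$RC_LOCAL_BROKEN" | sed 's/^exit 0$/#exit 0/')

# Print every command line that follows a top-level "exit 0" in rc.local text
# read from stdin. Those lines never execute, so a restart placed there is a
# no-op. Comments and blank lines are ignored. Simplification: an "exit 0" on
# its own line inside a multi-line ( ... ) group would also trip this check.
rc_local_unreachable() {
  awk '
    seen && $0 !~ /^[ \t]*(#|$)/ { print }
    /^[ \t]*exit[ \t]+0[ \t]*$/  { seen = 1 }
  '
}

# Constructed excerpts of "iptables -nvL; iptables -nvL -t nat" in the shape
# pasted above: after reboot only the IPsec rules remain; the healthy dump has
# the three rules wireguard-install adds for port 51820 and subnet 10.7.0.0/24.
WG_PORT=51820
WG_SUBNET=10.7.0.0/24

DUMP_AFTER_REBOOT='Chain INPUT (policy ACCEPT 9099 packets, 718K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  148  9361 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 145 packets, 10564 bytes)
    0     0 MASQUERADE  all  --  *      ens5    192.168.42.0/24      0.0.0.0/0'

DUMP_HEALTHY='Chain INPUT (policy ACCEPT 805 packets, 220K bytes)
    2   352 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    0     0 ACCEPT     all  --  *      *       10.7.0.0/24          0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 146 packets, 10708 bytes)
    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:192.168.1.19'

# Read a dump on stdin and print the names of the WireGuard rules that are
# absent; prints an empty line when all three are present.
# $1 = WireGuard UDP port, $2 = tunnel subnet.
wg_rules_missing() {
  port=$1 subnet=$2 dump=$(cat) missing=""
  # INPUT: an ACCEPT for the WireGuard listening port.
  printf '%s\n' "$dump" | grep -F "udp dpt:$port" | grep -q 'ACCEPT' \
    || missing="$missing input-udp-$port"
  # FORWARD: an ACCEPT whose source is the tunnel subnet (trailing space keeps
  # the match off the "!subnet" column of the SNAT line).
  printf '%s\n' "$dump" | grep -F "$subnet " | grep -q 'ACCEPT' \
    || missing="$missing forward-$subnet"
  # POSTROUTING: the SNAT rule for tunnel traffic leaving the subnet.
  printf '%s\n' "$dump" | grep -F 'SNAT' | grep -qF "!$subnet" \
    || missing="$missing snat-$subnet"
  printf '%s\n' "${missing# }"
}

# Stand-alone run over the constructed samples. On a live server, feed
# "sudo iptables -nvL; sudo iptables -nvL -t nat" and "cat /etc/rc.local".
echo "rc.local lines that never run:"
printf '%s\n' "$RC_LOCAL_BROKEN" | rc_local_unreachable
echo "WireGuard rules missing after reboot: $(printf '%s\n' "$DUMP_AFTER_REBOOT" | wg_rules_missing "$WG_PORT" "$WG_SUBNET")"
echo "WireGuard rules missing when healthy: [$(printf '%s\n' "$DUMP_HEALTHY" | wg_rules_missing "$WG_PORT" "$WG_SUBNET")]"
```

Run against a real host, a non-empty result from `wg_rules_missing` right after boot points at the service-ordering problem described in this thread, and a non-empty result from `rc_local_unreachable` explains why an appended restart line had no effect; commenting out or moving the `exit 0`, as the reporter did, clears the second finding.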

hwdsl2 commented 2 years ago

@archidote Thanks for the update. A fix has been applied in f50b376 for this issue.