Closed lowrisk75 closed 2 years ago
Hi @lowrisk75,
To use 0.0.0.0/0 as an AllowedIPs, you need the iptables raw module, which is only loaded when using the external module. Instead you can use `AllowedIPs = 0.0.0.0/1,128.0.0.0/1`, which covers the same subnet range and doesn't require the iptables raw module.
If you prefer to use 0.0.0.0/0 or the external module with iptables raw support, you can set `LOAD_BUILTIN=0` at the top of `/mnt/data/wireguard/setup_wireguard.sh` to load the external module.
Also, why are you using 0.0.0.0/0? That will route your entire Internet for all UDMP clients through the tunnel. If that's what you want, you will also need to either add a masquerade rule on wg0, or add routes on the server side for your UDMP internal subnets.
-- not related but just checking, in order to have WG surviving a reboot, it's just `cp setup_wireguard.sh /mnt/data/on_boot.d/` right?
That will only load the wireguard module at startup, but not start your tunnel. You will need to add another boot script to start the tunnel at boot. For example, use this script as `/mnt/data/on_boot.d/start_wireguard.sh`. You don't need the setup_wireguard.sh script in /mnt/data/on_boot.d with this method.
```sh
#!/bin/sh
# Load the wireguard kernel module first, then bring the tunnel up.
/mnt/data/wireguard/setup_wireguard.sh
wg-quick up /etc/wireguard/wg0.conf
```
And remember to `chmod +x` the script after creation.
Thanks a lot for your help @peacey.
Sorry, I really don't have a lot of experience with WG. The goal for now is to force a VLAN, or at least an IP, to go through the WG server and get a public IP from it. (I'll probably set this up between two UDM PROs afterward.)
I installed split-VPN since and changed my config:
```ini
[Interface]
PrivateKey = AWSclient.key
Address = 10.68.1.88/32,fc00:dddd:eeee:bb01::5:6666/128
#PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
#PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101
[Peer]
PublicKey = AWSserver.pub
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = AWSIP:51820
```
The connection seems established:
```
# wg
interface: wg0
  public key: ######
  private key: (hidden)
  listening port: 37069

peer: ####
  endpoint: AWSServer:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
  latest handshake: 1 minute, 12 seconds ago
  transfer: 1.21 KiB received, 9.03 KiB sent
```
However, my client still gets a local IP, but I'm trying to do this at the same time as my work and probably misconfigured the vpn.conf.
My client is on a VLAN and connected to a switch (UDM PRO - Switch - Switch2 - port 5) but I misunderstand the configuration (I placed my client IP inside FORCED_SOURCE_IPV4) -- also, the only goal for me at the moment is for my client to have an IP from the WG server before the client itself establishes its own IPsec connection (from macOS); I just don't want the IPsec server to get the real public IP of the UDM.
```sh
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="my_client_IPhere"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC="my_client_MAC_here"
FORCED_SOURCE_IPV4_PORT=""
FORCED_SOURCE_IPV6_PORT=""
FORCED_SOURCE_MAC_PORT=""
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""
FORCED_LOCAL_INTERFACE=""
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""
EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""
EXEMPT_DESTINATIONS_IPV4=""
EXEMPT_DESTINATIONS_IPV6=""
FORCED_IPSETS=""
EXEMPT_IPSETS=""
PORT_FORWARDS_IPV4=""
PORT_FORWARDS_IPV6=""
DNS_IPV4_IP="DHCP" ## I guess I could use Cloudflare here
DNS_IPV4_PORT=53
DNS_IPV4_INTERFACE=""
DNS_IPV6_IP="" ## I could set up Cloudflare IPv6 here
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""
KILLSWITCH=0
REMOVE_KILLSWITCH_ON_EXIT=1
REMOVE_STARTUP_BLACKHOLES=1
VPN_PROVIDER="external"
VPN_ENDPOINT_IPV4="AWSIP"
VPN_ENDPOINT_IPV6=""
GATEWAY_TABLE="auto"
MSS_CLAMPING_IPV4=""
MSS_CLAMPING_IPV6=""
WATCHER_TIMER=1
ROUTE_TABLE=101
MARK=0x9
PREFIX="VPN_"
PREF=99
DEV=wg0 ## initially tun0
```
Why is PostUp and PreDown commented out in your wg0.conf? Is that just a typo? The script won't run if that's commented out.
The rest of your vpn.conf is correct.
That was giving me an error but I fixed it; it seems to work, but my client in question can't get any traffic -- I'll try to specify Cloudflare instead of DHCP and will edit.
Edit: same error
```
# wg-quick up ./wg0.conf
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.68.1.88/32 dev wg0
[#] ip -6 address add fc00:dddd:eeee:bb01::5:6666/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -6 route add ::/1 dev wg0 table 101
[#] ip -6 route add 8000::/1 dev wg0 table 101
[#] ip -4 route add 128.0.0.0/1 dev wg0 table 101
[#] ip -4 route add 0.0.0.0/1 dev wg0 table 101
[#] sh /etc/split-vpn/vpn/updown.sh wg0 up
[Sun Mar 6 22:10:42 GMT 2022] split-vpn: wg0 up: Loading configuration from /etc/split-vpn/wireguard/mullvad/vpn.conf.
[Sun Mar 6 22:10:42 GMT 2022] split-vpn: Using IPv4 gateway from table 201: via my_UDM_PublicIP dev eth8.10.
```
Nothing to do with my wg0 referring to IP table 101 while the gateway comes from table 201?
@lowrisk75, the script is working fine. The problem is your setup on the AWS side. If you set that up yourself, you have to enable ip forwarding and add a masquerade rule on the WAN interface on the AWS server.
Do you know how to do that?
I thought the AWS server was working fine because when I connect from my iPhone all the traffic is rerouted properly and I have an IP from AWS, but you're probably right. I'm double checking the IP forwarding now -- not too sure about masquerade, but surely I can't find something on Google. Thanks a million for your help anyway.
I double checked AWS:
```sh
sudo vim /etc/sysctl.d/10-wireguard.conf
net.ipv4.ip_forward=1
```
Regarding the server WG config:
```ini
[Inteface]
Address = 10.1.1.1/24
ListenPort = 51820
PrivateKey = ##
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = ###
AllowedIPs = 10.1.1.2/32
```
I thought the issue was with Address and AllowedIPs, but those seem to be in the same subnet.
@lowrisk75, I see a potential problem with your WireGuard server config. Your wireguard client has `Address = 10.68.1.88/32` but on the server config, you set the Peer `AllowedIPs = 10.1.1.2/32`. In that case, the traffic will not be allowed through to the client since the IPs don't match. The Peer AllowedIPs on the server config should be the same as the client IP. And you should have a different [Peer] configuration for each different client. So if you want to connect both iPhone and UDMP separately, you need two [Peer] entries, each with the correct client PublicKey and Address associated to that client.
Once you fix that, please do the following tests on the UDMP in SSH after you connect to wireguard:
- Try to ping the WG server VPN IP through the WG tunnel: `ping -I wg0 10.1.1.1`
- If that works, then try to ping 1.1.1.1 through the tunnel: `ping -I wg0 1.1.1.1`
- If that works, try to ping 1.1.1.1 from your UDMP-forced client (not in SSH): `ping 1.1.1.1`
No, @lowrisk75, your server wg0.conf has `Address = 10.1.1.1/32`, so your UDMP client should have 10.1.1.2 NOT 10.1.1.1. Can you set UDMP wg0.conf `Address = 10.1.1.2/32`?
Also, I noticed in your server wg0.conf, you have `Inteface` instead of `Interface`. Is that a typo?
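The address mismatch peacey points out here (client Address outside the server's Peer AllowedIPs), the misspelled section header, the unused IPv6 address, and the `0.0.0.0/1,128.0.0.0/1` replacement for `0.0.0.0/0` from the first reply can all be checked mechanically before bringing the tunnel up. The following is an added example, not code from the split-vpn project or from anyone in this thread. It uses only the Python standard library; the two embedded configs are constructed from the addresses quoted above, and every key and the endpoint IP are placeholders.

```python
"""Cross-check a WireGuard client wg0.conf against the server's wg0.conf.

Added example (not split-vpn project code). Flags: a client Address that no
server [Peer] AllowedIPs covers, a client address family the server never
configures, a misspelled section such as [Inteface], and tests whether a
client's AllowedIPs still form a full default route when 0.0.0.0/0 is
replaced by 0.0.0.0/1 + 128.0.0.0/1. Sample configs are constructed.
"""
import ipaddress
import re

KNOWN_SECTIONS = {"Interface", "Peer"}


def parse_wg_conf(text):
    """Return [(section_name, {key: value}), ...] in file order.
    Comments are stripped; a key repeated inside a section is joined with ','."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        kv = sections[-1][1]
        kv[key] = f"{kv[key]},{value}" if key in kv else value
    return sections


def networks(csv):
    """Parse a comma-separated AllowedIPs string into ip_network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in csv.split(",") if p.strip()]


def covers_default_route(allowed_csv, version=4):
    """True when the prefixes of one IP version merge into a single /0, so
    '0.0.0.0/1,128.0.0.0/1' routes exactly the same range as '0.0.0.0/0'."""
    nets = [n for n in networks(allowed_csv) if n.version == version]
    merged = list(ipaddress.collapse_addresses(nets)) if nets else []
    return len(merged) == 1 and merged[0].prefixlen == 0


def check_tunnel(client_text, server_text):
    """Return a list of human-readable problems; empty means the two configs
    agree on peer addresses and address families."""
    problems = []
    client, server = parse_wg_conf(client_text), parse_wg_conf(server_text)
    for name, _ in client + server:
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section [{name}]: typo? wg-quick rejects it")

    def addresses(conf):  # every Address on every [Interface] section
        return [ipaddress.ip_interface(a.strip())
                for name, kv in conf if name == "Interface"
                for a in kv.get("Address", "").split(",") if a.strip()]

    server_allowed = [n for name, kv in server if name == "Peer"
                      for n in networks(kv.get("AllowedIPs", ""))]
    server_families = {a.version for a in addresses(server)}
    for addr in addresses(client):
        if not any(addr.ip in n for n in server_allowed if n.version == addr.version):
            problems.append(f"client address {addr.ip} is not inside any server "
                            f"[Peer] AllowedIPs ({', '.join(map(str, server_allowed)) or 'none'})")
        if addr.version not in server_families:
            problems.append(f"client has an IPv{addr.version} address but the server "
                            f"[Interface] configures no IPv{addr.version} Address")
    return problems


# Constructed from the thread: server peer allows 10.1.1.2/32, but the client
# still carries its old 10.68.1.88/32 plus an IPv6 address the server lacks.
SERVER_BROKEN = """\
[Inteface]
Address = 10.1.1.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.1.1.2/32
"""
SERVER_FIXED = SERVER_BROKEN.replace("[Inteface]", "[Interface]")

CLIENT_BROKEN = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.68.1.88/32,fc00:dddd:eeee:bb01::5:6666/128
Table = 101
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = 198.51.100.10:51820
"""
CLIENT_FIXED = CLIENT_BROKEN.replace(
    "10.68.1.88/32,fc00:dddd:eeee:bb01::5:6666/128", "10.1.1.2/24")

if __name__ == "__main__":
    for label, c, s in (("broken", CLIENT_BROKEN, SERVER_BROKEN),
                        ("fixed", CLIENT_FIXED, SERVER_FIXED)):
        print(f"{label}: {check_tunnel(c, s) or ['ok']}")
    print("full IPv4 tunnel:", covers_default_route("0.0.0.0/1,128.0.0.0/1"))
```

Running it prints five findings for the broken pair (the `[Inteface]` header, the 10.68.1.88 mismatch, and the address-family gaps) and `ok` for the corrected pair; the coverage check confirms the two /1 prefixes are equivalent to a /0 without needing the iptables raw module that 0.0.0.0/0 requires with the built-in module.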
Ok, big progress; ignore the message I just posted/deleted, I stupidly left 10.1.1.1/24 in the UDMP....
Server:
```ini
[Interface]
Address = 10.1.1.1/24
ListenPort = 51820
PrivateKey = ####
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = ###
AllowedIPs = 10.1.1.2/32
```
UDMP:
```ini
[Interface]
PrivateKey = ##
Address = 10.1.1.2/24,fc00:dddd:eeee:bb01::5:6666/128
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101
[Peer]
PublicKey = ###
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = ##:51820
```
Ping works, I can even get the AWS IP from the terminal (`curl icanhazip.com`) but no traffic at all through Safari/Brave.
-- Sorry, Interface was probably a typo because I don't see it in my config. I disabled iCloud Private Relay obviously and forced the DHCP lease to renew, but nothing; it must be a DNS issue.
I think it might be an MSS clamping/MTU issue. Someone else using AWS had the same problem. I don't think it's a DNS issue because it worked in the terminal with the curl.
Can you set `MSS_CLAMPING_IPV4="1400"` in your vpn.conf and try again?
It's working! Thank you so much, that's wonderful! Truly amazing.
That's great @lowrisk75! Finally we fixed everything lol.
Btw, I noticed you are using an IPv6 address in the UDMP wg0.conf, but your AWS server wireguard isn't using any IPv6 addresses nor even allowing them. So I suggest you remove the IPv6 address from the UDMP config unless you plan to set up IPv6 properly (including forwarding, masquerading on AWS, etc.).
I will remove it; I thought about that yesterday. I was planning to check if AWS had an IPv6 option but I don't think so, and I'm happy enough with IPv4. I will set the UDMP to `Address = 10.1.1.2/24`.
Thank you again.
@lowrisk75, AWS does have IPv6, you have to enable it in the instance settings before you deploy it or attach it afterwards. I've set it up before so I know they do have it.
No problem again! If everything is resolved, you're welcome to close this issue now.
I keep getting an error on line 1 (UDM PRO) but to be fair I'm probably doing something wrong.
BTW, should I not be worried about:
```
Warning: `/mnt/data/wireguard/etc/wireguard/wg0.conf' is world accessible
```
For the moment I'm trying to connect to a WG server in AWS.
My config: (/etc/wireguard/wg0.conf)
-- not related but just checking, in order to have WG surviving a reboot, it's just `cp setup_wireguard.sh /mnt/data/on_boot.d/` right?