tusc / wireguard-kmod

WireGuard for UDM series routers
https://www.wireguard.com/

[Solved] Can connect on LAN but cannot connect outside of network #59

Closed lenaxia closed 2 years ago

lenaxia commented 2 years ago

Setup: UDM Pro at 192.168.0.1, iPhone roaming

I'm able to successfully establish a connection when I use the LAN endpoint (192.168.0.1:51820):

# wg
interface: wg0
  public key: <HIDDEN>
  private key: (hidden)
  listening port: 51820

peer: <HIDDEN>
  endpoint: 192.168.0.215:58262
  allowed ips: 10.0.0.2/32
  latest handshake: 2 seconds ago
  transfer: 360 B received, 184 B sent

However when I switch that to my WAN endpoint 174.21.xxx.xxx:51820, I cannot establish a handshake.

Server config:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <HIDDEN>

[Peer]
PublicKey = <HIDDEN>
AllowedIPs = 10.0.0.2/32

Client Config:

[Peer]
PrivateKey = <HIDDEN>
AllowedIPs = 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0./12

[Interface]
Address = <PUBLIC WAN IP>
ListenPort = 51820
PublicKey = <HIDDEN>

Here is my firewall config: https://lenaxia.net/i/images/Screenshot-6.png

I do not have any port forwarding rules configured.

When I use the WAN endpoint, this is the only output I get:

# wg
interface: wg0
  public key: <HIDDEN>
  private key: (hidden)
  listening port: 51820

peer: <HIDDEN>
  allowed ips: 10.0.0.2/32

What am I missing that is preventing me from accessing WG from outside my network?

I'm following these guides:

peacey commented 2 years ago

Hi @lenaxia,

Your client config is wrong. Please double check the tutorials. You should have an Endpoint for the WAN IP in the Peer section and the Interface Address should be the wireguard local IP, not WAN IP. Your public/private key should also be switched. Your client config should look like this:

[Interface]
Address = 10.0.0.2/32
PrivateKey = <HIDDEN>

[Peer]
Endpoint = WAN_IP:51820
PublicKey = <HIDDEN>
AllowedIPs = 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12

Regards, Peacey
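As an added example (not code from this issue or from the wireguard-kmod project), here is a small linter that flags exactly the client-config mistakes described above (Endpoint missing, Address set to the WAN IP, keys in the wrong sections) and also the malformed third AllowedIPs entry in the posted config; the sample config string is constructed from the issue and the check rules are my own.

```python
import ipaddress
# Constructed sample: the client config as first posted in this issue (the broken one).
BAD_CLIENT_CONF = """
[Peer]
PrivateKey = <HIDDEN>
AllowedIPs = 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0./12
[Interface]
Address = <PUBLIC WAN IP>
PublicKey = <HIDDEN>
"""

def parse_wg_conf(text):  # INI-style config -> {section: [{key: value}, ...]}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def lint_client_conf(text):  # problems that would stop the client from handshaking
    conf, problems = parse_wg_conf(text), []
    for iface in conf.get("Interface", []):
        if "PublicKey" in iface:
            problems.append("Interface: PublicKey belongs in [Peer]")
        if "PrivateKey" not in iface:
            problems.append("Interface: missing PrivateKey (the client's own key)")
        try:  # Address must be the tunnel IP (e.g. 10.0.0.2/32), not the WAN IP
            ipaddress.ip_interface(iface.get("Address", ""))
        except ValueError:
            problems.append(f"Interface: Address {iface.get('Address')!r} is not a tunnel IP")
    for peer in conf.get("Peer", []):
        if "PrivateKey" in peer:
            problems.append("Peer: PrivateKey belongs in [Interface]")
        if "PublicKey" not in peer:
            problems.append("Peer: missing PublicKey (the server's key)")
        if not peer.get("Endpoint", "").rpartition(":")[2].isdigit():
            problems.append("Peer: Endpoint must be host:port, e.g. WAN_IP:51820")
        for cidr in peer.get("AllowedIPs", "").split(","):
            try:
                ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                problems.append(f"Peer: AllowedIPs entry {cidr.strip()!r} is not a valid CIDR")
    return problems
```

Running `lint_client_conf(BAD_CLIENT_CONF)` reports seven problems; the corrected config from the reply above reports none.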

lenaxia commented 2 years ago

Hi, that was a typo because I was manually filling out my client config from my iPhone. I am using the correct definition for Endpoint.

When I use the LAN IP for the endpoint, it works, when I use the WAN IP for the endpoint it does not work.


peacey commented 2 years ago

@lenaxia, did you open up the port 51820 on WAN LOCAL on the UDM firewall? UDM is the server right?

lenaxia commented 2 years ago

I did open 51820 on Internet Local (I'm assuming that's the updated name for it based on my UI version). The server is a UDM Pro.

Just to be explicit, I don't need any port forwarding right?


lenaxia commented 2 years ago

@peacey any ideas where I can start debugging? I'm not sure where else I should be looking or what I missed.

peacey commented 2 years ago

@lenaxia, you didn't miss anything. If the public/private keys are right and the port is open, it should work. There is no port forward required.

Do you have any other firewall rules that can interfere? Also, do you have any local network on the UDM with the same subnet as the wireguard (10.0.0.0/24)?

Make sure you're testing from outside your network and that if you're connected to another WiFi, it doesn't share any of the wireguard subnets you set in AllowedIPs on the client.

You can run a tcpdump on the UDM for port 51820 on the WAN to see if you're getting any traffic on it when you try to connect from your phone. And you can run tcpdump on the wg0 interface to see if the wireguard tunnel is seeing anything.

tcpdump -ni any port 51820
tcpdump -ni wg0

lenaxia commented 2 years ago

So weird... It's working now. I didn't change anything. I was definitely off of my wifi and on cellular and it wasn't working. Ugh lol thanks for the help! I'll definitely keep tcpdump in mind for any future troubleshooting. Totally forgot about it!