unifi-utilities / unifios-utilities

A collection of enhancements for UnifiOS based devices
GNU General Public License v3.0

Wireguard almost works #211

Closed turowicz closed 2 years ago

turowicz commented 3 years ago

Hi @boostchicken,

First I'd like to thank you for your amazing work on this repository!

I have followed the guide here: https://github.com/boostchicken/udm-utilities/wiki/Run-a-Wireguard-VPN-server-on-UDM-Pro

The wg0 connection does indeed come up and I do complete a handshake, but shortly after the connection fails. I am unable to access any resources through the VPN.

Client Logs:

[  +7,696954] wireguard: wg0: Interface created
[  +0,043608] wireguard: wg0: Peer 75 created
[  +0,047732] wireguard: wg0: Sending keepalive packet to peer 75 (217.97.99.123:51820)
[  +0,000038] wireguard: wg0: Sending handshake initiation to peer 75 (217.97.99.123:51820)
[  +0,007134] wireguard: wg0: Receiving handshake response from peer 75 (217.97.99.123:51820)
[  +0,000008] wireguard: wg0: Keypair 26 created for peer 75
[lip19 16:44] wireguard: wg0: Retrying handshake with peer 75 (217.97.99.123:51820) because we stopped hearing back after 15 seconds
[  +0,000090] wireguard: wg0: Sending handshake initiation to peer 75 (217.97.99.123:51820)
[  +5,117206] wireguard: wg0: Handshake for peer 75 (217.97.99.123:51820) did not complete after 5 seconds, retrying (try 2)
[  +0,000164] wireguard: wg0: Sending handshake initiation to peer 75 (217.97.99.123:51820)
[  +5,377042] wireguard: wg0: Handshake for peer 75 (217.97.99.123:51820) did not complete after 5 seconds, retrying (try 3)
[  +0,000027] wireguard: wg0: Sending handshake initiation to peer 75 (217.97.99.123:51820)
[  +4,857534] wireguard: wg0: Retrying handshake with peer 75 (217.97.99.123:51820) because we stopped hearing back after 15 seconds
[  +0,511715] wireguard: wg0: Handshake for peer 75 (217.97.99.123:51820) did not complete after 5 seconds, retrying (try 2)
[  +0,000059] wireguard: wg0: Sending handshake initiation to peer 75 (217.97.99.123:51820)
[  +5,373881] wireguard: wg0: Handshake for peer 75 (217.97.99.123:51820) did not complete after 5 seconds, retrying (try 3)
[  +0,000064] wireguard: wg0: Sending handshake initiation to peer 75 (217.97.99.123:51820)

Server Logs:

# podman logs -f wireguard
[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
DEBUG: (wg0) 2021/07/19 14:43:19 Starting wireguard-go version 0.0.20210424
[#] wg setconf wg0 /dev/fd/63
Warning: AllowedIP has nonzero host part: 192.168.101.2/24
DEBUG: (wg0) 2021/07/19 14:43:19 Starting wireguard-go version 0.0.20210424
DEBUG: (wg0) 2021/07/19 14:43:19 Device started
DEBUG: (wg0) 2021/07/19 14:43:19 UAPI listener started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: handshake worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: TUN reader - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: event worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Interface up requested
DEBUG: (wg0) 2021/07/19 14:43:19 UDP bind has been updated
DEBUG: (wg0) 2021/07/19 14:43:19 Interface state was Down, requested Up, now Up
DEBUG: (wg0) 2021/07/19 14:43:19 UAPI: Updating private key
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: receive incoming v6 - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: decryption worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: encryption worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: decryption worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: handshake worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: encryption worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: decryption worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: handshake worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: encryption worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: decryption worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: handshake worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: encryption worker - started
DEBUG: (wg0) 2021/07/19 14:43:19 UAPI: Updating listen port
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: receive incoming v4 - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: receive incoming v6 - stopped
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: receive incoming v4 - stopped
DEBUG: (wg0) 2021/07/19 14:43:19 UDP bind has been updated
DEBUG: (wg0) 2021/07/19 14:43:19 UAPI: Updating fwmark
DEBUG: (wg0) 2021/07/19 14:43:19 UAPI: Removing all peers
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: receive incoming v4 - started
DEBUG: (wg0) 2021/07/19 14:43:19 Routine: receive incoming v6 - started
DEBUG: (wg0) 2021/07/19 14:43:19 peer(BymT…cyjs) - Starting...
DEBUG: (wg0) 2021/07/19 14:43:19 peer(BymT…cyjs) - UAPI: Created
DEBUG: (wg0) 2021/07/19 14:43:19 peer(BymT…cyjs) - UAPI: Removing all allowedips
DEBUG: (wg0) 2021/07/19 14:43:19 peer(BymT…cyjs) - UAPI: Adding allowedip
DEBUG: (wg0) 2021/07/19 14:43:19 peer(BymT…cyjs) - Routine: sequential receiver - started
DEBUG: (wg0) 2021/07/19 14:43:19 peer(BymT…cyjs) - Routine: sequential sender - started
[#] ip -4 address add 192.168.101.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0

DEBUG: (wg0) 2021/07/19 14:44:16 peer(BymT…cyjs) - Received handshake initiation
DEBUG: (wg0) 2021/07/19 14:44:16 peer(BymT…cyjs) - Sending handshake response
DEBUG: (wg0) 2021/07/19 14:44:16 peer(BymT…cyjs) - Receiving keepalive packet

My configuration:

VPN network: 192.168.101.0/24
VPN server: 192.168.101.1/24
VPN port: 51820
Private networks: 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, 192.168.200.0/24

All rules configured as you mention, except that I am using a different IP for the VPN network, 101 instead of 240.

turowicz commented 3 years ago

My understanding is that after establishing the connection and routing everything through VPN (AllowedIPs = 0.0.0.0/0) it no longer works.

turowicz commented 3 years ago

Server config:

[Interface]
Address = 192.168.101.1/24
ListenPort = 51820
PrivateKey = 0MCG...XG0=
#PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth8 -j MASQUERADE
#PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth8 -j MASQUERADE

[Peer]
PublicKey = BymT...yjs=
AllowedIPs = 192.168.101.2/24
turowicz commented 3 years ago

Client config:

[Interface]
Address = 192.168.101.2/24
PrivateKey = iPH...8VQ=
DNS = 192.168.101.1

[Peer]
PublicKey = LIe...B1E=
Endpoint = [redacted]:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
turowicz commented 3 years ago

After replacing 0.0.0.0/0 on the client with the private networks AllowedIPs = 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, 192.168.200.0/24 it no longer drops and I get:

[  +4,210753] wireguard: wg0: Receiving keepalive packet from peer 78 (217.97.99.123:51820)
[  +9,984748] wireguard: wg0: Receiving keepalive packet from peer 78 (217.97.99.123:51820)
[lip19 17:12] wireguard: wg0: Receiving keepalive packet from peer 78 (217.97.99.123:51820)
[ +10,042259] wireguard: wg0: Receiving keepalive packet from peer 78 (217.97.99.123:51820)

But I can't access any LAN resource.

turowicz commented 3 years ago

The following changes have helped and now I connect to LAN resources:

turowicz commented 3 years ago

Unfortunately the internet works terribly

turowicz commented 3 years ago

OK it now works all right with the following:

Server:

[Interface]
ListenPort = 51820
PrivateKey = 0MC...XG0=

[Peer]
PublicKey = Bym...yjs=
AllowedIPs = 192.168.101.2/32

Client

[Interface]
PrivateKey = iPH...8VQ=
Address = 192.168.101.2/32
DNS = 192.168.101.1

[Peer]
PublicKey = LIe...B1E=
AllowedIPs = 192.168.0.0/16
Endpoint = [redacted]:51820
PersistentKeepalive = 21
turowicz commented 3 years ago

Unfortunately, for some reason the internet is unreliable.

Logs keep saying:

[  +1,687070] IPv6: ADDRCONF(NETDEV_CHANGE): calid015d1cc1f0: link becomes ready
[  +0,000032] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  +0,065509] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  +0,057192] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  +0,713200] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  +0,144245] nvidia-nvswitch: Version mismatch, kernel version 465.31 user version 450.51.06
[  +2,199836] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  +8,346095] IPv6: ADDRCONF(NETDEV_CHANGE): calie2ee7c43ff1: link becomes ready
[  +0,000023] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  +0,376580] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  +1,013473] IPv6: ADDRCONF(NETDEV_CHANGE): cali89b7d9559c1: link becomes ready
[  +0,000021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  +0,051982] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

As if eth0 was having trouble.

turowicz commented 3 years ago

Although the public internet traffic doesn't go through wg0, when wg0 is up, it somehow impacts the public internet connectivity. It becomes really flaky. When I go to google.com and ask for my IP it does give me the local public internet IP, not the server's.

Why would this have an impact?

gtrabanco commented 2 years ago

Try with this:

Server

[Interface]
# Name = Wireguard Server
Address = 192.168.101.1/24
ListenPort = 51820
PrivateKey = #Server Private Key#
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = echo "$(date +%s) WireGuard Started" >> /var/log/wireguard.log
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = echo "$(date +%s) WireGuard Going Down" >> /var/log/wireguard.log

[Peer]
# Name = Peer 1
PublicKey = #Client Public Key#
AllowedIPs = 192.168.101.2/32

Client

[Interface]
# Name = Peer 1
Address = 192.168.101.2/32
PrivateKey = # Client Private Key #
DNS = 1.1.1.1,1.0.0.1

[Peer]
# Name = Wireguard Server
Endpoint = #Server FQDN or IP with :51820
PublicKey = # Server Public Key #
# AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1 # This is necessary if you have some advanced routing, check split-vpn project.
AllowedIPs = 0.0.0.0/0, ::/0

With my knowledge, it could be:

If you do not want to tunnel traffic between your peer and wg to go to Internet and route only local traffic see my repository wireguard-site-to-site.

If you have any doubt about the wg configuration, check the pirate docs.
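
The two config pairs above (turowicz's original server/client pair and the full-tunnel pair suggested here) can be checked mechanically. Below is an added example, not code from the unifios-utilities project or from any commenter: a small Python linter that parses wg-quick style configs and flags the mistakes this thread ran into, namely a server-side peer AllowedIPs with a nonzero host part (the `Warning: AllowedIP has nonzero host part` in the server log above), a client routing 0.0.0.0/0 through a server whose FORWARD/MASQUERADE PostUp hooks are commented out, a client tunnel address outside every peer's AllowedIPs, and a split-tunnel client whose AllowedIPs do not cover the server's tunnel address or an in-tunnel DNS server. The sample configs are constructed from the pair posted early in the thread; the `*_PLACEHOLDER` keys and the endpoint `vpn.example.invalid` are made up.

```python
"""Lint a WireGuard server/client config pair for the mistakes in this thread.
Added example, not code from unifios-utilities. The sample configs below are
constructed from the pair posted early in the thread, with placeholder keys
and a made-up endpoint; nothing here touches a real interface."""
import ipaddress
import re
from typing import List

SERVER_BROKEN = """
[Interface]
Address = 192.168.101.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
#PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth8 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.101.2/24
"""

CLIENT_BROKEN = """
[Interface]
Address = 192.168.101.2/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
DNS = 192.168.101.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""

def parse(text: str) -> list:
    """Minimal wg(8)-style parser: '#' starts a comment, keys may repeat.
    Returns [(section_name, {key: [values...]}), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1), {}))
        elif not sections:
            raise ValueError(f"key outside any section: {line}")
        else:
            key, _, value = line.partition("=")
            sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def raw_values(cfg, section, key) -> List[str]:
    """Every value of `key` in every `section` block, uncut (PostUp and friends)."""
    return [v for name, kv in cfg if name == section for v in kv.get(key, [])]

def list_values(cfg, section, key) -> List[str]:
    """Like raw_values, but split on commas (Address, AllowedIPs, DNS)."""
    return [x.strip() for v in raw_values(cfg, section, key) for x in v.split(",") if x.strip()]

def lint_pair(server_text: str, client_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    server, client = parse(server_text), parse(client_text)

    # 1. Server-side peer AllowedIPs should be host routes; wg(8) warns about a
    #    nonzero host part and installs the masked network instead.
    peer_nets = []
    for s in list_values(server, "Peer", "AllowedIPs"):
        iface = ipaddress.ip_interface(s)
        if iface.ip != iface.network.network_address:
            findings.append(f"server AllowedIPs {s} has a nonzero host part; wg installs "
                            f"{iface.network}, you probably meant {iface.ip}/{iface.max_prefixlen}")
        peer_nets.append(iface.network)

    # 2. The client's tunnel address must sit inside some peer's AllowedIPs,
    #    or the server discards every packet it decrypts from that peer.
    for a in list_values(client, "Interface", "Address"):
        ip = ipaddress.ip_interface(a).ip
        if not any(ip in n for n in peer_nets):
            findings.append(f"client address {ip} is outside every server AllowedIPs entry")

    client_routes = [ipaddress.ip_network(s, strict=False)
                     for s in list_values(client, "Peer", "AllowedIPs")]

    # 3. A full-tunnel client needs the server to forward and NAT. Commented-out
    #    PostUp lines (as in the thread) are dropped by the parser, so they do not count.
    if any(n.prefixlen == 0 for n in client_routes):
        hooks = " ".join(raw_values(server, "Interface", "PostUp"))
        if "FORWARD" not in hooks or "MASQUERADE" not in hooks:
            findings.append("client routes 0.0.0.0/0 into the tunnel but server PostUp "
                            "has no FORWARD accept plus MASQUERADE rule")

    # 4. The server's tunnel address and any private (in-tunnel) DNS server must
    #    be covered by the client's AllowedIPs, or the client has no route to them.
    for a in list_values(server, "Interface", "Address"):
        ip = ipaddress.ip_interface(a).ip
        if not any(ip in n for n in client_routes):
            findings.append(f"server tunnel address {ip} is not covered by client AllowedIPs")
    for d in list_values(client, "Interface", "DNS"):
        ip = ipaddress.ip_address(d)
        if ip.is_private and not any(ip in n for n in client_routes):
            findings.append(f"client DNS {ip} is private but not routed through the tunnel")
    return findings
```

Run against the constructed broken pair, `lint_pair(SERVER_BROKEN, CLIENT_BROKEN)` reports exactly the two defects visible in the thread's first configs: the `/24` peer AllowedIPs that wg masks down to `192.168.101.0/24`, and the full-tunnel client with no forwarding or NAT on the server. The same pair with a `/32` peer entry and active PostUp hooks (the full-tunnel layout suggested in this comment) lints clean, and a split-tunnel client whose AllowedIPs omit `192.168.101.0/24` is flagged for both the unreachable server address and the unreachable in-tunnel DNS server.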

alxwolf commented 2 years ago

Any progress on this topic @turowicz ?

With the simple files described in Step 4 and 5 of the wiki it should work. If so, maybe you can close the issue.

turowicz commented 2 years ago

Hey @alxwolf I managed to solve it by changing the DNS to:

DNS = 1.1.1.1,1.0.0.1,192.168.101.1

All other files as per my previous https://github.com/boostchicken/udm-utilities/issues/211#issuecomment-883505518 untouched.

Changing the files as you suggested resulted in failed connections.

It all works perfectly now. Seems like the public internet DNS just needs to be in front of the VPN one.

turowicz commented 2 years ago

*Actually I've also changed the AllowedIPs to my VPN and on-premise networks on UDM.

AllowedIPs = 192.168.100.0/24, 192.168.101.0/24, 192.168.200.0/24
up2geek commented 2 years ago

OK it now works all right with the following:

Server:

[Interface]
ListenPort = 51820
PrivateKey = 0MC...XG0=

[Peer]
PublicKey = Bym...yjs=
AllowedIPs = 192.168.101.2/32

Client

[Interface]
PrivateKey = iPH...8VQ=
Address = 192.168.101.2/32
DNS = 192.168.101.1

[Peer]
PublicKey = LIe...B1E=
AllowedIPs = 192.168.0.0/16
Endpoint = [redacted]:51820
PersistentKeepalive = 21

I logged in just to say thank you for this... I am not using podman, but instead the WireGuard that is supported directly in the kernel of later UDM Pro versions.

I was facing a very similar issue.. would connect/handshake, but couldn't access anything. I spent hours trying to figure out what the heck was going on.. I still don't quite understand it, but removing the 'Address' line under the '[Interface]' section worked for me as well. Everything just started working...

Can't tell you how much time I wasted quadruple checking all my firewall rules in udm and other settings.

Thanks! @turowicz

turowicz commented 2 years ago

@up2geek I've been through the same. This is all trial and error discovery to make it work.

turowicz commented 2 years ago

@up2geek how to use wireguard without podman?

Slychocobo commented 1 year ago

Again, also had this exact same problem, you've stopped me pulling my hair out! Thank you @turowicz

turowicz commented 1 year ago

Nowadays I also remove the DNS entry on client.