baak6 (Tux's lil' helper; Joined: 30 Aug 2003; Posts: 141)
Posted: Tue May 25, 2021 10:34 pm    Post subject: [SOLVED] Wireguard connects but no internet access
Hi friends.
Apologies if this isn't the right place to post this.
I recently purchased myself a little OpenBSD VPS so I could run WireGuard on it. I followed this guide to set up WireGuard: https://ianix.com/wireguard/openbsd-howto.html - very simple.
On my Gentoo machine I ran:
Code:
~ # emerge -av wireguard-tools
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R    ] net-vpn/wireguard-tools-1.0.20210424::gentoo  USE="wg-quick" 0 KiB
I also created the /etc/wireguard folder with wg0.conf as such:
Code:
[Interface]
PrivateKey = <removed>

[Peer]
PublicKey = <removed>
Endpoint = <servers_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
I've omitted the keys and the server IP for obvious reasons.
Then I use wg-quick and all seems normal:
Code:
~ # wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1057ms
Nothing seems to get through and I cannot seem to figure out why.
Running wg show on the client machine, everything looks normal as far as I can tell:
Code:
~ # wg show
interface: wg0
  public key: <removed>
  private key: (hidden)
  listening port: 52833
  fwmark: 0xca6c

peer: <removed>
  endpoint: <servers_ip>:51820
  allowed ips: 0.0.0.0/0, ::/0
I've been stuck trying to figure this out for a while. I had this problem a month ago for the first time. I recently wiped my VPS and started from scratch but no change. I have a feeling the issue is on the client (Gentoo) side since it's a fresh OpenBSD box with a very simple WireGuard setup. But I have no evidence for this.
I do use a custom kernel and I wondered if I was missing something compiled into the kernel perhaps, but I've enabled everything the ebuild asks for and restarted to use that kernel.
Does anyone have any ideas? Please let me know if there's any further information I can provide to help solve this.
Many thanks in advance.
Last edited by baak6 on Thu Jun 03, 2021 9:50 pm; edited 1 time in total
wwdev16 (n00b; Joined: 29 Aug 2018; Posts: 53)
Posted: Wed May 26, 2021 6:52 am
Firewall on either the VPS or Gentoo system?
Does the VPS have a [Peer] section for your Gentoo box? Your /etc/wireguard/wg0.conf doesn't specify ListenPort so it is probably the default and the VPS needs to use the Gentoo port in its [Peer] section.
I would just pick the same port for both systems, e.g. 51820
I don't use wg-quick since Gentoo provides support for wireguard. You might try this in /etc/conf.d/net:
Code:
wireguard_wg0="/etc/wireguard/wg0.conf"
config_wg0="<private-address>/<cidr-bit-count>"
Create a symlink: /etc/init.d/net.wg0 -> /etc/init.d/net.lo
Then start the net.wg0 service.
You need to match up the ports/keys for the tunnel end points:
Code:
# VPS wireguard conf
[Interface]
PrivateKey = <vps-private-key>
ListenPort = 51820

[Peer]
PublicKey = <gentoo-public-key>
Endpoint = <gentoo-public-ip>:51820
AllowedIPs = 10.0.0.0/24

# Gentoo side /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <gentoo-private-key>
ListenPort = 51820

[Peer]
PublicKey = <VPS-public-key>
Endpoint = <VPS-public-ip>:51820
AllowedIPs = 10.0.0.0/24
Note that the wireguard interfaces (wg0) must have assigned addresses. These addresses are not the public addresses of either system. For example you could use 10.0.0.45 for wg0 on the VPS and 10.0.0.46 for wg0 on the gentoo box and use AllowedIPs = 10.0.0.0/24 on both systems. Then from Gentoo you ping 10.0.0.45 and on the VPS you ping 10.0.0.46 to reach the peer. The address assignments for the wg0 interfaces are not done in the wireguard config files, but by the OS net config facilities.
Get the private-address communication working before trying to get routing and nat on the wg0 interfaces working.
baak6 (Tux's lil' helper; Joined: 30 Aug 2003; Posts: 141)
Posted: Wed May 26, 2021 1:23 pm
Thanks for the response.
The Gentoo system doesn't have any firewall or iptables rules, only what is added by WireGuard.
The OpenBSD server has a very basic pf.conf to make WireGuard work, plus the default config.
Code:
#	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

pass in on wg0
pass in inet proto udp from any to any port 51820
pass out on egress inet from (wg0:network) nat-to (em0:0)
All the configs I shared previously were from the Gentoo client. Here's the WireGuard config wg0.conf for the OpenBSD host:
Code:
[Interface]
PrivateKey = <server_private_key>
ListenPort = 51820

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.0/24
I've also updated the Gentoo client to include the ListenPort as you suggested.
Code:
[Interface]
PrivateKey = <client_private_key>
ListenPort = 51820

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
Switching to use netifrc is a great idea, I've done as you suggested:
Code:
~ # ls -l /etc/init.d/net.wg0
lrwxrwxrwx 1 root root 18 May 26 13:25 /etc/init.d/net.wg0 -> /etc/init.d/net.lo
~ # cat /etc/conf.d/net
config_wg0="10.0.0.2/32"
wireguard_wg0="/etc/wireguard/wg0.conf"
That seems to do what it is supposed to when I start Wireguard:
Code:
~ # /etc/init.d/net.wg0 start
 * Bringing up interface wg0
 *   Creating WireGuard interface wg0 ...                                 [ ok ]
 *   Configuring WireGuard interface wg0 ...                              [ ok ]
 *   10.0.0.2/32 ...                                                      [ ok ]
~ # ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.0.2  netmask 255.255.255.255  destination 10.0.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
This doesn't make me lose internet access (presumably since I'm not NATing as you suggested) but I still cannot ping the server's IP, 10.0.0.1.
This is the wg0 interface on the server by the way:
Code:
# ifconfig wg0
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        index 5 priority 0 llprio 3
        wgport 51820
        wgpubkey <server_public_key>
        wgpeer <client_public_key>
                tx: 0, rx: 0
                wgaip 10.0.0.0/24
        groups: wg
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
It makes sense to try to just get the connection to the server working correctly. But I seem to not even be able to get there which is odd. Any ideas?
wwdev16 (n00b; Joined: 29 Aug 2018; Posts: 53)
Posted: Thu May 27, 2021 6:28 am
Maybe a simple thing, your cidr prefix is 32 for the wg0 interface on the gentoo box. You might want to try /24 so that the VPS private address 10.0.0.1 will be accepted on wg0.
It looks like you may have nat enabled on wg0 on the VPS. I think it would be easier to debug if that were turned off for now.
Your ifconfig results say the wg0 interfaces are up. So from the VPS you should be able to ping 10.0.0.1 and from the Gentoo side 10.0.0.2.
If setting the cidr prefix and disabling nat fixed the issues, then pinging the peer private address should also work.
If not, on the gentoo box I would start a tcpdump for the public interface in a separate window and then ping 10.0.0.1 (vps private addr). There should be some outbound traffic on the public interface if the ping packet is getting sent along by wireguard.
If you have a second local gentoo box, you could also experiment in a simplified environment. Just define a second vpn that uses wg1 for the wireguard interfaces on the local boxes, use addresses from 10.10.0.0/24 on the wg1 interfaces, and make sure that firewalls aren't going to block local packets. It would be easier to watch both ends of the tunnel.
wwdev16 (n00b; Joined: 29 Aug 2018; Posts: 53)
Posted: Fri May 28, 2021 7:16 am    Post subject: Wireguard diagnostics
The command wg show wg0 displays info about the wg0 interface. If the output doesn't include a latest handshake line there is probably an issue with the keys or the AllowedIPs.
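The reply above boils the diagnosis down to whether `wg show` has a `latest handshake` line; the posted `wg show` output earlier in the thread has neither that line nor a `transfer` line. The script below is an added example, not code from either poster. It parses the machine-readable form, `wg show wg0 dump`, whose tab-separated columns are the ones wg(8) documents, and turns the counters into a verdict: nothing ever handshaked and nothing sent (no packet reached the interface), initiations sent but never answered (keys, port or UDP firewall), handshake fresh but bytes only leaving (the far side decrypts and drops, as it does when the source address is outside its AllowedIPs), or healthy. The dump lines are constructed with placeholder keys where the real command prints base64, and the 180-second staleness threshold is a chosen heuristic, not a WireGuard constant.

```python
"""Interpret `wg show <iface> dump` output.

Added example, not code from the thread. Column layout is the documented
wg(8) dump format: line 1 = private-key, public-key, listen-port, fwmark;
then per peer = public-key, preshared-key, endpoint, allowed-ips,
latest-handshake (epoch seconds, 0 = never), transfer-rx, transfer-tx,
persistent-keepalive. Keys/addresses below are constructed placeholders.
"""
import time

STALE_AFTER = 180  # seconds; chosen heuristic, an active peer rekeys inside this


def make_dump(handshake, rx, tx, endpoint="203.0.113.10:51820"):
    """Constructed one-peer dump standing in for the posted client state."""
    iface = "\t".join(["<client_private_key>", "<client_public_key>", "51820", "0xca6c"])
    peer = "\t".join(["<server_public_key>", "(none)", endpoint, "0.0.0.0/0,::/0",
                      str(handshake), str(rx), str(tx), "off"])
    return iface + "\n" + peer + "\n"


def parse_dump(text):
    """Return (interface dict, [peer dicts]) from dump text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    f = lines[0].split("\t")
    iface = {"private_key": f[0], "public_key": f[1],
             "listen_port": int(f[2]), "fwmark": f[3]}
    peers = []
    for ln in lines[1:]:
        p = ln.split("\t")
        peers.append({"public_key": p[0], "preshared_key": p[1], "endpoint": p[2],
                      "allowed_ips": p[3], "latest_handshake": int(p[4]),
                      "rx": int(p[5]), "tx": int(p[6]), "keepalive": p[7]})
    return iface, peers


def diagnose_peer(peer, now):
    """Return (code, hint), ordered from 'nothing reached wg0' to 'tunnel up'."""
    if peer["endpoint"] == "(none)":
        return ("NO_ENDPOINT", "no Endpoint and the peer has never called in; "
                "this side cannot initiate a handshake")
    if peer["latest_handshake"] == 0:
        if peer["tx"] == 0:
            return ("NOTHING_ROUTED", "never handshaked and nothing sent: no packet has "
                    "been routed into the interface (check prefix/routes on this side)")
        return ("NO_REPLY", "never handshaked although initiations were sent: peer not "
                "answering (keys, Endpoint vs ListenPort, UDP firewall)")
    age = now - peer["latest_handshake"]
    if age > STALE_AFTER:
        return ("STALE", f"last handshake {int(age)}s ago: tunnel idle or peer stopped answering")
    if peer["tx"] > 0 and peer["rx"] == 0:
        return ("ONE_WAY", "fresh handshake, bytes sent but none received: the peer decrypts "
                "but drops our packets (source outside its AllowedIPs) or has no return route")
    return ("OK", "handshake fresh and traffic flowing both ways")


def diagnose(text, now=None):
    """Map each peer's public key to its (code, hint)."""
    now = time.time() if now is None else now
    _, peers = parse_dump(text)
    return {p["public_key"]: diagnose_peer(p, now) for p in peers}


if __name__ == "__main__":
    now = int(time.time())
    for label, dump in [("as posted (no handshake line)", make_dump(0, 0, 0)),
                        ("no Address: sent, nothing back", make_dump(now - 30, 0, 1480)),
                        ("working", make_dump(now - 30, 1480, 1480))]:
        for code, hint in diagnose(dump, now).values():
            print(f"{label}: {code} - {hint}")
```

On a live box, `diagnose(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True))` gives the same verdicts for every configured peer.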
baak6 (Tux's lil' helper; Joined: 30 Aug 2003; Posts: 141)
Posted: Mon May 31, 2021 10:53 am
Many thanks for the help again friend.
Changing /etc/conf.d/net to have /24 instead of /32 did the trick!
Code:
config_wg0="10.0.0.2/24"
It makes sense actually, thinking about it, since it's for the network interface.
I can ping the VPS (10.0.0.1) from my Gentoo box (10.0.0.2) and the other way around now, great success.
How do I go about making sure all my traffic is routed to the VPS via WireGuard now using netifrc? Assuming that my VPS is correctly set up to NAT the wg0 interface to the internet. Do I just have to add a default route via the VPS IP to netifrc? Or do I need to use iptables for this? I'd prefer to keep using netifrc instead of going back to wg-quick really.
baak6 (Tux's lil' helper; Joined: 30 Aug 2003; Posts: 141)
Posted: Thu Jun 03, 2021 9:50 pm
I ended up switching away from netifrc for this and switched to using wg-quick. The main issue I was having with it originally was that the interface didn't have an IP configured. I added Address = 10.0.0.2/24 under the [Interface] section on the client and removed the ListenAddress as it wasn't needed. Then bringing up wg0 via wg-quick made everything work.
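A checker that ties together the advice in wwdev16's first reply (match the ports, put each side's tunnel address inside the other side's AllowedIPs) with the two things that actually went wrong in this thread: a wg-quick client whose [Interface] had no Address, and a netifrc config_wg0 of 10.0.0.2/32 that kept the server's 10.0.0.1 off the tunnel. It is an added example, not code from either poster. The two configs inside it are constructed stand-ins for the posted ones, with placeholder keys and the documentation address 203.0.113.10 in place of the VPS; `adds_routes=True` models wg-quick, which installs a route for every AllowedIPs prefix itself, so the on-link check only applies to the netifrc case where the interface prefix is the only route into wg0.

```python
"""Cross-check a WireGuard client/server config pair.

Added example, not code from the thread: the port/AllowedIPs checks from the
replies above, plus the two faults this thread hit (a wg-quick client with no
Address; a netifrc /32 that leaves the server's 10.0.0.1 off-link). Configs
are constructed stand-ins with placeholder keys; 203.0.113.10 stands in for
the VPS."""
import ipaddress

CLIENT_POSTED = """\
[Interface]
PrivateKey = <client_private_key>
ListenPort = 51820

[Peer]
PublicKey = <server_public_key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
SERVER_POSTED = """\
[Interface]
PrivateKey = <server_private_key>
ListenPort = 51820

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.0/24
"""
# The one-line change that resolved the thread.
CLIENT_FIXED = CLIENT_POSTED.replace("[Interface]\n", "[Interface]\nAddress = 10.0.0.2/24\n")


def parse_wg_conf(text):
    """Parse wg(8)/wg-quick INI text into {'Interface': {...}, 'Peer': [{...}]}.
    Keys are lower-cased, '#' comments stripped, several [Peer]s allowed."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key.lower()] = val
    return {"Interface": iface, "Peer": peers}


def allowed_covers(allowed_csv, addr):
    """Cryptokey-routing test: does any AllowedIPs prefix contain this address?"""
    ip = ipaddress.ip_interface(addr).ip
    return any(ip in ipaddress.ip_network(s.strip(), strict=False)
               for s in allowed_csv.split(",") if s.strip())


def check_pair(client_text, server_text, client_addr=None, server_addr=None,
               adds_routes=False):
    """Return a list of problems; empty means the pair is consistent.
    client_addr/server_addr give the tunnel address when it is set outside the
    config (netifrc config_wg0, ifconfig on OpenBSD). adds_routes=True means
    wg-quick, which routes every AllowedIPs prefix into wg0 itself."""
    c, s = parse_wg_conf(client_text), parse_wg_conf(server_text)
    problems = []
    c_addr = (client_addr or c["Interface"].get("address", "")).split(",")[0].strip()
    s_addr = (server_addr or s["Interface"].get("address", "")).split(",")[0].strip()
    # 1. Endpoint port must equal the server's ListenPort.
    listen = s["Interface"].get("listenport", "")
    for p in c["Peer"]:
        ep = p.get("endpoint", "")
        port = ep.rsplit(":", 1)[-1] if ":" in ep else ""
        if port != listen:
            problems.append(f"client Endpoint port {port!r} != server ListenPort {listen!r}")
    # 2. With no tunnel address Linux borrows a source address from another
    #    interface; the server decrypts, finds it outside AllowedIPs, drops it.
    if not c_addr:
        problems.append("client has no tunnel address (wg-quick Address= or netifrc config_wg0)")
        return problems
    # 3. Each side's address must be inside the other side's AllowedIPs.
    if not any(allowed_covers(p.get("allowedips", ""), c_addr) for p in s["Peer"]):
        problems.append(f"no server [Peer] AllowedIPs covers client address {c_addr}")
    if s_addr and not any(allowed_covers(p.get("allowedips", ""), s_addr) for p in c["Peer"]):
        problems.append(f"no client [Peer] AllowedIPs covers server address {s_addr}")
    # 4. Under netifrc only the interface prefix routes into wg0; a /32 sends
    #    10.0.0.1 out the default route instead of the tunnel.
    if s_addr and not adds_routes:
        s_ip = ipaddress.ip_interface(s_addr).ip
        if s_ip not in ipaddress.ip_interface(c_addr).network:
            problems.append(f"server {s_ip} not on-link for client prefix {c_addr}; widen it or add a route")
    return problems


if __name__ == "__main__":
    for label, kw in [("wg-quick as posted", dict(client_text=CLIENT_POSTED, adds_routes=True)),
                      ("netifrc /32", dict(client_text=CLIENT_POSTED, client_addr="10.0.0.2/32")),
                      ("wg-quick fixed", dict(client_text=CLIENT_FIXED, adds_routes=True))]:
        print(label, "->", check_pair(server_text=SERVER_POSTED, server_addr="10.0.0.1/24", **kw) or "OK")
```

The three cases in the `__main__` block replay the thread in order: the first fails on the missing Address, the second on the /32 prefix, and the third (Address = 10.0.0.2/24 under wg-quick) passes. Feed it the real files and the real `ifconfig` addresses and the same checks apply to any two-ended setup.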