wireguard setup clamification - ABANDONED

[jankom]

Edited original post on Novermber 30, 2022

I have abandoned trying to replace OVPN with wireguard tool as a VPN connector.

The nameserver set up by the ISP in Hungary does not work accessing the US based OVPN host - probably due to some EU regulations. Therefore I made a small batch script to overwrite "/etc/resolv.conf" file with nameserver IP-s used by the US VPN host. This way OVPN woks fine, and I do have access in Hungary (EU) to sites requiring US based IP.

Consequently I mark this topic as "abandoned".

End of 11/30/2022 edit by jankom
/////////////////////////////////////////////////////

I have a server (linode, remote) with public ip and a Fitlet2 machine as my desktop connected to Internet via ISP. I have been using OVPN to VPN connect to the linode machine. I'm trying to replace ovpn with wireguard, but was unable to get it going. Obviously, I stopped the ovpn server on the remote side, and my only Internet connection of the Fitlet desktop is with iwd WiFi and my ISP at home. Both the remote and home machines run Gentoo linux.

a) Recompiled kernel per gentoo instruction on both machines
b) emerged wireguard-tools on both machines
c.) followed Gentoo and Wireguard instruction to set up tunnel. ping does not work.

Questions:

(1) server-peer or peer-peer?
(2) (maybe stupid Q) private key is the server and public key is the peer wanting to connect to server?
(3) "Endpoint" is marked as optional in man 8 wg - should I specify it in the server or peer configuration (peer is the Fitlet, server is the remote with public IP)
(4) Where is configuration saved? /etc/wireguard/ is empty even after setting up tunnel using command line, so I did wg showconf wg0 > wg0.conf in any folder - both the server and peer just to save what I did.

Janos (jankom)

[szatox]

There is no server in wireguard, it's intended to operate in full-mesh topology.
At least one machine on each link needs a static-ish IP though. The other machine's IP will be discovered when it sends a hello,

Both machines must have their private keys and peers' public keys. Create a private key, extract a public key out of it, and copy the public key to the peer. Repeat the process on the peer; the configuration is mostly symmetric.

A config file like the snippet below can be loaded with wg-quick

[jankom]

What I mean "server" is the designated peer I tunnel into so that once connected my public IP will appear that of the server. Without wireguard tunneling my public IP appears that of the ISP.

I'm still not there. Finally my home machine (Fitlet2) is connected to the remote (linode) machine, the "server" via wg0 private network. I can ping back and forth within 10.x.x.x private network and vpn tunnel. However, my public IP is still that of the ISP and not of the remote machine. Here is my server config:

[DavidF]

My goal is to
Code:
curl ifconfig.me
show the <public IP of remote server>. Can you please help?

If I understand what you are after ... Your tunnel to the remote server is only traffic on your private network 10.9.0.1/32. All other internet traffic will be using your isp ip. If you want all traffic to reflect the remote peer IP you need to add 0.0.0.0/0 to your AllowedIPs . That will tunnel all traffic through the remote server. Check it with whatsmyip to be sure.

[szatox]

Well, if you want to use your remote machine as a proxy for browsing the internet, the easiest way to do that is by connecting there using ssh with -D <port number> and telling your browser to use socks proxy at localhost:<port number>.

If you want to route all your traffic via wireguard, set AllowedIPs on the client to 0/0 (only on client, the server node should still have a smaller mask, 32 is perfectly fine for a single peer). Also, you will need to update your routes on the client. Add server's wireguard IP as default route with a smaller metric, or replace it completely; add a static route to the Endpoint's IP via used_to_be_the_default_gateway so your packets won't loopback into wireguard infinitely.
On top of that, reconfigure firewall on the server node to forward traffic from wireguard and MASQUERADE client's IP. This last part is exactly the same as with sharing any other connection with LAN behind your linux router.

Quite frankly, since you're switching from openvpn, you should be able to figure out the rest yourself; it's not specific to wireguard. The only tricky part here is setting masks on peer's IP for client and server, unlike in a typical lan, they won't be the same.

[bbgermany]

[jankom]

Thank you all for your suggestions. I'm still a noob. I did add the "0.0.0.0./0" part to client AllowedIps and the "DNS..." part as well. However when I start the client I get the error:

[Hu]

Please show the rules that Wireguard passed to iptables-restore. You mention "0.0.0.0./0" in your text, which I think is incorrect. There should be no dot before the slash. If that was not an error in your post, but a faithful recounting of what you gave Wireguard, that might cause this failure.

[DavidF]

I am just re-reading your initial post. When you connect to the linode server via wireguard your endpoint ip server side will be your desktop isp ip. The traffic is encrypted as you were with ovpn. The only purpose in 0.0.0.0/0 would be to run all your desktop internet traffic through the server. Doing that would reflect the server ip.

I have looked at several different ways iptables and routing can be used. I do not have any routing rules in my wg0.conf. I have opened the wireguard port on all machines connecting to my netgate router running wireguard. Not sure If I have the best setup but it works.

All this assumes you have a valid handshake based on your ping response. With the 0.0.0.0/0 removed does 'wg show' show the handshake

[jankom]

[DavidF]

With the interface up ... what is the output of 'wg show '

[jankom]

[DavidF]

Thanks, You are not connecting , you should see a line that verifies a handshake.

Is 10.8.0.0 the subnet you are using for wireguard?

If so what is the subnet of your linode server? My assumption is that it is your public IP, ifconfig would verify

I would add your public ip to your allowed ips. See if that does not get you connected.

[jankom]

yes, 10.9.0.0 is the subnet.

[DavidF]

Try adding your public ip to allowed ips and see what happens.

perhaps .. AllowedIPs =10.8.0.0/24 , your.public.ip.xx/32

You should see the handshake on the last lines of 'wg show'

my desktop looks like this

latest handshake: 1 minute, 32 seconds ago
transfer: 37.85 MiB received, 3.64 MiB sent

[jankom]

[szatox]

[DavidF]

szatox

In the future I will not post if I have not lab tested (been there done that). My home lab is behind a pfsense firewall, so the server side wireguard setup is quite simple including firewall rules by peer. My thought was that I was not exposing the public ip since it was in a point to point tunnel. All my servers are on private networks behind the firewall. Looking at it this morning I was reading that one peer can have several endpoints within its local config with a unique wireguard lan address to be accessed by. I am looking forward to seeing the end result of this configuration.

[jankom]

@Hu - your post of Oct 3: sorry, I missed that.
(a) "Please show the rules that Wireguard passed to iptables-restore." - I don't understand iptables-restore. There is such a command, but ?
(b) 0.0.0.0./0 was a typo, the real config is without the trailing dot before /0. If I put that in the client wg0.conf file wg-quick up fails.

@szatox

[szatox]

[jankom]

Solved? - I have now handshake, internet browsing, public ip from remote server (linode), and of course ping. The question mark is because my mailserver powered by postfix on the client side (fitlet) is not working with wireguard, only with the ovpn tunnel. Maybe that is unrelated to the tunnel, so I can work on that serparately. But - there is a difference in "route -n" output between wireguard tunnel and OVPN tunnel.

My current configurations:

[bbgermany]

Hi,

can you try the following client config:

[szatox]

[jankom]

OK, I understand that 0/1 includes 10.8.0.1/32, yes - learning curve.
If I put anything other than the WiFi hotspot nameserver ip (which is a 192.168 .x.x private network ip) then there is no name resoultion if "DNS =" is included in the configuration, It looks like wireguard manipulates /etc/resolv.conf when it activates.
So my setup works as it is now even after removing superfluous 10.8.0.1 argument in alloweIPs,
However, client wg cannot start if 0/0 is specified. I must use 0/1 format.

[bbgermany]

Hi,

Please remove all pre and postup scripts for testing. We need a working config on the client BEFORE adding firewall rules at all. Usually you only need masquerade rules on the server side. Im not quite sure what "iptables-restore" tries to restore as a "raw" table.