wireguard setup clarification - CLOSED

Post by jankom » Fri Sep 30, 2022 10:34 pm

Edited original post on November 30, 2022

I have abandoned trying to replace OVPN with the wireguard tool as a VPN connector.

The nameserver set up by the ISP in Hungary does not work accessing the US based OVPN host - probably due to some EU regulations. Therefore I made a small batch script to overwrite the "/etc/resolv.conf" file with the nameserver IPs used by the US VPN host. This way OVPN works fine, and I do have access in Hungary (EU) to sites requiring a US based IP.

Consequently I mark this topic as "abandoned".

End of 11/30/2022 edit by jankom
/////////////////////////////////////////////////////

I have a server (linode, remote) with public ip and a Fitlet2 machine as my desktop connected to Internet via ISP. I have been using OVPN to VPN connect to the linode machine. I'm trying to replace ovpn with wireguard, but was unable to get it going. Obviously, I stopped the ovpn server on the remote side, and my only Internet connection of the Fitlet desktop is with iwd WiFi and my ISP at home. Both the remote and home machines run Gentoo linux.

a) Recompiled kernel per gentoo instruction on both machines
b) emerged wireguard-tools on both machines
c) followed Gentoo and Wireguard instruction to set up tunnel. ping does not work.

Questions:

(1) server-peer or peer-peer?
(2) (maybe stupid Q) private key is the server and public key is the peer wanting to connect to server?
(3) "Endpoint" is marked as optional in man 8 wg - should I specify it in the server or peer configuration (peer is the Fitlet, server is the remote with public IP)
(4) Where is configuration saved? /etc/wireguard/ is empty even after setting up tunnel using command line, so I did wg showconf wg0 > wg0.conf in any folder - both the server and peer just to save what I did.

Janos (jankom)
Last edited by jankom on Mon May 05, 2025 7:39 pm, edited 2 times in total.
Post by szatox » Fri Sep 30, 2022 11:09 pm

There is no server in wireguard, it's intended to operate in full-mesh topology.
At least one machine on each link needs a static-ish IP though. The other machine's IP will be discovered when it sends a hello.

Both machines must have their private keys and peers' public keys. Create a private key, extract a public key out of it, and copy the public key to the peer. Repeat the process on the peer; the configuration is mostly symmetric.

A config file like the snippet below can be loaded with wg-quick


cat /etc/wireguard/wg.conf 
[Interface]
Address = 10.0.6.1/16
ListenPort = 45089
PrivateKey = [redacted]

# twin server
[Peer]
PublicKey = [redacted]
AllowedIPs = 10.0.6.2/32
Endpoint = [peers public IP]:45089

# mobile client, we don't know its IP in advance so it must send keepalive to maintain the connection. This is configured with PersistentKeepalive = 20 on the other machine in our matching Peer section
[Peer]
PublicKey = [redacted]
AllowedIPs = 10.0.6.230/32
Post by jankom » Sat Oct 01, 2022 10:14 pm

What I mean "server" is the designated peer I tunnel into so that once connected my public IP will appear that of the server. Without wireguard tunneling my public IP appears that of the ISP.

I'm still not there. Finally my home machine (Fitlet2) is connected to the remote (linode) machine, the "server", via the wg0 private network. I can ping back and forth within the 10.x.x.x private network and vpn tunnel. However, my public IP is still that of the ISP and not of the remote machine. Here is my server config:

[Interface]
Address = 10.8.0.1/32
ListenPort = nnnn
PrivateKey = redacted

[Peer]
PublicKey = redacted
AllowedIPs = 10.8.0.2/32
PersistentKeepalive = 20

The client config:

[Interface]
Address = 10.8.0.2/32
ListenPort = nnnn
PrivateKey = redacted

[Peer]
PublicKey = redacted
Endpoint = <public IP of remote server>:nnnn
AllowedIPs = 10.8.0.1/32

My goal is to

curl ifconfig.me

show the <public IP of remote server>. Can you please help?
Post by DavidF » Sat Oct 01, 2022 11:31 pm

jankom wrote: My goal is to
curl ifconfig.me
show the <public IP of remote server>. Can you please help?

If I understand what you are after ... Your tunnel to the remote server is only traffic on your private network 10.9.0.1/32. All other internet traffic will be using your isp ip. If you want all traffic to reflect the remote peer IP you need to add 0.0.0.0/0 to your AllowedIPs. That will tunnel all traffic through the remote server. Check it with whatsmyip to be sure.
Post by szatox » Sun Oct 02, 2022 12:20 am

Well, if you want to use your remote machine as a proxy for browsing the internet, the easiest way to do that is by connecting there using ssh with -D <port number> and telling your browser to use socks proxy at localhost:<port number>.

If you want to route all your traffic via wireguard, set AllowedIPs on the client to 0/0 (only on client, the server node should still have a smaller mask, 32 is perfectly fine for a single peer). Also, you will need to update your routes on the client. Add server's wireguard IP as default route with a smaller metric, or replace it completely; add a static route to the Endpoint's IP via used_to_be_the_default_gateway so your packets won't loopback into wireguard infinitely.
On top of that, reconfigure firewall on the server node to forward traffic from wireguard and MASQUERADE client's IP. This last part is exactly the same as with sharing any other connection with LAN behind your linux router.

Quite frankly, since you're switching from openvpn, you should be able to figure out the rest yourself; it's not specific to wireguard. The only tricky part here is setting masks on peer's IP for client and server, unlike in a typical lan, they won't be the same.
Post by bbgermany » Mon Oct 03, 2022 3:50 pm

DavidF wrote: If I understand what you are after ... Your tunnel to the remote server is only traffic on your private network 10.9.0.1/32. All other internet traffic will be using your isp ip. If you want all traffic to reflect the remote peer IP you need to add 0.0.0.0/0 to your AllowedIPs. That will tunnel all traffic through the remote server. Check it with whatsmyip to be sure.
exactly, if you want to pass all your traffic through the tunnel replace 10.8.x.x/x on your client with 0.0.0.0/0

you should also set a dns server in the config with the following settings string to avoid the same issues as in your openvpn thread

DNS = <your dns server>

Make sure this is in the interface section, not in the peer section of your client!

Greetings Stefan
Post by jankom » Mon Oct 03, 2022 4:38 pm

Thank you all for your suggestions. I'm still a noob. I did add the "0.0.0.0./0" part to client AllowedIps and the "DNS..." part as well. However when I start the client I get the error:
andraslinux /etc/wireguard # wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 10.8.0.1/32 dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
andraslinux /etc/wireguard #
My OVPN works just fine: my public IP is that of the server, and the mail server (postfix) running on the client works as well.
So far wireguard only works (without the 0.0.0.0/0 setting) with ping connections within 10.0.0.0 network but public IP of the ISP not the server, and the postfix server on the client cannot send or receive messages.

Cheers!

Janos (jankom)
Post by Hu » Mon Oct 03, 2022 5:04 pm

Please show the rules that Wireguard passed to iptables-restore. You mention "0.0.0.0./0" in your text, which I think is incorrect. There should be no dot before the slash. If that was not an error in your post, but a faithful recounting of what you gave Wireguard, that might cause this failure.
Post by DavidF » Mon Oct 03, 2022 7:13 pm

I am just re-reading your initial post. When you connect to the linode server via wireguard your endpoint ip server side will be your desktop isp ip. The traffic is encrypted as you were with ovpn. The only purpose in 0.0.0.0/0 would be to run all your desktop internet traffic through the server. Doing that would reflect the server ip.

I have looked at several different ways iptables and routing can be used. I do not have any routing rules in my wg0.conf. I have opened the wireguard port on all machines connecting to my netgate router running wireguard. Not sure If I have the best setup but it works.

All this assumes you have a valid handshake based on your ping response. With the 0.0.0.0/0 removed, does 'wg show' show the handshake?
Thank you guys for your continued interest in helping.

Post by jankom » Mon Oct 03, 2022 8:10 pm

DavidF wrote: When you connect to the linode server via wireguard your endpoint ip server side will be your desktop isp ip.
- My isp IP may not be the same all the time - I don't know. But my linode public IP is stable.

If I connect w/o the 0.0.0.0/0 setting this is what I get at the client side:

andraslinux /etc/wireguard # wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 10.8.0.1/32 dev wg0

\\\

andraslinux /etc/wireguard # wg show
interface: wg0
  public key: blah-blah
  private key: (hidden)
  listening port: nnnn

peer: another-blah-blah
  endpoint: <linode public IP>:nnnn
  allowed ips: 10.8.0.1/32

\\\

andraslinux /etc/wireguard # wg-quick down wg0
[#] ip link delete dev wg0
[#] resolvconf -d wg0 -f
andraslinux /etc/wireguard # 
but my web does not work (name resolution?) now with "DNS = 10.8.0.1" added to client [Interface] section
However, if I comment out the DNS part web browsing works, but not my postfix server. Obviously because my IP is the isp IP, not the linode IP.
Post by DavidF » Mon Oct 03, 2022 8:35 pm

With the interface up ... what is the output of 'wg show'?

Post by jankom » Mon Oct 03, 2022 8:51 pm

andraslinux /usr/src # wg show
interface: wg0
public key: gibberish
private key: (hidden)
listening port: nnnn

peer: another-gibberish
endpoint: <linode public IP>:nnnn
allowed ips: 10.8.0.1/32
Post by DavidF » Mon Oct 03, 2022 9:01 pm

Thanks. You are not connecting; you should see a line that verifies a handshake.

Is 10.8.0.0 the subnet you are using for wireguard?

If so what is the subnet of your linode server? My assumption is that it is your public IP, ifconfig would verify

I would add your public ip to your allowed ips. See if that does not get you connected.
Post by jankom » Mon Oct 03, 2022 9:36 pm

yes, 10.9.0.0 is the subnet.
DavidF wrote: If so what is the subnet of your linode server?
- don't know. It looks like, from the "route -n" command, that linode eth0 is connected to a public ip gateway and has a permanent public IP on that same ARIN allocated ip pool.
I am connected to the Internet, but not through the wireguard interface but my isp (WiFi interface). Wireguard connects me only to the 10.0.0.0 private subnet created for the wg0 interfaces on the server (linode) and client (fitlet, my desktop).
OPENVPN on the other hand puts me on the 10.8.0.0 private network that is routed to linode's public IP. How can wireguard do the same thing?
Post by DavidF » Mon Oct 03, 2022 9:44 pm

Try adding your public ip to allowed ips and see what happens.

perhaps .. AllowedIPs =10.8.0.0/24 , your.public.ip.xx/32

You should see the handshake on the last lines of 'wg show'

my desktop looks like this

latest handshake: 1 minute, 32 seconds ago
transfer: 37.85 MiB received, 3.64 MiB sent
Post by jankom » Tue Oct 04, 2022 3:13 am

andraslinux /etc/wireguard # wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add <my server public IP>/32 dev wg0
[#] ip -4 route add 10.8.0.1/32 dev wg0
andraslinux /etc/wireguard # wg show
interface: wg0
public key: <gibberish>
private key: (hidden)
listening port: nnn

peer: <another gibberish>
endpoint: <my server public IP>:nnnn
allowed ips: 10.8.0.1/32, <my server public IP>/32
andraslinux /etc/wireguard #
Added my server public IP to the client configuration, but no handshaking, and my public IP on the client is still the ISP's.
Tried to add it to the server (linode) configuration - same result, same output except that I cannot ssh to my server unless I down the client wg
Post by szatox » Tue Oct 04, 2022 9:52 am

DavidF wrote:Try adding your public ip to allowed ips and see what happens.
perhaps .. AllowedIPs =10.8.0.0/24 , your.public.ip.xx/32
Why?
It creates ACLs in kernel which makes it accept packets with listed IP incoming via wireguard interface from this peer.
VPN server is not supposed to _ever_ receive a packet with client's public IP via wireguard interface, there is no need to go out of your way to allow it in.
By default, wg-quick also uses this information to add routes, but this behaviour can be disabled with a switch if you'd rather manage routes manually, but you still need the ACL to allow traffic in (and probably select the peer on packet's way out).

jankom, post your wg configs from both sides.
You can mask the keys and endpoints, but keep the private IPs and don't remove any options.
Also, ip route with wireguard active.
Post by DavidF » Tue Oct 04, 2022 2:20 pm

szatox

In the future I will not post if I have not lab tested (been there done that). My home lab is behind a pfsense firewall, so the server side wireguard setup is quite simple including firewall rules by peer. My thought was that I was not exposing the public ip since it was in a point to point tunnel. All my servers are on private networks behind the firewall. Looking at it this morning I was reading that one peer can have several endpoints within its local config with a unique wireguard lan address to be accessed by. I am looking forward to seeing the end result of this configuration.
Post by jankom » Tue Oct 04, 2022 4:53 pm

@Hu - your post of Oct 3: sorry, I missed that.
(a) "Please show the rules that Wireguard passed to iptables-restore." - I don't understand iptables-restore. There is such a command, but ?
(b) 0.0.0.0./0 was a typo, the real config is without the trailing dot before /0. If I put that in the client wg0.conf file wg-quick up fails.

@szatox
# remote server (linode)
[Interface]
Address = 10.8.0.1/32
ListenPort = nnnn
PrivateKey = [redacted]

[Peer]
PublicKey = 28Q2MH3fqDvl4FtNVmhziq2vKTff4P26l/zpaEvpgQI=
AllowedIPs = 10.8.0.2/32
PersistentKeepalive = 20

# local client (Fitlet)
[Interface]
Address = 10.8.0.2/32
ListenPort = 17141
PrivateKey = [redacted]

[Peer]
# jgklinux (linode) with public IP
PublicKey = kIcG2Bh2SAzD7st8z3kL9esMxw1kwEB09slYGdatvnc=
Endpoint = <server public IP>:nnnn
AllowedIPs = 10.8.0.1/32

xxxxxxxxxxxxxxx

# ip route server
gellert@jgklinux ~ $ ip route
default via 198.74.55.1 dev eth0 proto dhcp src <server public ip> metric 1003
10.8.0.2 dev wg0 scope link
169.254.0.0/16 dev dummy0 scope link src 169.254.229.246 metric 1002
198.74.55.0/24 dev eth0 proto dhcp scope link src <server public ip> metric 1003

# ip route client
janos@andraslinux ~ $ ip route
default via 192.168.72.139 dev wlan0 proto dhcp src 192.168.72.11 metric 3006
10.8.0.1 dev wg0 scope link
192.168.72.0/24 dev wlan0 proto dhcp scope link src 192.168.72.11 metric 3006
Looks like 192.168.72.139 is the local ip of the router on my isp and my client WiFi local ip is 192.168.72.11. On the server side the client's 10.8.0.2 wireguard private network ip is connecting to the Internet, so I can ping 10.8.0.1 or 10.8.0.2 from server or client as long as wg0 is active. But traffic from client 10.8.0.2 is routed through the client isp and not through the tunnel. This is why the client's IP is that of the isp.
OPENVPN sends all Internet traffic through the tunnel and yet can send local traffic (printers, other machines in my home WiFi private network 192.168.x.x) correctly within the home network. How can I do that with wireguard?
Post by szatox » Tue Oct 04, 2022 9:27 pm

DavidF wrote: Looking at it this morning I was reading that one peer can have several endpoints within its local config with a unique wireguard lan address to be accessed by.
It can. It's particularly convenient for mobile stations, you can change ISP without breaking your TCP sessions inside wireguard if you reconnect fast enough.
Peers are recognized based on their keys rather than endpoint IPs.
It also means multiple devices can't share a single "account" at the same time. Server will get confused and start sending packets to semi-random, but definitely wrong clients.


jankom:

PersistentKeepalive = 20 should be in the same section as Endpoint → client's side. Since server does not know client's IP in advance, it's client's responsibility to maintain the tunnel.
Also, AllowedIPs = 10.8.0.1/32 in client's config will not allow you to use your server as a gateway. 0.0.0.0/0 does work for me (though it does not replace default route. You might try splitting it into 2 ranges the way openvpn used to: 128.0/1 and 0/1)

# wg show
interface: wg
  public key: [...]
  private key: (hidden)
  listening port: 40874
  fwmark: 0xca6c

peer: [..]
  endpoint: [...]:45089
  allowed ips: 0.0.0.0/0 <--- here it is. wireguard accepted 0.0.0.0/0
  latest handshake: 31 seconds ago
  transfer: 156 B received, 32.00 KiB sent
  persistent keepalive: every 20 seconds
jankom wrote: OPENVPN sends all Internet traffic through the tunnel and yet can send local traffic (printers, other machines in my home WiFi private network 192.168.x.x) correctly within the home network. How can I do that with wireguard?
Set correct routes with ip route.
Longer masks (like 24 typical for LAN) take precedence over shorter (default gw length is 0).
You have /24 on wlan0, so this part is covered.
Also, traffic is not routed from 10.8.0.2. Unicast is always routed "to destination", not "from source". Your ip route dump looks weird though. Lines with "dev wg" seem incomplete. Anyway, fix that client-side config first, there is no next step until the tunnel connects. Make sure you have a direct route to the Endpoint, via your ISP's gw and not via wireguard. Add this one manually.
progress


Post by jankom » Thu Oct 06, 2022 1:40 am

Solved? - I now have handshake, internet browsing, public ip from the remote server (linode), and of course ping. The question mark is because my mailserver powered by postfix on the client side (fitlet) is not working with wireguard, only with the ovpn tunnel. Maybe that is unrelated to the tunnel, so I can work on that separately. But - there is a difference in "route -n" output between the wireguard tunnel and the OVPN tunnel.

My current configurations:
## remote server (linode)
jgklinux /etc/wireguard # cat wg0.conf
[Interface]
ListenPort = nnnn
PrivateKey = [...]
Address = 10.8.0.1/32

[Peer]
PublicKey = [gibberish-1]
AllowedIPs = 10.8.0.2/32

## local peer (filet)
andraslinux /etc/wireguard # cat wg0.conf
[Interface]
Address = 10.8.0.2/32
ListenPort = nnnn
PrivateKey = [...]

[Peer]
PublicKey = [gibberish-2]
Endpoint = <my server public ip>:nnnn
PersistentKeepalive = 20
allowedIPs = 0.0.0.0/1, 10.8.0.1/32
(a) Apparently 0.0.0.0/0 does NOT work, but 0.0.0.0/1 DOES indeed work.
(b) Need to add the "Address = " stanza explicitly to both ends of the tunnel, otherwise cannot ping.
(c) Wireguard uses ip command sets to create the tunnel.
(d) There is a difference in routing with wireguard or OVPN:
# with wireguard:
janos@andraslinux ~ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg0
0.0.0.0 192.168.72.139 0.0.0.0 UG 3006 0 0 wlan0
10.8.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
192.168.72.0 0.0.0.0 255.255.255.0 U 3006 0 0 wlan0
janos@andraslinux ~ $

# with OVPN:
janos@andraslinux ~ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.72.139 0.0.0.0 UG 3006 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
192.168.72.0 0.0.0.0 255.255.255.0 U 3006 0 0 wlan0
<my server public ip> 192.168.72.139 255.255.255.255 UGH 0 0 0 wlan0

# w/o tunneling (OVPN or wireguard):
janos@andraslinux ~ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.72.139 0.0.0.0 UG 3006 0 0 wlan0
192.168.72.0 0.0.0.0 255.255.255.0 U 3006 0 0 wlan0
I'm sorry, I'm not experienced enough in ip commands and routing and therefore I cannot understand the above difference.
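Added example, not part of the thread or of any project: a longest-prefix-match lookup over the two client `route -n` tables jankom posted above, to make szatox's point concrete that longer masks win and to show which destinations leave by wlan0 instead of the tunnel. The server's public IP is replaced by the constructed 198.74.55.200 (inside the 198.74.55.0/24 seen in the server's ip route output), the sample destinations are constructed TEST-NET / shared-address values, and the third table adds a 128.0.0.0/1 route that the thread does not contain.

```python
"""Longest-prefix-match lookup over the client `route -n` tables posted in this
thread: which destinations enter the tunnel, and whether packets to the WireGuard
Endpoint itself would be routed back into the tunnel."""
import ipaddress

# Copies of the two posted tables, header lines dropped. "<my server public ip>"
# is replaced by the constructed 198.74.55.200 (inside the 198.74.55.0/24 seen
# in the server's own ip route output).
SERVER_PUBLIC_IP = "198.74.55.200"

WIREGUARD_TABLE = """\
0.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg0
0.0.0.0 192.168.72.139 0.0.0.0 UG 3006 0 0 wlan0
10.8.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
192.168.72.0 0.0.0.0 255.255.255.0 U 3006 0 0 wlan0
"""

OPENVPN_TABLE = """\
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.72.139 0.0.0.0 UG 3006 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
192.168.72.0 0.0.0.0 255.255.255.0 U 3006 0 0 wlan0
198.74.55.200 192.168.72.139 255.255.255.255 UGH 0 0 0 wlan0
"""

# Constructed, not from the thread: the WireGuard table with the other half
# (128.0.0.0/1) also sent via wg0 but still no host route for the Endpoint.
WIREGUARD_BOTH_HALVES = WIREGUARD_TABLE + "128.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg0\n"

def parse_route_n(text):
    """Parse `route -n` rows into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":
            continue  # tolerate the two header lines if they are pasted too
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)  # dest/genmask
        routes.append((net, cols[1], int(cols[4]), cols[7]))
    return routes

def lookup(routes, addr):
    """(iface, gateway) the kernel picks: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, metric, iface in routes:
        if ip in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, iface, gw)
    return None if best is None else (best[1], best[2])

def outside_tunnel(routes, tunnel_iface, destinations):
    """Destinations that leave via some interface other than the tunnel."""
    return [d for d in destinations if lookup(routes, d)[0] != tunnel_iface]

def endpoint_loops(routes, tunnel_iface, endpoint_ip):
    """True if the encrypted packets to the Endpoint would themselves enter the tunnel."""
    return lookup(routes, endpoint_ip)[0] == tunnel_iface

if __name__ == "__main__":
    # Constructed sample destinations: one in each half of IPv4, plus tunnel and LAN hosts.
    samples = ["100.64.0.10", "203.0.113.10", "10.8.0.1", "192.168.72.50"]
    for name, text, tun in (("wireguard 0/1 only", WIREGUARD_TABLE, "wg0"),
                            ("openvpn", OPENVPN_TABLE, "tun0"),
                            ("wireguard 0/1 + 128/1", WIREGUARD_BOTH_HALVES, "wg0")):
        rt = parse_route_n(text)
        print(f"{name}: outside={outside_tunnel(rt, tun, samples)} "
              f"endpoint_loops={endpoint_loops(rt, tun, SERVER_PUBLIC_IP)}")
```

With the posted WireGuard table the upper half of IPv4 (203.0.113.10 here) still leaves by wlan0, which is why 0.0.0.0/1 alone "worked": the Endpoint happens to sit in that untunneled half, so nothing loops; once 128.0.0.0/1 is added too, the Endpoint needs its own host route via the ISP gateway, exactly as the OpenVPN table shows.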
Post by bbgermany » Thu Oct 06, 2022 9:01 am

Hi,

can you try the following client config:

[Interface]
Address = 10.8.0.2/32
PrivateKey = <your client private key>
DNS = <your dns server of choice>

[Peer]
PublicKey = <your public key>
Endpoint = <your server ip/hostname>:<wireguard server port>
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
Your server config looks good as far as I can see.

Greetings Stefan
Post by szatox » Thu Oct 06, 2022 1:34 pm

jankom wrote: allowedIPs = 0.0.0.0/1, 10.8.0.1/32
0.0.0.0/1 contains 10.8.0.1/32.
You're missing the other half of the internet though.
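Added example, not from the thread or from the WireGuard project: a small Python linter that applies the points szatox makes here and in the earlier post (0.0.0.0/1 already contains 10.8.0.1/32, the 128.0.0.0/1 half is missing, PersistentKeepalive belongs on the side that has the Endpoint) plus bbgermany's note that DNS goes in [Interface], and jankom's finding that a missing Address leaves the tunnel unpingable. The two configs inside are constructed stand-ins for the posted ones, with placeholder keys, port and a TEST-NET-2 endpoint address.

```python
"""Lint a wg-quick style config for the mistakes discussed in this thread: partial
AllowedIPs, redundant ranges, keepalive on the wrong side, DNS in [Peer], no Address."""
import ipaddress

# Constructed configs modelled on the client and server configs posted in the
# thread; keys, port and endpoint (TEST-NET-2) are placeholders, not real values.
CLIENT_CONF = """\
[Interface]
Address = 10.8.0.2/32
ListenPort = 17141
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 198.51.100.7:51820
PersistentKeepalive = 20
allowedIPs = 0.0.0.0/1, 10.8.0.1/32
"""

SERVER_CONF = """\
[Interface]
Address = 10.8.0.1/32
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32
PersistentKeepalive = 20
"""

def parse_wg_conf(text):
    """Return (interface, peers): dicts with lower-cased keys, '#' comments stripped."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            name = line.strip("[]").lower()
            current = interface if name == "interface" else {}
            if name == "peer":
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers

def allowed_networks(peer):
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("allowedips", "").split(",") if p.strip()]

def uncovered_ipv4(networks):
    """Parts of 0.0.0.0/0 no AllowedIPs entry covers: traffic that would bypass the tunnel."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in networks:
        if net.version != 4:
            continue
        kept = []
        for r in remaining:
            if net.subnet_of(r):
                kept.extend(r.address_exclude(net))  # carve net out of r
            elif not r.subnet_of(net):
                kept.append(r)                       # disjoint, keep as is
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def lint(text, full_tunnel):
    """Return findings as strings; full_tunnel=True means this peer should carry everything."""
    interface, peers = parse_wg_conf(text)
    findings = []
    if "address" not in interface:
        findings.append("Interface: no Address, the tunnel comes up but cannot be pinged")
    for i, peer in enumerate(peers):
        if "dns" in peer:
            findings.append(f"Peer {i}: DNS belongs in [Interface], not [Peer]")
        if "persistentkeepalive" in peer and "endpoint" not in peer:
            findings.append(f"Peer {i}: PersistentKeepalive without Endpoint; "
                            "the side that has the Endpoint should send the keepalives")
        nets = allowed_networks(peer)
        for a in nets:
            for b in nets:
                if a != b and a.version == b.version and a.subnet_of(b):
                    findings.append(f"Peer {i}: AllowedIPs {a} is redundant, already inside {b}")
        if full_tunnel:
            for gap in uncovered_ipv4(nets):
                findings.append(f"Peer {i}: AllowedIPs leaves {gap} outside the tunnel")
    return findings
```

Running lint(CLIENT_CONF, full_tunnel=True) reports both the redundant 10.8.0.1/32 and the missing 128.0.0.0/1; replacing the AllowedIPs line with either 0.0.0.0/0 or the OpenVPN-style pair 0.0.0.0/1, 128.0.0.0/1 clears both findings.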
Post by jankom » Thu Oct 06, 2022 2:45 pm

OK, I understand that 0/1 includes 10.8.0.1/32, yes - learning curve.
If I put anything other than the WiFi hotspot nameserver ip (which is a 192.168.x.x private network ip) then there is no name resolution if "DNS =" is included in the configuration. It looks like wireguard manipulates /etc/resolv.conf when it activates.
So my setup works as it is now, even after removing the superfluous 10.8.0.1 argument in allowedIPs.
However, the client wg cannot start if 0/0 is specified. I must use the 0/1 format.
andraslinux /etc #
andraslinux /etc/wireguard # wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
andraslinux /etc/wireguard #
Post by bbgermany » Thu Oct 06, 2022 4:50 pm

Hi,

Please remove all pre and postup scripts for testing. We need a working config on the client BEFORE adding firewall rules at all. Usually you only need masquerade rules on the server side. I'm not quite sure what "iptables-restore" tries to restore as a "raw" table.
jankom wrote:
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
This is the issue, not 0.0.0.0/0, since a few lines before the route was set correctly!

Greetings Stefan