First off: this is not a duplicate. I've tried everything except OpenVPN or IPSec. I'm receiving a handshake between the client and server, and SSH and ping work between clients, but I cannot access the global internet or even reach the server's public IP. My config is just the usual (keys, endpoints); I followed the Linode guide exactly. My client is openSUSE but my server is Ubuntu, which I'm assuming is the chokepoint.
Does `ip route` show you have a `default` route? – waltinator Nov 23 '20 at 16:59
waltinator yeah it does show my default route as my router. – kektagen Nov 24 '20 at 02:36
2 Answers
This is exactly the situation I had. Does your server have a public IP or is it behind a NAT? If it's behind a NAT, the PostUp and PostDown iptables commands from the Linode guide don't apply.
Try adding the following to your server configuration file, changing eth0 to whatever your computer calls it:
PreUp = iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
PreDown = iptables -t nat -D POSTROUTING -j MASQUERADE -o eth0
Example configuration
Here's an example configuration where the router is at 10.0.1.1 (normal network) and 10.0.0.x is the new WireGuard network, with the server configured as 10.0.0.1 and the client as 10.0.0.2. The port used is 51820 and the default network interface is eth0. All traffic is routed through WireGuard, but it does not stay within the WireGuard subnet: the client has access to the server's local network (10.0.1.x) and the general internet. Don't forget to forward port 51820 from your router to your server and to enable IPv4 forwarding on the server (# sysctl -w net.ipv4.ip_forward=1).
Server configuration
[Interface]
Address = 10.0.0.1/24
PrivateKey = YOUR_SERVER_PRIVATE_KEY
ListenPort = 51820
PreUp = iptables --table nat --append POSTROUTING --jump MASQUERADE --out-interface eth0
PreDown = iptables --table nat --delete POSTROUTING --jump MASQUERADE --out-interface eth0
[Peer]
PublicKey = YOUR_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
Client configuration
[Interface]
Address = 10.0.0.2/24
DNS = 10.0.1.1
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
ListenPort = 51820
[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = YOUR.DYNAMIC_DNS.COM:51820
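An added server-side check script (not from this answer or the Linode guide) that verifies the three things the configuration above depends on: IPv4 forwarding is enabled, a MASQUERADE rule exists for the egress interface in nat/POSTROUTING, and the FORWARD chain does not drop tunnel traffic. It assumes eth0 as the egress interface and wg0 as the tunnel; the check functions take captured command output as text, so they can also be run against saved output from another box.

```shell
#!/bin/sh
# Server-side audit for the "handshake works, no internet" case. Each
# check_* function takes captured command output as text, so the same
# logic runs against saved output or, with --live, the real tables.

# Kernel forwarding between the tunnel and the egress interface must be on.
# $1 = output of: sysctl -n net.ipv4.ip_forward
check_ip_forward() {
    [ "$1" = "1" ]
}

# A MASQUERADE rule for the egress interface must be in nat/POSTROUTING.
# $1 = output of: iptables -t nat -S POSTROUTING   $2 = egress interface
check_masquerade() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING .*-o $2 .*-j MASQUERADE"
}

# Position of that rule among the -A lines (1 = first). --append puts it
# last, so an earlier rule may claim the packet; --insert puts it first.
masquerade_position() {
    printf '%s\n' "$1" | grep -- '^-A POSTROUTING' \
        | grep -n -- "-o $2 .*-j MASQUERADE" | head -n1 | cut -d: -f1
}

# Forwarded packets must not be dropped: FORWARD policy ACCEPT, or an
# explicit accept for packets arriving on the tunnel interface.
# $1 = output of: iptables -S FORWARD   $2 = tunnel interface
check_forward_chain() {
    printf '%s\n' "$1" | grep -q -- '^-P FORWARD ACCEPT' && return 0
    printf '%s\n' "$1" | grep -q -- "^-A FORWARD .*-i $2 .*-j ACCEPT"
}

# Live mode (run as root): egress interface from $2, default eth0 (assumed).
run_live() {
    wan="$1"; status=0
    check_ip_forward "$(sysctl -n net.ipv4.ip_forward)" \
        || { echo "FAIL: net.ipv4.ip_forward is not 1"; status=1; }
    nat=$(iptables -t nat -S POSTROUTING)
    check_masquerade "$nat" "$wan" \
        || { echo "FAIL: no MASQUERADE for $wan in nat/POSTROUTING"; status=1; }
    pos=$(masquerade_position "$nat" "$wan")
    [ -z "$pos" ] || [ "$pos" -eq 1 ] \
        || echo "WARN: MASQUERADE is rule #$pos; an earlier rule may match first"
    check_forward_chain "$(iptables -S FORWARD)" wg0 \
        || { echo "FAIL: FORWARD chain does not accept wg0 traffic"; status=1; }
    return "$status"
}
if [ "${1:-}" = "--live" ]; then run_live "${2:-eth0}"; fi
```

Run it as `sh wg-audit.sh --live eth0` on the server; a WARN about the rule position is the `--append` vs `--insert` situation discussed in the comments below.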
I'm having the same (I think) and the above doesn't seem to work. The client connects and gets 296 bytes of data. Then from the client I can ping the wg0 server ip (10.99.100.1 in my case) from 10.99.100.32/32 (the client). But it can't ping the rest of my network nor anything on the internet. Ideas? – James Hancock Feb 06 '21 at 06:15
Did you set DNS, PreUp, and PreDown? And is DNS set to your router's internal IP? – Kyle Feb 07 '21 at 14:48
I did. And I just solved this. The clients claim that they're connected when they are absolutely not. It was a firewall issue, but there was no indication in the clients (iOS, Android, Windows nor Mac!) that it didn't actually connect. It shows as connected but isn't. Once I realized what was happening it was a straightforward fix. – James Hancock Feb 07 '21 at 19:09
I was having the same issue and had to use `PreUp = iptables -t nat -I POSTROUTING -j MASQUERADE -o eth0` `PreDown = iptables -t nat -D POSTROUTING -j MASQUERADE -o eth0` instead of the above. Still trying to figure out why. – Sabar Nov 08 '22 at 04:06
Turns out the culprit was using `--append` vs `--insert`. Since inserting a rule without a rulenum puts the rule at the top of the table, I guess my server iptables must have an entry lower down that isn't playing nicely. – Sabar Nov 08 '22 at 05:03
Depending on your cloud provider you might have to change the MTU: WireGuard's default MTU is 1420, while Google Cloud's MTU is 1460. So if you are using Google Cloud, adding `MTU = 1460` to the [Interface] section of both client and server will solve the problem.
You can check my full tutorial on Github if having any trouble.
This was the issue for me; there are some outdated answers related to GCP; but this one is relevant in May 2023. – atb00ker May 20 '23 at 19:33