
I am trying to configure a VPN server with WireGuard in order to have access to my local network when I am outside home.

I configured a raspberry pi to be the Wireguard 'server' and I have a laptop that I will use as client. I will describe the 'local network' as the network where the server (raspberry pi) lives and 'remote network' as the network outside my home.

When I run 'wg-quick PiVPN-FT' in the 'client' from the local network, I am able to ssh to devices on my local network and I have access to the internet as well. However, when I do it from a remote network (using the hot-spot from my phone) I cannot ssh into other devices and I don't have internet access.

I also tried to connect from the network at work (to avoid using hotspots), with the same negative results.

The conf file on the server is:

[Interface]
PrivateKey = Private_key
Address = 10.6.0.1/24
MTU = 1420
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = Public_Key
PresharedKey = Preshared_Key
AllowedIPs = 10.6.0.2/32

[Peer]
PublicKey = Public_Key
PresharedKey = Preshared_Key
AllowedIPs = 10.6.0.3/32
PersistentKeepalive=25

The conf file in the client is:

[Interface]
PrivateKey = Private_Key
Address = 10.6.0.3/24
MTU = 1420
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = Public_Key
PresharedKey = Preshared_Key
Endpoint = End_point:51820
AllowedIPs = 0.0.0.0/0, ::0/0

As I am new to setting up this networking system, I would like to know how to troubleshoot to find what is causing the issue.

jlunesc
  • Phones and USB hotspots often use a double NAT connection. Can you try a vanilla TCP/IP connection? I do what you want with hardware VPN and NCP Secure Entry. NCP navigates double NAT. – John Sep 06 '21 at 18:52
  • Is your router even configured to expose the pi / wireguard server to the outside world (Port forwarding / "DMZ")? Besides, is your WAN IP even a public IP (i.e. No CGNAT by your ISP)? Also make sure you update Endpoint= to your public WAN IP. – Tom Yan Sep 14 '21 at 00:49
  • @TomYan Yes, I configured port forwarding to point to the raspberry to the port 51820. Also, I configured the endpoint to the WAN IP which is constantly updated by a DDNS. – jlunesc Sep 14 '21 at 09:42
  • @jlunesc Have you found any kind of solution for that? Did you try to clear iptables on the client? – Krzysiek Jun 12 '23 at 00:11

1 Answer

It's not entirely clear from your problem description but I'm going to assume that your server is behind a consumer-grade router of some kind which provides your home with Internet access.

These devices are usually NATs (in case of IPv4) and firewalls (in case of IPv6) which prevent you from accessing the inner devices directly.

Also from the config, it's not quite possible to guess what the endpoint hostname actually resolves to. Is it a global IP or a local one?

I'd suggest these steps:

  1. In your router, find the option port forwarding and make sure your WireGuard port is port forwarded to the WireGuard server. This will make the device accessible from the outside. There are plenty of guides on how to do port forwarding so I won't go into detail here.
  2. Make sure your endpoint is globally resolvable. In the easiest case, that means use your global IP of the router (for IPv4) or the global IP of the WireGuard server directly (for IPv6).
svenstaro
  • Hi, thanks. Indeed I am using a consumer-grade router. I didn't mention it, but I configured the port-forwarding to direct incoming traffic to my raspberry pi using the port 51820. I also setup a DDNS (using a domain in dynu.com). My main concern is to know if each of these steps are correct. That's why I want to know how to troubleshoot. I tried `echo 'module wireguard +p' | sudo tee /sys/kernel/debug/dynamic_debug/control` to get a sense of what the problems might be but I get this `error: tee: /sys/kernel/debug/dynamic_debug/control: No such file or directory module wireguard +p` – jlunesc Sep 13 '21 at 11:45
  • Debug support needs to be compiled in when building the module: https://www.wireguard.com/compilation/ Do you get your WireGuard module using your distro's package manager? – svenstaro Sep 13 '21 at 14:18
  • I installed it using pivpn. – jlunesc Sep 13 '21 at 17:43
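The question asks how to troubleshoot, and the answer's two steps cover the router side (port forwarding, a globally resolvable endpoint). A third thing worth checking before touching the network is that the two config files actually agree with each other: the client's tunnel address has to fall inside a server [Peer]'s AllowedIPs (WireGuard's cryptokey routing silently drops packets otherwise), the Endpoint port has to match ListenPort (and the forwarded port), and a full-tunnel client (AllowedIPs = 0.0.0.0/0) only reaches the LAN or the internet if the server forwards and masquerades. The script below is an added example, not code from the question, the answer or PiVPN; it embeds copies of the two configs shown above (with the same placeholder keys and endpoint) and checks those points offline. IP forwarding itself is a sysctl rather than a wg-quick setting, so the script can only tell you to verify it on the server, it cannot read it for you.

```python
"""Offline consistency check for a WireGuard server/client config pair.
Added example; the parser handles wg-quick's INI dialect, where [Peer]
sections repeat (configparser would merge them, so it is not used)."""
import ipaddress

# Constructed copies of the two configs from the question (placeholder keys).
SERVER_CONF = """\
[Interface]
PrivateKey = Private_key
Address = 10.6.0.1/24
MTU = 1420
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = Public_Key
PresharedKey = Preshared_Key
AllowedIPs = 10.6.0.2/32

[Peer]
PublicKey = Public_Key
PresharedKey = Preshared_Key
AllowedIPs = 10.6.0.3/32
PersistentKeepalive=25
"""

CLIENT_CONF = """\
[Interface]
PrivateKey = Private_Key
Address = 10.6.0.3/24
MTU = 1420
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = Public_Key
PresharedKey = Preshared_Key
Endpoint = End_point:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) for a wg-quick config."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return interface, peers


def _nets(value):
    """'10.6.0.2/32, ::0/0' -> list of ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]


def check_pair(server_text, client_text):
    """Return (problems, manual_checks): problems are config mismatches that
    would break the tunnel; manual_checks are things to verify on the host."""
    problems, manual = [], []
    s_if, s_peers = parse_wg_conf(server_text)
    c_if, c_peers = parse_wg_conf(client_text)
    server_net = ipaddress.ip_interface(s_if["Address"]).network
    client_ip = ipaddress.ip_interface(c_if["Address"]).ip

    # 1. The client's tunnel address must lie in the server's tunnel subnet.
    if client_ip not in server_net:
        problems.append(f"client Address {client_ip} not in server subnet {server_net}")

    # 2. Some server [Peer] must cover the client address in AllowedIPs;
    #    otherwise the server drops the client's packets (cryptokey routing).
    covered = any(client_ip in n for p in s_peers for n in _nets(p.get("AllowedIPs", "")))
    if not covered:
        problems.append(f"no server [Peer] has AllowedIPs covering {client_ip}")

    # 3. The client's Endpoint port must equal the server's ListenPort, which
    #    is also the port the router has to forward.
    ep_port = c_peers[0]["Endpoint"].rsplit(":", 1)[1]
    if ep_port != s_if.get("ListenPort"):
        problems.append(f"Endpoint port {ep_port} != ListenPort {s_if.get('ListenPort')}")

    # 4. A default-route client only gets LAN/Internet access if the server
    #    accepts forwarded traffic and masquerades it out of eth0.
    full_tunnel = any(n.prefixlen == 0 for n in _nets(c_peers[0]["AllowedIPs"]))
    post_up = s_if.get("PostUp", "")
    if full_tunnel and "FORWARD" not in post_up:
        problems.append("full-tunnel client but server PostUp has no FORWARD accept rule")
    if full_tunnel and "MASQUERADE" not in post_up:
        problems.append("full-tunnel client but server PostUp has no MASQUERADE rule")
    if full_tunnel:
        manual.append("on the server: sysctl net.ipv4.ip_forward must be 1 (not in the config)")
        manual.append("on the router: UDP port " + ep_port + " forwarded to the server's LAN IP")
    return problems, manual


if __name__ == "__main__":
    found, todo = check_pair(SERVER_CONF, CLIENT_CONF)
    for line in found:
        print("PROBLEM:", line)
    for line in todo:
        print("VERIFY: ", line)
```

Run against the configs in the question it reports no mismatches and leaves two items to verify by hand: that `net.ipv4.ip_forward` is 1 on the Pi and that UDP 51820 is forwarded to it. If both of those hold and the endpoint resolves to the router's public address, the remaining suspects are outside the config files (CGNAT on the home connection, or the phone hotspot blocking UDP), which the comments above already raise.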