Homemade WireGuard VPN on a VPS server

Ok, I started WireGuard on both sides, but Yunohost appears to be offline.

I opened the suggested ports in the ionos firewall settings.
I entered the IPs of the VPS.
I can access my yunohost via the web interface and via ssh.
But there’s a timeout when I ping 8.8.8.8, and in the yunohost diagnostics it says it is not connected to the internet.

Logs

Yunohost in local LAN

wg

interface: wg0
public key: yxNI4PkF/vvSg2bJZl4qiDjOnbpTk0aetCWhlYOF8wY=
private key: (hidden)
listening port: 53350
fwmark: 0xca6c

peer: XypWafYsppYXQfedVJcNA1OkO9hUKO6IjAXLS3AOVjc=
endpoint: [::1]:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 148 B sent
persistent keepalive: every 25 seconds

journalctl -xeu wg-quick@wg0.service

-- Subject: A start job for unit wg-quick@wg0.service has begun execution
-- Defined-By: systemd
-- Support: Debian -- User Support
--
-- A start job for unit wg-quick@wg0.service has begun execution.
--
-- The job identifier is 1043.
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip link add wg0 type wireguard
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] wg setconf wg0 /dev/fd/63
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -4 address add 10.6.0.2/24 dev wg0
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -6 address add fd42:42:42::2/64 dev wg0
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip link set mtu 65456 up dev wg0
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] resolvconf -a tun.wg0 -m 0 -x
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] wg set wg0 fwmark 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -6 route add ::/0 dev wg0 table 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -6 rule add not fwmark 51820 table 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -6 rule add table main suppress_prefixlength 0
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip6tables-restore -n
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -4 rule add not fwmark 51820 table 51820
Apr 03 10:46:41 ze.noho.st wg-quick[3521]: [#] ip -4 rule add table main suppress_prefixlength 0
Apr 03 10:46:42 ze.noho.st wg-quick[3521]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Apr 03 10:46:42 ze.noho.st wg-quick[3521]: [#] iptables-restore -n
Apr 03 10:46:42 ze.noho.st wg-quick[3521]: [#] bash /etc/wireguard/PostUp.sh
Apr 03 10:46:42 ze.noho.st systemd[1]: Started WireGuard via wg-quick(8) for wg0.
-- Subject: A start job for unit wg-quick@wg0.service has finished successfully

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.178.34 netmask 255.255.255.0 broadcast 192.168.178.255
inet6 fe80::46a1:8967:4a6e:fd6f prefixlen 64 scopeid 0x20
inet6 2001:a61:24b5:a601:990c:d95a:4fa3:4bbc prefixlen 64 scopeid 0x0
ether 82:bf:b2:df:f0:09 txqueuelen 1000 (Ethernet)
RX packets 4844 bytes 516167 (504.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2595 bytes 793955 (775.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 43

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 23188 bytes 3422152 (3.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23188 bytes 3422152 (3.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 65456
inet 10.6.0.2 netmask 255.255.255.0 destination 10.6.0.2
inet6 fd42:42:42::2 prefixlen 64 scopeid 0x0
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 136 bytes 20128 (19.6 KiB)
TX errors 0 dropped 3398 overruns 0 carrier 0 collisions 0

ionos vps

wg

interface: wg0
public key: XypWafYsppYXQfedVJcNA1OkO9hUKO6IjAXLS3AOVjc=
private key: (hidden)
listening port: 51820

peer: yxNI4PkF/vvSg2bJZl4qiDjOnbpTk0aetCWhlYOF8wY=
allowed ips: 10.6.0.2/32, fd42:42:42::2/128

journalctl -xeu wg-quick@wg0.service

Apr 03 08:45:37 localhost systemd[1]: Starting WireGuard via wg-quick(8) for wg0…
░░ Subject: A start job for unit wg-quick@wg0.service has begun execution
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit wg-quick@wg0.service has begun execution.
░░
░░ The job identifier is 1789.
Apr 03 08:45:37 localhost wg-quick[2387]: [#] ip link add wg0 type wireguard
Apr 03 08:45:37 localhost wg-quick[2387]: [#] wg setconf wg0 /dev/fd/63
Apr 03 08:45:37 localhost wg-quick[2387]: [#] ip -4 address add 10.6.0.1/24 dev wg0
Apr 03 08:45:37 localhost wg-quick[2387]: [#] ip -6 address add fd42:42:42::1/64 dev wg0
Apr 03 08:45:37 localhost wg-quick[2387]: [#] ip link set mtu 1420 up dev wg0
Apr 03 08:45:37 localhost wg-quick[2387]: [#] bash /etc/wireguard/PostUp.sh
Apr 03 08:45:37 localhost systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
░░ Subject: A start job for unit wg-quick@wg0.service has finished successfully

ifconfig

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 212.227.197.189 netmask 255.255.255.255 broadcast 212.227.197.189
inet6 2001:8d8:1801:81bc::1 prefixlen 64 scopeid 0x0
inet6 fe80::250:56ff:fe16:9fc5 prefixlen 64 scopeid 0x20
ether 00:50:56:16:9f:c5 txqueuelen 1000 (Ethernet)
RX packets 45465 bytes 5241644 (4.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9596 bytes 1417296 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.6.0.1 netmask 255.255.255.0 destination 10.6.0.1
inet6 fd42:42:42::1 prefixlen 64 scopeid 0x0
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 1 dropped 0 overruns 0 carrier 0 collisions 0

Do you ping from YH or VPS?

Maybe you can also try to restart the VPS and then the YH server. Sometimes it solves the issue from the diagnostic.

I have some doubts regarding your iptables rules. It seems the YH server doesn't receive any packets back.

The ping from YunoHost is not successful.
After reboot it's the same problem.

What do you mean with the iptables rules? How to check / change them?

netstat -tunlp

yunohost:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 2361/gitea
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2294/nginx: master
tcp 0 0 0.0.0.0:9137 0.0.0.0:* LISTEN 1502/sshd
tcp 0 0 127.0.0.1:10001 0.0.0.0:* LISTEN 1194/postsrsd
tcp 0 0 127.0.0.1:10002 0.0.0.0:* LISTEN 1194/postsrsd
tcp 0 0 0.0.0.0:5269 0.0.0.0:* LISTEN 1992/lua5.1
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1547/dnsmasq
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 1694/postgres
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2406/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2294/nginx: master
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1722/slapd
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 1820/dovecot
tcp 0 0 0.0.0.0:8095 0.0.0.0:* LISTEN 1426/node
tcp 0 0 127.0.0.1:20000 0.0.0.0:* LISTEN 2453/sogod
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1820/dovecot
tcp 0 0 0.0.0.0:20001 0.0.0.0:* LISTEN 1290/stunnel4
tcp 0 0 127.0.0.1:6787 0.0.0.0:* LISTEN 1378/python3
tcp 0 0 127.0.0.1:11332 0.0.0.0:* LISTEN 1711/rspamd: main p
tcp 0 0 127.0.0.1:11333 0.0.0.0:* LISTEN 1711/rspamd: main p
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN 1722/slapd
tcp 0 0 127.0.0.1:11334 0.0.0.0:* LISTEN 1711/rspamd: main p
tcp 0 0 0.0.0.0:5222 0.0.0.0:* LISTEN 1992/lua5.1
tcp 0 0 127.0.0.1:8008 0.0.0.0:* LISTEN 2636/python
tcp 0 0 127.0.0.1:5290 0.0.0.0:* LISTEN 1992/lua5.1
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 2406/master
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1515/redis-server 1
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1414/memcached
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1820/dovecot
tcp6 0 0 :::80 :::* LISTEN 2294/nginx: master
tcp6 0 0 :::9137 :::* LISTEN 1502/sshd
tcp6 0 0 :::5269 :::* LISTEN 1992/lua5.1
tcp6 0 0 :::53 :::* LISTEN 1547/dnsmasq
tcp6 0 0 ::1:5432 :::* LISTEN 1694/postgres
tcp6 0 0 :::25 :::* LISTEN 2406/master
tcp6 0 0 :::443 :::* LISTEN 2294/nginx: master
tcp6 0 0 :::636 :::* LISTEN 1722/slapd
tcp6 0 0 :::4190 :::* LISTEN 1820/dovecot
tcp6 0 0 :::8448 :::* LISTEN 2636/python
tcp6 0 0 :::993 :::* LISTEN 1820/dovecot
tcp6 0 0 ::1:11332 :::* LISTEN 1711/rspamd: main p
tcp6 0 0 ::1:11333 :::* LISTEN 1711/rspamd: main p
tcp6 0 0 ::1:11334 :::* LISTEN 1711/rspamd: main p
tcp6 0 0 :::5222 :::* LISTEN 1992/lua5.1
tcp6 0 0 ::1:8008 :::* LISTEN 2636/python
tcp6 0 0 :::3306 :::* LISTEN 1698/mysqld
tcp6 0 0 ::1:5290 :::* LISTEN 1992/lua5.1
tcp6 0 0 :::587 :::* LISTEN 2406/master
tcp6 0 0 ::1:6379 :::* LISTEN 1515/redis-server 1
tcp6 0 0 :::143 :::* LISTEN 1820/dovecot
udp 0 0 0.0.0.0:31582 0.0.0.0:* 1547/dnsmasq
udp 0 0 10.6.0.2:5353 0.0.0.0:* 1362/python3
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1362/python3
udp 0 0 0.0.0.0:38929 0.0.0.0:* -
udp 0 0 0.0.0.0:53 0.0.0.0:* 1547/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 2048/dhclient
udp 0 0 10.6.0.2:123 0.0.0.0:* 2257/ntpd
udp 0 0 192.168.178.34:123 0.0.0.0:* 2257/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2257/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2257/ntpd
udp6 0 0 :::38929 :::* -
udp6 0 0 :::53 :::* 1547/dnsmasq
udp6 0 0 :::32889 :::* 1547/dnsmasq
udp6 0 0 2001:a61:24b5:a601::123 :::* 2257/ntpd
udp6 0 0 fd42:42:42::2:123 :::* 2257/ntpd
udp6 0 0 fe80::46a1:8967:4a6:123 :::* 2257/ntpd
udp6 0 0 ::1:123 :::* 2257/ntpd
udp6 0 0 :::123 :::* 2257/ntpd

vps:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9988 0.0.0.0:* LISTEN 762/sshd: /usr/sbin
tcp6 0 0 :::9988 :::* LISTEN 762/sshd: /usr/sbin
root@localhost:/home/juser# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9988 0.0.0.0:* LISTEN 762/sshd: /usr/sbin
tcp6 0 0 :::9988 :::* LISTEN 762/sshd: /usr/sbin
udp 0 0 0.0.0.0:51820 0.0.0.0:* -
udp6 0 0 :::51820 :::*

iptables -L

yunohost:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere tcp dpt:xmpp-server
ACCEPT tcp -- anywhere anywhere tcp dpts:49153:49193
ACCEPT tcp -- anywhere anywhere tcp dpt:8448
ACCEPT tcp -- anywhere anywhere tcp dpt:5349
ACCEPT tcp -- anywhere anywhere tcp dpt:5350
ACCEPT tcp -- anywhere anywhere tcp dpt:9137
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpts:49153:49193
ACCEPT udp -- anywhere anywhere udp dpt:5349
ACCEPT udp -- anywhere anywhere udp dpt:5350
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

vps:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- 10.0.6.2 anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.6.2 anywhere tcp dpt:submission
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:smtp
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:140
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:submission
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:imaps
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:xmpp-client
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:xmpp-server
ACCEPT tcp -- anywhere 10.6.0.2 tcp dpt:9137

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

These rules seem correct. If you want, you can send me in PM your two wg0.conf, PostUp and PostDown and I can check if everything looks good.

Could you also check that you can ping google.com and ping -6 google.com from the VPS?

Hello,

@rungeard thank you for your work!

Could you tell me which device the IP 10.0.6.2 in your iptables belongs to?

10.6.0.2 is the IP assigned to the YunoHost server (the WireGuard client).

So could it be a little typo here?

In your iptables for routing ports 25 and 587,

here the IP is correct:
iptables -t nat -A POSTROUTING -s 10.6.0.2 -p tcp --dport $j -j SNAT --to [insert public IPV4 of the VPS];
ten.six.zero.two

but one row after it:
iptables -A FORWARD -s 10.0.6.2 -p tcp --dport $j -j ACCEPT;
ten.zero.six.two

You are right! I made the changes in the main post.

Hello, thanks for this tutorial, it makes me want to go ahead and buy one :grin:

Question

If other users wanted to connect to it to use it as a plain VPN, while keeping the rules for the YunoHost, what would the PostUp and PostDown look like?

Thanks

Yes, it's possible.
On every client you generate a private and a public key.

On the VPS you add to wg0.conf the lines

### begin new client ###
[Peer]
PublicKey = [insert public key of the new client]
AllowedIPs = 10.6.0.X/32,fd42:42:42::X/128     #with X = 3 then 4, 5, etc
### end new client###

On the VPS you add to PostUp

iptables -t nat -A POSTROUTING -s 10.6.0.X  -j SNAT --to [insert public IPV4 of the VPS]; 
iptables -A FORWARD -s 10.6.0.X  -j ACCEPT; 
ip6tables -t nat -A POSTROUTING -s fd42:42:42::X -j SNAT --to [insert public IPV6 of the VPS]; 
ip6tables -A FORWARD -s fd42:42:42::X -j ACCEPT; 

On the VPS you add to PostDown

iptables -t nat -D POSTROUTING -s 10.6.0.X  -j SNAT --to [insert public IPV4 of the VPS]; 
iptables -D FORWARD -s 10.6.0.X  -j ACCEPT; 
ip6tables -t nat -D POSTROUTING -s fd42:42:42::X -j SNAT --to [insert public IPV6 of the VPS]; 
ip6tables -D FORWARD -s fd42:42:42::X -j ACCEPT; 

wg0 of the new client

[Interface]
PrivateKey = [insert private key of the new client]
Address = 10.6.0.X/24, fd42:42:42::X/64
# choose your DNS - for instance FDN DNS resolver
DNS = 80.67.169.12, 2001:910:800::12 

[Peer]
PublicKey = [insert public key of the VPS]
Endpoint = [insert your domain name (link to the ips of the VPS server)]:51820
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25

Don't forget to replace X with 3, then 4, 5, 6, etc. everywhere.
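As an added example (not code from this thread or from the tutorial's author), the following POSIX shell script generates the VPS-side [Peer] stanza and the PostUp/PostDown lines for client number X from a single variable, so the SNAT and FORWARD source addresses cannot drift apart, and it also checks an existing PostUp script for exactly the kind of mismatch found above (a FORWARD rule for 10.0.6.2 next to an SNAT rule for 10.6.0.2). The function names are mine, and the public addresses 203.0.113.10 and 2001:db8::10 in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the VPS-side [Peer]
# stanza and PostUp/PostDown lines for extra client number X from one
# variable, so the SNAT and FORWARD sources cannot drift apart, and checks
# an existing PostUp script for exactly that drift. Ranges 10.6.0.0/24 and
# fd42:42:42::/64 are the thread's; public IPs in the demo are placeholders.

# valid_index X -> 0 if X is a usable host number (1 = VPS, 2 = YunoHost)
valid_index() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 3 ] && [ "$1" -le 254 ]
}

# peer_stanza X PUBKEY -> [Peer] block to append to wg0.conf on the VPS
peer_stanza() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 10.6.0.%s/32,fd42:42:42::%s/128\n' \
        "$2" "$1" "$1"
}

# nat_rules ACTION X IPV4 IPV6 -> PostUp (ACTION=-A) or PostDown (ACTION=-D)
nat_rules() {
    act=$1; x=$2; v4=$3; v6=$4
    printf 'iptables -t nat %s POSTROUTING -s 10.6.0.%s -j SNAT --to %s;\n' "$act" "$x" "$v4"
    printf 'iptables %s FORWARD -s 10.6.0.%s -j ACCEPT;\n' "$act" "$x"
    printf 'ip6tables -t nat %s POSTROUTING -s fd42:42:42::%s -j SNAT --to %s;\n' "$act" "$x" "$v6"
    printf 'ip6tables %s FORWARD -s fd42:42:42::%s -j ACCEPT;\n' "$act" "$x"
}

# check_sources FILE -> 0 if every "FORWARD -s" address in FILE also has a
# "POSTROUTING -s" rule; a lone FORWARD source (e.g. 10.0.6.2) fails
check_sources() {
    snat=$(grep -o 'POSTROUTING -s [^ ]*' "$1" | awk '{print $3}' | sort -u)
    fwd=$(grep -o 'FORWARD -s [^ ]*' "$1" | awk '{print $3}' | sort -u)
    for a in $fwd; do
        printf '%s\n' "$snat" | grep -qxF "$a" ||
            { echo "FORWARD source $a has no matching SNAT rule" >&2; return 1; }
    done
}

# Stand-alone demo for client 3 with constructed public addresses
if valid_index 3; then
    peer_stanza 3 '[insert public key of the new client]'
    echo '# PostUp';   nat_rules -A 3 203.0.113.10 2001:db8::10
    echo '# PostDown'; nat_rules -D 3 203.0.113.10 2001:db8::10
fi
```

Run `check_sources /etc/wireguard/PostUp.sh` on the VPS to confirm every forwarded client source also gets source NAT, since a FORWARD rule whose source never matches a real client silently accepts nothing.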


Thanks for the info.

However, if I follow this tutorial and add the lines you gave me, will that cause a problem?

Thanks again.

In theory no, but I haven't personally tested it with several devices. Any feedback is welcome!


Actually, I already have WireGuard at home as a server and I route a few clients through it. So I really have a basic configuration with
I would like to take all that further by pushing more things through the pipes.
I'll try starting from scratch with the clients (which I more or less know how to do) and then add your config.

:pray:

Hello,
If you manage to connect the YNH + other clients, I'm interested in your config.
Thanks :slight_smile:

Hi.
I ordered the VPS yesterday and already tinkered with it, but I can't manage to connect for now. I need to sit down and look at it calmly.

:grin:

It's weird, I open the ports in the IONOS interface and when I run a check it tells me they're closed :~

From memory, some ports, including 25, require a phone call to customer service to be opened; it can't be done directly from the web interface.

Even just the VPN port is open in IONOS but not when I check from outside; don't I also need to open it somewhere else?

The one I have at home on Ubuntu, I had also opened it with UFW.