Still not working on my side (phone only, so I did not try to use the wg0.conf file as it seems to be for client only)
sudo wg
public key: TLApL5dllCQQN/+kFrSBxxPaYN1VG35uYygXDp7GMRY=
private key: (hidden)
listening port: 8095
I tried to restart the wg-quick@wg service, and yunohost-firewall, but still no handshake.
And I still have a wireguard service listed, unknown to the system, that was still here when my old installation was removed. Failed to get status information via dbus for service wireguard, systemctl didn't recognize this service ('NoSuchUnit').
The service is removed, thanks !
I did wq-quick down and up, and still no handshake.
And now, I have the port 8095 that is declared closed in the diagnostics (it is redirected by my box in TCP/UDP, but only opened in UDP in the YunoHost firewall)
Can you explain what I need to do on my server and/or in my phone about the xg0.conf file ?
Question about troubleshooting Wireguard server to peer behind a router.
Wireguard is setup on my Yunohost with public facing IP. It can connect to my phone with Wireguard on mobile data. So it works! I can use the internet. I can ping websites. I have my Yunohost IP address on my wireguard peer. Hurray.
Now, I’m trying to get my phone/laptop to work via Wireguard and connect to my Yunohost wireguard server from behind my works router. It connects, but I have no connectivity.
$ sudo wg-quick up wg0
Warning: `/etc/wireguard/wg0.conf’ is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
admin:/etc/wireguard$ ping google.com
PING google.com (216.58.200.46) 56(84) bytes of data.
^C
— google.com ping statistics —
15 packets transmitted, 0 received, 100% packet loss, time 14332ms
I have read to test connections between computers if netcat works, wireguard should work.
From my laptop at work:
$ nc -v -u -p 51820 49.159.85.76 51820
Connection to 49.159.85.76 51820 port [udp/*] succeeded!
^C
$ nc -v -u -p 8096 49.159.85.76 8096
Connection to 49.159.85.76 8096 port [udp/*] succeeded!
Any wireguard wizards have any suggestions?
GOAL: Primarily I’m trying to get Wireguard to work because I’m trying to use my XMPP chat at work without constantly switching between Wifi and mobile data on my phone.
I have the same thing; I think this a bug in YunoHost’s diagnosis. It tests both UDP and TCP, and reports an error if at least one is closed… event if the service wants only UDP.
I feel it will be a spammy subject. I propose to have a debug session during the weekend on IRC/Matrix and report here if we find a solution. Is that OK for you?
I am no wizard, but let’s try (and it may be a similar issue as Mamie’s). Are you sure you are getting an handshake after connecting on your laptop? (check with sudo wg)
but says operation not permitted. Hmm… I’m trying to get this to work because it seems the only way to debug Wireguard.
I made a new Yunohost server on Hetzner VPS. I can ssh into it on port 22. So it looks like my school doesn’t block port 22. I installed wireguard app on this VPS and tried to connect to it on port 8095 but still no handshake.
So my idea, I make Wireguard listen on port 22, or is there another way to test ports that may be open on my school’s firewall? or do you have other suggestions of ports that may be open?
I used nmap to look for open ports from behind the restrictive work firewall.
$ sudo nmap -p 1-9000 [domainname]
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-21 12:26 CST
Nmap scan report for [IP address]Host is up (0.017s latency).
rDNS record for [IP ADDRESS]
Not shown: 8977 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp closed pop3
113/tcp closed ident
123/tcp closed ntp
143/tcp closed imap
443/tcp open https
465/tcp closed smtps
993/tcp open imaps
995/tcp closed pop3s
1935/tcp closed rtmp
2083/tcp closed radsec
3389/tcp closed ms-wbt-server
5800/tcp closed vnc-http
5900/tcp closed vnc
8008/tcp open http
8010/tcp open xmpp
8020/tcp open intu-ec-svcdisc
8090/tcp closed opsmessaging
So it looks like I can use one of these ports. I will test it over the coming days. I will start with the VNC ports because I don’t use that.
update: It works! I forwarded external port 5900 to 8096 (my server) on my router at home. I can connect at work finally. Can ditch VPS with OpenVPN Access Server. This is awesome!
I had a power outage at home, and my server rebooted. On reboot, the wg-quick@wg0 service failed.
I tried to restart the service with: yunohost service restart wg-quick@wg0 but it failed.
May 14 20:57:37 wg-quick[954]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; route add -net 127.0.0.1/32 gw 10.10.10.0; ping -c1 10.10.10.0
May 14 20:57:44 wg-quick[954]: /usr/bin/wg-quick: line 295: route: command not found
May 14 20:57:44 wg-quick[954]: [#] ip link delete dev wg0
May 14 20:57:47 systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=127/n/a
Then I tried to reboot it. It didn’t come up again on reboot. I installed ‘net-tools’ to get rid of that route message. Now it has another message in the log.
May 14 21:05:57 wg-quick[3399]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; route add -net 127.0.0.1/32 gw 10.10.10.0; ping -c1 10.10.10.0
May 14 21:05:57 wg-quick[3399]: SIOCADDRT: Invalid argument
May 14 21:05:57 wg-quick[3399]: [#] ip link delete dev wg0
May 14 21:05:57 systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=7/NOTRUNNING
May 14 21:05:57 systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
May 14 21:05:57 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
Any ideas on how I can get wg-quick@wg0 service to restart automatically on reboot? Anybody have this happen to them?
Sorry for not following up, I am not quite available around these days and I got only a phone to help out. I can merely direct you to try to find out why there is no Linux headers package for your kernel version. That’s what blocking your WireGuard installation.
no worries; it is summer and everything moves slower. Like it should
and yes, of course you are right: in the meantime I found that my hoster offers a VPS with a modified (hardened) kernel and the stock one. I should have taken the stock one… Will try this again later and let you know!
Anybody able to give me some troubleshooting pointers.
Yunohost server with Wireguard works works perfectly with my phone, and another laptop client. My phone/laptop can connect to the internet, and ping clients on the wg0 interface.
I have a Debian 10 server at another location connected to the Yunohost wireguard server. It can ping all clients on wg0 interface, but can’t access the internet (ping google.com times out). This is behind two routers. I can move it just behind one router though. I shall try that tomorrow, not sure why I didn’t try that hmm.
This is not a critical problem, but since it can’t access the internet, I can’t do Debian security updates over wireguard. I have to physically go to that other computer and pull down network, do updates, then pull it up again.
If anybody has any suggestions of what could be the problem, I’m open to suggestions. Thank you!
I propose to have a debug session during the weekend on IRC/Matrix and report here if we find a solution. Is that OK for you?