It’s actually for both client and server.
- Can you check that again after a sudo wg-quick down wg0 and sudo wg-quick up wg0?
You can remove it with yunohost service remove wireguard
The service is removed, thanks!
I did wg-quick down and up, and still no handshake.
And now, I have the port 8095 that is declared closed in the diagnostics (it is redirected by my box in TCP/UDP, but only opened in UDP in the YunoHost firewall).
Can you explain what I need to do on my server and/or in my phone about the wg0.conf file?
Most complete docs I’ve found for Wireguard so far.
I am reading these docs to figure out more about how to use Wireguard.
Question about troubleshooting Wireguard server to peer behind a router.
Wireguard is setup on my Yunohost with public facing IP. It can connect to my phone with Wireguard on mobile data. So it works! I can use the internet. I can ping websites. I have my Yunohost IP address on my wireguard peer. Hurray.
Now, I’m trying to get my phone/laptop to work via Wireguard and connect to my Yunohost wireguard server from behind my works router. It connects, but I have no connectivity.
$ sudo wg-quick up wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
admin:/etc/wireguard$ ping google.com
PING google.com (216.58.200.46) 56(84) bytes of data.
^C
--- google.com ping statistics ---
15 packets transmitted, 0 received, 100% packet loss, time 14332ms
I have read that, to test connections between computers, if netcat works then WireGuard should work.
From my laptop at work:
$ nc -v -u -p 51820 49.159.85.76 51820
Connection to 49.159.85.76 51820 port [udp/*] succeeded!
^C
$ nc -v -u -p 8096 49.159.85.76 8096
Connection to 49.159.85.76 8096 port [udp/*] succeeded!
GOAL: Primarily I’m trying to get Wireguard to work because I’m trying to use my XMPP chat at work without constantly switching between Wifi and mobile data on my phone.
I have the same thing; I think this is a bug in YunoHost’s diagnosis. It tests both UDP and TCP, and reports an error if at least one is closed… even if the service wants only UDP.
I feel it will be a spammy subject. I propose to have a debug session during the weekend on IRC/Matrix and report here if we find a solution. Is that OK for you?
I am no wizard, but let’s try (and it may be a similar issue as Mamie’s). Are you sure you are getting a handshake after connecting on your laptop? (check with sudo wg)
Thanks for your efforts.
So I initiated connection: sudo wg-quick up wg0
Then I tried
$ sudo wg
interface: wg0
public key: [public key here]
private key: (hidden)
listening port: 55924
fwmark: 0xca6c
peer: [peer number here]
preshared key: (hidden)
endpoint: [my yunohost ip]:8096
allowed ips: 0.0.0.0/0
transfer: 0 B received, 4.19 KiB sent
persistent keepalive: every 15 seconds
So it looks like you are correct. There is no handshake. I can’t access web pages.
Small note, I am behind my own personal little router at work. I use it as a hotspot. I forwarded 8096 through it though.
Troubleshooting:
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
but says operation not permitted. Hmm… I’m trying to get this to work because it seems the only way to debug Wireguard.
So my idea, I make Wireguard listen on port 22, or is there another way to test ports that may be open on my school’s firewall? or do you have other suggestions of ports that may be open?
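The sudo wg output above shows the classic "no handshake" signature: bytes sent, 0 B received, latest handshake absent. As an added example (not from the thread or from YunoHost), here is a small POSIX sh/awk helper that classifies peers from the machine-readable wg show wg0 dump format; the dump text, keys and endpoints are constructed placeholders, and the 180 s threshold is an assumption based on WireGuard's roughly two-minute rekey interval.

```sh
#!/bin/sh
# Classify WireGuard peers from `wg show wg0 dump` output.
# Peer line fields: pubkey psk endpoint allowed-ips latest-handshake(epoch) rx tx keepalive
# First line is the interface itself: privkey pubkey listen-port fwmark
WG_STALE_AFTER=180   # assumption: no handshake for >3 min means no live session

# Constructed sample dump (placeholder keys, documentation-range endpoints).
SAMPLE_DUMP='SERVER_PRIV_PLACEHOLDER= SERVER_PUB_PLACEHOLDER= 55924 0xca6c
PEER_A_PUB_PLACEHOLDER= (none) 192.0.2.10:8096 0.0.0.0/0 0 0 4290 15
PEER_B_PUB_PLACEHOLDER= (none) 198.51.100.7:51820 10.10.10.0/24 1620000000 1024 2048 25'

# wg_peer_report NOW_EPOCH < dump
# Prints one line per peer: STATUS pubkey endpoint
#   NO_HANDSHAKE  never completed a handshake
#   STALE         last handshake older than WG_STALE_AFTER
#   *_ONE_WAY     we have sent bytes but received none: UDP to the endpoint
#                 is very likely being dropped (filtered port, wrong forward)
wg_peer_report() {
    awk -v now="$1" -v limit="$WG_STALE_AFTER" '
        NR == 1 { next }                       # skip the interface line
        {
            pub = $1; endpoint = $3; hs = $5; rx = $6; tx = $7
            if (hs == 0)                 status = "NO_HANDSHAKE"
            else if (now - hs > limit)   status = "STALE"
            else                         status = "OK"
            if (status != "OK" && tx > 0 && rx == 0)
                status = status "_ONE_WAY"
            print status, pub, endpoint
        }'
}

# wg_peer_status NOW_EPOCH PUBKEY < dump -> prints just the status word for one peer
wg_peer_status() {
    wg_peer_report "$1" | awk -v k="$2" '$2 == k { print $1 }'
}

# Live usage on a real host would be:  sudo wg show wg0 dump | wg_peer_report "$(date +%s)"
printf '%s\n' "$SAMPLE_DUMP" | wg_peer_report 1620000060
```

A peer reported as NO_HANDSHAKE_ONE_WAY is exactly the situation in the thread: the client keeps sending initiation packets, but nothing comes back, so the next thing to check is whether UDP to that endpoint port actually reaches the server.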
I used nmap to look for open ports from behind the restrictive work firewall.
$ sudo nmap -p 1-9000 [domainname]
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-21 12:26 CST
Nmap scan report for [IP address]
Host is up (0.017s latency).
rDNS record for [IP ADDRESS]
Not shown: 8977 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp closed pop3
113/tcp closed ident
123/tcp closed ntp
143/tcp closed imap
443/tcp open https
465/tcp closed smtps
993/tcp open imaps
995/tcp closed pop3s
1935/tcp closed rtmp
2083/tcp closed radsec
3389/tcp closed ms-wbt-server
5800/tcp closed vnc-http
5900/tcp closed vnc
8008/tcp open http
8010/tcp open xmpp
8020/tcp open intu-ec-svcdisc
8090/tcp closed opsmessaging
So it looks like I can use one of these ports. I will test it over the coming days. I will start with the VNC ports because I don’t use that.
update: It works! I forwarded external port 5900 to 8096 (my server) on my router at home. I can connect at work finally. Can ditch VPS with OpenVPN Access Server. This is awesome!
I had a power outage at home, and my server rebooted. On reboot, the wg-quick@wg0 service failed.
May 14 20:57:37 wg-quick[954]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; route add -net 127.0.0.1/32 gw 10.10.10.0; ping -c1 10.10.10.0
May 14 20:57:44 wg-quick[954]: /usr/bin/wg-quick: line 295: route: command not found
May 14 20:57:44 wg-quick[954]: [#] ip link delete dev wg0
May 14 20:57:47 systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=127/n/a
May 14 21:05:57 wg-quick[3399]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; route add -net 127.0.0.1/32 gw 10.10.10.0; ping -c1 10.10.10.0
May 14 21:05:57 wg-quick[3399]: SIOCADDRT: Invalid argument
May 14 21:05:57 wg-quick[3399]: [#] ip link delete dev wg0
May 14 21:05:57 systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=7/NOTRUNNING
May 14 21:05:57 systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
May 14 21:05:57 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
Any ideas on how I can get wg-quick@wg0 service to restart automatically on reboot? Anybody have this happen to them?
The last PostUp command in your WireGuard UI is wrong.
; route add -net 127.0.0.1/32 gw 10.10.10.0; ping -c1 10.10.10.0
should be
; ip route add -net 127.0.0.1/32 gw 10.10.10.0; ping -c1 10.10.10.0
Change it, and do not forget to “Apply changes” at the top right of the UI.
Great. I did that but still have an issue.
May 15 12:20:36 wg-quick[10482]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip route add -net 127.0.0.1/32 gw 10.10.10.0; ping -c1 10.10.10.0
May 15 12:20:36 wg-quick[10482]: Error: any valid prefix is expected rather than "-net".
Trying to remove the -net but it didn’t like it either.
May 15 12:24:05 wg-quick[10764]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip route add 127.0.0.1/32 gw 10.10.10.0; ping -c1 10.10.10.0
May 15 12:24:05 wg-quick[10764]: Error: either "to" is duplicate, or "gw" is a garbage.
So after some googling, it seems that I need to write ‘via’ instead of ‘gw’.
ip route add 127.0.0.1/32 via 10.10.10.0; ping -c1 10.10.10.0
The service restarted without any error. I can connect and it all works again. Thanks again!
NOTE:
In my Post Down I have this:
route del -net 127.0.0.1/32 gw 10.10.10.0
It doesn’t give me any error messages but I’m wondering if I should change it to:
route del 127.0.0.1/32 via 10.10.10.0
I’ll leave it for now…
I am sorry I did not realize what you wrote…
ip route add -net 127.0.0.1/32 gw 10.10.10.0
This is very wrong. You are telling all your devices that their localhost has to go through your VPN server. It will not work. (cf. this post)
What is your system architecture? RPi?
No, Debian VPS.
Sorry; I was in a rush and should’ve provided (way) more context. I hope this helps:
/ (on device /dev/xvda1) still has 18 GiB (90%) space left (out of 20 GiB)!
Ports:
ps. also things do not look well here: Jobs for app wireguard
Hi
Wouldn’t you miss some file descendants on your fresh container install?
maybe a link to orient you!
https://archlinux.org/packages/core/x86_64/linux-lts/
nb: look at dependencies
I am not sure I follow you. I have a debian VPS, not Arch.
Also, isn’t YNH kinda meant to take care of dependencies…?
Sorry for not following up, I am not quite available around these days and I got only a phone to help out. I can merely direct you to try to find out why there is no Linux headers package for your kernel version. That’s what blocking your WireGuard installation.
no worries; it is summer and everything moves slower. Like it should
and yes, of course you are right: in the meantime I found that my hoster offers a VPS with a modified (hardened) kernel and the stock one. I should have taken the stock one… Will try this again later and let you know!
Anybody able to give me some troubleshooting pointers.
Yunohost server with Wireguard works perfectly with my phone, and another laptop client. My phone/laptop can connect to the internet, and ping clients on the wg0 interface.
I have a Debian 10 server at another location connected to the Yunohost wireguard server. It can ping all clients on wg0 interface, but can’t access the internet (ping google.com times out). This is behind two routers. I can move it just behind one router though. I shall try that tomorrow, not sure why I didn’t try that hmm.
This is not a critical problem, but since it can’t access the internet, I can’t do Debian security updates over wireguard. I have to physically go to that other computer and pull down network, do updates, then pull it up again.
If anybody has any suggestions of what could be the problem, I’m open to suggestions. Thank you!
What does ip route get 1.1.1.1 give you?
On the offsite machine that’s having problems here are those commands:
$ sudo ip route get 1.1.1.1
1.1.1.1 dev wg0 table 51820 src 10.10.10.6 uid 0
cache
$ ip route
default via 192.168.11.1 dev enp4s0
192.168.11.0/24 dev enp4s0 proto kernel scope link src 192.168.11.10