[WireGuard] Virtual Private Network

It seems correct. :confused: Have you

What are the outputs of

  • sudo wg (remove any sensitive information before copy-pasting).
  • traceroute 1.1.1.1
  • traceroute 2606:4700:4700::1111

Can you ping the IP address of your server endpoint?

$ sudo wg
interface: wg0
  public key: KEY HERE
  private key: (hidden)
  listening port: 55249
  fwmark: 0xca6c

peer: PEER CODE
  preshared key: (hidden)
  endpoint: ENDPOINTADDRESS:8096
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 15 seconds ago
  transfer: 487.80 MiB received, 16.25 MiB sent
  persistent keepalive: every 15 seconds
$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  10.10.10.0 (10.10.10.0)  31.592 ms  31.470 ms  31.591 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
$ traceroute 2606:4700:4700::1111
traceroute to 2606:4700:4700::1111 (2606:4700:4700::1111), 30 hops max, 80 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
$ ping 10.10.10.0 -c 5
PING 10.10.10.0 (10.10.10.0) 56(84) bytes of data.
64 bytes from 10.10.10.0: icmp_seq=1 ttl=64 time=28.0 ms
64 bytes from 10.10.10.0: icmp_seq=2 ttl=64 time=31.3 ms
64 bytes from 10.10.10.0: icmp_seq=3 ttl=64 time=27.0 ms
64 bytes from 10.10.10.0: icmp_seq=4 ttl=64 time=29.5 ms
64 bytes from 10.10.10.0: icmp_seq=5 ttl=64 time=26.5 ms

--- 10.10.10.0 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 26.548/28.476/31.321/1.755 ms

note: 10.10.10.0 is my Yunohost server.

Things I need to try:

  • change server to plug into first router?
  • maybe some weird filtering or stuff on the routers? I can’t mess around with those. This server is at my wife’s workplace.

It’s a perplexing problem because every night over Wireguard I run a restic backup. So the link works over Wireguard, but it can’t connect to the internet. I’m a bit stumped.

Hi,
is there a way to run the wireguard server on a commonly open port like 443?
I want to be able to reach the VPN from Open Wifi Hotspots.

You could run it on another port like 53, or on other ports that are probably not blocked (22, 123, etc.).

In your router, open port 53 and forward it to your Wireguard port.

I have 8096 for my Wireguard port. I have opened multiple other ports (53, 5900) on my router and have them forward to 8096 on my network.

This helps me get around blocking on my school network.

I just got Wireguard running, so I have no answer but more questions:

  1. Does a ping to the other hosts on your LAN work, from the workplace server?
  2. The IP of your Yunohost seems a bit peculiar, usually IP x.y.z.0 is the network address, not the address of a host.
  3. Where is the backup sent, to Yunohost on 10.10.10.0 or another machine/IP on the LAN?
  4. You already stated that other devices don’t have problems connecting to the Internet via your Yunohost’s Wireguard. Did you configure them via the QR-code, or manually? How about the workplace server?

That one is peculiar indeed, but correct. .0 is the server.

Yunohost (A) , workplace server (B)

  1. B can ping A on Wireguard.
  2. A does have an externally accessible IP. I’m just using B as a restic backup server. Using Wireguard for this saves me the trouble of securing B using an SSL certificate and users on the restic-server.
  3. I send a restic backup from A to B (10.10.10.6). A is on my home network. B is on the workplace network at another location.
  4. I configured them with the QR code. B is Debian, so I can’t use the QR code. I copied and pasted the info from the Yunohost Wireguard setup. I guess I could double check that it is 100% correct.

For now I might have to make a workaround cron script that runs once a month:
sudo wg-quick down wg0
sudo apt update && sudo apt upgrade -y
sudo wg-quick up wg0

Basically the only reason I care that internet doesn’t work on B is so I can do Debian updates.

Yes, this problem is still perplexing me. I wish Wireguard had more debugging tools built in so you could at least get a hint at what the problem could be. Anyway, I have made my peace with this problem for now and am just trying to work around it.

Me too!

And ‘another machine in the LAN (C)’? I’m trying to match your problem with mine while setting things up, even though yours already is in a working state for mobile devices and I haven’t tested mine in that respect yet.

Stating the obvious, when you ping A at 10.10.10.0 from B, it is only traffic within the VPN. Because mobile clients have no problems, I expect ip_forwarding to work, did you check?

Could it be that the connection works for IPv4, but that B only uses IPv6 for internet?
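The checks asked for at the top of the thread (handshake state, whether 1.1.1.1 actually leaves via wg0) and the ip_forwarding question just above, collected into one script. This is an added example, not something posted in the thread or shipped by the wireguard_ynh package. It assumes the interface wg0, the fwmark 0xca6c / routing table 51820 that wg-quick creates for AllowedIPs = 0.0.0.0/0 (the fwmark is visible in the `sudo wg` output above), and enp4s0 as the default WAN interface name; the sample inputs at the top are constructed to look like a working setup so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or the wireguard_ynh package): the checks
# for a full-tunnel client that handshakes and reaches the far LAN but has no
# Internet. Parsing functions take command output as text, so they run offline;
# `sh wg-diag.sh --live [WAN_IF]` runs them on the real machine (root needed).
# Assumptions: interface wg0, fwmark 0xca6c / table 51820 as wg-quick sets up
# for AllowedIPs = 0.0.0.0/0, and enp4s0 as the default WAN interface name.

# Constructed sample inputs: what a working wg-quick full tunnel looks like.
SAMPLE_WG_LINE='latest handshake: 15 seconds ago'
SAMPLE_IP_RULE='0:      from all lookup local
32765:  from all lookup main suppress_prefixlength 0
32766:  not from all fwmark 0xca6c lookup 51820
32767:  from all lookup default'
SAMPLE_TABLE_51820='default dev wg0 scope link'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o enp4s0 -j MASQUERADE'

# Seconds since the last handshake from a `wg show` line such as
# "latest handshake: 1 minute, 30 seconds ago"; -1 when the peer never handshook.
handshake_age_seconds() {
    case $1 in
        *handshake*) ;;
        *) printf '%s\n' -1; return 0 ;;
    esac
    printf '%s\n' "$1" | awk '{
        total = 0
        for (i = 1; i < NF; i++) {
            n = $i; sub(/,$/, "", n)
            if (n !~ /^[0-9]+$/) continue
            unit = $(i + 1); sub(/,$/, "", unit)
            if (unit ~ /^day/)         total += n * 86400
            else if (unit ~ /^hour/)   total += n * 3600
            else if (unit ~ /^minute/) total += n * 60
            else if (unit ~ /^second/) total += n
        }
        print total
    }'
}

# WireGuard session keys expire 180 s after the handshake that produced them,
# so an older timestamp means the tunnel is not carrying traffic right now.
handshake_is_stale() {
    age=$(handshake_age_seconds "$1")
    [ "$age" -lt 0 ] || [ "$age" -gt 180 ]
}

# wg-quick implements AllowedIPs = 0.0.0.0/0 with policy routing: table 51820
# has wg0 as its default route, a rule sends everything *not* marked 0xca6c (the
# encrypted UDP itself) into that table, and "suppress_prefixlength 0" keeps the
# LAN's own routes winning. Inputs: `ip rule` and `ip route show table 51820`.
full_tunnel_routing_ok() {
    printf '%s\n' "$1" | grep -q 'not from all fwmark 0xca6c lookup 51820' &&
    printf '%s\n' "$1" | grep -q 'lookup main suppress_prefixlength 0' &&
    printf '%s\n' "$2" | grep -q '^default dev wg0'
}

# Server side: forwarding on and a MASQUERADE rule leaving via the WAN interface.
# Inputs: /proc/sys/net/ipv4/ip_forward, `iptables -t nat -S POSTROUTING`, WAN name.
server_nat_ok() {
    [ "$1" = 1 ] &&
    printf '%s\n' "$2" | grep -qE -- "^-A POSTROUTING .*-o $3 .*-j MASQUERADE"
}

wg_client_diag() {
    wan=${1:-enp4s0}
    line=$(wg show wg0 | grep 'latest handshake' | head -n 1)
    if handshake_is_stale "$line"; then echo "FAIL handshake: ${line:-none}"; else echo "ok   $line"; fi
    if full_tunnel_routing_ok "$(ip rule)" "$(ip route show table 51820)"; then
        echo "ok   wg-quick policy routing present"
    else
        echo "FAIL policy routing: check 'ip rule' and 'ip route show table 51820'"
    fi
    if ip route get 1.1.1.1 | grep -q 'dev wg0'; then echo "ok   1.1.1.1 via wg0"; else echo "FAIL 1.1.1.1 not via wg0"; fi
    # 1420 (wg0 MTU) - 20 (IP) - 8 (ICMP) = 1392 bytes must pass unfragmented.
    if ping -c 1 -M do -s 1392 1.1.1.1 >/dev/null 2>&1; then echo "ok   MTU"; else echo "FAIL MTU/PMTU: lower MTU in wg0.conf"; fi
    # Meaningful on the server: "info" on a client, a real failure on the server.
    if server_nat_ok "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S POSTROUTING 2>/dev/null)" "$wan"; then
        echo "ok   ip_forward=1 and MASQUERADE via $wan"
    else
        echo "info no forwarding+MASQUERADE via $wan (required on the server)"
    fi
}

if [ "${1:-}" = "--live" ]; then wg_client_diag "$2"; fi
```

Run it on B as `sudo sh wg-diag.sh --live enp4s0` and on A with the server's WAN interface name; the routing and MTU checks are the ones that distinguish "the tunnel is up" (what `sudo wg` shows) from "the tunnel is the default route and packets of full size get through", which is the gap between the working restic backup and the failing apt.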

You may be onto something. Something might be weird with IPv6, but it is also some sort of DNS/IP resolution problem.

  • B can ping A on Wireguard and can ping hosts on the LAN 192.168.11.x
  • B cannot ping an ip6 address like ip6.yunohost.org, times out.
  • I do have an IP6 address:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 50:af:73:22:79:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.101/24 brd 192.168.1.255 scope global dynamic enp4s0
       valid_lft 77536sec preferred_lft 77536sec
    inet6 fe80::52af:73ff:fe22:7991/64 scope link 
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.10.10.6/32 scope global wg0
       valid_lft forever preferred_lft forever
$ sudo apt update
Err:1 http://deb.debian.org/debian buster InRelease                                                                       
  Could not connect to debian.map.fastlydns.net:80 (151.101.42.132), connection timed out Could not connect to debian.map.fastlydns.net:80 (2a04:4e42:a::644), connection timed out Unable to connect to deb.debian.org:http:
Err:2 http://deb.debian.org/debian buster-updates InRelease                                                               
  Unable to connect to deb.debian.org:http:
Err:3 http://deb.debian.org/debian buster-backports InRelease                           
  Unable to connect to deb.debian.org:http:
Err:4 http://security.debian.org/debian-security buster/updates InRelease               
  Could not connect to debian.map.fastlydns.net:80 (151.101.42.132), connection timed out Could not connect to debian.map.fastlydns.net:80 (2a04:4e42:a::644), connection timed out

  • wg0.conf: I added ::/0 to AllowedIPs since I figured it couldn’t hurt. No change.

  • I plugged server B into the first router at work. It didn’t work for 7-8 hours, but I checked today and magically it connected and is still working. Wireguard is mysterious at times.

IP6 has nothing to do with my problem

  • I disabled ip6. No change.

  • My Wireguard A (yunohost) seems to be able to resolve IPs for B according to nslookup and dig.

$ nslookup yunohost.org
Server:		10.10.10.0
Address:	10.10.10.0#53

Non-authoritative answer:
Name:	yunohost.org
Address: 80.67.172.144
Name:	yunohost.org
Address: 2001:910:1410::1
$ dig google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54172
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		186	IN	A	142.250.191.78

;; Query time: 159 msec
;; SERVER: 10.10.10.0#53(10.10.10.0)
;; WHEN: Mon Nov 01 15:12:50 CST 2021
;; MSG SIZE  rcvd: 55

So, again I’m stumped for now.

SOLUTION:
Reinstall Debian 11 on computer B. I think long ago, when I tried to mess around with network manager, nmtui, and setting up Wi-Fi networking, I must’ve messed something up.

I reinstalled last night and it works flawlessly now.


Hello all!

A new version of WireGuard’s package is available for testing:

  • :arrow_heading_up: Upgrade WireGuard UI to 0.3.2. (thanks @ericg !)
    • All its new features (namely the Status page) are not fully functional, but base function (configuration of interface and clients) are working.
  • Some improvements have been made in the installation script: automatic Internet interface detection and setup of the Internet sharing through the network.
    • Sorry current users, that’s not available in the upgrade script for compatibility reasons.
  • Installation of the Linux kernel headers has been greatly improved. It should go smoothly now, whatever your hardware (RPi, VM, etc.)
  • Services have been slightly tweaked, and your YunoHost admin panel should now display if your VPN interface is up or not in the wg-quick@wg0 service.

To try it out:

yunohost app install https://github.com/YunoHost-Apps/wireguard_ynh/tree/testing --force
or upgrade with yunohost app upgrade wireguard -u https://github.com/YunoHost-Apps/wireguard_ynh/tree/testing

Testing and feedback are most welcome, if you feel adventurous, so that the upgrade can benefit all. :slight_smile:


Testing phase done, time for new release !

Package version 0.3.2~ynh1, 2021-12-30 (PR 45):

  • :arrow_heading_up: Upgrade WireGuard UI to 0.3.2. (thanks again @ericg !)
  • :globe_with_meridians: Automatic Internet interface detection and setup of the Internet sharing through the network, no need to set up the Post Up and Post Down scripts nor to enable port forwarding within your server.
    • Sorry current users, that’s not available in the upgrade script for compatibility reasons.
  • :nut_and_bolt: Installation of the Linux kernel headers has been greatly improved. It should go smoothly now, whatever your hardware (RPi, VM, etc.)
  • :broom: :green_circle: Services have been slightly tweaked, and your YunoHost admin panel should now display if your VPN interface is up or not in the wg-quick@wg0 service.

Upgrading from 0.2.7~ynh6 to 0.3.2~ynh1 failed for me.

Warning: Unknown service 'wireguard_ui_conf'
Warning: [Error] Upgrade failed.
Warning: Failed to stop wireguard_ui_conf.path: Unit wireguard_ui_conf.path not loaded.
Warning: Failed to disable unit: Unit file wireguard_ui_conf.path does not exist.
Warning: 13741 Packagers: ynh_add_app_dependencies is deprecated and is now only an alias to ynh_install_app_dependencies
Warning: The app was restored to the way it was before the failed upgrade.
Error: Could not upgrade wireguard: An error occurred inside the app upgrade script

https://paste.yunohost.org/raw/amudebohel

Thanks! That’s fixed now. :slight_smile:

Package version 0.3.2~ynh2, 2022-01-01 (PR 48):

  • Hotfix for minor bug in service integration removal

Hi!

I installed it to have a look, but as others have reported I have no Internet access and I don’t understand why.

I installed the app, opened port 8095 on my router, uncommented the right lines in /etc/sysctl.conf and ran the postup and postdown scripts in a terminal. Is there anything else I need to do?

Is that the port listed in the UI, to be sure?

As of two days ago it is no longer necessary, but anyhow, have you reloaded the sysctl config afterwards?

This was never expected to be done by the user. These commands are to be fed to WireGuard UI, they are automatically run when the VPN interface is started. As of two days ago, they should automatically be populated.


  1. Can you confirm that the server has been rebooted after installation of the app?
  2. Can you confirm that the service wg-quick@wg0 is up and running?
  3. What is the output of the command sudo wg?
  4. What is the output of the command sudo ip a?

Oops, I should have paid a bit more attention :face_with_monocle:
Yes, I did reload sysctl. Should I comment the lines back out?

  1. I did reboot the server.

  2. I don’t see a wg-quick@wg0 service, but a wireguard@wg0 service, which is indeed running.

  3. sudo wg:

interface: wg0
  public key: /XXX
  private key: (hidden)
  listening port: 8095

peer: XXX
  preshared key: (hidden)
  allowed ips: 10.10.10.1/32, fd42::/32

  4. sudo ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether X:X:X:b8:e0:b6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
       valid_lft 80626sec preferred_lft 69826sec
    inet6 X:X:X:c200:b63:f338:c7e3:9cdc/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 597sec preferred_lft 597sec
    inet6 X:X:X:991e:1b00:a9e3/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether X:X:X:ed:b5:e3 brd ff:ff:ff:ff:ff:ff
4: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.10.10.0/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd42::/112 scope global
       valid_lft forever preferred_lft forever

Thanks for your help :+1:

At first sight it’s a port-forwarding problem:

But it makes no sense, because on the router side everything looks OK to me:

The router’s firewall is disabled.

On the server side, everything is open:

I’m missing something…

Since installing Wireguard v0.3.2~ynh2, my Wireguard doesn’t seem to function. I can’t get a handshake.

Should I have two services for Wireguard? (I have wireguard_ui too but that doesn’t seem like a duplication)

$ sudo yunohost service status

wg-quick@wg0: 
  configuration: unknown
  description: WireGuard VPN
  last_state_change: 2022-01-02 20:50:52
  start_on_boot: enabled
  status: running
wireguard@wg0: 
  configuration: unknown
  description: WireGuard VPN
  last_state_change: 2022-01-02 20:50:52
  start_on_boot: enabled
  status: running
$ sudo yunohost service log wireguard@wg0
journalctl: 
  - -- Logs begin at Sat 2021-12-18 16:51:12 CST, end at Tue 2022-01-04 20:30:31 CST. --
  - Jan 02 20:50:51 systemd[1]: Starting WireGuard on wg0...
  - Jan 02 20:50:52 systemd[1]: Started WireGuard on wg0.
$ sudo yunohost service log wg-quick@wg0
journalctl: 
  - -- Logs begin at Sat 2021-12-18 16:51:12 CST, end at Tue 2022-01-04 20:30:45 CST. --
  - Jan 02 20:50:51 systemd[1]: Stopping WireGuard via wg-quick(8) for wg0...
  - Jan 02 20:50:51 wg-quick[2672]: [#] ip link delete dev wg0
  - Jan 02 20:50:52 wg-quick[2672]: [#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE
  - Jan 02 20:50:52 wg-quick[2672]: iptables: Bad rule (does a matching rule exist in that chain?).
  - Jan 02 20:50:52 systemd[1]: wg-quick@wg0.service: Control process exited, code=exited, status=1/FAILURE
  - Jan 02 20:50:52 systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
  - Jan 02 20:50:52 systemd[1]: Stopped WireGuard via wg-quick(8) for wg0.
  - Jan 02 20:50:52 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
  - Jan 02 20:50:52 wg-quick[2748]: [#] ip link add wg0 type wireguard
  - Jan 02 20:50:52 wg-quick[2748]: [#] wg setconf wg0 /dev/fd/63
  - Jan 02 20:50:52 wg-quick[2748]: [#] ip -4 address add 10.10.10.0/24 dev wg0
  - Jan 02 20:50:52 wg-quick[2748]: [#] ip link set mtu 1450 up dev wg0
  - Jan 02 20:50:52 wg-quick[2748]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
  - Jan 02 20:50:52 systemd[1]: Started WireGuard via wg-quick(8) for wg0.
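The PostUp/PostDown lines in the journal above append three rules on the way up and delete them on the way down; `iptables -D` on a rule that is no longer there exits non-zero, which is the `iptables: Bad rule` line that leaves wg-quick@wg0 marked as failed. Those same rules also forward anything in or out of wg0 and masquerade everything that leaves via enp4s0, not just the tunnel. The script below is an added example, not the package’s own PostUp/PostDown and not code from this thread: it does the same job idempotently (checks with `-C` before adding or deleting) and narrows the rules to the tunnel subnet. It assumes enp4s0 and 10.10.10.0/24 from this thread, and an `IPT` variable that names the iptables binary so the logic can be tested without touching the host firewall.

```shell
#!/bin/sh
# Added example, not the wireguard_ynh package's own PostUp/PostDown: the same
# forwarding + MASQUERADE rules as in the journal above, made idempotent so that
# PostDown cannot fail with "iptables: Bad rule" when a rule is already gone, and
# narrowed to the tunnel subnet so the server does not NAT anything else it forwards.
# Assumptions: WAN interface enp4s0, tunnel subnet 10.10.10.0/24 (both from the
# thread); IPT selects the iptables binary and is overridden for offline testing.
# Install as /usr/local/sbin/wg0-fw.sh and reference it from wg0.conf:
#   PostUp   = /usr/local/sbin/wg0-fw.sh up
#   PostDown = /usr/local/sbin/wg0-fw.sh down

: "${IPT:=iptables}"
: "${WAN_IF:=enp4s0}"
: "${VPN_NET:=10.10.10.0/24}"

# ensure_rule TABLE CHAIN RULE...: append RULE unless an identical one exists (-C).
ensure_rule() {
    t=$1; c=$2; shift 2
    "$IPT" -t "$t" -C "$c" "$@" 2>/dev/null || "$IPT" -t "$t" -A "$c" "$@"
}

# remove_rule TABLE CHAIN RULE...: delete RULE if present; absence is not an error.
remove_rule() {
    t=$1; c=$2; shift 2
    if "$IPT" -t "$t" -C "$c" "$@" 2>/dev/null; then
        "$IPT" -t "$t" -D "$c" "$@"
    fi
}

# Forwarding must be on for any of this to matter; warn rather than fail, since
# the sysctl belongs in /etc/sysctl.d/ and not in a PostUp hook.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = 1 ]
}

# Forward tunnel traffic out, only replies back in, and NAT only the tunnel subnet.
wg_post_up() {
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0" >&2
    ensure_rule filter FORWARD -i wg0 -s "$VPN_NET" -j ACCEPT
    ensure_rule filter FORWARD -o wg0 -d "$VPN_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

wg_post_down() {
    remove_rule filter FORWARD -i wg0 -s "$VPN_NET" -j ACCEPT
    remove_rule filter FORWARD -o wg0 -d "$VPN_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    remove_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

case ${1:-} in
    up)   wg_post_up ;;
    down) wg_post_down ;;
esac
```

Two consequences of the narrowing: hosts on the server’s LAN can no longer open connections to VPN clients (only replies are let back into wg0), so add an explicit FORWARD rule if that is wanted; and only IPv4 is covered, so a tunnel that also carries fd42::/112 needs the same three rules mirrored with ip6tables and net.ipv6.conf.all.forwarding.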

In the previous version, I was not able to get handshakes.
With this one, I did zero configuration and I can connect :tada:

(I did not upgrade, I uninstalled Wireguard weeks ago and did a new install)
