Ok, just popping in here with positive information for the developers of this app and others…
I recently had problems with my server (dnsmasq, wireguard, pihole) and did a full reinstall.
I installed wireguard on a clean system and it works marvelously. There must’ve been some weird stuff with how those programs all reacted with each other - especially Pihole!
New install fixed the last problems I had with wireguard in the past:
My offsite WireGuard machine couldn’t use the internet before - NOW FIXED!
Recently, before my system had major problems, I couldn’t get WireGuard working - NOW FIXED!
So lots of praise to the wireguard team. The latest updates really make wireguard a breeze to install and use immediately. I didn’t even install the Wireguard headers before the install. The installer handled it well.
We will depend on the upstream WireGuard UI app for that, which does not have this feature. If you want to do it manually, check WireGuard’s documentation (I’m not sure it’s possible, actually). I have enough problems with the current feature, I cannot help you further, sorry.
On my phone client, delete and re-scan the WireGuard profile.
Restart the wg-quick@wg0 service.
sudo journalctl -u wg-quick@wg0 | tail -n 50
-- Logs begin at Tue 2022-03-15 18:11:35 CST, end at Tue 2022-03-15 18:26:26 CST. --
Mar 15 18:11:47 arkadi.one systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 15 18:11:48 arkadi.one wg-quick[725]: [#] ip link add wg0 type wireguard
Mar 15 18:11:48 arkadi.one wg-quick[725]: [#] wg setconf wg0 /dev/fd/63
Mar 15 18:11:49 arkadi.one wg-quick[725]: Warning: AllowedIP has nonzero host part: fd42::1/32
Mar 15 18:11:49 arkadi.one wg-quick[725]: Warning: AllowedIP has nonzero host part: fd42::2/32
Mar 15 18:11:49 arkadi.one wg-quick[725]: Warning: AllowedIP has nonzero host part: fd42::3/32
Mar 15 18:11:49 arkadi.one wg-quick[725]: Warning: AllowedIP has nonzero host part: fd42::4/32
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] ip -4 address add 10.10.10.0/24 dev wg0
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] ip -6 address add fd42::/112 dev wg0
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] ip link set mtu 1450 up dev wg0
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] ip -6 route add fd42::/32 dev wg0
Mar 15 18:11:49 arkadi.one wg-quick[725]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip link set multicast on dev wg0
Mar 15 18:11:52 arkadi.one systemd[1]: Started WireGuard via wg-quick(8) for wg0.
Mar 15 18:17:43 arkadi.one systemd[1]: Stopping WireGuard via wg-quick(8) for wg0...
Mar 15 18:17:43 arkadi.one wg-quick[2548]: [#] ip link delete dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2548]: [#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE
Mar 15 18:17:43 arkadi.one wg-quick[2548]: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 15 18:17:43 arkadi.one systemd[1]: wg-quick@wg0.service: Control process exited, code=exited, status=1/FAILURE
Mar 15 18:17:43 arkadi.one systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Mar 15 18:17:43 arkadi.one systemd[1]: Stopped WireGuard via wg-quick(8) for wg0.
Mar 15 18:17:43 arkadi.one systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip link add wg0 type wireguard
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] wg setconf wg0 /dev/fd/63
Mar 15 18:17:43 arkadi.one wg-quick[2565]: Warning: AllowedIP has nonzero host part: fd42::1/32
Mar 15 18:17:43 arkadi.one wg-quick[2565]: Warning: AllowedIP has nonzero host part: fd42::2/32
Mar 15 18:17:43 arkadi.one wg-quick[2565]: Warning: AllowedIP has nonzero host part: fd42::3/32
Mar 15 18:17:43 arkadi.one wg-quick[2565]: Warning: AllowedIP has nonzero host part: fd42::4/32
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip -4 address add 10.10.10.0/24 dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip -6 address add fd42::/112 dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip link set mtu 1450 up dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] ip -6 route add fd42::/32 dev wg0
Mar 15 18:17:43 arkadi.one wg-quick[2565]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE; ip link set multicast on dev wg0
Mar 15 18:17:44 arkadi.one systemd[1]: Started WireGuard via wg-quick(8) for wg0.
Any suggestions? The allowed IP warning seems ominous…but not sure how to fix that.
That one may have been due to an unprocessed Post Down script. The next service start does not complain about this rule.
AllowedIP determines which IPs the client WireGuard interface can connect to.
It should be something like fd42::/32 if the client is only allowed to connect to the VPN’s network while in IPv6. Can you check the settings of your clients?
(Remark on the network mask.)
However this /32 mask would cover this IP range:
Start IP: fd42:0000:0000:0000:0000:0000:0000:0000
End IP: fd42:0000:ffff:ffff:ffff:ffff:ffff:ffff
If you don’t need a network that large, you could aim at /96 or /112 to get End IP: fd42:0000:0000:0000:0000:0000:ffff:ffff and End IP: fd42:0000:0000:0000:0000:0000:0000:ffff, respectively.
However, if you want them to connect to the Internet through the VPN, then it should be ::/0, 0.0.0.0/0 for example.
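To make the mask discussion above concrete, here is a small added checker (not from the original thread or from the WireGuard app) that does two things: it reports whether an AllowedIPs entry has a nonzero host part (the condition behind the `Warning: AllowedIP has nonzero host part` lines in the journal), and it expands the first and last address a prefix covers, so /32, /96, /112 and /128 can be compared side by side. The sample entries are constructed from the values quoted in this thread.

```python
import ipaddress

# Constructed sample: the entries that triggered the warning (fd42::N/32), the
# corrected single-host form (/128), the IPv4 peer address, and the "route
# everything" entries discussed above.
SAMPLE_ALLOWED_IPS = [
    "fd42::1/32", "fd42::2/32",          # warn: host bits set outside a /32
    "fd42::3/128", "10.10.10.3/32",      # single hosts, no warning
    "::/0", "0.0.0.0/0",                 # full-tunnel entries
    "fd42::/112",                        # the VPN's own IPv6 network
]


def has_nonzero_host_part(cidr: str) -> bool:
    """True when bits are set outside the prefix, i.e. exactly what wg(8) warns about."""
    iface = ipaddress.ip_interface(cidr)
    return iface.ip != iface.network.network_address


def prefix_range(cidr: str):
    """First and last address covered by the prefix, written out in full like the post does."""
    net = ipaddress.ip_interface(cidr).network
    return (net.network_address.exploded, net.broadcast_address.exploded)


def host_form(cidr: str) -> str:
    """The single-address form of an entry (/128 or /32), the fix applied later in the thread."""
    iface = ipaddress.ip_interface(cidr)
    return f"{iface.ip}/{iface.max_prefixlen}"


def check_allowed_ips(entries):
    """Classify every entry so a config can be reviewed before restarting wg-quick."""
    report = []
    for entry in entries:
        warn = has_nonzero_host_part(entry)
        report.append({
            "entry": entry,
            "nonzero_host": warn,
            "range": prefix_range(entry),
            "suggested": host_form(entry) if warn else entry,
        })
    return report


if __name__ == "__main__":
    for row in check_allowed_ips(SAMPLE_ALLOWED_IPS):
        flag = "WARN " if row["nonzero_host"] else "ok   "
        print(f"{flag}{row['entry']:<16} -> {row['suggested']:<16} covers {row['range'][0]} .. {row['range'][1]}")
```

Run it as-is to see the table for the sample entries; to review a real config, replace `SAMPLE_ALLOWED_IPS` with the entries from the peer sections. Note that the warning is not harmless cosmetics: `fd42::1/32` is accepted by `wg setconf` as `fd42::/32`, so a peer meant to own a single address is granted a whole /32 as its cryptokey route, and two peers written that way overlap.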
It does not look like it, it’s the allocated IPv6 you are mentioning. However, can you share the configuration file you can download, anonymized with the private and public keys removed, as well as your server address?
In the latest version, the QR code will appear if you click the gray Scan button.
Ok so I got rid of the AllowedIPs error by changing all clients to have fd42::#/128. I added allowed ip of ::/0 too.
sudo journalctl -u wg-quick@wg0
Mar 16 11:03:50 arkadi.one systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] ip link add wg0 type wireguard
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] wg setconf wg0 /dev/fd/63
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] ip -4 address add 10.10.10.0/24 dev wg0
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] ip -6 address add fd42::/112 dev wg0
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] ip link set mtu 1450 up dev wg0
Mar 16 11:03:51 arkadi.one wg-quick[12075]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTI
Mar 16 11:03:51 arkadi.one systemd[1]: Started WireGuard via wg-quick(8) for wg0.
But is the ip -6 address supposed to be fd42::/112?
sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.3/32 dev wg0
[#] ip -6 address add fd42::3/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
SOLVED!
I reinstalled and it works fine. I’m not sure why it always gets like this every 3-6 months with updates.
During the installation it said this…
Warning: Packagers: ynh_add_app_dependencies is deprecated and is now only an alias to ynh_install_app_dependencies
Warning: wg-quick.target is a disabled or a static unit, not starting it.
Info: '/etc/apt/trusted.gpg.d/wireguard.asc' wasn't deleted because it doesn't exist.
It’s me again. I seem to always have problems with Wireguard.
Wireguard stopped getting handshake with one of my computers about 21 days ago (Debian 11 system)
Phone to Wireguard kept working up until a few days ago
I reinstalled wireguard
tried test connection, doesn’t work
I found this link that mentioned a way to test UDP connections between machines
I tried it out but can’t get UDP messages to get through.
On Yunohost I did this:
sudo systemctl stop wg-quick@wg0.service
sudo nc -vv -u -l 8095
On phone and another laptop (both different networks) I did this:
sudo nc -u <Yunohost_Public_IP> 8095
I tried sending some text both ways, but it fails. Is that the right way to test this? Does this mean UDP is not going through? Any suggestions of how to investigate further?
EDIT:
Update, I made a Digital Ocean Droplet (VPS, Debian 11) installed Wireguard.
Connected to it with my phone and it worked right away
I tried using netcat to see if messages get through that way, they do.
So something is wrong with my router? Or ISP? So strange.
EDIT2:
I did netcat test on local network and it worked. I guess it’s a router problem.
I changed forwarding rules on my router to not list the internal port it redirects to and forward TCP/UDP. It was only forwarding UDP before.
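The netcat test in the post above has one weakness: `nc -u` gives no confirmation unless someone is typing on both ends, so a silent session is ambiguous. Below is an added Python version of the same test (not from the original thread or from the WireGuard or YunoHost projects) in which the listener echoes each datagram back, so the client side can tell apart "datagram delivered and answered" from "nothing came back within the timeout". The port number and the loopback self-check are assumptions for illustration; on a real setup you run `udp_echo_server` on the server with WireGuard stopped, exactly as the post does with `nc -u -l`, and `udp_probe` from the phone or laptop.

```python
import socket
import threading

PROBE = b"wg-udp-probe"  # constructed payload; any bytes work


def udp_echo_server(host="0.0.0.0", port=8095, count=1, timeout=10.0):
    """Server side, playing the role of `nc -u -l 8095`: bind the UDP port,
    echo `count` datagrams back to their sender, return the (port, payloads) seen.
    port=0 asks the kernel for a free port, which the loopback self-check uses."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(timeout)
    seen = []
    try:
        for _ in range(count):
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                break  # nothing arrived: the port is not reachable from the sender
            sock.sendto(data, peer)
            seen.append(data)
    finally:
        bound_port = sock.getsockname()[1]
        sock.close()
    return bound_port, seen


def udp_probe(host, port, payload=PROBE, timeout=2.0):
    """Client side, playing the role of `nc -u <ip> 8095`: send one datagram and
    wait for the echo. Returns 'reachable' or 'timeout'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except (socket.timeout, ConnectionRefusedError):
            return "timeout"
        return "reachable" if data == payload else "timeout"


def loopback_check():
    """Self-check used here so the example runs offline: start the echo server on a
    kernel-chosen loopback port in a thread, probe it, and return the probe result."""
    ready = threading.Event()
    result = {}

    def serve():
        # Bind first so the port is known before the probe is sent.
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("127.0.0.1", 0))
        result["port"] = sock.getsockname()[1]
        sock.settimeout(5.0)
        ready.set()
        try:
            data, peer = sock.recvfrom(2048)
            sock.sendto(data, peer)
        finally:
            sock.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    ready.wait(5.0)
    outcome = udp_probe("127.0.0.1", result["port"])
    t.join(5.0)
    return outcome


if __name__ == "__main__":
    print("loopback:", loopback_check())
```

Reading the results the way the post's EDIT2 does: "reachable" from the LAN but "timeout" from a phone on mobile data points at the router's port forward (or a carrier-grade NAT upstream), not at WireGuard; "timeout" from the LAN as well points at a host firewall or the listener itself. Stop `wg-quick@wg0` first, as the post does, or the echo server cannot bind the port WireGuard holds.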
I tried to get WireGuard to work for the last 3 days, but I don’t know what I am doing wrong.
Raspberry 4 - current Version
Web installation of WireGuard and only added a client, nothing else changed (yes, I pressed apply and restarted the server).
Opened Port 8097 (UDP and TCP) on my FritzBox (router).
But my smartphone cannot connect => no handshake.
wg0 is up.
> dmesg | grep wireguard
[ 2.053734] systemd[1]: Configuration file /etc/systemd/system/wireguard_ui.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
[ 2.067736] systemd[1]: Created slice system-wireguard.slice.
[ 3.164799] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[ 3.164801] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserv
> ip a
3: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.10.10.0/24 scope global wg0
valid_lft forever preferred_lft forever
inet6 fd42::/112 scope global
valid_lft forever preferred_lft forever
No worries, it’s needed if kernel version is lower than 5.
Yes, this page needs the web UI to be run as root and… meh.
Is eno1 the interface mentioned in the PostUp and PostDown commands in the “WireGuard Server” section of the UI?
For example, I have eth0 so the PostUp command is
iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip link set multicast on dev %i