2 RPi connected via Wireguard

Hello,

I have a RPi4 running with DietPi and Wireguard (PiVPN). I can access this RPi4 from my Laptop and Smartphone from outside as expected.

Now I installed a RPi3 with DietPi located in a different location. My plan is to create a connection from this RPi3 as VPN-Client to the RPi4 as the VPN-Server (File access from RPi3 to RPi4 at the end via VPN-Tunnel). My question is: Should I install the PiVPN-Package on this RPi3 too or is it sufficient to install

apt install wireguard

and start the interface via

wg-quick up wg0

only? I will work next to the standard and the proposal from the DietPi-Team.

apt install wireguard does not work OOTB since the package is not available on plain Debian Buster.
wg-quick up wg0 does not work OOTB since there is no /etc/wireguard/wg0.conf present by default.
:stuck_out_tongue:

Install WireGuard via dietpi-software on the RPi3: dietpi-software install 172
When being asked, select to use it as VPN client, rather than VPN server.

Then you can basically follow the instructions from our docs: https://dietpi.com/docs/software/vpn/#wireguard-an-extremely-simple-yet-fast-and-modern-vpn > “Installing as VPN client”
=> Copy or move the created client config to the RPi3 and start the service, or yes, running wg-quick up wg0 also works if you named the client config on the RPi3 wg0.conf.

It could also be done the other way round: creating a key pair and client config on the client, and copying/adding only the new public key to the server's wg0.conf, which matches the intended standards more closely and avoids transferring the sensitive client key around :wink:.
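The client-side approach just described, as an added example (not DietPi's or PiVPN's own code): the key pair is generated on the RPi3 with wg(8), the client config is written with owner-only permissions, and only the public key plus the tunnel address are handed to the server. The server public key, the endpoint host name and the tunnel addresses used in the demo are placeholders, not values from this thread.

```shell
#!/bin/sh
# Added example (not DietPi's or PiVPN's own code): build the WireGuard client
# config on the client itself, so the client's private key never leaves the
# RPi3, and print the [Peer] stanza the server admin appends to the server's
# wg0.conf. Key names, addresses and the endpoint below are placeholders.
set -eu

# Generate a key pair with wg(8); prints "<private key> <public key>".
gen_keypair() {
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    printf '%s %s\n' "$priv" "$pub"
}

# Render the client-side wg0.conf to stdout.
#   $1 client private key        $4 server endpoint (host:port)
#   $2 client tunnel address     $5 AllowedIPs (10.6.0.0/24 = split tunnel,
#   $3 server public key            0.0.0.0/0 = route everything through the VPN)
#   $6 optional pre-shared key (must then be present on both sides)
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = $5
PersistentKeepalive = 25
EOF
    if [ -n "${6:-}" ]; then
        printf 'PresharedKey = %s\n' "$6"
    fi
}

# Render the [Peer] stanza for the server: only the client's PUBLIC key and its
# tunnel address (/32 host route) travel to the server.
#   $1 client public key   $2 client tunnel address   $3 optional pre-shared key
render_server_peer() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2"
    if [ -n "${3:-}" ]; then
        printf 'PresharedKey = %s\n' "$3"
    fi
}

# Write the client config owner-readable only, since it holds the private key.
#   $1 destination path; remaining args are passed to render_client_conf
write_client_conf() {
    dest=$1
    shift
    ( umask 077; render_client_conf "$@" > "$dest" )
}

# Demo on the client (runs only where wg(8) is installed; all values assumed):
if command -v wg >/dev/null 2>&1; then
    keys=$(gen_keypair)
    client_priv=${keys% *}
    client_pub=${keys#* }
    render_client_conf "$client_priv" 10.6.0.4/24 SERVER_PUBLIC_KEY_PLACEHOLDER \
        vpn.example.com:51820 0.0.0.0/0
    echo "--- append to the server's wg0.conf ---"
    render_server_peer "$client_pub" 10.6.0.4/32
fi
```

After appending the printed [Peer] stanza to the server's wg0.conf, bring the server interface down and up again (wg-quick down wg0 && wg-quick up wg0) so it loads the new peer. An optional pre-shared key (wg genpsk) can be passed as the last argument to both render functions; unlike the private key it does have to exist on both sides, so it is the one secret that still has to be transferred.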

Yep, indeed that should be the easiest way: install WireGuard as client using dietpi-software and copy the client config file that needs to be created on the PiVPN server.

Unfortunately it will not work. What I did: Fresh installation of my RPi3 with DietPI, changed standard PWs to my own, changed ssh-Server to OpenSSH, installed wireguard with

dietpi-software install 172

On my VPN-Server I created a new config-file for this RPi3-VPN-Client, transferred this to

/etc/wireguard/wg0.conf

and started VPN as you mentioned

wg-quick up wg0

Output:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

If I try now to ping like

ping www.heise.de

nothing happens. Same for a local pc in the VPN-Server-Network

ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:02:c4:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.222/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:9440:ad98:ba27:ebff:fe02:c4d2/64 scope global dynamic mngtmpaddr
       valid_lft 5399sec preferred_lft 2699sec
    inet6 fe80::ba27:ebff:fe02:c4d2/64 scope link
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.6.0.4/24 scope global wg0
       valid_lft forever preferred_lft forever

wg

on the VPN-Server shows me my peers and here is the part for the new/not working one:

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  preshared key: (hidden)
  allowed ips: 10.6.0.4/32

With wireguard on my MacBook/Android-Smartphone and config-files for this clients the VPN-Connection works fine. Any idea?

Your client is not connecting to your VPN server, because the latest handshake message is missing in your wg output. That’s how wg should look:

Server side

root@DietPi4:# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: x.x.x.x:52738
  allowed ips: 10.9.0.2/32
  latest handshake: 57 seconds ago
  transfer: 1.27 KiB received, 1.25 KiB sent

Client side

root@DietPi3:# wg
interface: wg0-client1
  public key: xxx
  private key: (hidden)
  listening port: 52738
  fwmark: 0xca6c

peer: xxx
  endpoint: x.x.x.x:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 23 seconds ago
  transfer: 124 B received, 484 B sent
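Added example (not from this thread or the DietPi project) that automates the "is there a latest handshake?" check from this reply. It reads the machine-readable `wg show <iface> dump` output instead of the human-readable listing above; the two sample dumps are constructed with placeholder keys and documentation addresses, and the RPi3 peer in them mimics the "bytes sent, nothing received, no handshake" pattern.

```shell
#!/bin/sh
# Added example, not from the thread or the DietPi project: classify each
# peer in `wg show <iface> dump` output by handshake state. The dump format is
# tab-separated: line 1 = interface (private key, public key, listen port,
# fwmark); every further line = one peer (public key, pre-shared key, endpoint,
# allowed IPs, latest handshake as unix time with 0 = never, rx bytes,
# tx bytes, persistent keepalive).

# $1 = current unix time; dump text on stdin.
# Prints "<peer public key> <state>" per peer; state is OK, STALE,
# NO_HANDSHAKE or NO_HANDSHAKE_UNANSWERED.
classify_peers() {
    awk -F'\t' -v now="$1" 'NR > 1 {
        pub = $1; hs = $5; rx = $6; tx = $7
        if (hs == 0) {
            state = "NO_HANDSHAKE"
            # Bytes went out but none came back: our initiations are not being
            # answered, so check endpoint address, port forwarding and the key
            # pair on the server before looking at routes, DNS or ip_forward.
            if (tx > 0 && rx == 0) state = state "_UNANSWERED"
        } else if (now - hs > 180) {
            state = "STALE"     # a live tunnel re-handshakes about every 2 min
        } else {
            state = "OK"
        }
        print pub, state
    }'
}

# Constructed sample dumps (placeholder keys, documentation addresses).
# Server view: one healthy peer, one that went quiet, and the RPi3 the
# server has never heard from.
SERVER_DUMP='SERVER_PRIV\tSERVER_PUB\t51820\toff
PEER_LAPTOP\t(none)\t203.0.113.10:52738\t10.9.0.2/32\t1700000000\t1300\t1280\toff
PEER_PHONE\t(none)\t203.0.113.11:41000\t10.9.0.3/32\t1699990000\t5000\t4000\toff
PEER_RPI3\tPSK_HIDDEN\t(none)\t10.6.0.4/32\t0\t0\t0\toff'

# Client view on the RPi3: initiations sent to an IPv6 endpoint, nothing back,
# i.e. "transfer: 0 B received, 2.75 KiB sent" and no latest-handshake line.
CLIENT_DUMP='CLIENT_PRIV\tCLIENT_PUB\t45079\t0xca6c
SERVER_PUB\tPSK_HIDDEN\t[2001:db8::1]:51820\t0.0.0.0/0,::/0\t0\t0\t2816\toff'

NOW=1700000057    # fixed "current time" so the sample output is reproducible

# %b expands the \t escapes in the sample strings into real tabs.
server_report() { printf '%b\n' "$SERVER_DUMP" | classify_peers "$NOW"; }
client_report() { printf '%b\n' "$CLIENT_DUMP" | classify_peers "$NOW"; }

# On a live box you would run:  wg show wg0 dump | classify_peers "$(date +%s)"
echo '# server'; server_report
echo '# client'; client_report
```

The NO_HANDSHAKE_UNANSWERED state is the one the RPi3 shows here: the client keeps sending handshake initiations and the counter grows, but nothing ever arrives, which points at the path to the endpoint (wrong address family, missing port forward) or at a key mismatch on the server, not at anything inside the tunnel.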

The RPi3 client can ping the remote network where the VPN-Server is located (behind a DynDNS-MyFritz-address). In the same local network as the RPi3, my laptop and smartphone are working fine with the VPN-Tunnel. So it seems there is no problem between the local and remote network or with provider settings.

Client side:

root@DietPi:/etc/wireguard# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 45079
  fwmark: 0xca6c

peer: xxx
  preshared key: (hidden)
  endpoint: [x:x:x:x:x:x:x:x]:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 2.75 KiB sent

Could the IPv6 address be the reason? On my other clients it looks like they are using an IPv4 network. I’m not sure (yet) if the VPN-Server is reachable via IPv6.

just give it a try and remove , ::/0 from allowed ips

One interesting point (not sure if this has any meaning), you are using preshared key?

Looks similar:

root@DietPi:/etc/wireguard# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 33597
  fwmark: 0xca6c

peer: xxx
  preshared key: (hidden)
  endpoint: [x:x:x:x:x:x:x:x]:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 3.47 KiB sent

I’m not sure what you mean with pre-shared-keys. But I guess no. I installed PiVPN on the VPN-Server with Wireguard-Option.

After the installation I created 3 client-configs via

pivpn -a

The first 2 I transferred separately to each client (laptop, smartphone). The last one, created yesterday, I c&p via 2 open putty terminals (nano editor running) from server

/etc/wireguard/configs/RPi3.conf

to client

/etc/wireguard/wg0.conf

unfortunately Wireguard is not really helpful as there are not that much logs :frowning:

Did you test RPi3.conf on one of your mobile devices?

Good idea. I tested the RPi3 config-file on my smartphone and it’s working fine. Both versions: IPv4-only and the original one with , ::/0

Is the IPv6 of the endpoint the one that the Wireguard RPi4 server has? Or does it belong to the router of your ISP?

It could be that the port forwarding is limited to IPv4 on the router of the RPi4. I have to double check that later this week. But I wonder why a current macOS and Android 10 are working fine with the same setup, in the same local networks.

Is there a possibility to restrict the VPN connection to IPv4 only? I know it’s old but for testing purposes good enough.

well I have limited my entire network to IPv4 :slight_smile:

You could disable IPv6 on your client server within dietpi-config network settings and remove , ::/0 inside your Wireguard client configuration.

In another Thread about Wireguard I saw the following command sysctl net.ipv4.ip_forward

On my PI3 it shows:

root@DietPi:/etc/wireguard# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

on the PI4:

root@DietPi4:/etc/wireguard/configs# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Does that make sense?

that should be ok if your RPi3 is just a client and there are no other clients on that network who like to access the VPN tunnel.

But anyway you are still lacking the very first basic thing: a valid VPN connection. As long as you don’t see a handshake in the wg command output, your VPN connection is not established.

There is no NAT6 by default. The port forwarding rule will work only on IPv4. So if you are trying to access over IPv6 you need to use the global IPv6 of the RPi4.

In endpoint use the IPv4. That should work.
For a permanent workaround you can discard the AAAA answers you receive from the resolver.
In dnsmasq this can be done with these 2 lines:

address=/server.example.com/::
server=/server.example.com/#

Hello,

after changing the port forwarding on my RPi4 router to IPv4 and IPv6, no changes with the RPi3.

But what I recognized last week and tested again today: the resolv.conf changed and the DNS entries were removed.

What I did: Fresh installation of DietPi, OpenSSH, Docker (plus some containers). All was working fine with DNS. I installed wireguard, added a wg0.conf and tried to connect RPi3 with RPi4 over VPN. Same issue, no VPN handshake. But DNS was working fine too.

After a reboot of the RPi3, DNS is no longer working. The second entry is my backup file.

root@DietPi:/etc# ls -al resolv*
lrwxrwxrwx 1 root root   31 Nov 16 11:15 resolv.conf -> /etc/resolvconf/run/resolv.conf
-rw-r--r-- 1 root root   23 Nov 10 09:33 resolv.conf_org

root@DietPi:/etc# cat resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

That’s not what I expected. Before the reboot, 2 DNS entries were included in the resolv.conf.

can you have a look to dietpi-config > Network Options: Adapters. Usually there you should be able to set DNS server. Strange that it is gone on your config.

After applying the DNS setting again in the config it’s working fine.

Still strange that the settings got removed. :thinking:

But good that it is solved now