Hello everyone,
I am running Pi-hole, Unbound and PiVPN (WireGuard) on my RPi3 on the latest DietPi 8.5.1 (Debian 11.3) with kernel Linux DietPi3 5.15.32-v8+ #1538 SMP PREEMPT.
I changed from OpenVPN to Wireguard because I wanted to benefit from net-roaming features, especially on smartphones.
The problem is that sometimes the VPN works and sometimes it does not.
Not only after nightly internet reconnects but also during daytime.
Port forwarding on my FritzBox is set to UDP 51820 and I only use IPv4.
I tried to view the log via “journalctl -f wg-quick@wg0”, but it is always empty.
Using the kernel module does not work because the path does not exist:
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
So I can only use the smartphone log:
06-28 21:18:37.126 28365 22882 E WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Failed to send data packet: write udp4 0.0.0.0:51267->192.168.10.50:51820: sendto: network is unreachable
06-28 21:18:39.682 28365 28365 I ViewRootImpl@d19ea0b[MainActivity]: Relayout returned: old=(0,0,1080,2340) new=(0,0,1080,2340) req=(1080,2340)8 dur=2 res=0x5 s={false 0} ch=false fn=-1
06-28 21:18:51.529 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Retrying handshake because we stopped hearing back after 15 seconds
06-28 21:18:51.529 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Sending handshake initiation
06-28 21:18:56.819 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Handshake did not complete after 5 seconds, retrying (try 2)
06-28 21:18:56.819 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Sending handshake initiation
06-28 21:19:02.102 28365 28427 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Handshake did not complete after 5 seconds, retrying (try 3)
06-28 21:19:02.102 28365 28427 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Sending handshake initiation
06-28 21:19:06.930 28365 28427 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Retrying handshake because we stopped hearing back after 15 seconds
I can see that requests from my Android smartphone reach Unbound.
I did several reinstalls of Pi-hole, Unbound and PiVPN without changing any defaults.
Some days it works, some days not.
What is different from all the internet how-tos is that the installer does not change the Pi-hole setting from “allow only local requests” to “permit all origins”.
Pi-hole blocks fine from the local net.
Here are my settings:
Pi-hole:
Upstream DNS Server: 127.0.0.1#5335
permit all origins
never forward nonFQDN A AAAA and reverse lookups
conditional forwarding: 192.168.10.0/24 192.168.10.254 fritz.box
System:
nameserver 9.9.9.9
nameserver 149.112.112.112
/etc/systemctl.conf
net.ipv4.ip_forward=1
WireGuard:
[Interface]
PrivateKey =
Address = 10.239.187.2/24
DNS = 10.239.187.1

[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
Endpoint = dyndns-ip:51820
AllowedIPs = 0.0.0.0/0, ::0/0

[Interface]
PrivateKey =
Address = 10.239.187.1/24
MTU = 1420
ListenPort = 51820
### begin Handy ###
[Peer]
PublicKey = XXXXX
PresharedKey = XXXXX
AllowedIPs = 10.239.187.2/32
### end Handy ###

Debug output:
:::: PiVPN debug ::::
:::: Latest commit ::::
Branch: master
Commit: f8cb945af15a1ca0cf063475c6e1557c6e8da06c
Author: 4s3ti
Date: Fri Jun 10 16:10:57 2022 +0200
Summary: Merge branch ‘test’
:::: Installation settings ::::
PLAT=Debian
OSCN=bullseye
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=192.168.10.50/24
IPv4gw=192.168.10.254
install_user=dietpi
install_home=/home/dietpi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.239.187.1
pivpnDNS2=
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=1
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.239.187.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=0
INSTALLED_PACKAGES=()
:::: Server configuration shown below ::::
[Interface]
PrivateKey = server_priv
Address = 10.239.187.1/24
MTU = 1420
ListenPort = 51820
### begin Handy ###
[Peer]
PublicKey = Handy_pub
PresharedKey = Handy_psk
AllowedIPs = 10.239.187.2/32
### end Handy ###
### begin TabletHuawei ###
[Peer]
PublicKey = TabletHuawei_pub
PresharedKey = TabletHuawei_psk
AllowedIPs = 10.239.187.3/32
### end TabletHuawei ###
### begin Notebook ###
[Peer]
PublicKey = Notebook_pub
PresharedKey = Notebook_psk
AllowedIPs = 10.239.187.4/32
### end Notebook ###
:::: Client configuration shown below ::::
[Interface]
PrivateKey = Handy_priv
Address = 10.239.187.2/24
DNS = 10.239.187.1

[Peer]
PublicKey = server_pub
PresharedKey = Handy_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
:::: Recursive list of files in ::::
:::: /etc/wireguard shown below ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
Handy.conf
Notebook.conf
TabletHuawei.conf
clients.txt

/etc/wireguard/keys:
Handy_priv
Handy_psk
Handy_pub
Notebook_priv
Notebook_psk
Notebook_pub
TabletHuawei_priv
TabletHuawei_psk
TabletHuawei_pub
server_priv
server_pub
:::: Self check ::::
:: [OK] IP forwarding is enabled
Done
Done
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
[INFO] Run pivpn -d again to see if we detect issues
iptables
------------
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.239.187.0/24 ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
ACCEPT all -- 10.239.187.0/24 anywhere /* wireguard-forward-rule */
ACCEPT all -- anywhere 10.93.235.0/24 ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
ACCEPT all -- 10.93.235.0/24 anywhere /* wireguard-forward-rule */
ACCEPT all -- anywhere anywhere
Any hints?
Thanks
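As an added example (not from the original post, PiVPN or the WireGuard app), a small Python parser for the Android WireGuard logcat format quoted above: it filters out the non-WireGuard logcat lines, counts handshake attempts per peer and records failed sends, flagging whether the destination the phone tried to reach was a private (LAN) address rather than a public endpoint. The peer id, ports and addresses in the embedded sample are copied from the post's log; the peer id is assumed to be the only thing that identifies the tunnel.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Android WireGuard (GoBackend) logcat format quoted in
# the post; the peer id, ports and addresses are copied from those lines.
SAMPLE_LOG = """\
06-28 21:18:37.126 28365 22882 E WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Failed to send data packet: write udp4 0.0.0.0:51267->192.168.10.50:51820: sendto: network is unreachable
06-28 21:18:39.682 28365 28365 I ViewRootImpl@d19ea0b[MainActivity]: Relayout returned: old=(0,0,1080,2340) new=(0,0,1080,2340)
06-28 21:18:51.529 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Sending handshake initiation
06-28 21:18:56.819 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Handshake did not complete after 5 seconds, retrying (try 2)
06-28 21:19:02.102 28365 28427 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Handshake did not complete after 5 seconds, retrying (try 3)
"""
# Logcat line from the WireGuard backend: timestamp, pid, tid, level, tag, peer, message.
LINE_RE = re.compile(r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+) +\d+ +\d+ +[A-Z] +"
                     r"WireGuard/GoBackend/(?P<tunnel>[^:]+): peer\((?P<peer>[^)]+)\) - (?P<msg>.*)$")
# Send failure: "... write udp4 <src>-><dst ip>:<port>: sendto: <error text>"
SEND_ERR_RE = re.compile(r"->(?P<ip>[\d.]+):(?P<port>\d+): sendto: (?P<err>.+)$")
TRY_RE = re.compile(r"retrying \(try (?P<n>\d+)\)")

def analyse(log_text):
    """Per-peer summary: handshake initiations, highest retry number, send errors."""
    peers = defaultdict(lambda: {"initiations": 0, "max_try": 1,
                                 "send_errors": [], "private_endpoint": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other logcat noise (UI, other apps)
        p, msg = peers[m["peer"]], m["msg"]
        if msg == "Sending handshake initiation":
            p["initiations"] += 1
        if (t := TRY_RE.search(msg)):
            p["max_try"] = max(p["max_try"], int(t["n"]))
        if (e := SEND_ERR_RE.search(msg)):
            p["send_errors"].append((m["ts"], e["ip"], int(e["port"]), e["err"]))
            # A private destination means the packet was aimed at a LAN address, not a public endpoint.
            p["private_endpoint"] |= ipaddress.ip_address(e["ip"]).is_private
    return dict(peers)

def findings(summary):
    """Lines a defender would check against the server's wg status and the router's NAT."""
    out = []
    for peer, p in summary.items():
        if p["max_try"] > 1:
            out.append(f"{peer}: reached handshake try {p['max_try']} with no reply from the server")
        for ts, ip, port, err in p["send_errors"]:
            scope = "private" if ipaddress.ip_address(ip).is_private else "public"
            out.append(f"{peer}: {ts} send to {scope} endpoint {ip}:{port} failed: {err}")
    return out
```

Feed it the output of `adb logcat -d` (or the log exported from the app) instead of the embedded sample to get the same per-peer summary for a real capture.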