Fresh Dietpi and Pihole unbound wireguard

mojo · 7 June 2023 17:18

Creating a bug report/issue

Required Information

DietPi version | cat /boot/dietpi/.version
G_DIETPI_VERSION_CORE=8
G_DIETPI_VERSION_SUB=18
G_DIETPI_VERSION_RC=2
G_GITBRANCH=‘master’
G_GITOWNER=‘MichaIng’
bullseye 0
Linux Pi3 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
arm64
RPi 3 Model B+ (aarch64
SanDisk ultra

G4 Router 192.168.8.1
Nameserver 192.168.8.8 to Pi3
Static setting https://i.imgur.com/acE3X7o.png
WIFI on hostap
fresh Pihole , unbound and wireguard

i aktivate wireguard

start wg-quick@wg0pt
root@Pi3:~# systemctl status wg-quick@wg0pt.service
● wg-quick@wg0pt.service - WireGuard via wg-quick(8) for wg0pt
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
     Active: active (exited) since Wed 2023-06-07 18:53:45 CEST; 10s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 69235 ExecStart=/usr/bin/wg-quick up wg0pt (code=exited, status=0/SUCCESS)
   Main PID: 69235 (code=exited, status=0/SUCCESS)
        CPU: 727ms

Jun 07 18:53:44 Pi3 wg-quick[69235]: [#] ip -4 address add 10.67.164.200/32 dev wg0pt
Jun 07 18:53:45 Pi3 wg-quick[69235]: [#] ip link set mtu 1420 up dev wg0pt
Jun 07 18:53:45 Pi3 wg-quick[69267]: [#] resolvconf -a tun.wg0pt -m 0 -x
Jun 07 18:53:45 Pi3 wg-quick[69235]: [#] wg set wg0pt fwmark 51820
Jun 07 18:53:45 Pi3 wg-quick[69235]: [#] ip -4 route add 0.0.0.0/0 dev wg0pt table 51820
Jun 07 18:53:45 Pi3 wg-quick[69235]: [#] ip -4 rule add not fwmark 51820 table 51820
Jun 07 18:53:45 Pi3 wg-quick[69235]: [#] ip -4 rule add table main suppress_prefixlength 0
Jun 07 18:53:45 Pi3 wg-quick[69235]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Jun 07 18:53:45 Pi3 wg-quick[69309]: [#] iptables-restore -n
Jun 07 18:53:45 Pi3 systemd[1]: Finished WireGuard via wg-quick(8) for wg0pt.

Lan = but traffic not route over wireguard
Wifi 10.42.0.1 dns 192.168.8.8 = traffic not route over wireguard

how can i fix
or
what would the optimal setting for dietpi and pihole unbound wireguard look like?

Jappe · 7 June 2023 17:56

Only wireguard is not working, the rest is okay?

So you want to create an acces point with your RPi, which uses pihole and unbound for DNS resolution, the G4 router is you gateway and wireguard is for remote access or what do you want to achieve?

Joulinar · 7 June 2023 20:21

Is Wireguard working as server or client? You are trying to connect to an external VPN server?

mojo · 7 June 2023 21:22

RPi acces point = OK 192.168.42.1
pihole and unbound for DNS resolution = OK 127.0.0.1.5335
G4 router is as gateway = OK
wireguard client conncet to mullvad = success but not load sites

mojo · 7 June 2023 21:23

Client connect to Mullvad

Joulinar · 8 June 2023 09:20

if you connected on the device itself, you are able to connect to internet via Mullvad.

mojo · 8 June 2023 11:15

i connect to RPi WIFI on hostap 192.168.42.1 = connect to internet works
i start systemctl start wg-quick@wg0pt

systemctl status wg-quick@wg0pt.service
● wg-quick@wg0pt.service - WireGuard via wg-quick(8) for wg0pt
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
     Active: active (exited) since Thu 2023-06-08 13:13:24 CEST; 3s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 51386 ExecStart=/usr/bin/wg-quick up wg0pt (code=exited, status=0/SUCCESS)
   Main PID: 51386 (code=exited, status=0/SUCCESS)
        CPU: 717ms

Jun 08 13:13:24 Pi3 wg-quick[51386]: [#] ip -4 address add 10.67.164.200/32 dev wg0pt
Jun 08 13:13:24 Pi3 wg-quick[51386]: [#] ip link set mtu 1420 up dev wg0pt
Jun 08 13:13:24 Pi3 wg-quick[51417]: [#] resolvconf -a tun.wg0pt -m 0 -x
Jun 08 13:13:24 Pi3 wg-quick[51386]: [#] wg set wg0pt fwmark 51820
Jun 08 13:13:24 Pi3 wg-quick[51386]: [#] ip -4 route add 0.0.0.0/0 dev wg0pt table 51820
Jun 08 13:13:24 Pi3 wg-quick[51386]: [#] ip -4 rule add not fwmark 51820 table 51820
Jun 08 13:13:24 Pi3 wg-quick[51386]: [#] ip -4 rule add table main suppress_prefixlength 0
Jun 08 13:13:24 Pi3 wg-quick[51386]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Jun 08 13:13:24 Pi3 wg-quick[51459]: [#] iptables-restore -n
Jun 08 13:13:24 Pi3 systemd[1]: Finished WireGuard via wg-quick(8) for wg0pt.

but no Internet
internet via Mullvad: no

Joulinar · 8 June 2023 11:29

I guess you need to add iptables rules to forward traffic to Wireguard interface.

mojo · 8 June 2023 11:59

where can i find what the iptables rules should look like?

have installed everything with dietpi, thought then everything is also configured.
how do i solve this problem?

regards

Joulinar · 8 June 2023 14:36

Our scripts don’t configure the scenario you are looking for. Thinks like your external VPN would need to be configured/adjusted manually.

Maybe @trendy could help with iptables

trendy · 9 June 2023 10:08

I think only the iptables -t nat -A POSTROUTING -o wg0pt -j MASQUERADE in the tunnel up script will be enough.

mojo · 9 June 2023 11:18

Hey @trendy,
yes i have entered iptabels manually then it works.

Where can I find the ip-up script for wireguard?

Joulinar · 9 June 2023 11:41

You would need to add it to your Wireguard client configuration file.

mojo · 9 June 2023 14:16

in wg0.conf

Postup = /etc/wireguard/helper/add-nat-routing.sh
in add-nat-routing.sh iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

Postdown = /etc/wireguard/helper/remove-nat-routing.sh
in remove-nat-routing.sh iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

works