PiVPN with WireGuard: can access Raspberry Pi only when connected to VPN

I installed the latest release of DietPi on my brand new Raspberry Pi Zero 2 W. After installing the system, via dietpi-software I installed the following software:

  • Pi-hole
  • Unbound
  • PiVPN (with WireGuard)
  • Fail2Ban
  • FileBrowser
  • ProFTPD
  • qBittorrent

After configuration, I added three devices to the VPN with the pivpn add command, two laptops (via conf file) and one smartphone (via QR code). All devices can connect correctly to the VPN and ping the Pi Zero 2 (and connect via SSH, browse the qBittorrent and Pi-hole web interfaces, etc…) but can’t connect to other devices on the LAN (if I try to ping, I don’t receive a response).
If I try to access the internet when I’m connected to the VPN, I can’t browse any web site, including the Cloudflare DNS web site (https://1.1.1.1/).

I disabled the DHCP server on my router, set the Pi Zero 2 IP address as DNS and enabled the Pi-hole DHCP server; enabled Interface settings → Permit all origins in the Pi-hole DNS settings, and inside /etc/sysctl.conf I have net.ipv4.ip_forward = 1.

What’s wrong with my configuration?

Which DHCP settings are you using on the Pi-hole? Is the default gateway the Pi or the ISP router? Does the ISP router have a static route for the WireGuard subnet?

I disabled DHCP and DNS on ISP router and enabled in Pi-hole.
I have a similar configuration and settings at my parents’ home (Raspberry Pi 3 with DietPi v8.0.2 based on Raspbian Buster, same ISP, slightly different router) and I have no problems…


However I think it’s not a problem related to Pi-hole, maybe the firewall? How can I check it?

If you are not able to reach https://1.1.1.1/, it is not a DNS issue at all. That means Pi-hole is out of the game.

Are you running a software firewall on DietPi?

As I said, I installed Fail2Ban too; could this be the source of the issues? I haven’t manually enabled any firewall on the Pi…

Fail2Ban is not a firewall blocking access on port level. It is blocking access based on failed login attempts. But as I understood, you are able to access DietPi via WireGuard clients. What is not working is to access anything else inside the local network and the internet. Correct?

Would it be possible to share the server and client configuration files? Just remove personal data like DDNS or keys.

Exactly.
Now I’m at work (the Pi with WireGuard is at home). If I try to connect to the VPN with one of the clients I added, the connection is successful, but at this point I can’t communicate (even just ping) with any device connected to the LAN except the Pi itself (if I ping the IP of the Pi, it responds correctly; if I ping the IP of the router I do not get a response). I can connect to the Pi via SSH and browse the web interfaces of the programs I have installed (for example qBittorrent and File Browser); I can also connect via FTP using FileZilla on the client, and ping the router (from the Pi, connected via SSH).

This is the .conf file I used to configure the client I am using now:

[Interface]
PrivateKey = *******************************************
Address = 10.6.0.4/24
DNS = 10.6.0.1

[Peer]
PublicKey = *******************************************
PresharedKey = *******************************************
Endpoint = *****.duckdns.org:port
AllowedIPs = 0.0.0.0/0, ::/0

What other file would you like to check?

Post here the output of the following:

iptables-save -c; echo; \
cat /proc/sys/net/ipv4/ip_forward ; echo; \
ip -4 addr; ip -4 rou list table all; ip -4 ru

As well, pls share the WireGuard server config file.

And one more to share

ls -l /etc/alternatives/iptables

Maybe it is similar to the issue we had on Odroid. Just thinking :thinking: https://dietpi.com/forum/t/wireguard-connection-is-not-working-on-odroid-bullseye/6180/20
Did you try to reboot your system in between?



1

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.22.4/24 brd 192.168.22.255 scope global wlan0
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.22.254 dev wlan0 onlink
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
192.168.22.0/24 dev wlan0 proto kernel scope link src 192.168.22.4
broadcast 10.6.0.0 dev wg0 table local proto kernel scope link src 10.6.0.1
local 10.6.0.1 dev wg0 table local proto kernel scope host src 10.6.0.1
broadcast 10.6.0.255 dev wg0 table local proto kernel scope link src 10.6.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.22.0 dev wlan0 table local proto kernel scope link src 192.168.22.4
local 192.168.22.4 dev wlan0 table local proto kernel scope host src 192.168.22.4
broadcast 192.168.22.255 dev wlan0 table local proto kernel scope link src 192.168.22.4
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default



[Interface]
PrivateKey =
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 
### begin xps-9570 ###
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.6.0.2/32
### end xps-9570 ###
### begin Find-X2-Pro-di-Ivan ###
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.6.0.3/32
### end Find-X2-Pro-di-Ivan ###
### begin MacBook-Air-di-Ivan ###
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.6.0.4/32
### end MacBook-Air-di-Ivan ###



lrwxrwxrwx 1 root root 22 25 gen 10.38 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
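A check over the diagnostics requested above, as an added example that is not from this thread or from PiVPN: it parses an iptables-save -c dump together with the ip_forward value and reports which forwarding prerequisite is missing, which is the first thing to rule out when VPN clients reach the Pi but nothing behind it. The subnet and interface names come from the posted output; the MASQUERADE and FORWARD checks encode the usual VPN gateway setup and are an assumption about the expected rules, and both sample dumps are constructed.

```python
import re

WG_SUBNET, WG_IF, LAN_IF = "10.6.0.0/24", "wg0", "wlan0"  # from the posted output
# Constructed samples: EMPTY_DUMP mirrors the thread (nothing printed before the
# ip_forward value); GOOD_DUMP is the assumed shape of a working gateway's rules.
EMPTY_DUMP = ""
GOOD_DUMP = """*nat
:POSTROUTING ACCEPT [0:0]
[42:3140] -A POSTROUTING -s 10.6.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""

def parse_iptables_save(text):
    """Parse `iptables-save -c` output into {table: {"policies": {...}, "rules": [...]}}."""
    tables, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # new table, e.g. *nat
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            current = None
        elif line.startswith(":") and current:        # chain policy line
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif current:                                 # rule line; drop the -c counters
            tables[current]["rules"].append(re.sub(r"^\[\d+:\d+\]\s*", "", line))
    return tables

def check_forwarding(ip_forward, dump, subnet=WG_SUBNET, wg_if=WG_IF, lan_if=LAN_IF):
    """Return a list of problems; an empty list means the gateway prerequisites look OK."""
    problems = []
    if ip_forward.strip() != "1":
        problems.append(f"ip_forward is not 1: kernel will not route between {wg_if} and {lan_if}")
    t = parse_iptables_save(dump)
    nat = t.get("nat", {}).get("rules", [])
    if not any("-A POSTROUTING" in r and f"-s {subnet}" in r and f"-o {lan_if}" in r
               and "-j MASQUERADE" in r for r in nat):
        problems.append(f"no POSTROUTING MASQUERADE for {subnet} out of {lan_if}: replies from "
                        "the LAN/Internet cannot reach VPN clients unless the router routes the subnet")
    filt = t.get("filter", {"policies": {}, "rules": []})
    if filt["policies"].get("FORWARD", "ACCEPT") != "ACCEPT":  # only matters with a DROP policy
        fwd = [r for r in filt["rules"] if "-A FORWARD" in r and "-j ACCEPT" in r]
        if not (any(f"-i {wg_if}" in r for r in fwd) and any(f"-o {wg_if}" in r for r in fwd)):
            problems.append(f"FORWARD policy is DROP and {wg_if} traffic is not accepted")
    return problems
```

On the Pi itself the two inputs are the output of iptables-save -c and of cat /proc/sys/net/ipv4/ip_forward, as in the command list above.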

You’ll need to run the commands mentioned in the link that Joulinar posted earlier to fix the iptables.

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
systemctl restart wg-quick@wg0

Interesting point, for me this is working OOTB using PiVPN on a RPi4B 64-bit. Even having iptables pointing to iptables-nft :thinking:

root@DietPi4:~# ls -l /etc/alternatives/iptables
lrwxrwxrwx 1 root root 22 Jan 27 11:17 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
root@DietPi4:~#

Done… no changes! :cry:

Current output of ls -l /etc/alternatives/iptables:

lrwxrwxrwx 1 root root 25 27 gen 11.23 /etc/alternatives/iptables -> /usr/sbin/iptables-legacy

Still the question: did you do a reboot in between?

Yes, of course!
First I did:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
systemctl restart wg-quick@wg0

then I restarted the Pi:

shutdown -r now

MichaIng
Can you have a look as well pls. Might be something with routing. Not sure where the issue could be exactly.

Did a fresh install from scratch (microSD flash with latest ARM8 DietPi image and dietpi-software install) and now everything seems to work OOB! :thinking: :sunglasses:

Thank you to all for support! :wink:

Thx for sharing. Maybe something did not work out on the first install or got corrupted. Good it is working now.