Update to 7.1.2 - VPN via wireguard no longer working

Hi there,

Were there any WireGuard-related changes with the latest update?

I haven’t changed any settings but can no longer access my home Nextcloud instance with the WireGuard connection activated.

wg show doesn’t show any handshake information.
Not sure if this could be related to pihole (which is installed as well on my pi3).

I would like to avoid starting from scratch (with WireGuard, Pi-hole, Unbound), so I thought I would check here first to see if there are any troubleshooting ideas. (I don’t have any.)

Many thanks for any input on the matter.

T

Hi,

PiHole and Unbound are not involved in the basic VPN connection between client and server. They play a role later on, once clients do DNS resolution. But for this, the VPN connection needs to be established first.

Does the wg command give anything back, or nothing?
What is the status of the WireGuard service (systemctl status wg-quick@wg0.service)?
Do you use plain WireGuard or PiVPN?

Thanks for your quick reply. Here is the info you asked for:

root@DietPi:~# wg
interface: wg0
  public key: [...]
  private key: (hidden)
  listening port: 51820

peer: [...]
  allowed ips: 10.9.0.2/32, fd86::2/128

peer: [...]
  allowed ips: 10.9.0.3/32, fd86::3/128

peer: [...]
  allowed ips: 10.9.0.4/32, fd86::4/128

peer: [...]
  allowed ips: 10.9.0.5/32, fd86::5/128



root@DietPi:~# systemctl status wg-quick@wg0.service?
root@DietPi:~# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2021-05-14 22:16:16 CEST; 24min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 12372 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
 Main PID: 12372 (code=exited, status=0/SUCCESS)

May 14 22:16:16 DietPi wg-quick[12372]: net.ipv4.conf.wg0.forwarding = 1
May 14 22:16:16 DietPi wg-quick[12372]: net.ipv4.conf.wlan0.forwarding = 1
May 14 22:16:16 DietPi wg-quick[12372]: [#] sysctl net.ipv6.conf.$(sed -n 3p /run/dietpi/.network).accept_ra=2
May 14 22:16:16 DietPi wg-quick[12372]: net.ipv6.conf.wlan0.accept_ra = 2
May 14 22:16:16 DietPi wg-quick[12372]: [#] sysctl net.ipv6.conf.wg0.forwarding=1 net.ipv6.conf.$(sed -n 3p /run/dietpi/.network).forwarding=1
May 14 22:16:16 DietPi wg-quick[12372]: net.ipv6.conf.wg0.forwarding = 1
May 14 22:16:16 DietPi wg-quick[12372]: net.ipv6.conf.wlan0.forwarding = 1
May 14 22:16:16 DietPi wg-quick[12372]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /run/dietpi/.network) -j MASQUERADE
May 14 22:16:16 DietPi wg-quick[12372]: [#] ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /run/dietpi/.network) -j MASQUERADE
May 14 22:16:16 DietPi systemd[1]: Started WireGuard via wg-quick(8) for wg0.

OK, the server side seems to be fine.

Are you sure port forwarding is correctly set, and that your clients use the correct external IP/DDNS? Usually a missing handshake means your clients do not connect to your server.

Unfortunately WireGuard doesn’t have a log on the server side that can be checked. But on the client there is a log in the app that you can have a look at.
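Added example (not part of the original posts): a server-side check for the "missing handshake" symptom described above. It classifies peers from the output format of `wg show <iface> latest-handshakes`. The function name, the 180-second threshold and the sample peer names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the output format of
# `wg show <iface> latest-handshakes`: <peer public key><TAB><unix time>,
# where a time of 0 means the peer has never completed a handshake.

# handshake_report NOW MAX_AGE   (listing on stdin)
# MAX_AGE is the caller's choice of "recent enough", in seconds (assumption).
handshake_report() {
    awk -v now="$1" -v max="$2" -F '\t' '
        NF < 2          { next }                      # skip blank/short lines
                        { total++; age = now - $2 }
        $2 == 0         { never++; printf "%s never\n", $1; next }
        age > max       { stale++; printf "%s stale %d\n", $1, age; next }
                        { printf "%s ok %d\n", $1, age }
        END {
            if (total == 0)
                print "verdict: no peers configured"
            else if (never == total)
                print "verdict: no peer has reached the server; check port forwarding and the client endpoint (external IP/DDNS)"
            else if (never + stale > 0)
                print "verdict: some peers are silent; check those clients"
            else
                print "verdict: all peers have a recent handshake"
        }'
}

# Constructed sample: four peers, none has ever completed a handshake
# (key names are placeholders, not real keys).
sample() {
    printf 'PEER_KEY_1\t0\nPEER_KEY_2\t0\nPEER_KEY_3\t0\nPEER_KEY_4\t0\n'
}

sample | handshake_report 1621024000 180

# On a live server (requires root):
#   wg show wg0 latest-handshakes | handshake_report "$(date +%s)" 180
```

When every peer reports "never", as in the constructed sample, the problem is more likely on the path to the server than in a single client's configuration.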

Thanks for your hints.

I updated my domain (DuckDNS) via an HTTP call and all is working again. Hadn’t done it for 9 months.

No configuration issue.

Many thanks again.

T

You could use dietpi-ddns to update your DuckDNS once your external IP changes.

Just did.
Test seemed to work fine.

Thank you!

T