Hello,
I am seeking assistance with my current installation of Wireguard. I initially wanted to run docker with my wireguard installation to allow for additional docker apps that I wanted to test and run inside of docker. This didn’t work well as once I installed docker, wireguard stopped working. This, I believe, was due to the way docker changed the ip tables for dietpi once installed. I then had trouble correcting the issue when attempting to follow the fix on the following threads: https://dietpi.com/forum/t/docker-installation-break-wireguard-connection/3332/2 and https://dietpi.com/forum/t/vpn-breaks-docker/3207/2. So I ultimately decided to move away from docker and do local installs, but still ran into issues with wireguard. I currently have Organizr, NOIP Duc, and Fail2Ban installed. Now when I install wireguard, SSH is not working and I am unable to access my local Organizr application. When I uninstall wireguard, of course everything works as needed. Could someone possibly help point me in the right direction for troubleshooting, or will I just have to run wireguard on another dedicated pi when I get one?
riley226
Are you trying to install WireGuard as server or as client?
As server, it should not affect any network connection, it only enables an additional via additional wg0 interface.
As client, it depends on the config file, but often it is configured to send all outgoing requests through the VPN only. This means that any direct incoming requests (outside of the VPN) are not answered, since those answers are sent through the VPN as well, where they cannot reach the correct recipient. If you need direct incoming access but have internally initialised requests or such from specific programs/users, going through the VPN, you need some split config via routing tables and connection marks. This is a bit too complicated to quickly guide through here for now.
MichaIng
Thank you for the reply!
I just did a reinstall of Wireguard. Now when attempting to ssh I am getting the error “ssh: connect to host 192.168.XXX.XXX port 22: Resource temporarily unavailable.” Also my local install of Organizr is getting a connection timed out error, whereas before the install ssh was working and Organizr was accessible. Should I maybe reformat and start from a fresh image and do the Wireguard install first and then do my additional installs of Organizr, NOIP Duc, and Fail2Ban?
Also, after the Wireguard install I am getting the “INFO Waiting for DietPi-Postboot to finish Press CTRL+C to abort” message; not sure if that should flag anything.
Below is an example of my wg0.config if needed for review:
[Interface]
Address = 10.9.0.1/24
PrivateKey = PrivateKey
ListenPort = 51820
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
# Client 1
[Peer]
PublicKey = PublicKey
AllowedIPs = 10.9.0.2/32
# Client 2
#[Peer]
#PublicKey = XXXX
#AllowedIPs = 10.9.0.3/32
riley226
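The server/client distinction MichaIng describes can be checked directly against a wg-quick config: a /0 entry in AllowedIPs makes wg-quick take over the default route, while a server config like the one posted only adds routes for the tunnel subnet. The following is an added example, not part of the thread; the client config and the LAN range 192.168.1.0/24 are constructed for illustration, and the keys are placeholders.

```python
import ipaddress

# Server config as posted above (key, port and PostUp/PostDown lines omitted).
SERVER_CONF = """
[Interface]
Address = 10.9.0.1/24
[Peer]
AllowedIPs = 10.9.0.2/32
#[Peer]
#AllowedIPs = 10.9.0.3/32
"""
# Constructed client config: a /0 in AllowedIPs sends all traffic through wg0.
CLIENT_CONF = """
[Interface]
Address = 10.9.0.2/24
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse(text):
    """Return (interface, peers): dicts mapping lower-cased keys to value lists."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and disabled peers
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur.setdefault(key.strip().lower(), []).append(val.strip())
    return iface, peers

def networks(sections, key):
    """Collect every CIDR listed under `key` in the given sections."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for s in sections for val in s.get(key, []) for item in val.split(",")]

def audit(text, lan_cidr):
    """Flag a default-route takeover and tunnel routes that shadow the LAN."""
    iface, peers = parse(text)
    lan = ipaddress.ip_network(lan_cidr)
    routed = networks([iface], "address")      # connected route of wg0 itself
    if [v.lower() for v in iface.get("table", [])] != ["off"]:
        routed += networks(peers, "allowedips")  # Table = off: no peer routes
    return {
        "full_tunnel": any(n.prefixlen == 0 for n in routed),
        "lan_overlap": [str(n) for n in routed if n.prefixlen and n.overlaps(lan)],
    }
```

For the posted server config both checks come back clean against a 192.168.x.x LAN, which matches the statement that the server role only adds the wg0 interface and its tunnel subnet.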
Hmm, which SBC/device are you using? And what does the following report:
journalctl -u wg-quick@wg0
MichaIng
This is the Wireguard Server installation on a “Raspberry Pi 3 Model B Rev 1.2” and I have the wifi disabled as the pi is hard wired.
journalctl -u wg-quick@wg0
root@VPN:~# journalctl -u wg-quick@wg0
--Logs begin at Thu 2019-02-14 04:11:59 CST, end at Wed 2019-11-27 13:47:14 CST. --
Nov 27 12:41:12 VPN systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Nov 27 12:41:12 VPN wg-quick[421]: [#] ip link add wg0 type wireguard
Nov 27 12:41:12 VPN wg-quick[421]: [#] wg sectionf wg0 /dev/fd/63
Nov 27 12:41:12 VPN wg-quick[421]: [#] ip -4 address add 10.9.0.1/24 dev wg0
Nov 27 12:41:12 VPN wg-quick[421]: [#] ip link set mtu 1420 up dev wg0
Nov 27 12:41:12 VPN wg-quick[421]: [#] sysctl net.ipv4.conf.wg0.forwarding=1 net.ipv4.conf$(sed -n 3p /DietPi/dietpi/.netowrk).forwading=1
Nov 27 12:41:12 VPN wg-quick[421]: net.ipv4.conf.wg0.forwarding =1
Nov 27 12:41:12 VPN wg-quick[421]: net.ipv4.conf.eth0.forwarding =1
Nov 27 12:41:12 VPN wg-quick[421]: [#] sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.netowrk).accept_ra=2
Nov 27 12:41:12 VPN wg-quick[421]: net
Nov 27 12:41:12 VPN wg-quick[421]: [#] sysctl net.ipv6.conf.wg0.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.netowrk).forwading=1
Nov 27 12:41:12 VPN wg-quick[421]: net.ipv6.conf.wg0.forwarding = 1
Nov 27 12:41:12 VPN wg-quick[421]: net.ipv6.conf.eth0.forwarding = 1
Nov 27 12:41:12 VPN wg-quick[421]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.netowrk) -j MASQUERADE
Nov 27 12:41:12 VPN wg-quick[421]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.netowrk) -j MASQUERADE
Nov 27 12:41:12 VPN systemd[1]: Started WireGuard via wg-quick(8) for wg0
root@VPN:~#