I set up WireGuard on a new install of DietPi and I, for the life of me, cannot get it to work. I set up WG on my phone using a QR code.
root@DietPi:/etc/wireguard# more wg0.conf
[Interface]
PrivateKey = [PRIVATE KEY]
Address = 10.6.0.1/24
ListenPort = 51820
# begin USERNAME
[Peer]
PublicKey = [PUBLIC KEY]
PresharedKey = [PRESHARE KEY]
AllowedIPs = 10.6.0.2/32
# end USERNAME
# begin USERNAME_MOBILE
[Peer]
PublicKey = [PUBLIC KEY]
PresharedKey = [PRESHARE KEY]
AllowedIPs = 10.6.0.3/32
# end USERNAME_MOBILE
and
root@DietPi:/etc/wireguard/configs# more USERNAME_MOBILE.conf
[Interface]
PrivateKey = [PRIVATE KEY]
Address = 10.6.0.3/24
DNS = 1.1.1.1
[Peer]
PublicKey = [PUBLIC KEY]
PresharedKey = [PRESHARE KEY]
Endpoint = MYURL.com:51820
AllowedIPs = 0.0.0.0/0
I changed the DNS to 1.1.1.1 at the urging of folks here.
finally,
root@DietPi:/etc/wireguard/configs# wg
interface: wg0
public key: [PUBLIC KEY]
private key: (hidden)
listening port: 51820
peer: [PEER]
preshared key: (hidden)
endpoint: 99.203.121.17:49841
allowed ips: 10.6.0.3/32
latest handshake: 1 minute, 43 seconds ago
transfer: 346.77 KiB received, 27.04 KiB sent
peer: [PEER2]
preshared key: (hidden)
allowed ips: 10.6.0.2/32
It’s connecting, and clearly sending something back to the phone, but it always times out.
Hi,
How did you install WireGuard? Did you use dietpi-software? Because it seems you are missing some parts in your wg0.conf to forward traffic. My config file looks like this:
root@DietPi4:/etc/wireguard# cat wg0.conf
[Interface]
Address = 10.9.0.1/24
PrivateKey = xxx
ListenPort = 51820
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
# Client 1
[Peer]
PublicKey = xxx
AllowedIPs = 10.9.0.2/32
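The reply above points at forwarding parts missing from the server's wg0.conf. As an added example (not code from the thread or from DietPi), this shell function checks a config for the IPv4 forwarding, FORWARD accept and MASQUERADE PostUp hooks; the sample configs are constructed and the eth0 interface name is an assumption.

```shell
#!/bin/sh
# Added example: report whether a WireGuard server config carries the IPv4
# forwarding and NAT hooks. Only the config file is inspected; forwarding
# enabled elsewhere (for example in /etc/sysctl.conf) is not detected.
check_wg_forwarding() {
    conf=$1
    missing=""
    # Collect PostUp directives only; commented-out lines do not match.
    postup=$(grep -Ei '^[[:space:]]*PostUp[[:space:]]*=' "$conf" || true)
    has() { printf '%s\n' "$postup" | grep -Eq -- "$1"; }
    has 'net\.ipv4\.[^ ]*forward(ing)?=1'       || missing="$missing ip-forwarding"
    has 'iptables .*FORWARD.*-j ACCEPT'         || missing="$missing forward-accept"
    has 'iptables .*POSTROUTING.*-j MASQUERADE' || missing="$missing masquerade"
    if [ -n "$missing" ]; then
        echo "$conf: missing:$missing"
        return 1
    fi
    echo "$conf: forwarding and NAT hooks present"
}

# Constructed sample configs (keys are placeholders, eth0 is assumed).
make_samples() {
    cat > "$1/bare.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
Address = 10.6.0.1/24
ListenPort = 51820
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 10.6.0.3/32
EOF
    cat > "$1/nat.conf" <<'EOF'
[Interface]
Address = 10.9.0.1/24
PrivateKey = PLACEHOLDER
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.eth0.forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 10.9.0.2/32
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_wg_forwarding "$demo_dir/bare.conf" || true
check_wg_forwarding "$demo_dir/nat.conf"
rm -rf "$demo_dir"
```

A config that passes this check can still fail to route if a host firewall drops forwarded packets or the outbound interface name is wrong.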
I did install using the built-in tools. Maybe I uninstall and just try again…
Also, you are using a different IP range for WireGuard: 10.6.0.x.
Usually the default configured by dietpi-software should be 10.9.0.x.
Did you adjust this on your own, or do you use the default values provided by the dietpi-software scripts?
I didn’t do anything weird with the setup first time around, but I uninstalled and reinstalled and now everything is humming along.
As I said, your server config file looked quite different from what is usually provided by dietpi-software. But good that this is working now.