Wireguard not establishing connection after ip range change

Required Information

  • DietPi version | 8.5.1
  • Distro version | bullseye
  • Kernel version | 5.15.32
  • SBC model | RPi4

Additional Information

  • When setting up my new router today, I decided to change my local ip address range from 192.168.2.x to 10.21.21.x
  • I changed the relevant ip address data in dietpi-config, network options: adapters
  • My other applications (adguard & jellyfin) worked fine after changing the ip address there
  • I opened my wireguard udp port at the router (50055) and linked it to my dietpi setup (10.21.21.2)
  • Wireguard, however, refuses to establish a connection. Even after a fresh software install and also trying to manually create a second key pair and config, it still doesn’t work.
  • I assume that there is just some (dietpi) config file that still needs to know about the ip address range change. But I am not sure about that…

wg0-client.conf

[Interface]
Address = 10.9.0.2/24
PrivateKey = <private key>
ListenPort = 50055
DNS = 10.21.21.2 #dietpi ip with unbound setup

[Peer]
PublicKey = <public key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <home ip address>:50055 #the ip is correct

wg0.conf

[Interface]
Address = 10.9.0.1/24
PrivateKey = <private key>
ListenPort = 50055

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
PostUp = sysctl net.ipv6.conf.$(ip r l 0/0 | mawk '{print $5;exit}').accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.9.0.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE

# Client 1
[Peer]
PublicKey = <public key>
AllowedIPs = 10.9.0.2/32

The iOS wireguard app shows barely any KiB data sent when ‘connected’ and I cannot reach the client with ping 10.9.0.2 from my dietpi terminal with the wireguard server setup.

I am all ears for any hints.

Thanks in advance!
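Added example, not part of the original thread: a Python consistency check for the two posted files after a LAN renumbering. The /24 prefix lengths for the old and new LAN, the one-peer-per-file layout and the function names are assumptions. The files as posted pass, which fits the fault later being found on the internet-facing router rather than in /etc/wireguard.

```python
import ipaddress
import re
# Constructed sample input: the posted files, trimmed to the keys the check reads.
SERVER_CONF = """[Interface]
Address = 10.9.0.1/24
ListenPort = 50055
[Peer]
AllowedIPs = 10.9.0.2/32
"""
CLIENT_CONF = """[Interface]
Address = 10.9.0.2/24
DNS = 10.21.21.2 #dietpi ip with unbound setup
[Peer]
Endpoint = <home ip address>:50055
"""

def parse(text):
    """Return {section: {key: value}}; assumes one [Peer] per file."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def check(server_text, client_text, old_lan, new_lan):
    """Return a list of findings; an empty list means the files agree."""
    srv, cli = parse(server_text), parse(client_text)
    old_lan, new_lan = ipaddress.ip_network(old_lan), ipaddress.ip_network(new_lan)
    findings = []
    tunnel = ipaddress.ip_interface(srv["Interface"]["Address"]).network
    client_ip = ipaddress.ip_interface(cli["Interface"]["Address"]).ip
    allowed = [ipaddress.ip_network(n.strip()) for n in srv["Peer"]["AllowedIPs"].split(",")]
    if not any(client_ip.version == n.version and client_ip in n for n in allowed):
        findings.append("client tunnel address not in server AllowedIPs")
    if tunnel.overlaps(new_lan):
        findings.append("tunnel subnet overlaps the new LAN")
    if cli["Peer"]["Endpoint"].rsplit(":", 1)[1] != srv["Interface"]["ListenPort"]:
        findings.append("Endpoint port differs from server ListenPort")
    dns = ipaddress.ip_address(cli["Interface"]["DNS"])  # assumes a single DNS entry
    if dns not in new_lan and dns not in tunnel:
        findings.append("DNS is outside the new LAN and the tunnel")
    # Any IPv4 literal still inside the old LAN is a leftover from before the change.
    stale = re.findall(r"\b\d+\.\d+\.\d+\.\d+\b", server_text + client_text)
    findings += ["stale reference to old LAN: " + ip for ip in stale if ipaddress.ip_address(ip) in old_lan]
    return findings
```

Calling `check(SERVER_CONF, CLIENT_CONF, "192.168.2.0/24", "10.21.21.0/24")` returns an empty list for the posted values; on a real system, pass the contents of the actual files instead of the constructed samples.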

Did you ensure that you updated your DDNS after the router was changed? Usually you should get a new public IP address.

Hi Joulinar and thanks for your answer!

I did forget to mention that the router is connected to another one, which actually connects to the ISP. It simply creates its own sub-network.

This internet-router didn’t change and the internet ip is still the same - just double-checked that. I did also adapt the port forwarding of that ISP-router to take the new router as the new destination.

Basically there is no DietPi configuration of its own. Just the files in /etc/wireguard. Nothing else.

What is the output of
ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c; wg show

Thanks Joulinar and trendy for your help.

I discovered a configuration issue with the internet-facing router and now everything works as intended.
