Hi there!
I’ve been running Pi-hole on DietPi (VMware Workstation on Win10) for a while and it’s been working great! Love it. I’ve wanted to get a VPN sorted out for a while and was hoping to use the same VM, but I had nothing but issues, so today I started a new VM just to solve this.
Freshly downloaded VMware DietPi image, nothing else installed except WireGuard. Port 51820 is forwarded to this new DietPi VM.
I can connect successfully from the outside with the WireGuard Android app.
DNS seems to be working, as I’m seeing queries registered on my existing Pi-hole (192.168.1.24).
Internally I’m using 192.168.1.0/24 and keeping the default WireGuard subnet of 10.9.0.0/24; there are no other subnets around.
I previously tried the OpenVPN installation and had the exact same issue: I can connect, but no real traffic gets through.
I’m hardly a Linux expert, so I could definitely use a hand! I believe it’s a routing issue in DietPi somewhere.
wg:
interface: wg0
public key: *****************
private key: (hidden)
listening port: 51820
peer: ******************
endpoint: myphoneexternalip:6907
allowed ips: 10.9.0.2/32
latest handshake: 50 seconds ago
transfer: 268.04 KiB received, 494.47 KiB sent
ip addr:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:8f:cf:69 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.25/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 84003sec preferred_lft 84003sec
inet6 fe80::20c:29ff:fe8f:cf69/64 scope link
valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.9.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
wg0.conf:
# wg0.conf — server-side wg-quick configuration (DietPi WireGuard template).
# %i is expanded by wg-quick to the interface name (wg0).
# $(mawk 'NR==3' /run/dietpi/.network) reads line 3 of the file written by PreUp below —
# presumably the LAN interface name (eth0 here); verify with: cat /run/dietpi/.network
# NOTE(review): wg0 runs at MTU 1420 (see ip addr output above). If small packets (handshake,
# DNS) succeed but bulk traffic does not, a path-MTU/MSS problem is worth ruling out before
# assuming a routing fault — TODO confirm.
[Interface]
# Server's tunnel address; peers are assigned addresses in 10.9.0.0/24.
Address = 10.9.0.1/24
# Server private key (redacted in this paste). wg-quick warns if this file is world-readable.
PrivateKey = **********************
# UDP port peers connect to; must match the port forwarded on the router (51820).
ListenPort = 51820
# Writes /run/dietpi/.network, which the PostUp/PostDown hooks below read.
PreUp = /boot/dietpi/func/obtain_network_details
# Enable IPv4 forwarding on the tunnel and on the LAN interface (per-interface sysctls, not the
# global net.ipv4.ip_forward).
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
# accept_ra=2: keep accepting IPv6 router advertisements on the LAN interface even though
# forwarding is enabled on it.
PostUp = sysctl net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).accept_ra=2
# IPv6 counterpart of the forwarding sysctls above.
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
# Forward everything arriving from the tunnel (unconditional: every connected peer can reach any
# destination routable via the LAN interface) and NAT it behind the LAN interface's address.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
# IPv6 counterpart. NOTE(review): per the ip addr output above, wg0 has no IPv6 address and eth0
# only a link-local one, so these rules appear to be unused in this setup.
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
# Tear down the rules appended in PostUp when the interface goes down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
# Client 1
[Peer]
# Peer's public key (redacted in this paste).
PublicKey = **********************
# Source addresses accepted from this peer (and routed to it): a single tunnel host.
AllowedIPs = 10.9.0.2/32
# Client 2 (template placeholder, disabled)
#[Peer]
#PublicKey = XXXX
#AllowedIPs = 10.9.0.3/32
wg0-client.conf:
# wg0-client.conf — peer (client) side of the tunnel, imported into the WireGuard Android app.
[Interface]
# Client's tunnel address (IPv4 only; no IPv6 tunnel address is assigned).
Address = 10.9.0.2/24
# Client private key (redacted in this paste); its public key should be the [Peer] PublicKey in wg0.conf.
PrivateKey = ************************************
# Comment out the following line to keep the client's default DNS server, or set a desired one.
# 192.168.1.24 is the existing Pi-hole on the server's LAN; client DNS queries travel through the tunnel to it.
DNS = 192.168.1.24
# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
# Server's public key (redacted in this paste).
PublicKey = **********************
# Tunnel all network traffic through the VPN:
# AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
# AllowedIPs = 192.168.1.0/24
# Tunnel access to VPN server only:
# NOTE(review): 192.168.1.208 does not match the server's current eth0 address (192.168.1.25 in the
# ip addr output above); adjust before enabling this option.
# AllowedIPs = 192.168.1.208/32
# Active choice: full tunnel. ::/0 is routed into the tunnel although no IPv6 tunnel address is set
# above — presumably this blocks rather than leaks IPv6 on the client; confirm on the device.
AllowedIPs = 0.0.0.0/0, ::/0
# Public address and port of the server; the port must match ListenPort in wg0.conf and the router's port forward.
Endpoint = MYEXTERNALIP:51820
# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25