Wireguard on dietpi/vmware workstation

thejuan · September 1, 2021, 6:13pm

Hi there!

I’ve been running pihole on dietpi/vmware workstation on win10 for a while and it’s been working great! Love it. I’ve wanted to get a vpn sorted out for a while and was hoping to use the same vm. had nothing but issues so I started a new vm today just to solve this issue.

Newly downloaded vmware dietpi, no other installations except wireguard. Port 51820 forwarded to this new dietpi vm.

I can connect successfully from the outside with wireguard android
DNS seems to be working as I’m registering entries on my existing pihole (192.168.1.24)
Internally i’m using 192.168.1.0/24, keeping the default wireguard of 10.9.0.0/24, no other subnets around.
I’ve previously tried the openvpn installation and same exact issue - can connect but no real traffic.
I’m hardly a linux expert so I could definitely use a hand! I believe it’s a routing issue in dietpi somewhere

wg:

interface: wg0
  public key: *****************
  private key: (hidden)
  listening port: 51820

peer: ******************
  endpoint: myphoneexternalip:6907
  allowed ips: 10.9.0.2/32
  latest handshake: 50 seconds ago
  transfer: 268.04 KiB received, 494.47 KiB sent

ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:8f:cf:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.25/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 84003sec preferred_lft 84003sec
    inet6 fe80::20c:29ff:fe8f:cf69/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.9.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

wg0.conf:

[Interface]
Address = 10.9.0.1/24
PrivateKey = **********************
ListenPort = 51820

PreUp = /boot/dietpi/func/obtain_network_details
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE

# Client 1
[Peer]
PublicKey = **********************
AllowedIPs = 10.9.0.2/32

# Client 2
#[Peer]
#PublicKey = XXXX
#AllowedIPs = 10.9.0.3/32

wg0-client.conf:

[Interface]
Address = 10.9.0.2/24
PrivateKey = ************************************

# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 192.168.1.24

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = **********************
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#       AllowedIPs = 192.168.1.0/24
# Tunnel access to VPN server only:
#       AllowedIPs = 192.168.1.208/32
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = MYEXTERNALIP:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25

Joulinar · September 1, 2021, 8:06pm

Hi,

just for testing, are you able to reach PiHole web interface using 192.168.1.24/admin ?

thejuan · September 1, 2021, 8:18pm

Thanks, tried and I cannot, nor anything internal.
I’ve tried changing the client conf to only allow 192.168.1.0/24 for just internal access but same result.
Unsure if necessary but every time I make changes I recreate the tunnel with a new qr code just in case

Joulinar · September 1, 2021, 8:21pm

how do you setup the VM? Using NAT or does the VM has an own IP on your network like 192.168.1.xxx?

thejuan · September 1, 2021, 8:26pm

Bridged network in vmware - it has it’s own ip: 192.168.1.25
The ip is mapped statically by mac via the router/dhcp

thejuan · September 1, 2021, 8:40pm

also forgot to mention I’ve turned on ipv4 forwarding as many have suggested. it’s persistent after a reboot

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Joulinar · September 1, 2021, 8:43pm

your client is located outside your local network? Means it’s using a different hot spot or mobile network and not the same local one? Are you able to connect to your Wireguard server using SSH from the client while connected via VPN and not located in your local network?

also forgot to mention I’ve turned on ipv4 forwarding as many have suggested. it’s persistent after a reboot

This is set by WireGuard server configuration already

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1

thejuan · September 1, 2021, 8:59pm

Neat! Ssh to my new dietpi is working as is ssh’ing to my pihole
So that works!
I’ve tried 2 different browsers to try connections to my router and pihole admin page by ip, no dice. also tried named external websites like google.com, same result

Correct, this is on a mobile device, I’ve connections internally, then switched Wifi off and connecting on my cell provider network then switching on wireguard

Joulinar · September 1, 2021, 9:04pm

Probably we misunderstood on the SSH stuff. If your mobile phone is connected to your cell provider and you have activated Wireguard, are you able to connect via SSH from that mobile device using a SSH app?

thejuan · September 1, 2021, 9:58pm

apologies - yes, internal and external (with wireguard) ssh connections are working to my pihole instance and my wireguard instance. any http(s) is not

Joulinar · September 2, 2021, 10:03am

strange that you can connect via SSH to your local network (PiHole device) but not using HTTP.

Ok if you have time and mood, we could perform some tcp tracing to check where HTTP connection breaks.

thejuan · September 2, 2021, 3:22pm

It is strange, I was surprised ssh worked, good call!
Sure, I’m down, I really appreciate the help!
I might not be timely today but I’d like to solve this, it’s been bugging me

trendy · September 2, 2021, 4:15pm

Can we verify first that it is not blocked by the firewall?
iptables-save -c

thejuan · September 2, 2021, 6:34pm

iptables-save -c

# Generated by xtables-save v1.8.2 on Thu Sep  2 19:34:10 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[4342:671586] -A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Thu Sep  2 19:34:10 2021

# Generated by xtables-save v1.8.2 on Thu Sep  2 19:34:10 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[791:52332] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep  2 19:34:10 2021

Joulinar · September 3, 2021, 10:34am

thejuan
is the following correct?

IP PiHole VM - 192.168.1.24
IP WireGuard VM - 192.168.1.25
IP WireGuard Client - 10.9.0.2

if yes, I will let you know the commands we would need to capture the HTTP connection

trendy · September 3, 2021, 3:28pm

Install tcpdump apt install tcpdump and then run:
tcpdump -evn tcp port 80

thejuan · September 3, 2021, 3:35pm

yes, the ip’s are correct
IP PiHole VM - 192.168.1.24
IP WireGuard VM - 192.168.1.25
IP WireGuard Client - 10.9.0.2

Joulinar · September 3, 2021, 3:37pm

Ok I will post tcpdump command later the evening. I played with it and I guess I found a good filter to show important information only.

thejuan · September 3, 2021, 4:01pm

awesome! thanks so much for the help

Joulinar · September 3, 2021, 8:22pm

ok for testing install tcpdump on both VM’s

dietpi-software install 15

Following will start traffic capture on WireGuard VM

tcpdump -i any -c200 -nn port 80 and '((src 10.9.0.2 and dst 192.168.1.24) or (src 192.168.1.24 and dst 10.9.0.2))'

it will capture 200 lines
on HTTP port 80
where source is wg client IP 10.9.0.2 and target PiHole VM for incomming traffic
and the other way around to check on an answer

Following will start traffic capture on PiHole VM

tcpdump -i any -c200 -nn port 80

it will capture 200 lines
on HTTP port 80
traffic from all sources will be captured

Test to be done

Ensure no device on your network is actually connected to PiHole web interface
connect your mobile device to cellular network
connect WireGuard app
open web browser and try pi.hole/admin/
close browser window
disconnect WireGuard app
you could cancel tcpdump if not already stopped
post output for both VM’s