Wireguard server start issue, Failed to start WireGuard via wg-quick(8) for wg0

Required Information

  • DietPi version | 8.14.2
  • Distro version | bullseye 0
  • Kernel version | 5.15.84-v8+

I’m working on getting a Wireguard VPN server setup through attempting the tutorial listed here, for being able to use pihole’s DNS on the go, as well as having the option to tunnel all traffic through the pihole if the case needs:

I’m aware that PiVPN also exists as an alternative, but I was curious as to why PiVPN was not listed or mentioned in the docs here from Pi-hole’s developers if it’s so easy and safe and does the same thing this guide explains, so I just went with this instead.

Running kernel version 5.15.84-v8+, I did the additional sudo apt-get install for the wireguard-dkms as the guide specified as well. I am running into an issue when trying to start the server.

I wasn’t sure about why setting specifically 10.100.0.1/24, fd08:4711::1/64 addresses.
But I guess the idea is to set it outside of your router’s range so it won’t accidentally be overwritten?

root@DietPi:~# sudo systemctl enable wg-quick@wg0.service
sudo systemctl daemon-reload
sudo systemctl start wg-quick@wg0
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.

root@DietPi:~# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2023-02-27 02:25:32 CET; 20s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 1772 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=2)
   Main PID: 1772 (code=exited, status=2)
        CPU: 120ms

Feb 27 02:25:32 DietPi systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Feb 27 02:25:32 DietPi wg-quick[1772]: [#] ip link add wg0 type wireguard
Feb 27 02:25:32 DietPi wg-quick[1772]: [#] wg setconf wg0 /dev/fd/63
Feb 27 02:25:32 DietPi wg-quick[1772]: [#] ip -4 address add 10.100.0.1/24 dev wg0
Feb 27 02:25:32 DietPi wg-quick[1772]: [#] ip -6 address add fd08:4711::1/64 dev wg0
Feb 27 02:25:32 DietPi wg-quick[1791]: RTNETLINK answers: Permission denied
Feb 27 02:25:32 DietPi wg-quick[1772]: [#] ip link delete dev wg0
Feb 27 02:25:32 DietPi systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Feb 27 02:25:32 DietPi systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Feb 27 02:25:32 DietPi systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.

I have attempted rebooting the system and running it again with the same error.

Why are you making it that complicated? Simply select native WireGuard or PiVPN from our software catalogue and you are done. Personally I’ve been using native WireGuard together with Pi-hole for years without any issue.

should not be needed on current kernel version

there is an issue on your configuration as you are running into

Googling that seems to point to some issue with IPv6 configuration, could this be right? I have it disabled currently in dietpi.conf; the guide did specify an IPv6 address to put. But I’m sure enabling won’t do any harm, Pi-hole just won’t resolve or with NXDOMAIN as it’s not supported on my network, if I’m correct about that.

It’s just what the official Pihole docs tutorial suggests, I figured to do this as it would be the safest route to give the desired results for me with Pihole, following the tutorial there. I’m open for using the Dietpi software way though.

One question, reading through the description on the Wireguard software docs here, it tells me:

to allow VPN clients accessing your local Pi-hole instance, you need to allow DNS requests from all network interfaces: pihole -a -i local

in Pihole’s tutorial it mentions you can leave it allowing local requests only.

What is the difference in the configuration here? Or maybe I’m misunderstanding the context. It sounds like it wants me to permit all origins. Maybe I’m overly concerned about this.

The plan currently for me is to use my iOS phone only to remote connect my mobile network to the Pi-hole, for context. I’m very wary of opening ports as it is, but this is a fun learning experience.

It still feels like you are trying to over-architect things. Our installation script will set up your WireGuard VPN completely. No need to do any manual configuration on the server side. Of course, the client config can be adjusted to personal needs.

Just remove IPv6 from your configuration if you don’t use IPv6 at all.

For the Pi-hole listen-on-all-interfaces option: this should not be an issue because you don’t open port 53 (DNS) to the internet and nobody will be able to reach Pi-hole from outside your local network. Whether you need the listen-on-all-interfaces option depends on what you set inside your WireGuard client configuration. There you could choose between the VPN IP address 10.xx and the local network IP 192.xx. Choosing the VPN IP requires Pi-hole to listen on all interfaces. If you go with the local network IP, this is not required.
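
Added example, not part of the original thread: a pre-flight check for the failure in the log above, where wg-quick aborts with "RTNETLINK answers: Permission denied" on the ip -6 address add step while IPv6 is disabled on the host. The function names and the optional sysctl-directory argument are hypothetical, and the sample config is constructed from the two addresses shown in the log.

```shell
#!/bin/sh
# Added example: flag wg-quick configs that assign IPv6 addresses on a host
# where the kernel has IPv6 disabled.

# Print every IPv6 entry found on the Address lines of a wg-quick config.
wg_ipv6_addresses() {
    # $1: path to the config file
    awk -F= 'tolower($1) ~ /^[ \t]*address[ \t]*$/ { sub(/#.*/, "", $2); print $2 }' "$1" |
        tr ',' '\n' | tr -d ' \t' | grep ':' || true
}

# Return 0 when new interfaces such as wg0 will come up with IPv6 disabled.
ipv6_disabled() {
    # $1: sysctl directory (hypothetical parameter; defaults to the kernel path)
    dir="${1:-/proc/sys/net/ipv6/conf}"
    [ -d "$dir" ] || return 0   # no IPv6 sysctl tree: treated as disabled
    for scope in all default; do
        [ "$(cat "$dir/$scope/disable_ipv6" 2>/dev/null)" = "1" ] && return 0
    done
    return 1
}

# Return 1 and name the offending addresses when the config cannot come up.
check_wg_conf() {
    # $1: config path, $2: optional sysctl directory
    v6=$(wg_ipv6_addresses "$1")
    if [ -n "$v6" ] && ipv6_disabled "$2"; then
        echo "IPv6 is disabled, but $1 assigns: $v6"
        echo "Remove these from Address or re-enable IPv6."
        return 1
    fi
    echo "OK: $1"
}

# Constructed sample: the Address values from the log above, plus a fake
# sysctl tree standing in for /proc/sys/net/ipv6/conf on an IPv6-disabled host.
demo=$(mktemp -d)
mkdir -p "$demo/conf/all" "$demo/conf/default"
echo 1 > "$demo/conf/all/disable_ipv6"
echo 1 > "$demo/conf/default/disable_ipv6"
printf '[Interface]\nAddress = 10.100.0.1/24, fd08:4711::1/64\n' > "$demo/wg0.conf"
check_wg_conf "$demo/wg0.conf" "$demo/conf" || true
```

On the real host, run check_wg_conf /etc/wireguard/wg0.conf as root and leave the second argument off so the live kernel settings are read.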

Thank you.

I attempted a configuration through Dietpi-software, got my server set up and phone client config, I guess this is where I will configure the AllowIP. Went a lot smoother than my previous attempt with Pi-hole’s guide for sure, but I could not get it to resolve any traffic on the client side unfortunately, so not working right.

Are there any extra measures you have to take if you use unbound as a recursive resolver as well?

Will give it another go tomorrow and update here with a fresh install again. And if there is something again I could maybe post a debug of some kind. I also ran into some headache while trying to port forward, where my router would overwrite what I had set prior as static IP for the Pi to another new address.

First thing to ensure is an established VPN connection. To do so, run the wg command on service side. This should show a successful handshake. Do you see that handshake happen?

I got things reinstalled and set up, this time I’m happy to say it looks like it’s working, wg shows successful connection to the peer, and endpoint seems to match the IP of my phone, but queries are going through my Pi-hole!

Tunnel is set to server-side local network only for my config.

Dnsleak shows me the address of my peer and not Pi-hole’s address, am I right to assume this means there is no leak?

Edit: Sorry, I confused the test… upon visiting the site it’s telling me the address of my phone, but when I do a standard test it’s showing the address of my home network. I guess this test is not really valid for my case… of course it will show two different addresses for my home IP when I’m using a VPN to connect to my home local network, I guess that’s why it’s called split-tunnel…

You are connecting to the internet using the IP address of your mobile phone. The only thing done towards your network is the DNS request :slight_smile: At least that’s how I understood your setup.

@joulinar
Thank you.
Your solution fixed my problem on Debian 11 + Debian 12.

apt install wireguard-dkms

Usually there should be no need to install the dkms module on kernel versions above 5.6. Which kernel are you running?