Wireguard & pihole - ongoing problems Topic is solved

[Deleted User 7758]

Hi all,
My third time uninstalling and reinstalling both Wiregard and Pihole in an attempt to get it working.
Here's what I have;
mydomain.com pointing to my static public IP 111.222.33.44
my Odroid with Pihole and Wireguard at 192.168.20.19 on my network
Nextcloud installed and available at mydomain.com/nextcloud when I have ports 80 & 443 open (I would prefer that Nextcloud was available at next cloud.mydomain.com but I'm so frustrated at the moment that I will aim for functionality first)
Port 51820 open on my router pointing at 192.168.20.19

Here's what I want to achieve;

• Secure access to my Nextcloud instance from my laptop & phone from outside my network.

• Access to my Nextcloud instance from my desktop inside my network

• Ad-blocking from inside my network (and outside too if I can ever get it working)

• Ad-blocking on my phone (the cherry on top)

After the latest attempt to get it working I currently have;
My wg0.conf

Code: Select all

[Interface]
Address = 10.9.0.1/24
PrivateKey = **********************************************************
ListenPort = 51820

PreUp = /boot/dietpi/func/obtain_network_details
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE

# Client 1
[Peer]
PublicKey = *****************************************************f8So=
AllowedIPs = 10.9.0.2/32

# Client 2
#[Peer]
#PublicKey = XXXX
#AllowedIPs = 10.9.0.3/32

and my client.conf

Code: Select all

[Interface]
PrivateKey = *******************************************************************
Address = 10.9.0.2/24
DNS = 10.9.0.1

[Peer]
PublicKey = ***********************************************************f8So=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 111.222.33.44:51820

If I connect the client to the VPN I do not get internet (stalls looking for DNS resolution)
Regardless of whether I am connected to the VPN I currently cannot find the Pihole web admin. I can't find it at pi.hole/admin, 192.168.20.19/admin, 10.9.0.1/admin, or 111.222.33.44/admin
curl -I localhost returns;

Code: Select all

HTTP/1.1 301 Moved Permanently
Location: https://localhost/
Date: Thu, 30 Jul 2020 11:30:39 GMT
Server: lighttpd/1.4.53

I would dearly like to get this sorted out within 1 week, before semester 2 starts - I'm going to be real busy and would love my notes and resources available in Nextcloud.
If this is not possible I will have to fall back on opening ports 80 and 443 on my router.

[Joulinar]

Hi,

Pls can you check using wg command if your client is connected. Did you set listen on all interfaces, permit all origin in Pihole?

[Deleted User 7758]

Hi Joulinar

wg returns (when the client is connected)

Code: Select all

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  allowed ips: 10.9.0.2/32

I also must add that I do not know what to do about the DNS settings in my macOS network preferences. I have my laptop set up currently with two 'locations' - pihole and no-pihole depending on whether I am on my home network or not.

[Joulinar]

I removed the keys from your post. Don't post them on a public board.

I don't think your client is not connected correctly. There is no message about last handshake. Which port did you forward on your router?

As well pls check log from the client if there are error messages.

[Deleted User 7758]

Hi again,
Port 51820 is forwarded

Attached is the Wireguard log. I can't see anything obvious for errors.
Regarding your earlier question about Pihole interfaces. Since reinstalling I have not changed anything because I can't access Pihole admin

[Joulinar]

are you stopping your WireGuard VPN after a couple of minutes always? becasue I see this quite often happen.

Code: Select all

2020-07-30 22:34:40.039526: [APP] Tunnel 'Odroid wg0-client.conf' connection status changed to 'connected'
2020-07-30 22:34:44.267478: [APP] Status update notification timeout for tunnel 'Odroid wg0-client.conf'. Tunnel status is now 'connected'.
2020-07-30 22:36:13.092335: [APP] startDeactivation: Tunnel: Odroid wg0-client.conf
2020-07-30 22:36:13.216242: [APP] Tunnel 'Odroid wg0-client.conf' connection status changed to 'disconnecting'
2020-07-30 22:36:13.489918: [NET] Network change detected with satisfied route and interface order [en0]

As well, are you located at home on same network? Or are you on a mobile network while testing?

Somehow I'm missing the handshake in your log. I don't have on iOS device at hand to test, but in Win10 as well as Android I see this on my logs

Android

Code: Select all

07-31 09:22:06.925 20810 21027 I WireGuard/GoBackend/WireGuard: Device started
07-31 09:22:06.963 20810 20837 D WireGuard/GoBackend/WireGuard: peer(BBBB…BBBB) - Sending handshake initiation
07-31 09:22:06.964 20810 20837 D WireGuard/GoBackend/WireGuard: peer(BBBB…BBBB) - Awaiting keypair
07-31 09:22:07.008 20810 20837 D WireGuard/GoBackend/WireGuard: peer(BBBB…BBBB) - Received handshake response
07-31 09:22:07.008 20810 20837 D WireGuard/GoBackend/WireGuard: peer(BBBB…BBBB) - Obtained awaited keypair

Win10

Code: Select all

2020-07-31 11:21:35.753471: [TUN] [wg0-client3] Startup complete
2020-07-31 11:21:38.026162: [TUN] [wg0-client3] peer(BBBB…BBBB) - Sending handshake initiation
2020-07-31 11:21:38.043152: [TUN] [wg0-client3] peer(BBBB…BBBB) - Awaiting keypair
2020-07-31 11:21:38.208394: [TUN] [wg0-client3] peer(BBBB…BBBB) - Received handshake response
2020-07-31 11:21:38.210391: [TUN] [wg0-client3] peer(BBBB…BBBB) - Obtained awaited keypair

On your WireGuad server, you should see something like this if connection is working. There should be a handshake message as well.

Code: Select all

root@DietPi4:~# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: x.x.x.x:49336
  allowed ips: 10.9.0.6/32
  latest handshake: 23 seconds ago
  transfer: 1.53 GiB received, 1.50 GiB sent

[Deleted User 7758]

are you stopping your WireGuard VPN after a couple of minutes always? becasue I see this quite often happen.

- according to those timestamps yeah this is probably when I was trying different dns server settings in the client config file.

As well, are you located at home on same network? Or are you on a mobile network while testing?

Yes

I don't have on iOS device at hand to test, but in Win10 as well as Android I see this on my logs

At this stage I am not setting up an iOS device (although I'd like to later). The client is my macOS laptop with the Wiregard client app.

There should be a handshake message as well.

Code: Select all

root@HC1:/home/jon# wg
interface: wg0
  public key: *********************************************************Tw=
  private key: (hidden)
  listening port: 51820

peer: ********************************************************8So=
  allowed ips: 10.9.0.2/32

[Deleted User 7758]

It seems important - first up - to figure out why I can't find the Pihole admin anymore.

[Joulinar]

PiHole should not be your problem right now because you are missing the very first step, a valid VPN connection.

Still your wg output doesn't show any handshake, means no VPN connection esteblished. Pls try to test with your macOS laptop from outside you local network (e.g. using a mobile phone as hotspot)

[Deleted User 7758]

I get no internet access when connected to the client vpn and on my phone's hotspot.
I tried both 192.168.20.19 and 1.1.1.1 in the client's config file for DNS.
Can't even ssh to the server