[Solved] Trying Wireguard and setting it up only for local access from outside Topic is solved

Garret
Posts: 52
Joined: Sat Nov 10, 2018 12:23 pm

[Solved] Trying Wireguard and setting it up only for local access from outside

Post by Garret »

I have been following the great interest in Wireguard and I can see that it is planned to be added to DietPi for the next release, if I have understood correctly (https://github.com/Fourdee/DietPi/pull/2398).

I have a free raspberry pi 3b+ available and would like to test it. However, I don't know how to do it. Is there an easy way to download a beta image to put on an SD card and try it?

Reading the GitHub discussion, it seems that Wireguard will be set up so that all traffic goes through the VPN server.

I would like instead to install Wireguard on a clean install of dietpi with, for instance, MotionEye. In my ideal setup I could connect through my phone via Wireguard to the raspberry server, to the address and port, to see the MotionEye web server, but all the other internet traffic on my phone (like Facebook, for instance) would not also be routed to the raspberry pi server. That should go through my normal available internet connection (wifi or mobile data). I have drawn a simple scheme to help understand what I mean, hopefully:

Would that be possible?

Thank you very much in advance.
Last edited by Garret on Tue Feb 05, 2019 10:54 am, edited 1 time in total.
MichaIng
Site Admin
Posts: 2293
Joined: Sat Nov 18, 2017 6:21 pm

Re: Trying Wireguard and setting it up only for local access from outside

Post by MichaIng »

@Garret
The WireGuard install option was already added to the Beta that was released yesterday. Follow these steps to update to the Beta branch: https://github.com/Fourdee/DietPi/blob/ ... _SYSTEM.md
However, do a dietpi-backup first and note that it is still a testing branch. But we would assist you quickly if you run into any issue related to the changes we made with this Beta.
More info about the current Beta: https://github.com/Fourdee/DietPi/issues/2415

Jep, the default client config, we currently create on install, forwards all traffic through the VPN tunnel. But it is veeery easy to adjust that. My aim is also to add some alternative commented settings blocks to enable other client use cases.

Currently in the client config /etc/wireguard/wg0-client.conf you will find the line: AllowedIPs = 0.0.0.0/0
Before applying it to your mobile, replace it by AllowedIPs = 192.168.1.0/24 to only forward access to your local network through the tunnel.
If you only need access to the MotionEye server on the RPi, set it to:
AllowedIPs = 192.168.1.3/32
Perhaps it can be even limited to only a certain port, but not sure currently.

The DNS = line btw. is optional and leads to the client using the server's DNS nameserver itself. If you want to stay with the default DNS server of your mobile, simply comment or remove this line.

After you have done the adjustments to your needs, it is very easy to apply those settings to your mobile. Run: qrencode -t ansiutf8 < /etc/wireguard/wg0-client.conf
You will see a QR code which can be scanned by the mobile WireGuard app :).
fredamn76
Posts: 1
Joined: Sat Feb 02, 2019 7:48 pm

Re: Trying Wireguard and setting it up only for local access from outside

Post by fredamn76 »

Sorry for using this thread but I cannot get the QR code to work. After running the QR command the QR code seems wrong. Anyone else have the same issue?
Garret
Posts: 52
Joined: Sat Nov 10, 2018 12:23 pm

Re: Trying Wireguard and setting it up only for local access from outside

Post by Garret »

fredamn76 wrote: Sat Feb 02, 2019 7:50 pm Sorry for using this thread but I cannot get the QR code to work. After running the QR command the QR code seems wrong. Anyone else have the same issue?
Hi @fredamn76, today I finally had time to update dietpi and install wireguard. I also tried the qrencode application but, probably because I am using putty, I get the QR code printed in the terminal, which is not usable. I tried to use the "-o" option to save the QR code as an image but windows cannot open the image file. So in the end I solved it by manually copying the content of /etc/wireguard/wg0-client.conf onto my android phone.

However, now I have another issue that @MichaIng might solve quite easily. I wanted to set up wireguard as I wrote in my first post. Everything seems fine. On my android phone I can connect to the wireguard server. If I go to 192.168.1.1 I can enter the webpage of my router, but if I go to 192.168.1.3 (the raspberry pi wireguard server) I cannot log in, for instance, on sonarr or radarr installed locally on the raspberry pi. So it seems that the android client on 4G (so in an external network) only sees the router but not all the other devices connected to my home LAN.

This is how I set up the /etc/wireguard/wg0-client.conf


[Interface]
# The address must be unique for each client, use "10.8.0.3/24" for the second client and so on.
Address = 10.8.0.2/24
PrivateKey = HIDDEN
# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 192.168.1.1

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will most likely not work on mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --d$
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark  -m addrtype ! --$

[Peer]
PublicKey = HIDDEN
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#       AllowedIPs = 192.168.1.0/24
# Tunnel access to VPN server only:
#       AllowedIPs = 192.168.1.2/32
AllowedIPs = 192.168.1.0/24
Endpoint = HIDDEN:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25
I am very close to getting everything working but am still missing something :x
MichaIng
Site Admin
Posts: 2293
Joined: Sat Nov 18, 2017 6:21 pm

Re: Trying Wireguard and setting it up only for local access from outside

Post by MichaIng »

Hmm, here running the QR code command on PuTTY (windows client) works very well. Not sure how different terminals and/or monitors and/or mobile phone cameras might affect this, but since the code is printed quite large and clear on my PuTTY... :?

What does the mobile client say when attempting to scan?

Yeah of course, if it does not work, manually copying the wg0-client.conf is the working alternative.

@Garret
From your generated client config it looks like the WireGuard server runs on 192.168.1.2, not 192.168.1.3 :?.

I will also run some test here tomorrow.
Garret
Posts: 52
Joined: Sat Nov 10, 2018 12:23 pm

Re: Trying Wireguard and setting it up only for local access from outside

Post by Garret »

MichaIng wrote: Tue Feb 05, 2019 2:19 am @Garret
From your generated client config it looks like the WireGuard server runs on 192.168.1.2, not 192.168.1.3 :?.
You are right. It was my mistake. The raspberry pi server is 192.168.1.2 and not 192.168.1.3.

I think I might have solved the mystery. In your first post you write to set AllowedIPs = 192.168.1.0/24. In this way I could only see 192.168.1.1 from my android phone when on 4G.
I changed it to AllowedIPs = 192.168.1.0/32 and now I can see, for instance, the radarr or bazarr web interface when connecting to 192.168.1.2.

Actually on your post about v.20 viewtopic.php?f=8&p=16308#p16308 you write to set the AllowedIPs with 32 in the end.

What do you think?

EDIT: I marked it as solved because it seems to be working fine. I just have some docker containers with transmission, and while I can access 192.168.1.2:9091 from my local network, on my phone putting that address says there is no connection. It seems like the docker containers are not touched by wireguard. I only miss this one thing, because otherwise I can ping all the devices on my home network. For example, I have an octoprint server on 192.168.1.32 and I can see the web interface from my phone on 4G.
WarHawk
Posts: 608
Joined: Thu Jul 20, 2017 8:55 am

Re: [Solved] Trying Wireguard and setting it up only for local access from outside

Post by WarHawk »

CIDR class /24 leaves 256 total addresses with a netmask of 255.255.255.0 (minus the gateway and the broadcast IPs, so a total of 254 assignable addresses)

A CIDR class of /32 netmask is 255.255.255.255 and usually has only 2 workable IPs for routers, as in it only has the ability to send to one and receive from one...

https://en.wikipedia.org/wiki/Classless ... IDR_blocks

Most of the "non routable" addresses such as 192.168.*.*, 127.0.*.* are netmasked 255.255.255.0, or /24 class
Garret
Posts: 52
Joined: Sat Nov 10, 2018 12:23 pm

Re: [Solved] Trying Wireguard and setting it up only for local access from outside

Post by Garret »

Thank you @WarHawk, I have never been good with network stuff.

Do you have any idea why I cannot see my docker container from wireguard? In particular I am using this docker container https://github.com/haugene/docker-transmission-openvpn
WarHawk
Posts: 608
Joined: Thu Jul 20, 2017 8:55 am

Re: [Solved] Trying Wireguard and setting it up only for local access from outside

Post by WarHawk »

Unknown...possible port not in wireguard config?

https://www.reddit.com/r/docker/comment ... iguration/

Not up to speed on wireguard...
MichaIng
Site Admin
Posts: 2293
Joined: Sat Nov 18, 2017 6:21 pm

Re: [Solved] Trying Wireguard and setting it up only for local access from outside

Post by MichaIng »

Indeed strange. Actually AllowedIPs = 192.168.1.0/32 should not forward all 192.168.1.X addresses through the VPN.
AllowedIPs = 192.168.1.1/32 e.g. should forward this one exact address only, AFAIK, so should only allow to access the VPN server machine, if it has this particular IP.

Need to check here if /24 somehow allows local network access but not the VPN machine itself.
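The AllowedIPs prefix semantics discussed in MichaIng's first reply (0.0.0.0/0 vs 192.168.1.0/24 vs a single /32) and questioned again in this last post can be checked offline with the following Python script. It is an added example, not code from this thread or from DietPi; the client config text it parses is constructed with placeholder keys and endpoint, and the helper names are assumed.

```python
import ipaddress
import re

# Constructed sample client config mirroring the layout of wg0-client.conf.
# Keys and endpoint are placeholders, not real values.
CLIENT_CONF = """\
[Interface]
Address = 10.8.0.2/24
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
# Tunnel access to server-side local network only:
AllowedIPs = 192.168.1.0/24
Endpoint = vpn.example.invalid:51820
"""


def parse_allowed_ips(conf_text):
    """Collect every network listed on AllowedIPs lines (comments stripped)."""
    nets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"AllowedIPs\s*=\s*(.+)", line, re.IGNORECASE)
        if m:
            for item in m.group(1).split(","):
                # strict=False masks host bits, as wg does for "192.168.1.3/24"
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def routed_via_tunnel(dest, nets):
    """True if dest lies in some AllowedIPs prefix, i.e. the client sends it through wg0.
    Everything else keeps using the phone's normal wifi/mobile route."""
    addr = ipaddress.ip_address(dest)
    return any(addr in n for n in nets if n.version == addr.version)


def tunnel_map(conf_text, dests):
    """Map each destination to whether this client config tunnels it."""
    nets = parse_allowed_ips(conf_text)
    return {d: routed_via_tunnel(d, nets) for d in dests}


def allowed_ips_for(hosts):
    """Least-privilege AllowedIPs value: one /32 per host, merged where adjacent."""
    nets = [ipaddress.ip_network(h + "/32") for h in hosts]
    return ", ".join(str(n) for n in ipaddress.collapse_addresses(nets))
```

Swapping the /24 for 192.168.1.0/32 makes only the single address 192.168.1.0 match, so any working access to 192.168.1.2 with that setting is not explained by the AllowedIPs line itself.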