Need help setting up WireGuard to access my network and the internet (Topic is solved)

SirChris93
Posts: 5
Joined: Tue Jan 28, 2020 3:02 am

Need help setting up WireGuard to access my network and the internet

Post by SirChris93 »

So I'm new to using WireGuard and think it's a nice-looking VPN; however, I'm struggling to get my devices to access my network and the rest of the internet through it.

My router's IP is 172.16.1.9. I want to be able to access my router when I am away from home. Here is how I currently have my client configuration:

Code: Select all

[Interface]
Address = 10.9.0.1/24
PrivateKey = ***
# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 172.16.1.9
# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN $
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT &&$
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT &$

[Peer]
PublicKey = ***
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
       AllowedIPs = 172.16.1.0/24
# Tunnel access to VPN server only:
#AllowedIPs = 0.0.0.0/0, ::/0

AllowedIPs = 172.16.1.0/24
Endpoint = XXX.asuscomm.com:51820
#
# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25

Why am I not able to connect to the VPN?
Joulinar
Posts: 2559
Joined: Sat Nov 16, 2019 12:49 am

Re: Need help setting up WireGuard to access my network and the internet

Post by Joulinar »

Hi,

Did you activate port forwarding on your Internet router?

Besides that, there are some parts that do not seem to be correct in your client config:

Code: Select all

[Interface]
Address = 10.9.0.1/24
10.9.0.1 should be the IP address of your WireGuard Server. It can't be used for your client.

Code: Select all

AllowedIPs = 172.16.1.0/24
This will tunnel only the traffic for your local network through the VPN. The rest of the traffic will go to the internet directly from your mobile device.

Please can you paste the server config file as well?
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
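
The two points in the reply above, as an added example (not part of the original post and not DietPi or WireGuard tooling): a Python check that compares a server config with a client config, flags a client that reuses the server's tunnel address, and reports whether the client's AllowedIPs gives a full or a split tunnel. The function names and embedded configs are constructed for illustration; the server side is assumed to be 10.9.0.1/24 with one peer allowed 10.9.0.2/32.

```python
import ipaddress

def parse_wg_conf(text):
    """Return [(section, {key: [values]})] from wg-quick style text."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            # Address/AllowedIPs may repeat and hold comma-separated lists
            sections[-1][1].setdefault(key, []).extend(
                v.strip() for v in value.split(",") if v.strip())
    return sections

def values(conf, section, key):
    return [v for name, kv in conf if name == section for v in kv.get(key, [])]

def check_pair(server_text, client_text):
    """Compare a server and a client config; return (errors, tunnel_mode)."""
    server, client = parse_wg_conf(server_text), parse_wg_conf(client_text)
    srv_ips = {ipaddress.ip_interface(a).ip
               for a in values(server, "Interface", "Address")}
    srv_allowed = [ipaddress.ip_network(n, strict=False)
                   for n in values(server, "Peer", "AllowedIPs")]
    cli_allowed = [ipaddress.ip_network(n, strict=False)
                   for n in values(client, "Peer", "AllowedIPs")]
    errors = []
    for addr in values(client, "Interface", "Address"):
        ip = ipaddress.ip_interface(addr).ip
        if ip in srv_ips:
            errors.append(f"{ip} is the server's tunnel address")
        elif not any(ip in net for net in srv_allowed):
            errors.append(f"{ip} is not in any server-side AllowedIPs")
    # A /0 route sends all traffic into the tunnel; anything else is split.
    mode = "full" if any(n.prefixlen == 0 for n in cli_allowed) else "split"
    return errors, mode

# Constructed samples using the addresses discussed in the thread.
SERVER = "[Interface]\nAddress = 10.9.0.1/24\nListenPort = 51820\n[Peer]\nAllowedIPs = 10.9.0.2/32\n"
CLIENT_BEFORE = "[Interface]\nAddress = 10.9.0.1/24\n[Peer]\nAllowedIPs = 172.16.1.0/24\n"
CLIENT_AFTER = "[Interface]\nAddress = 10.9.0.2/24\n[Peer]\nAllowedIPs = 0.0.0.0/0, ::/0\n"

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT_BEFORE))
    print(check_pair(SERVER, CLIENT_AFTER))
```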
SirChris93
Posts: 5
Joined: Tue Jan 28, 2020 3:02 am

Re: Need help setting up WireGuard to access my network and the internet

Post by SirChris93 »

Alright, so a couple of questions: for the 10.9.0.2 address, would I swap that with my DietPi IP? How do I get the WG Server IP?

Also, since I posted this I was having issues with DietPi, so I just reinstalled the whole thing, but I'm still having issues connecting through the VPN.

Here is my server config

Code: Select all

[Interface]
Address = 10.9.0.1/24
PrivateKey = *****
ListenPort = 51820

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE

# Client 1
[Peer]
PublicKey = ******
AllowedIPs = 10.9.0.2/32

Client conf

Code: Select all


[Interface]
Address = 10.9.0.2/24
PrivateKey = ***
# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 172.16.*.*

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = ****
# Tunnel all network traffic through the VPN:
#	AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
	AllowedIPs = 172.16.*.0/24
# Tunnel access to VPN server only:
#	AllowedIPs = 172.16.*.*/32
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ****:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25
Also I'm pretty sure I forwarded it correctly on my router

My forward settings on router
Joulinar
Posts: 2559
Joined: Sat Nov 16, 2019 12:49 am

Re: Need help setting up WireGuard to access my network and the internet

Post by Joulinar »

Hi,

There is no need to swap any IPs. Your DietPi system will keep the local IP (172.16.1.x) for local connections inside your local network. But the VPN server will get its own IP address in addition (10.9.0.1). This IP is used for VPN communication between VPN server and VPN client. So your DietPi system will have 2 IPs/interfaces if the WireGuard service is started. For your WireGuard clients you would need to assign IPs starting from 10.9.0.2 onwards.

Ok let's do it step by step and try to connect from internal local network first before checking the external connection.
  1. Your mobile device needs to be connected to your local network.
  2. Delete the client configuration on your mobile device.
  3. Adjust wg0-client.conf and change the Endpoint to your DietPi system's local IP:
       Endpoint = <local dietpi IP>:51820
  4. Restart the WireGuard service:
       systemctl restart wg-quick@wg0.service
  5. Create a new QR code:
       grep -v '^#' /etc/wireguard/wg0-client.conf | qrencode -t ansiutf8
  6. Scan the QR code with your mobile device.
  7. Try to connect with your mobile device to the WireGuard server.
  8. Check if you see the connection established on your WireGuard server. Execute the following command:
       wg
  9. If the connection is working, you should see something like this:

      Code: Select all

      root@DietPi4:/etc/wireguard# wg
      interface: wg0
        public key: ******
        private key: (hidden)
        listening port: 51820
      
      peer: ******
        endpoint: 192.168.0.95:46858
        allowed ips: 10.9.0.2/32
        latest handshake: 4 seconds ago
        transfer: 5.36 KiB received, 6.18 KiB sent
      
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
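
The check in steps 8 and 9 above, as an added example (not part of the original post): a Python function that reads the machine-readable `wg show <interface> dump` output and classifies each peer by its latest handshake. The function name, the 180-second threshold and the sample dump with placeholder keys are assumptions made for this illustration.

```python
import time

def peer_status(dump_text, now=None, max_age=180):
    """Classify peers from `wg show <interface> dump` output.

    Returns {public_key: status} with status "never", "stale" or "ok".
    max_age is an assumed threshold, not a value from the thread.
    """
    now = int(time.time()) if now is None else now
    status = {}
    # Line 1 describes the interface and begins with its private key:
    # skip it and never write it to logs.
    for line in dump_text.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            continue                      # not a peer line
        pubkey, _psk, _endpoint, _allowed, handshake, _rx, _tx, _ka = fields
        last = int(handshake)             # epoch seconds, 0 = no handshake yet
        if last == 0:
            # Nothing authenticated from this peer has arrived: check the
            # port forward, the Endpoint and the key pair first.
            status[pubkey] = "never"
        elif now - last > max_age:
            status[pubkey] = "stale"      # normal for an idle peer without keepalive
        else:
            status[pubkey] = "ok"
    return status

# Constructed dump: placeholder keys, one connected and one unconnected peer.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY_PLACEHOLDER", "SERVER_PUB", "51820", "off"]),
    "\t".join(["CLIENT1_PUB", "(none)", "192.168.0.95:46858", "10.9.0.2/32",
               str(NOW - 4), "5489", "6328", "off"]),
    "\t".join(["CLIENT2_PUB", "(none)", "(none)", "10.9.0.3/32",
               "0", "0", "0", "off"]),
])

if __name__ == "__main__":
    print(peer_status(SAMPLE_DUMP, now=NOW))
```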
SirChris93
Posts: 5
Joined: Tue Jan 28, 2020 3:02 am

Re: Need help setting up WireGuard to access my network and the internet

Post by SirChris93 »

Good news, so out of the blue it started working. However, I can't seem to configure it on my computer. I use Ubuntu, but whenever I choose the "Import from VPN configuration" I get a message saying "The file <name> could not be read or does not contain VPN connection information"
Joulinar
Posts: 2559
Joined: Sat Nov 16, 2019 12:49 am

Re: Need help setting up WireGuard to access my network and the internet

Post by Joulinar »

I guess you can't simply import a WireGuard config file into Ubuntu. You would need to install WireGuard as well and run it in client mode.
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team