Wireguard & pihole - ongoing problems

Deleted User 7758

Post by Deleted User 7758 »

Hi all,
My third time uninstalling and reinstalling both Wireguard and Pihole in an attempt to get it working.
Here's what I have;
mydomain.com pointing to my static public IP 111.222.33.44
my Odroid with Pihole and Wireguard at 192.168.20.19 on my network
Nextcloud installed and available at mydomain.com/nextcloud when I have ports 80 & 443 open (I would prefer that Nextcloud was available at nextcloud.mydomain.com but I'm so frustrated at the moment that I will aim for functionality first)
Port 51820 open on my router pointing at 192.168.20.19

Here's what I want to achieve;
  • Secure access to my Nextcloud instance from my laptop & phone from outside my network.
  • Access to my Nextcloud instance from my desktop inside my network
  • Ad-blocking from inside my network (and outside too if I can ever get it working)
  • Ad-blocking on my phone (the cherry on top)
After the latest attempt to get it working I currently have;
My wg0.conf

Code:

[Interface]
Address = 10.9.0.1/24
PrivateKey = **********************************************************
ListenPort = 51820

PreUp = /boot/dietpi/func/obtain_network_details
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE

# Client 1
[Peer]
PublicKey = *****************************************************f8So=
AllowedIPs = 10.9.0.2/32

# Client 2
#[Peer]
#PublicKey = XXXX
#AllowedIPs = 10.9.0.3/32
and my client.conf

Code:

[Interface]
PrivateKey = *******************************************************************
Address = 10.9.0.2/24
DNS = 10.9.0.1

[Peer]
PublicKey = ***********************************************************f8So=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 111.222.33.44:51820

If I connect the client to the VPN I do not get internet (stalls looking for DNS resolution)
Regardless of whether I am connected to the VPN I currently cannot find the Pihole web admin. I can't find it at pi.hole/admin, 192.168.20.19/admin, 10.9.0.1/admin, or 111.222.33.44/admin
curl -I localhost returns;

Code:

HTTP/1.1 301 Moved Permanently
Location: https://localhost/
Date: Thu, 30 Jul 2020 11:30:39 GMT
Server: lighttpd/1.4.53
I would dearly like to get this sorted out within 1 week, before semester 2 starts - I'm going to be real busy and would love my notes and resources available in Nextcloud.
If this is not possible I will have to fall back on opening ports 80 and 443 on my router.
Last edited by Deleted User 7758 on Thu Jul 30, 2020 2:01 pm, edited 2 times in total.
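A WireGuard handshake completes only when each side's [Peer] PublicKey is the other side's public key; in the masked configs in the post above, the server's and the client's [Peer] keys both end in f8So=. The check below is an added example, not part of the original post or of DietPi's tooling; the function names, placeholder keys and sample files are constructed.

```shell
#!/bin/sh
# conf_peer_keys FILE: print each uncommented PublicKey found in a [Peer] section.
conf_peer_keys() {
  awk '
    /^[ \t]*\[/ { in_peer = ($0 ~ /^[ \t]*\[Peer\]/) }
    in_peer && /^[ \t]*PublicKey[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")   # drop "PublicKey = ", keep base64 padding
      sub(/[ \t]+$/, "")
      print
    }' "$1"
}

# check_pairing SERVER_PUB CLIENT_PUB SERVER_CONF CLIENT_CONF
# Prints one line per problem; returns 0 only if both sides reference each other.
check_pairing() {
  rc=0
  if conf_peer_keys "$4" | grep -qxF -- "$2"; then
    echo "client.conf [Peer] holds the client's own public key"; rc=1
  elif ! conf_peer_keys "$4" | grep -qxF -- "$1"; then
    echo "client.conf [Peer] is not the server's public key"; rc=1
  fi
  if ! conf_peer_keys "$3" | grep -qxF -- "$2"; then
    echo "wg0.conf has no [Peer] for the client's public key"; rc=1
  fi
  return "$rc"
}

# Constructed configs with placeholder keys; the client repeats its own key.
write_samples() {
  printf '[Interface]\nListenPort = 51820\n\n[Peer]\nPublicKey = CLIENT_PUB_PLACEHOLDER=\nAllowedIPs = 10.9.0.2/32\n#[Peer]\n#PublicKey = XXXX\n' > "$1/wg0.conf"
  printf '[Interface]\nAddress = 10.9.0.2/24\n\n[Peer]\nPublicKey = CLIENT_PUB_PLACEHOLDER=\nEndpoint = 111.222.33.44:51820\n' > "$1/client.conf"
}

# Live use: SERVER_PUB from `wg show wg0 public-key` on the server,
# CLIENT_PUB from `wg pubkey` fed the client's private key.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_pairing SERVER_PUB_PLACEHOLDER= CLIENT_PUB_PLACEHOLDER= \
  "$demo_dir/wg0.conf" "$demo_dir/client.conf" || true
```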
Joulinar
Posts: 2072
Joined: Sat Nov 16, 2019 12:49 am

Re: Wireguard & pihole - ongoing problems

Post by Joulinar »

Hi,

Pls can you check using wg command if your client is connected. Did you set listen on all interfaces, permit all origin in Pihole?
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
Deleted User 7758

Re: Wireguard & pihole - ongoing problems

Post by Deleted User 7758 »

Hi Joulinar

wg returns (when the client is connected)

Code:

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  allowed ips: 10.9.0.2/32
I also must add that I do not know what to do about the DNS settings in my macOS network preferences. I have my laptop set up currently with two 'locations' - pihole and no-pihole depending on whether I am on my home network or not.
Joulinar

Re: Wireguard & pihole - ongoing problems

Post by Joulinar »

I removed the keys from your post. Don't post them on a public board.

I don't think your client is not connected correctly. There is no message about last handshake. Which port did you forward on your router?

As well pls check log from the client if there are error messages.
Deleted User 7758

Re: Wireguard & pihole - ongoing problems

Post by Deleted User 7758 »

Hi again,
Port 51820 is forwarded
Attached is the Wireguard log. I can't see anything obvious for errors.
Regarding your earlier question about Pihole interfaces. Since reinstalling I have not changed anything because I can't access Pihole admin
Attachments
wireguard-log-2020-07-30T224513Z.txt
Joulinar

Re: Wireguard & pihole - ongoing problems

Post by Joulinar »

Are you always stopping your WireGuard VPN after a couple of minutes? Because I see this quite often happen.

Code:

2020-07-30 22:34:40.039526: [APP] Tunnel 'Odroid wg0-client.conf' connection status changed to 'connected'
2020-07-30 22:34:44.267478: [APP] Status update notification timeout for tunnel 'Odroid wg0-client.conf'. Tunnel status is now 'connected'.
2020-07-30 22:36:13.092335: [APP] startDeactivation: Tunnel: Odroid wg0-client.conf
2020-07-30 22:36:13.216242: [APP] Tunnel 'Odroid wg0-client.conf' connection status changed to 'disconnecting'
2020-07-30 22:36:13.489918: [NET] Network change detected with satisfied route and interface order [en0]
As well, are you located at home on same network? Or are you on a mobile network while testing?

Somehow I'm missing the handshake in your log. I don't have an iOS device at hand to test, but in Win10 as well as Android I see this in my logs

Android

Code:

07-31 09:22:06.925 20810 21027 I WireGuard/GoBackend/WireGuard: Device started
07-31 09:22:06.963 20810 20837 D WireGuard/GoBackend/WireGuard: peer(BBBB…BBBB) - Sending handshake initiation
07-31 09:22:06.964 20810 20837 D WireGuard/GoBackend/WireGuard: peer(BBBB…BBBB) - Awaiting keypair
07-31 09:22:07.008 20810 20837 D WireGuard/GoBackend/WireGuard: peer(BBBB…BBBB) - Received handshake response
07-31 09:22:07.008 20810 20837 D WireGuard/GoBackend/WireGuard: peer(BBBB…BBBB) - Obtained awaited keypair
Win10

Code:

2020-07-31 11:21:35.753471: [TUN] [wg0-client3] Startup complete
2020-07-31 11:21:38.026162: [TUN] [wg0-client3] peer(BBBB…BBBB) - Sending handshake initiation
2020-07-31 11:21:38.043152: [TUN] [wg0-client3] peer(BBBB…BBBB) - Awaiting keypair
2020-07-31 11:21:38.208394: [TUN] [wg0-client3] peer(BBBB…BBBB) - Received handshake response
2020-07-31 11:21:38.210391: [TUN] [wg0-client3] peer(BBBB…BBBB) - Obtained awaited keypair
On your WireGuard server, you should see something like this if connection is working. There should be a handshake message as well.

Code:

root@DietPi4:~# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: x.x.x.x:49336
  allowed ips: 10.9.0.6/32
  latest handshake: 23 seconds ago
  transfer: 1.53 GiB received, 1.50 GiB sent
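The handshake check described in the post above can be scripted against `wg show wg0 latest-handshakes`, which prints each peer's public key and the Unix time of its last handshake (0 if none has ever completed). This is an added example, not part of the original post; the function names, the placeholder keys in the sample and the 180-second threshold are assumptions, and an idle peer without keepalive traffic can exceed that age while still being correctly configured.

```shell
#!/bin/sh
# Input, one peer per line: <peer public key><TAB><unix time of last handshake>
# as printed by `wg show wg0 latest-handshakes`; 0 means no handshake ever completed.

# handshake_report NOW MAX_AGE: classify each peer read from stdin.
handshake_report() {
  awk -F '\t' -v now="$1" -v max="$2" '
    NF < 2         { next }                              # skip blank or malformed lines
    $2 == 0        { printf "%s never\n", $1; next }     # the case seen in this thread
    now - $2 > max { printf "%s stale %d\n", $1, now - $2; next }
                   { printf "%s ok %d\n", $1, now - $2 }'
}

# count_unhealthy NOW MAX_AGE: number of peers reported as "never" or "stale".
count_unhealthy() {
  handshake_report "$1" "$2" | awk '$2 != "ok" { n++ } END { print n + 0 }'
}

# Constructed sample (placeholder keys, not real ones).
sample_handshakes() {
  printf 'PEER_A_PUBKEY_PLACEHOLDER=\t1596187300\n'
  printf 'PEER_B_PUBKEY_PLACEHOLDER=\t0\n'
  printf 'PEER_C_PUBKEY_PLACEHOLDER=\t1596100000\n'
}

# Live use on the server (needs root):
#   wg show wg0 latest-handshakes | handshake_report "$(date +%s)" 180
sample_handshakes | handshake_report 1596187323 180
```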
Deleted User 7758

Re: Wireguard & pihole - ongoing problems

Post by Deleted User 7758 »

Joulinar wrote: Fri Jul 31, 2020 11:44 am "Are you always stopping your WireGuard VPN after a couple of minutes? Because I see this quite often happen."
- according to those timestamps yeah this is probably when I was trying different dns server settings in the client config file.
"As well, are you located at home on same network? Or are you on a mobile network while testing?"
Yes
"I don't have an iOS device at hand to test, but in Win10 as well as Android I see this in my logs"
At this stage I am not setting up an iOS device (although I'd like to later). The client is my macOS laptop with the Wireguard client app.

"There should be a handshake message as well."

Code:

root@HC1:/home/jon# wg
interface: wg0
  public key: *********************************************************Tw=
  private key: (hidden)
  listening port: 51820

peer: ********************************************************8So=
  allowed ips: 10.9.0.2/32
Deleted User 7758

Re: Wireguard & pihole - ongoing problems

Post by Deleted User 7758 »

It seems important - first up - to figure out why I can't find the Pihole admin anymore.
Joulinar

Re: Wireguard & pihole - ongoing problems

Post by Joulinar »

PiHole should not be your problem right now because you are missing the very first step, a valid VPN connection.

Still your wg output doesn't show any handshake, means no VPN connection established. Pls try to test with your macOS laptop from outside your local network (e.g. using a mobile phone as hotspot)
Deleted User 7758

Re: Wireguard & pihole - ongoing problems

Post by Deleted User 7758 »

I get no internet access when connected to the client vpn and on my phone's hotspot.
I tried both 192.168.20.19 and 1.1.1.1 in the client's config file for DNS.
Can't even ssh to the server