Wireguard & pihole - ongoing problems

[Joulinar]

please put aside the DNS topic for the time being. First you would need to ensure that your WireGuard client is connecting correctly to you WireGuard server. And this, seems not the case at the moment. As long as wg is not showing any endpoint IP address, handshake and transfer data, your connection is not established.

Code: Select all

root@DietPi4:~# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: x.x.x.x:49336
  allowed ips: 10.9.0.6/32
  latest handshake: 23 seconds ago
  transfer: 1.53 GiB received, 1.50 GiB sent

[Deleted User 7758]

Sure.
How?

Shall I uninstall both and start over?
If so in which order?

[MichaIng]

Do the clients not show any error message when (trying to) connect to the server?
The server can be reached otherwise, e.g. the webserver (Nextcloud) on port 80/443 via the same domain/hostname that you use in your VPN client configs right?
Then WireGuard must actually receive something, in case re-check WG logs. I mean initially it was working, the logs clearly show the connections, hence wg should show handshake/last connected entries as well for the clients you connected with.

[Deleted User 7758]

There is no difference in the output of

Code: Select all

sudo wg

when the client is either active or inactive

There are no error messages shown by the client.
The timestamps in the log are not correlating with the time on my laptop, so I'm not sure which time they are relating to?
Attached is the log from the short period when I connected the client to take those screenshots
Nextcloud is reachable at mydomain.com when port 443 is opened on the router.

[Joulinar]

Well WireGuard server did not show any connection established. Probably it would be necessary to perform some package tracings on the router to so if there is some communication between client and server. Usually it's possible to identify the WireGuard packages

Connection is not active for long. It get disconnected after a couple of second's

Code: Select all

2020-08-01 10:20:30.173455: [APP] Tunnel 'Odroid wg0-client.conf' connection status changed to 'connected'
2020-08-01 10:20:34.298061: [APP] Status update notification timeout for tunnel 'Odroid wg0-client.conf'. Tunnel status is now 'connected'.
2020-08-01 10:21:06.724452: [APP] startDeactivation: Tunnel: Odroid wg0-client.conf
2020-08-01 10:21:06.727976: [APP] Tunnel 'Odroid wg0-client.conf' connection status changed to 'disconnecting'

[Deleted User 7758]

So,
I reinstalled Wireguard on its own.
Straight up vanilla install with the pre-written wg0-client.conf and the output for wg is the same

Code: Select all

 public key: ************************************************GUg=
  private key: (hidden)
  listening port: 51820

peer: *******************************************************+bB0=
  allowed ips: 10.9.0.2/32

In fact, running wg returns the same even if the client isn't running on my laptop.
In double fact, even after rebooting the server and running sudo wg I get exactly the same output as above with the client still not running on the laptop. Like there's some phantom config left over from an earlier install or something?
The peer key above matches the public key of the wg0.conf file
Same thing after stopping and restarting Wireguard.
I've also just discovered that the client connection remains active even after the client app is quit.

Update to the update:
So, I configured it on my phone this time using the QR code printed to the screen, so it's using wg0-client.conf and when running sudo wg it returns

Code: Select all

root@HC1:/home/jon# wg
interface: wg0
  public key: ***************************************************GUg=
  private key: (hidden)
  listening port: 51820

peer: ********************************************************+bB0=
  endpoint: 192.168.20.1:59283
  allowed ips: 10.9.0.2/32
  latest handshake: 3 seconds ago
  transfer: 9.60 KiB received, 16.18 KiB sent

but... I can't access my nextcloud instance on the phone and my public ip remains the same as when not connected to the VPN

[MichaIng]

Okay we're one step further. How did you add the config before when not using the QR code? Copying public and private key files manually around sounds not very handy .

Okay please assure that on the phone AllowedIPs: 0.0.0.0/0, ::/0 is set so that all requests are forced through the tunnel.
Also a check is if http://www.whatsmydnsserver.com/ used on the phone reports the DNS configured in the wg0-client.conf instead of the mobile network provider DNS.

On the server, iptables forwarding rules have been established correctly?

Code: Select all

iptables -L
iptables6 -L

and sysctl allows it as well?

Code: Select all

sysctl net.ipv4.conf.wg0.forwarding net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding
sysctl net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).accept_ra
sysctl net.ipv6.conf.wg0.forwarding net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding

[Joulinar]

I found an iPhone SE somewhere on my home office and was testing WireGuard without issues. Pls can you post both, WireGuard server as well as client config files. And I would recommend to test VPN from outside your local network. (eg. use mobile internet on your mobile phone)

[Deleted User 7758]

@MichaIng Previously I was trying to configure my laptop, which was the machine I was using to ssh to the server, so I was just copying and pasting the config files between the two.

Neither my laptop (not connected to VPN) nor my phone (either when connected to the vpn or not) had a result returned by whatsmydnsserver.com. The gears gif is still spinning away on my laptop trying to figure it out.

In fact, there was no internet access at all on the phone when the VPN was on, regardless of whether I was connected to my wifi network or using cellular data.
Wireguard seems to be horribly broken or there's something deeply amiss somewhere else.


**** server seems to be hung on iptables -L ***
5 minutes now and no response from that command

[MichaIng]

Okay if server hangs on iptables -L then your issues are at a different level, since this independent from WireGuard .
Have you checked dmesg for kernel errors or upgraded the kernel to latest version: apt update && apt full-upgrade