2 RPi connected via Wireguard Topic is solved

cc13
Posts: 27
Joined: Wed Mar 13, 2019 1:31 pm

2 RPi connected via Wireguard

Post by cc13 »

Hello,

I have a RPi4 running with DietPi and Wireguard (PiVPN). I can access this RPi4 from my Laptop and Smartphone from outside as expected.

Now I installed a RPi3 with DietPi located in a different location. My plan is to create a connection from this RPi3 as VPN-Client to the RPi4 as the VPN-Server (File access from RPi3 to RPi4 at the end via VPN-Tunnel). My question is: Should I install the PiVPN-Package on this RPi3 too or is it sufficient to install

Code:

apt install wireguard
and start the interface via

Code:

wg-quick up wg0
only? I will work next to the standard and the proposal from the DietPi-Team.
MichaIng
Site Admin
Posts: 2422
Joined: Sat Nov 18, 2017 6:21 pm

Re: 2 RPi connected via Wireguard

Post by MichaIng »

apt install wireguard does not work OOTB since the package is not available on plain Debian Buster.
wg-quick up wg0 does not work OOTB since there is no /etc/wireguard/wg0.conf present by default.
:P

Install WireGuard via dietpi-software on the RPi3: dietpi-software install 172
When being asked, select to use it as VPN client, rather than VPN server.

Then you can basically follow the instructions from our docs: https://dietpi.com/docs/software/vpn/#w ... modern-vpn > "Installing as VPN client"
=> Copy or move the created client config to the RPi3 and start the service, or yep, running wg-quick up wg0 also works if you named the client config on the RPi3 wg0.conf.

It could also be done the other way round: Creating a key pair and client config on the client, and copying/adding only the new public key to the server's wg0.conf, which matches more intended standards to avoid transferring the sensitive client key around ;).
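
The "other way round" flow from the post above, as an added example that is not part of the original thread or the DietPi docs: the key pair is created on the client with owner-only permissions, and only the public key goes into the `[Peer]` block for the server. The key directory, the function names and the server values passed in are assumptions; the tunnel address is the one from this thread.

```shell
#!/bin/sh
# Added example (not from the thread): create the WireGuard key pair on the
# client so the private key never has to be copied between machines.
# Directory layout and function names are assumptions for illustration.

# Create client.key / client.pub in directory $1, readable by the owner only.
make_client_keys() {
    ( umask 077
      mkdir -p "$1" &&
      wg genkey | tee "$1/client.key" | wg pubkey > "$1/client.pub" )
}

# Print the [Peer] block to append to the server's wg0.conf.
# $1 = client public key, $2 = tunnel address assigned to this client.
server_peer_stanza() {
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# Print the client's wg0.conf. $1 = key directory, $2 = client address (CIDR),
# $3 = server public key, $4 = server endpoint as host:port.
client_config() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' \
        "$(cat "$1/client.key")" "$2"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0\n' \
        "$3" "$4"
}

# Typical use on the client, as root:
#   make_client_keys /etc/wireguard/keys
#   server_peer_stanza "$(cat /etc/wireguard/keys/client.pub)" 10.6.0.4
#   (umask 077; client_config /etc/wireguard/keys 10.6.0.4/24 \
#       '<server public key>' '<server host>:51820' > /etc/wireguard/wg0.conf)
```

Only the output of `server_peer_stanza` needs to reach the server; it contains no secret.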
Joulinar
Posts: 2572
Joined: Sat Nov 16, 2019 12:49 am

Re: 2 RPi connected via Wireguard

Post by Joulinar »

Yep indeed, that should be the easiest way to install Wireguard as client using dietpi-software and to copy the client config file that needs to be created on the PiVPN server.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
cc13
Posts: 27
Joined: Wed Mar 13, 2019 1:31 pm

Re: 2 RPi connected via Wireguard

Post by cc13 »

Unfortunately it will not work. What I did: Fresh installation of my RPi3 with DietPi, changed standard PWs to my own, changed ssh-Server to OpenSSH, installed wireguard with

Code:

dietpi-software install 172
On my VPN-Server I created a new config-file for this RPi3-VPN-Client, transferred this to

Code:

/etc/wireguard/wg0.conf
and started VPN as you mentioned

Code:

wg-quick up wg0
Output:

Code:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
If I try now to ping like

Code:

ping www.heise.de
nothing happens. Same for a local pc in the VPN-Server-Network

Code:

 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.

Code:

 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:02:c4:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.222/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:9440:ad98:ba27:ebff:fe02:c4d2/64 scope global dynamic mngtmpaddr
       valid_lft 5399sec preferred_lft 2699sec
    inet6 fe80::ba27:ebff:fe02:c4d2/64 scope link
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.6.0.4/24 scope global wg0
       valid_lft forever preferred_lft forever

Code:

wg
on the VPN-Server shows me my peers and here is the part of the new/not working one:

Code:

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  preshared key: (hidden)
  allowed ips: 10.6.0.4/32
With wireguard on my MacBook/Android-Smartphone and config-files for these clients the VPN-Connection works fine. Any idea?
Joulinar
Posts: 2572
Joined: Sat Nov 16, 2019 12:49 am

Re: 2 RPi connected via Wireguard

Post by Joulinar »

Your client is not connecting to your VPN server because you are missing the latest handshake message on your wg output. That's how wg should look

Server side

Code:

root@DietPi4:# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: x.x.x.x:52738
  allowed ips: 10.9.0.2/32
  latest handshake: 57 seconds ago
  transfer: 1.27 KiB received, 1.25 KiB sent
Client side

Code:

root@DietPi3:# wg
interface: wg0-client1
  public key: xxx
  private key: (hidden)
  listening port: 52738
  fwmark: 0xca6c

peer: xxx
  endpoint: x.x.x.x:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 23 seconds ago
  transfer: 124 B received, 484 B sent
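
The check described in the post above (a peer with no "latest handshake" line has not connected), as an added example that is not part of the original thread: a small filter over `wg` output that lists such peers and whether the local side has sent data without getting any back. The function names, state labels and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list peers in `wg` output that have
# never completed a handshake. Sample data below is constructed.

# Reads `wg` text on stdin. For each peer without a "latest handshake" line
# prints: <peer> <endpoint> <received> <sent> <state>   ("-" = field absent)
#   sent-no-reply : we sent data but received 0 B (typical failing client)
#   no-traffic    : nothing exchanged at all (typical server-side view)
peers_without_handshake() {
    awk '
    function report() {
        if (peer == "" || hs) return
        state = (rx == "0B" && tx != "-") ? "sent-no-reply" : "no-traffic"
        print peer, ep, rx, tx, state
    }
    $1 == "interface:" { report(); peer = "" }
    $1 == "peer:"      { report(); peer = $2; hs = 0; ep = rx = tx = "-" }
    $1 == "endpoint:"  { ep = $2 }
    $1 == "latest" && $2 == "handshake:" { hs = 1 }
    $1 == "transfer:"  { rx = $2 $3; tx = $5 $6 }
    END { report() }
    '
}

# Constructed server-side sample modelled on the outputs in this thread.
sample_wg_output() {
    cat <<'EOF'
interface: wg0
  public key: SERVER_CONSTRUCTED
  private key: (hidden)
  listening port: 51820

peer: PEER_A_CONSTRUCTED
  endpoint: 192.0.2.10:52738
  allowed ips: 10.6.0.2/32
  latest handshake: 57 seconds ago
  transfer: 1.27 KiB received, 1.25 KiB sent

peer: PEER_B_CONSTRUCTED
  preshared key: (hidden)
  allowed ips: 10.6.0.4/32
EOF
}

# On a live system: wg | peers_without_handshake
sample_wg_output | peers_without_handshake
```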
cc13
Posts: 27
Joined: Wed Mar 13, 2019 1:31 pm

Re: 2 RPi connected via Wireguard

Post by cc13 »

The RPi3 client can ping the remote network where the VPN-Server is located (behind a DynDNS-MyFritz-address). In the same local network where the RPi3 is, there are my laptop and smartphone working fine with the VPN-Tunnel. It seems there is no problem between local and remote network or provider settings.

Client side:

Code:

root@DietPi:/etc/wireguard# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 45079
  fwmark: 0xca6c

peer: xxx
  preshared key: (hidden)
  endpoint: [x:x:x:x:x:x:x:x]:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 2.75 KiB sent
Could the IP6-address be the reason? On my other clients it looks like they are using an ip4-network. I'm not sure (yet) if the VPN-Server is reachable via IPV6.
Joulinar
Posts: 2572
Joined: Sat Nov 16, 2019 12:49 am

Re: 2 RPi connected via Wireguard

Post by Joulinar »

just give it a try and remove , ::/0 from allowed ips

One interesting point (not sure if this has any meaning), you are using preshared key?
cc13
Posts: 27
Joined: Wed Mar 13, 2019 1:31 pm

Re: 2 RPi connected via Wireguard

Post by cc13 »

Looks similar:

Code:

root@DietPi:/etc/wireguard# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 33597
  fwmark: 0xca6c

peer: xxx
  preshared key: (hidden)
  endpoint: [x:x:x:x:x:x:x:x]:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 3.47 KiB sent
I'm not sure what you mean with pre-shared-keys. But I guess no. I installed PiVPN on the VPN-Server with Wireguard-Option.

After the installation I created 3 client-configs via

Code:

pivpn -a
The first 2 I transferred separately to each client (laptop, smartphone). The last one, created yesterday, I c&p via 2 open putty terminals (nano editor running) from server

Code:

/etc/wireguard/configs/RPi3.conf
to client

Code:

/etc/wireguard/wg0.conf
Joulinar
Posts: 2572
Joined: Sat Nov 16, 2019 12:49 am

Re: 2 RPi connected via Wireguard

Post by Joulinar »

Unfortunately Wireguard is not really helpful as there are not that many logs :(

Did you test RPi3.conf on one of your mobile devices?
cc13
Posts: 27
Joined: Wed Mar 13, 2019 1:31 pm

Re: 2 RPi connected via Wireguard

Post by cc13 »

Good idea. I tested the RPi3 config-file on my smartphone and it's working fine. Both versions, IP4-only and the original one with , ::/0