PiVPN with Wireguard and PiHole not working correctly Topic is solved

Joulinar
Posts: 4835
Joined: Sat Nov 16, 2019 12:49 am

Re: PiVPN with Wireguard and PiHole not working correctly

Post by Joulinar »

Just a side note, docker-compose is still installed, which doesn't make sense without docker ;)

Do you have anything like iptables-persistent installed loading old data? Check dpkg -l iptable*

BTW: workaround would be iptables -I DOCKER-USER -i eth0 -o wg0 -j ACCEPT. Right after it should be working
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
nilsacht
Posts: 24
Joined: Mon Jan 18, 2021 9:33 am

Re: PiVPN with Wireguard and PiHole not working correctly

Post by nilsacht »

seems like I have iptables-persistent installed.

http://sprunge.us/SYu1ww

Do I need this?

I tried your command but still no connection to other Pis in my network. Even after a reboot.
Joulinar
Posts: 4835
Joined: Sat Nov 16, 2019 12:49 am

Re: PiVPN with Wireguard and PiHole not working correctly

Post by Joulinar »

The workaround is temp. and not persistent at this moment. That means if you reboot, it's gone. But our goal is to remove the docker rules altogether ;)

Anyway, if you don't need to load specific iptables data, it can simply be removed: apt remove --purge iptables-persistent
Sibbefufzich
Posts: 17
Joined: Mon Jan 18, 2021 6:12 pm

Re: PiVPN with Wireguard and PiHole not working correctly

Post by Sibbefufzich »

trendy wrote: Tue Jan 19, 2021 12:13 pm If your problem is with IPv6 only, then these commands will not give any useful output.
Better start a new thread and we can discuss it there.
I have updated the commands with sudo (in case you run them as dietpi user) and changed the obsolete netstat with ss (old habits die hard).
Thanks, I started a new thread here: viewtopic.php?f=9&t=8544
@nilsacht I hope you can fix your problem. I doubt I can be of much help from here on, compared to trendy and Joulinar.
nilsacht
Posts: 24
Joined: Mon Jan 18, 2021 9:33 am

Re: PiVPN with Wireguard and PiHole not working correctly

Post by nilsacht »

@Sibbefufzich Thanks.

@rest
This is my iptable now after uninstall of persistent
http://sprunge.us/pz1EwX

Still doesn't work :(
Joulinar
Posts: 4835
Joined: Sat Nov 16, 2019 12:49 am

Re: PiVPN with Wireguard and PiHole not working correctly

Post by Joulinar »

ok at least docker is gone now and -P FORWARD ACCEPT was correctly set.

Just some questions:

- You are sure your clients connecting correctly to the wireguard server from external/internet?
- You see an actual handshake using wg?
- you are able to ping from extern/vpn to your wireguard server?
- ping something else on the local network is failing from extern/vpn?
- sysctl net.ipv4.ip_forward is still set to 1?
nilsacht
Posts: 24
Joined: Mon Jan 18, 2021 9:33 am

Re: PiVPN with Wireguard and PiHole not working correctly

Post by nilsacht »

I'll check this tomorrow.
trendy
Posts: 314
Joined: Tue Feb 25, 2020 2:54 pm

Re: PiVPN with Wireguard and PiHole not working correctly

Post by trendy »

Joulinar wrote: Tue Jan 19, 2021 2:16 pm - ping something else on the local network is failing from extern/vpn?
For this, a SNAT should be applied, otherwise the other LAN hosts will send the packets meant for wireguard to the internet gateway, which will discard them. Or the internet router must have a static route for the wireguard network via the dietpi, and it should not drop invalid packets.
nilsacht
Posts: 24
Joined: Mon Jan 18, 2021 9:33 am

Re: PiVPN with Wireguard and PiHole not working correctly

Post by nilsacht »

Good Morning (in Germany),

Handshake should be ok http://sprunge.us/t7AvRs

Ping to my wireguard server is successful over vpn. And net.ipv4.ip_forward is still set to 1.

The Ping to other devices in my home network failed (as @trendy mentioned)
Joulinar
Posts: 4835
Joined: Sat Nov 16, 2019 12:49 am

Re: PiVPN with Wireguard and PiHole not working correctly

Post by Joulinar »

trendy wrote: Tue Jan 19, 2021 2:26 pm
Joulinar wrote: Tue Jan 19, 2021 2:16 pm - ping something else on the local network is failing from extern/vpn?
For this, a SNAT should be applied, otherwise the other LAN hosts will send the packets meant for wireguard to the internet gateway, which will discard them. Or the internet router must have a static route for the wireguard network via the dietpi, and it should not drop invalid packets.
That might be the difference between the PiVPN version and the DietPi implementation of WireGuard. I did a test installation of the DietPi WireGuard implementation (not PiVPN) and I was able to reach every LAN device without setting up anything in addition. It was working right out of the box. I explicitly used a network range not used before:

Code:

root@DietPi3:~# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.6.0.1/24
Maybe because of the iptables settings done in /etc/wireguard/wg0.conf. They are DietPi-specific and, I guess, missing or different on PiVPN:

Code:

PreUp = /boot/dietpi/func/obtain_network_details
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
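Added example, not part of any post in this thread: a shell check, run over iptables-save text, for the two conditions discussed above (forwarding from the WireGuard interface, and the source NAT that trendy's remark and the DietPi PostUp lines refer to). The interface names wg0/eth0 and both sample dumps are constructed, and rule order is not evaluated.

```sh
# Added example (not from the thread): audit iptables-save text for the two
# things the wg0.conf above sets up. Simplification: rule order is ignored.
# audit_wg_rules <wg_if> <lan_if>; reads iptables-save output on stdin.
# Prints findings; returns 0 only if VPN -> LAN traffic is forwarded and NATed.
audit_wg_rules() (
    wg_if=$1; lan_if=$2; table=""; policy=""; fwd=0; nat=0; rc=0
    while IFS= read -r line; do
        case $line in
            \**) table=${line#\*} ;;                  # table header: *filter, *nat
            ":FORWARD "*)                             # chain policy line
                if [ "$table" = filter ]; then
                    policy=${line#":FORWARD "}; policy=${policy%% *}
                fi ;;
            "-A FORWARD "*"-i $wg_if "*"-j ACCEPT"*)
                if [ "$table" = filter ]; then fwd=1; fi ;;
            "-A POSTROUTING "*"-o $lan_if "*"-j MASQUERADE"*|\
            "-A POSTROUTING "*"-o $lan_if "*"-j SNAT"*)
                if [ "$table" = nat ]; then nat=1; fi ;;
        esac
    done
    if [ "$policy" != ACCEPT ] && [ "$fwd" -eq 0 ]; then
        echo "FORWARD: policy ${policy:-unknown} and no ACCEPT rule for -i $wg_if"
        rc=1
    fi
    if [ "$nat" -eq 0 ]; then
        echo "NAT: no MASQUERADE/SNAT on -o $lan_if; LAN hosts need a route to the VPN subnet"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $wg_if -> $lan_if is forwarded and source-NATed"; fi
    return "$rc"
)

# Constructed dumps: one like the PostUp rules above, one with forwarding only.
DUMP_WITH_NAT='*filter
:FORWARD DROP [0:0]
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
DUMP_NO_NAT='*filter
:FORWARD ACCEPT [0:0]
COMMIT
*nat
COMMIT'

printf '%s\n' "$DUMP_WITH_NAT" | audit_wg_rules wg0 eth0 || true
printf '%s\n' "$DUMP_NO_NAT"   | audit_wg_rules wg0 eth0 || true
```

On a live system the same function can be fed with: iptables-save | audit_wg_rules wg0 eth0 (run as root, with the real interface names).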