Wireguard on dietpi/vmware workstation

thejuan
Posts: 12
Joined: Wed Sep 01, 2021 7:35 pm

Wireguard on dietpi/vmware workstation

Post by thejuan »

Hi there!

I've been running Pi-hole on DietPi/VMware Workstation on Win10 for a while and it's been working great! Love it. I've wanted to get a VPN sorted out for a while and was hoping to use the same VM. Had nothing but issues, so I started a new VM today just to solve this issue.

Newly downloaded VMware DietPi, no other installations except WireGuard. Port 51820 forwarded to this new DietPi VM.

I can connect successfully from the outside with WireGuard Android.
DNS seems to be working, as I'm registering entries on my existing Pi-hole (192.168.1.24).
Internally I'm using 192.168.1.0/24, keeping the default WireGuard subnet of 10.9.0.0/24; no other subnets around.
I've previously tried the OpenVPN installation and had the same exact issue: can connect, but no real traffic.
I'm hardly a Linux expert, so I could definitely use a hand! I believe it's a routing issue in DietPi somewhere.

wg:

interface: wg0
  public key: *****************
  private key: (hidden)
  listening port: 51820

peer: ******************
  endpoint: myphoneexternalip:6907
  allowed ips: 10.9.0.2/32
  latest handshake: 50 seconds ago
  transfer: 268.04 KiB received, 494.47 KiB sent
ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:8f:cf:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.25/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 84003sec preferred_lft 84003sec
    inet6 fe80::20c:29ff:fe8f:cf69/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.9.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
wg0.conf:

[Interface]
Address = 10.9.0.1/24
PrivateKey = **********************
ListenPort = 51820

PreUp = /boot/dietpi/func/obtain_network_details
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(mawk 'NR==3' /run/dietpi/.network) -j MASQUERADE

# Client 1
[Peer]
PublicKey = **********************
AllowedIPs = 10.9.0.2/32

# Client 2
#[Peer]
#PublicKey = XXXX
#AllowedIPs = 10.9.0.3/32
wg0-client.conf:

[Interface]
Address = 10.9.0.2/24
PrivateKey = ************************************

# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 192.168.1.24

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = **********************
# Tunnel all network traffic through the VPN:
#       AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#       AllowedIPs = 192.168.1.0/24
# Tunnel access to VPN server only:
#       AllowedIPs = 192.168.1.208/32
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = MYEXTERNALIP:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Wireguard on dietpi/vmware workstation

Post by Joulinar »

Hi,

Just for testing, are you able to reach the Pi-hole web interface using 192.168.1.24/admin?
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
thejuan
Posts: 12
Joined: Wed Sep 01, 2021 7:35 pm

Re: Wireguard on dietpi/vmware workstation

Post by thejuan »

Thanks, tried and I cannot, nor anything internal.
I've tried changing the client conf to only allow 192.168.1.0/24 for just internal access, but same result.
Unsure if necessary, but every time I make changes I recreate the tunnel with a new QR code just in case.
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Wireguard on dietpi/vmware workstation

Post by Joulinar »

How do you set up the VM? Using NAT, or does the VM have its own IP on your network like 192.168.1.xxx?
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
thejuan
Posts: 12
Joined: Wed Sep 01, 2021 7:35 pm

Re: Wireguard on dietpi/vmware workstation

Post by thejuan »

Bridged network in VMware; it has its own IP: 192.168.1.25.
The IP is mapped statically by MAC via the router/DHCP.
thejuan
Posts: 12
Joined: Wed Sep 01, 2021 7:35 pm

Re: Wireguard on dietpi/vmware workstation

Post by thejuan »

Also forgot to mention I've turned on IPv4 forwarding as many have suggested. It's persistent after a reboot:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Wireguard on dietpi/vmware workstation

Post by Joulinar »

Your client is located outside your local network? Meaning it's using a different hotspot or mobile network and not the same local one? Are you able to connect to your WireGuard server using SSH from the client while connected via VPN and not located in your local network?
also forgot to mention I've turned on ipv4 forwarding as many have suggested. it's persistent after a reboot
This is set by the WireGuard server configuration already:

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(mawk 'NR==3' /run/dietpi/.network).forwarding=1
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
thejuan
Posts: 12
Joined: Wed Sep 01, 2021 7:35 pm

Re: Wireguard on dietpi/vmware workstation

Post by thejuan »

Neat! SSH to my new DietPi is working, as is SSH'ing to my Pi-hole.
So that works!
I've tried 2 different browsers to try connections to my router and Pi-hole admin page by IP, no dice. Also tried named external websites like google.com, same result.

Correct, this is on a mobile device. I've tried connections internally, then switched Wi-Fi off, connected on my cell provider network and then switched on WireGuard.
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Wireguard on dietpi/vmware workstation

Post by Joulinar »

Probably we misunderstood each other on the SSH stuff. If your mobile phone is connected to your cell provider and you have activated WireGuard, are you able to connect via SSH from that mobile device using an SSH app?
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
thejuan
Posts: 12
Joined: Wed Sep 01, 2021 7:35 pm

Re: Wireguard on dietpi/vmware workstation

Post by thejuan »

Apologies - yes, internal and external (with WireGuard) SSH connections are working to my Pi-hole instance and my WireGuard instance. Any HTTP(S) connection is not.
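When a tunnel handshakes but some traffic never arrives, the first thing worth ruling out is a mismatch between the two sides' AllowedIPs, because WireGuard silently drops anything those lists do not cover. The following checker is an added example written for this thread, not DietPi's own code: it parses the wg-quick format used by the wg0.conf and wg0-client.conf posted above (placeholder keys, DNS assumed to be an IP address) and reports the mismatches that would stop traffic or DNS from flowing.

```python
import ipaddress

# Constructed sample modelled on the wg0.conf / wg0-client.conf posted above, with placeholder keys and the client on the "server-side LAN only" AllowedIPs variant from that file.
SERVER_CONF = """[Interface]
Address = 10.9.0.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.9.0.2/32
"""
CLIENT_CONF = """[Interface]
Address = 10.9.0.2/24
DNS = 192.168.1.24
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.1.0/24
"""

def parse_wg(text):
    """Parse a wg-quick config into [(section, {key: [values]})]; keys like PostUp may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def networks(values):  # expand comma-separated AllowedIPs strings into ip_network objects
    return [ipaddress.ip_network(n.strip()) for v in values for n in v.split(",")]

def check_pair(server_text, client_text):  # returns findings that would stop traffic flowing
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    cli_if = next(d for s, d in cli if s == "Interface")
    cli_peer = next(d for s, d in cli if s == "Peer")
    cli_addr = ipaddress.ip_interface(cli_if["Address"][0].split(",")[0]).ip
    problems = []
    # The server drops packets from a peer whose source is not inside that peer's AllowedIPs.
    srv_allowed = networks(a for s, d in srv if s == "Peer" for a in d.get("AllowedIPs", []))
    if not any(cli_addr in n for n in srv_allowed):
        problems.append(f"no server peer has AllowedIPs covering {cli_addr}")
    # The client routes into the tunnel only what its AllowedIPs cover; a DNS server outside that set is queried over the plain uplink.
    for dns in cli_if.get("DNS", []):
        if not any(ipaddress.ip_address(dns) in n for n in networks(cli_peer.get("AllowedIPs", []))):
            problems.append(f"DNS {dns} is not covered by the client AllowedIPs")
    return problems
```

Both configs in this thread pass these checks, which is consistent with SSH working; a handshake plus working interactive SSH while HTTP(S) stalls is the classic signature of a path-MTU problem rather than a routing one, so comparing the wg0 MTU (1420 above) against what the path actually passes is the next check a config parser cannot do for you.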