
#1 2022-07-26 17:30:09

tejonaco
Member
Registered: 2018-08-05
Posts: 37

Wireguard server - cannot access services outside server

Hi, I have a Raspberry Pi under Manjaro ARM; I made a script to create a WireGuard profile (just because I was tired of trial and error).

The VPN works fine for connecting to other services running on the Raspberry, but I cannot connect to other machines on the LAN (like the router admin page) nor to webpages outside my network (like reddit).

Before installing Manjaro I had Raspbian with PiVPN and I was able to do everything; I would even say it was faster, although then I had 4G internet and now I have 300 Mb symmetric fiber.


This is my script to create peers:


#!/bin/sh
# Placeholders: replace <MYDDNS> and <PORT> with the real DDNS hostname and UDP port.
PORT='<PORT>'
ENDPOINT="<MYDDNS>:$PORT"

# The generated .conf files contain private keys; keep them owner-readable only.
umask 077

wg-quick down vpn

# Generate the server and peer key pairs (private key to .key, public key to .pub).
wg genkey | (umask 0077 && tee server.key) | wg pubkey > server.pub
wg genkey | (umask 0077 && tee peer.key) | wg pubkey > peer.pub

# Server side: listens on $PORT and accepts the single peer 10.0.2.2.
echo "[Interface]
PrivateKey = $(cat server.key)
Address = 10.0.2.1/24
ListenPort = $PORT
DNS = 10.0.2.1

[Peer]
PublicKey = $(cat peer.pub)
AllowedIPs = 10.0.2.2/32
" > vpn.conf

# Peer side: sends all IPv4 and IPv6 traffic through the tunnel.
echo "[Interface]
PrivateKey = $(cat peer.key)
Address = 10.0.2.2/24

[Peer]
PublicKey = $(cat server.pub)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $ENDPOINT
" > peer.conf

# Show the peer profile as a QR code for the client device.
qrencode -t ansiutf8 -r peer.conf

wg-quick up vpn
systemctl enable wg-quick@vpn.service


#2 2022-07-26 17:37:54

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: Wireguard server - cannot access services outside server

Wireguard doesn't care about your distro but these forums are for Arch not Arch clones.  You should reword your post making it pure wireguard.  That said, what firewall settings are in place on your WG box?  If you haven't already, recommend that you read our excellent WG wiki page: https://wiki.archlinux.org/title/WireGuard

Last edited by graysky (2022-07-26 17:38:22)


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#3 2022-07-27 05:27:16

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,932

Re: Wireguard server - cannot access services outside server

If you want the WireGuard peers to be able to traverse between networks, you'll need to properly configure routing.


#4 2022-07-27 16:34:16

tejonaco
Member
Registered: 2018-08-05
Posts: 37

Re: Wireguard server - cannot access services outside server

schard wrote:

If you want the WireGuard peers to be able to traverse between networks, you'll need to properly configure routing.

How should I do that? Please give me a little example.


#5 2022-07-27 16:35:42

tejonaco
Member
Registered: 2018-08-05
Posts: 37

Re: Wireguard server - cannot access services outside server

graysky wrote:

Wireguard doesn't care about your distro but these forums are for Arch not Arch clones.  You should reword your post making it pure wireguard.  That said, what firewall settings are in place on your WG box?  If you haven't already, recommend that you read our excellent WG wiki page: https://wiki.archlinux.org/title/WireGuard

I didn't configure any firewall yet, to avoid these problems; I have read the wiki post a lot of times but I cannot make this part work, maybe there is some concept about routing that I didn't understand very well.


#6 2022-07-27 16:48:39

GeorgeJP
Member
From: Czech Republic
Registered: 2020-01-28
Posts: 185

Re: Wireguard server - cannot access services outside server

First you need to enable IP forwarding (disabled by default):
https://wiki.archlinux.org/title/Intern … forwarding

Last edited by GeorgeJP (2022-07-27 16:52:40)


#7 2022-07-27 17:39:26

tejonaco
Member
Registered: 2018-08-05
Posts: 37

Re: Wireguard server - cannot access services outside server

GeorgeJP wrote:

First you need to enable IP forwarding (disabled by default):
https://wiki.archlinux.org/title/Intern … forwarding

This is the result of

sysctl -a | grep forward
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.vpn.bc_forwarding = 0
net.ipv4.conf.vpn.forwarding = 1
net.ipv4.conf.vpn.mc_forwarding = 0
net.ipv4.conf.wlan0.bc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.vpn.forwarding = 0
net.ipv6.conf.vpn.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 0
net.ipv6.conf.wlan0.mc_forwarding = 0

I think it's enabled, did you detect any mistake? The Raspi is connected to the internet by Wi-Fi.


#8 2022-07-27 18:36:37

GeorgeJP
Member
From: Czech Republic
Registered: 2020-01-28
Posts: 185

Re: Wireguard server - cannot access services outside server

How are routes set?
Are you sure that no iptables/nftables rules are set?


#9 2022-07-27 19:34:40

tejonaco
Member
Registered: 2018-08-05
Posts: 37

Re: Wireguard server - cannot access services outside server

GeorgeJP wrote:

How are routes set?
Are you sure that no iptables/nftables rules are set?

How could I check this?


#10 2022-07-27 20:58:00

GeorgeJP
Member
From: Czech Republic
Registered: 2020-01-28
Posts: 185

Re: Wireguard server - cannot access services outside server

ip a
ip r
sudo iptables -nvL
sudo iptables -t nat -nvL
sudo nft list ruleset


#11 2022-07-27 21:02:16

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: Wireguard server - cannot access services outside server

What OSes are the connecting devices using?


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

