
#1 2023-12-26 12:46:29

tapia
Member
Registered: 2013-03-13
Posts: 58

Unable to connect to wireguard, but phone connected to same wifi can

Hi all,

I have been struggling with this for some time, and after going to bed yesterday at 4 am without being able to solve this, I thought that I should try to get some help. Here is my situation:

I have a server at home running a Wireguard server inside a docker container. I use the docker image from "linuxserver/docker-wireguard" [1]. The server seems to be working well, as I can connect to it with my phone (android) and with my laptop. However, when connected to the wifi at my parents' house, the laptop cannot make the connection. Well, it shows as being connected, but no traffic is going through the tunnel (actually no traffic is going anywhere). To establish the connection I use NetworkManager, after properly importing the configuration file with

nmcli connection import type wireguard file "peer.conf"

I have also tried directly with the wg-quick script, but I get the same result. (And remember that this setting does work when connected via other wifis.)

The content of the peer configuration is

[Interface]
Address = 10.13.13.4
PrivateKey = xxxxxxxxxxxxxxxxxxx
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxx
PresharedKey =xxxxxxxxxxxxxxxxxxx
Endpoint = my-address.com:51820
AllowedIPs = 0.0.0.0/0,::/0

Additional information:

The strange thing is that an android phone connected to the same wifi has no problem in connecting and using this wireguard connection. Furthermore, if I share the wifi through the phone to my computer via USB tethering, then the connection with wireguard works perfectly. Notice that I have turned the phone's internet off, in order to be sure that the phone is accessing internet through the router.

So I have been trying to pinpoint the differences between both connections to figure out where the problem might be. Until now, I only found one difference. I use systemd-resolved to manage /etc/resolv.conf. The content of this file looks like this when connected directly to the router:

nameserver 127.0.0.53
options edns0 trust-ad
search speedport.ip

And it looks like this when connected through the USB-tethering

nameserver 127.0.0.53
options edns0 trust-ad
search .

So the only difference is the value after "search". When connected directly to the router it has the value "speedport.ip". Can this have something to do with my problem?

I'll be very grateful for any help :)

[1] https://github.com/linuxserver/docker-wireguard


#2 2023-12-26 13:01:43

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: Unable to connect to wireguard, but phone connected to same wifi can

The phenomena surrounding your post strongly hint at a tunnel IPv4/IPv6 connectivity problem.

Does "my-address.com" have an AAAA (IPv6 address) record? If yes, does your WireGuard setup allow incoming IPv6 tunnel requests?


#3 2023-12-26 15:16:15

tapia
Member
Registered: 2013-03-13
Posts: 58

Re: Unable to connect to wireguard, but phone connected to same wifi can

Hi -thc, yes, "my-address.com" has an AAAA IPv6 address. The WireGuard within the docker does not support IPv6, so I guess I will have to start there?

I saw a post in Reddit [1] describing how to do this, so I will give that a try.

[1] https://www.reddit.com/r/WireGuard/comm … in_docker/


#4 2023-12-26 15:42:17

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: Unable to connect to wireguard, but phone connected to same wifi can

Either work via IPv4 exclusively or enable IPv6 tunnel support.

Be aware that
- certain routers are IPv6 capable but do not allow IPv6 forwarding to an internal device
- although IPv6 NAT is possible, an IPv6 router will most likely simply forward IPv6 traffic
- the AAAA record for "my-address.com" must contain the somewhat stable IPv6 address of the WireGuard host


#5 2023-12-26 16:59:21

tapia
Member
Registered: 2013-03-13
Posts: 58

Re: Unable to connect to wireguard, but phone connected to same wifi can

Thanks for your suggestion! I just went for IPv4 exclusively (deleted the AAAA IPv6 address from "my-address.com") and now everything works perfectly :) I had enabled it because I thought that's just what you have to do nowadays. But I had not thought about such possible problems.

It's good to have the opinion of someone who knows about this ;)

Thanks again!

Offline
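
An added example, not part of any post in this thread: a Python check that reads the Endpoint from a peer config, resolves it for UDP, and reports whether the name is dual-stack with IPv6 listed first, which is the condition the question in #2 asks about. The function names, placeholder keys and documentation-range addresses are constructed, and it assumes the client tries the first address the resolver returns.

```python
import socket

# Constructed sample: the peer config from the thread, keys replaced by placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.13.13.4
PrivateKey = PLACEHOLDER

[Peer]
PublicKey = PLACEHOLDER
Endpoint = my-address.com:51820
AllowedIPs = 0.0.0.0/0,::/0
"""

def parse_endpoint(conf_text):
    """Return (host, port) from the Endpoint line of a wg-quick style config."""
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "endpoint":
            host, _, port = value.strip().rpartition(":")
            return host.strip("[]"), int(port)  # brackets wrap IPv6 literals
    raise ValueError("no Endpoint line found")

def diagnose(conf_text, resolver=socket.getaddrinfo):
    """Resolve the endpoint as a UDP client would and classify the result."""
    host, port = parse_endpoint(conf_text)
    infos = resolver(host, port, type=socket.SOCK_DGRAM)
    # Keep resolver order: the assumption is that the client tries the first address.
    addrs = [("IPv6" if fam == socket.AF_INET6 else "IPv4", sa[0])
             for fam, _type, _proto, _canon, sa in infos]
    families = {fam for fam, _ in addrs}
    suffix = "-only" if len(families) == 1 else "-first"
    verdict = addrs[0][0].lower() + suffix
    return {"endpoint": (host, port), "first": addrs[0], "verdict": verdict}

def fake_resolver(*records):
    """Build a getaddrinfo stand-in from constructed (family, address) records."""
    def resolve(host, port, type=0):
        return [(fam, type, 17, "", (addr, port)) for fam, addr in records]
    return resolve

# Constructed addresses from the documentation ranges (RFC 3849, RFC 5737).
DUAL_STACK = fake_resolver((socket.AF_INET6, "2001:db8::1"), (socket.AF_INET, "192.0.2.10"))
V4_ONLY = fake_resolver((socket.AF_INET, "192.0.2.10"))

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, DUAL_STACK))  # name with both A and AAAA records
    print(diagnose(SAMPLE_CONF, V4_ONLY))     # name after the AAAA record is deleted
```

Calling `diagnose(open("peer.conf").read())` without a resolver argument uses the system resolver, so the verdict reflects the network the laptop is currently on.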
