WireGuard


WireGuard - a fast, modern, secure VPN Tunnel.

1
 
 
This is an automated archive.

The original was posted on /r/wireguard by /u/Mother-Wasabi-3088 on 2024-01-24 14:32:52+00:00.


With the Android client I am forwarding all traffic through my home internet connection and using my at-home DNS server. This is only functional about half the time. At other times I lose all connectivity to the internet. If I switch my wireguard profile off whatever I was doing will immediately start working again.

I have a vague suspicion this might be some Google related bug. Does anyone else have this problem?

2
 
 

The original was posted on /r/wireguard by /u/Pietrob_70 on 2024-01-24 08:52:21+00:00.


Hello

I would like to read the remote information about peers. In more detail, I would like to read the peers' comment field. Is this possible from a remote client?

Thanks

Pietro

3
 
 

The original was posted on /r/wireguard by /u/Comprokit on 2024-01-24 04:24:54+00:00.


My (third party/commercial) VPN that I use for random web-browsing uses wireguard. (They have their own VPN client software that I use, which may be an impediment to this?)

I also have a private VPN set up on my router using wireguard so I can sign into my home network from WAN/outside my home.

Can I have both tunnels operating at the same time? I can't see why not, theoretically, but how would you wind up configuring that on a Linux machine? (I'm not super well versed in networking lingo/terminology, or playing too much with iptables)

4
 
 

The original was posted on /r/wireguard by /u/skydecklover on 2024-01-24 03:55:59+00:00.


So I have two docker hosts, which we can call HomeServer and DockerServer. They both have manually created Docker Networks using 192.168.10.1/27 and 192.168.15.1/27 respectively. What I need is two-way communication between the docker containers on both hosts.

I used to create matching tunnel configs for both hosts and add them to the appropriate paths.

HomeServer:

[Interface]
# Name: HomeServer
Address = 192.168.50.1/27
PrivateKey = [REDACTED]
ListenPort = 51820

[Peer]
# Name: DockerServer
PublicKey = [REDACTED]
Endpoint = [REDACTED]:51820
AllowedIPs = 192.168.50.2/27, 192.168.15.1/27

DockerServer:

[Interface]
# Name: DockerServer
Address = 192.168.50.2/27
PrivateKey = [REDACTED]
ListenPort = 51820

[Peer]
# Name: HomeServer
PublicKey = [REDACTED]
Endpoint = [REDACTED]:51820
AllowedIPs = 192.168.50.1/27, 192.168.10.1/27

Both hosts are using the LinuxServer WireGuard Docker image, this is the docker-compose snippet:

# WireGuard - VPN Client Container
  WireGuard-Mesh:
    <<: *common-keys-non-critical # See EXTENSION FIELDS at the top
    image: lscr.io/linuxserver/wireguard
    container_name: WireGuard-Mesh
    network_mode: host
    cap_add:
      - NET_ADMIN
    ports:
      - 51820:51820
    environment:
      <<: *default-tz-puid-pgid
    volumes:
      - $DOCKERDIR/WireGuard-Mesh:/config

I'm using network_mode: host so that the interfaces and routes will work from the host and apply to other docker containers by default.

This setup works! On both hosts the interface comes up, the handshake occurs, traffic flows between the hosts. I can ping back and forth between any combination of 192.168.50.1, 192.168.50.2, 192.168.10.1 and 192.168.15.1. Almost there!

I have Docker containers in both 192.168.10.1/27 on HomeServer and 192.168.15.1/27 on DockerServer. HomeServer (192.168.10.1) can ping through the tunnel to 192.168.15.2 on DockerServer, but DockerServer (192.168.15.1) cannot ping the other way to anything in 192.168.10.1/27 other than the host.

Both hosts are Ubuntu 22.04 LTS running Docker V25.0.0. Does ANYBODY have any idea what I should look into to see why things work one way but not the other? Thanks y'all!

5
UFW Configuration

The original was posted on /r/wireguard by /u/Jolly_Charity_5739 on 2024-01-23 21:17:23+00:00.


Hey all! I set up a home VPN server with WireGuard, and it works great! However, I would like to be able to use UFW to configure the firewall in a way so that only my configuration's IP address can access my local network, and anyone else who tries to access has their packets to the local network dropped. I can't for the life of me figure out how UFW works, however, because when it is enabled, I can't browse the internet through my VPN, only access my local network. How would I properly set up UFW so that I can:

  1. Allow only myself to be able to browse my local network

  2. Still allow everyone(myself included) to browse the internet through the VPN

Thanks!
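For the two requirements above, a ufw policy that forwards everyone to the internet but only one tunnel address into the LAN comes down to rule order, because ufw's `route` rules are matched first-hit. The shell script below is an added example, not from the post or from the ufw project; the interface names wg0 and eth0, the 10.8.0.0/24 tunnel range, the admin address 10.8.0.2, the LAN 192.168.1.0/24 and the port 51820 are all assumed placeholders. It emits the rules in the required order, can apply them, and includes a small first-match simulator so the policy can be sanity-checked without touching a live firewall:

```shell
#!/bin/sh
# Added example (not from the post): a least-privilege ufw forwarding policy for
# a WireGuard gateway, plus an offline simulator of how ufw will evaluate it.
# All names below are assumptions chosen for the example:
#   wg0            the WireGuard interface
#   eth0           the interface that reaches the internet
#   10.8.0.2       the one tunnel address allowed into the LAN
#   10.8.0.0/24    the tunnel address range
#   192.168.1.0/24 the home LAN
#   51820          the UDP listen port
# ufw only decides what may be *forwarded*; the MASQUERADE for internet-bound
# traffic stays in WireGuard's PostUp/PostDown as usual.

# Emit the ufw commands, one per line, in the order they must be added:
# ufw evaluates rules first-match, so the narrow allow for the admin address
# has to come before the deny that covers the whole tunnel range.
wg_ufw_rules() {  # wg_ufw_rules WG_IF WAN_IF ADMIN WG_NET LAN_NET WG_PORT
    echo "ufw allow in on $2 to any port $6 proto udp"   # peers may reach the listen port
    echo "ufw route allow in on $1 from $3 to $5"       # only the admin is forwarded into the LAN
    echo "ufw route deny in on $1 from $4 to $5"        # every other peer aiming at the LAN is dropped
    echo "ufw route allow in on $1 out on $2 from $4"   # all peers may be forwarded out to the internet
}

# Apply the rules, or just print them when DRY_RUN=1.
wg_ufw_apply() {
    wg_ufw_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

# --- tiny IPv4 helpers so the policy can be checked without touching ufw ---
ip2int() {  # dotted quad -> integer
    addr=$1; old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr IP CIDR (a bare address counts as /32); exit 0 when inside
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Mirror ufw's first-match evaluation of the four rules above for a packet
# entering on the tunnel: prints "allow" or "deny".  The final branch is ufw's
# default forward policy (DROP), which is why nothing is forwarded until a
# route rule allows it.
wg_ufw_decide() {  # wg_ufw_decide SRC_IP DST_IP ADMIN WG_NET LAN_NET
    if   in_cidr "$1" "$3" && in_cidr "$2" "$5"; then echo allow
    elif in_cidr "$1" "$4" && in_cidr "$2" "$5"; then echo deny
    elif in_cidr "$1" "$4";                      then echo allow
    else                                              echo deny
    fi
}

# Demo: print the commands without applying them.
if [ "${1:-}" = demo ]; then
    DRY_RUN=1 wg_ufw_apply wg0 eth0 10.8.0.2 10.8.0.0/24 192.168.1.0/24 51820
fi
```

Run it with DRY_RUN=1 first and read the four commands before applying them. ufw's default forward policy is DROP, which is the usual reason a VPN gateway stops passing internet traffic the moment ufw is enabled; the two `route allow` rules override that only for the paths they name, and the `route deny` between them is what keeps every peer except the admin address out of the LAN.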

6
 
 

The original was posted on /r/wireguard by /u/iiiGVXDiii on 2024-01-23 14:44:25+00:00.


I am very new to Wireguard, so I don't have much of an idea of what could be causing this issue.

Every 4 to 5 minutes I have a 15-second dropout on my connected client (displayed below running mtr), and this is extremely consistent, leading me to believe this is some kind of event or process, and not a standard network drop. I am using Linode for my VPS hosting.

I ran this same program on my Linode VPS, and at the time this dropout occurs, no interruption happens, leading me to believe the problem lies in the communication between client and server, as the server doesn't lose connection to the internet.

My config can be found here:

I can provide any further information upon request, I'm new to homelab stuff in general, and just wish to host a couple game servers through wireguard.

Thanks in advance

7
 
 

The original was posted on /r/wireguard by /u/EldestPort on 2024-01-23 01:10:59+00:00.


I have PiVPN configured with Wireguard on a Raspberry Pi on my home network. When I connect to it, for example when I'm at uni, I cannot make an SSH connection to my Ubuntu box that's on the same home network as the Raspberry Pi. How can I change my configuration so that local machines are accessible when I am connected to the VPN? (I considered posting to the PiVPN subreddit but figured it may be a general Wireguard query.)

8
 
 

The original was posted on /r/wireguard by /u/NightestOfTheOwls on 2024-01-22 21:05:13+00:00.


So obviously, it's not necessarily a WireGuard issue, it might be a bunch of other stuff that spills the beans on my real location. Still, I'd like some tips as to what I might've missed to let it detect me.

  • Performed a DNS leak test, all clear
  • Cleared all browser data, accessed from incognito
  • Used a brand new e-mail

Still no luck with my WireGuard. However, when I was forced to try the free ProtonVPN it magically worked and let me in. So either I set up something wrong on my wg server or whatever blocking software OpenAI are using on their end has my wg host literally blacklisted. Anything I should check first?

9
 
 

The original was posted on /r/wireguard by /u/BenjiStokman on 2024-01-22 19:17:11+00:00.


I have a computer with Mullvad on it and I want to connect to another WireGuard VPN that runs on it from the Internet. I can connect just fine on my LAN, but on the Internet by default any packets sent back are sent over Mullvad.

Mullvad has a guide here on how to bypass their VPN for incoming connections and that's working fine for normal applications (tested with apache2). But when I set up my WireGuard VPN on that same working port that I want to connect to, it doesn't work and return packets are still sent over Mullvad.

Any way to fix this? I have already duplicated the line in the nftables rule that specifies the port and changed tcp to udp for both incoming and outgoing. I have tried using Socat before to proxy the connection but that didn't work either. Maybe I got the command wrong?

10
 
 

The original was posted on /r/wireguard by /u/-quakeguy- on 2024-01-22 16:39:25+00:00.


I deployed wg on my as6706t NAS like so:

version: "3.8"

services:
  wg-easy:
    environment:
      - LANG=en
      - WG_HOST=my.censored.domain

      - PASSWORD=foobar123
      - WG_PORT=51820
      - WG_DEFAULT_ADDRESS=192.168.2.x
      - WG_DEFAULT_DNS=192.168.1.2
      - WG_MTU=1420
      - WG_ALLOWED_IPS=0.0.0.0/0
      - WG_PERSISTENT_KEEPALIVE=15

    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - config:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "8085:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

volumes:
  config:

Home network is 192.168.1.0/24 and I want to use 192.168.2.0/24 for my wg client range. I created a client in the web UI, used the QR code to get the info to my iPhone and as long as my phone is on the same WIFI network (and assuming I adjust the iOS client to actually talk to the internal network IP for the machine running WG), the connection is established and I see it in the web UI.

The problem is when I try to connect from outside the home. I disable WiFi, which drops me to my mobile connection for data, then I ensure my home router's public IP is what I'm actually connecting to in the iOS client, I ensure port 51820 is forwarded on my home router to the correct internal IP (I have a whole lot of other ports forwarded to that same exact host and these port mappings work fine), yet... the handshake never completes when connecting from outside.

11
 
 

The original was posted on /r/wireguard by /u/Safe-Specialist3163 on 2024-01-22 16:05:04+00:00.


I'd like to set up a WireGuard VPN to remotely connect to my home network, but I am quite a newbie and I am not fully aware of the security implications and shortcomings. So my questions:

  1. What security measures should I take?
  2. If I set up DDNS in my router and the IP is not updated immediately for some reason, then when I try to connect to the home network, will the credentials be sent to a wrong IP and thereby revealed?
  3. I read that WireGuard doesn't support 2FA by default. Is this shortcoming an actual risk?
  4. Since there is no 2FA, how could I be aware of intrusions in the local network?

12
 
 

The original was posted on /r/wireguard by /u/avgenius on 2024-01-22 11:31:56+00:00.


Hi everyone, I have a problem on iOS 16.3.1 using the WireGuard protocol. On my iPhone, it says it is successfully connected. However, I cannot go online. On the router setup page, the instructions state that "For iOS users, you must assign a specific DNS server to WireGuard app before accessing the internet through WireGuard Server." I asked ASUS and they can't help me. Hope this is the right place to ask. Thanks.

13
 
 

The original was posted on /r/wireguard by /u/Schwippps on 2024-01-22 08:28:10+00:00.


Hi all,

I have two machines that I need to connect via WireGuard. Due to restrictive firewall settings on my ISP's side (which is totally fine with me), I would like to use predefined ports on both machines. However, once a handshake has been made, WireGuard changes the port on one side, which ultimately is blocked. One side runs in a Podman container, but I don't think that is part of the problem? I will refer to the two peers / clients & server as "Native" and "Podman". See below my configs:

"Podman"

[Interface]
PrivateKey = ICZPq9iqKYxxxxxxI6B3FAA5hQHI=
Address = 10.0.0.2/32
ListenPort = 51822

[Peer]
PublicKey = KUPIzlIqXYHhxoesvexxxxxxxxxGfOaVixXj4=
Endpoint = 135.125.133.xxx:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

"Native"

[Interface]
Address = 10.0.0.1/32
SaveConfig = true
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PreUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.0.0.2:32400
PreUp = iptables -t nat -A PREROUTING -p udp --dport 32400 -j DNAT --to-destination 10.0.0.2:32400
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p udp --dport 32400 -j DNAT --to-destination 10.0.0.2:32400
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.0.0.2:32400
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = aKl8mnu1Hoxxxxxxxxxn56hHWWNFiv2oRcmnw=

[Peer]
PublicKey = ZgOCElEHQ8j0X7ExxxxxxxKWHe1FMgiUiyQyU=
AllowedIPs = 10.0.0.2/32, 10.0.0.1/32, 10.0.0.0/24
Endpoint = 135.181.143.xxx:51822

Output before handshake:

"Native"

alfred@Batarang:~$ sudo wg show wg0
interface: wg0
  public key: KUPIzlIqXYxxxxxxxQSdlGfOaVixXj4=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: ZgOCElEHQ8j0X7xxxxxxHe1FMgiUiyQyU=
  endpoint: 135.181.143.xxx:51822
  allowed ips: 10.0.0.2/32, 10.0.0.1/32, 10.0.0.0/24

Output after handshake:

"Native"

interface: wg0
  public key: KUPIzlIqXYHhxoexxxxxdlGfOaVixXj4=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: ZgOCElEHQ8j0X7EJnxxxxxxxxxcKWHe1FMgiUiyQyU=
  endpoint: 135.181.143.xxx:52260
  allowed ips: 10.0.0.2/32, 10.0.0.1/32, 10.0.0.0/24
  transfer: 148 B received, 92 B sent

For whatever reason my port appears to be changing. Do you have any idea why?

Obviously, the changed port is not accessible through my firewall, leading to the fact that wireguard is not working.
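Two of the questions on this page are really about visibility into peer state: how to notice an unexpected or dead peer on a home server (question 4 of the post by /u/Safe-Specialist3163 above) and what a changed endpoint looks like from the server's side (the 51822 to 52260 port change in this post). On that earlier post's question 2: a WireGuard handshake carries no password; the initiation message is encrypted to the server's static public key, so a stale DDNS record delivers it to a host that can neither decrypt nor answer it. The shell script below is an added example, not from either post or from the WireGuard project: it parses the machine-readable `wg show <if> dump` output with awk and reports each peer as ok, roamed, stale, unknown or missing against an expected-peer list. The keys, the endpoints and the expected list are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the posts): audit the peers of a WireGuard interface
# from `wg show <if> dump`, flagging endpoints that moved, handshakes that went
# stale and peers that were never configured.  Everything below is constructed
# for the example: the keys are placeholders, the addresses are documentation
# ranges, and the expected-endpoint list stands in for your own inventory.
#
# `wg show wg0 dump` prints tab-separated fields.  Line 1 is the interface:
#   private-key  public-key  listen-port  fwmark
# every further line is one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp, 0 when there has never been one.
# Field 1 of line 1 is the interface's private key: run this as root and do not
# pipe the raw dump into anything that logs it.

# Expected peers, one "public-key endpoint" per line (constructed sample).
EXPECTED_PEERS='PEER_A_PUBKEY_PLACEHOLDER= 203.0.113.10:51822
PEER_B_PUBKEY_PLACEHOLDER= 198.51.100.7:51820
PEER_C_PUBKEY_PLACEHOLDER= 192.0.2.44:51820
PEER_E_PUBKEY_PLACEHOLDER= 198.51.100.9:51820'

# wg_audit NOW MAX_AGE EXPECTED  < dump
# Prints "public-key STATUS detail" per peer.  STATUS, in order of precedence:
#   unknown  peer not in EXPECTED at all (worth a look: who added it?)
#   roamed   endpoint differs from EXPECTED (NAT rewrote it, or the peer moved)
#   stale    no handshake within MAX_AGE seconds (an active tunnel rekeys every
#            two minutes, so 180 s catches a dead peer quickly)
#   ok
#   missing  in EXPECTED but absent from the dump (printed last)
wg_audit() {
    awk -v now="$1" -v max_age="$2" -v expected="$3" '
    BEGIN {
        FS = "\t"
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], kv, " ") == 2) want[kv[1]] = kv[2]
    }
    NR == 1 { next }                       # interface line carries no peer
    {
        key = $1; ep = $3; hs = $5 + 0; age = now - hs
        if (!(key in want))       { status = "unknown"; detail = "endpoint=" ep }
        else if (ep != want[key]) { status = "roamed";  detail = want[key] " -> " ep }
        else if (hs == 0)         { status = "stale";   detail = "never" }
        else if (age > max_age)   { status = "stale";   detail = "age=" age "s" }
        else                      { status = "ok";      detail = "age=" age "s" }
        seen[key] = 1
        print key, status, detail
    }
    END { for (k in want) if (!(k in seen)) print k, "missing", "not in dump" }'
}

# Constructed dump: peer A came back on a different source port (compare the
# 51822 -> 52260 change in the post above), B is healthy, C never handshook,
# D is not in the inventory, and E is in the inventory but not on the interface.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' '(hidden)' 'IFACE_PUBKEY_PLACEHOLDER=' 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_A_PUBKEY_PLACEHOLDER=' '(none)' '203.0.113.10:52260' '10.0.0.2/32' 1706000000 148 92 25
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_B_PUBKEY_PLACEHOLDER=' '(none)' '198.51.100.7:51820' '10.0.0.3/32' 1706000000 4096 2048 25
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_C_PUBKEY_PLACEHOLDER=' '(none)' '192.0.2.44:51820' '10.0.0.4/32' 0 0 0 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_D_PUBKEY_PLACEHOLDER=' '(none)' '203.0.113.99:40000' '10.0.0.9/32' 1706000050 512 512 off
}

# Demo on the constructed dump; on a real host use:
#   sudo wg show wg0 dump | wg_audit "$(date +%s)" 180 "$EXPECTED_PEERS"
if [ "${1:-}" = demo ]; then
    sample_dump | wg_audit 1706000100 180 "$EXPECTED_PEERS"
fi
```

A "roamed" line is expected whenever the peer sits behind a NAT that rewrites source ports; the value of flagging it is that a peer whose endpoint changes to an address you do not recognise stands out, and an "unknown" line means a peer exists on the interface that was never put in the inventory. Running this from cron and diffing against the previous run is the simplest intrusion signal a single-key WireGuard deployment can give.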

14
Setup help

The original was posted on /r/wireguard by /u/gators939 on 2024-01-22 07:13:22+00:00.


Hello,

I am trying to set up a new client on my Raspberry Pi and struggling to identify where I'm going wrong. The client doesn't work on any devices I try it on. I am using an Arris S33 modem and an Eero router. I have DDNS via Eero, which is set up for the client. I also set up port forwarding to 51810 on my Eero with the IP of my Raspberry Pi reserved.

15
OpenBSD stuck

The original was posted on /r/wireguard by /u/hackzino on 2024-01-22 06:59:32+00:00.


[Interface]
PrivateKey = *****************
ListenPort = 49152

[Peer]
PublicKey = *******************
AllowedIPs = 0.0.0.0, ::/0

[Peer]
PublicKey = ******************
AllowedIPs = 0.0.0.0, ::/0
PersistentKeepalive = 25

That's my wg0.conf. Then, doing sh /etc/netstart wg0, I just see this:

wg show
interface: wg0
  listening port: 46495

I do not see any peer. I just ping to 10.0.0.1. Any tips to correct? I must say that I configured pf.conf as well:

set skip on wg0
set block-policy drop
int="vio0"
pass in on $int from any to any keep state
block return # block stateless traffic
#pass # establish keep-state
pass in on wg0
pass in inet proto udp from any to any port 49152
pass out on egress inet from (wg0:network) nat-to (vio0:0)

Thank you

16
 
 

The original was posted on /r/wireguard by /u/Puzzleheaded-Fact498 on 2024-01-22 01:29:20+00:00.


My setup

The config used in my laptop: client.conf

[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = OJ4ut77k0UGmKeTk21HrvJTT8sfxHxtbvRMRdtnvBEQ=
DNS = 1.1.1.1

[Peer]
PublicKey = Xbrev2jqgb3rXARRmayeHFZmbwWTGaNQQGFQ+Moc01Y=
Endpoint = RASPBERRYPI_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 20

setup command: sudo wg-quick up ./client.conf

The config used in the raspberry pi server: server.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = uF0l0gIIHBPxQCPt0SHFeZRwIaaGA+s7kibunTasT3Q=
DNS = 1.1.1.1

[Peer]
PublicKey = y5bGZxEuaWpU9yX7UUwywjXLs7P2DDrTOJY+aQFMaEQ=
AllowedIPs = 10.0.0.2/32

setup command: sudo wg-quick up ./server.conf

I'm trying to set up a WireGuard server on my friend's Raspberry Pi. Everything went pretty smoothly, but the problem is that I cannot make a request to anything other than the server's WireGuard IP (10.0.0.1 in this case) on my laptop after running the setup command.

The handshakes are established (I can see the latest handshake: 48 seconds ago text when using sudo wg show on both my laptop and the server)

After running the setup commands on both machines:

  • pinging 10.0.0.1 on my laptop works
  • pinging 8.8.8.8 and 1.1.1.1 doesn't work on my laptop
  • pinging 8.8.8.8 and 1.1.1.1 works in the raspberry pi
  • curl -L google.com doesn't work on my laptop
    • After waiting for a while, curl returns curl: (6) Could not resolve host: google.com
  • curl -L google.com works in the raspberry pi
  • Setting up a temporary server on the raspberry pi using python -m http.server

Any idea how I can fix the fact that I can only make requests to 10.0.0.1 instead of all possible domains/IPs?
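A peer whose AllowedIPs is 0.0.0.0/0 sends all of its traffic to the server, which then has to forward it and source-NAT it out of its own internet interface; the server.conf shown above contains neither a forwarding setting nor a NAT rule (whether they exist elsewhere on the Pi cannot be told from the post). The shell script below is an added example, not from the post or from the WireGuard project: a small lint that reports what a gateway [Interface] is missing, and a generator for one that passes it. The interface name eth0, the 10.0.0.0/24 tunnel range and the key strings are placeholders; the private keys printed in the post itself are public now and should be regenerated with `wg genkey` before that server is used again.

```shell
#!/bin/sh
# Added example (not from the post): a lint for the server side of a wg-quick
# config that is supposed to act as an internet gateway for its peers, and a
# generator for an [Interface] section that passes it.  The checks and the
# generated rules are this example's own choices, not WireGuard's or the post's;
# the interface names, addresses and key strings are placeholders.

# Does the config currently being linted contain a line matching the regex?
cfg_has() { printf '%s\n' "$CFG" | grep -qiE "$1"; }

# wg_gateway_lint < wg0.conf
# Prints one finding per line; exit status 1 when anything was found.
# A peer with AllowedIPs = 0.0.0.0/0 sends every packet to this host, so the
# host must (1) have forwarding enabled, (2) source-NAT the tunnel range out of
# the internet-facing interface and (3) remove that NAT again on PostDown so a
# restart does not stack duplicate rules.  A DNS= line on a server interface is
# flagged too: wg-quick would apply it to the server's own resolver.
wg_gateway_lint() {
    CFG=$(cat); found=0
    cfg_has '^PostUp *=.*MASQUERADE'   || { echo "missing: PostUp MASQUERADE rule for the tunnel range";            found=1; }
    cfg_has '^PostDown *=.*MASQUERADE' || { echo "missing: PostDown rule removing the MASQUERADE";                  found=1; }
    cfg_has 'ip_forward'               || { echo "missing: net.ipv4.ip_forward=1 (PreUp sysctl or sysctl.conf)";   found=1; }
    cfg_has '^ListenPort *='           || { echo "missing: ListenPort (peers need a fixed port to reach)";          found=1; }
    cfg_has '^DNS *='                  && { echo "suspicious: DNS= on a server interface";                          found=1; }
    return $found
}

# wg_gateway_interface ADDRESS/CIDR TUNNEL_NET PORT WAN_IF PRIVKEY
# The key is passed in so this runs without wg installed; in practice feed it
# the output of `wg genkey`.  %i is wg-quick's placeholder for the interface
# name.  The FORWARD rules let tunnel traffic out and replies back in; the
# POSTROUTING MASQUERADE is what gives a peer a return path from the internet.
wg_gateway_interface() {
    cat <<EOF
[Interface]
Address = $1
ListenPort = $3
PrivateKey = $5
PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -s $2 -o $4 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -s $2 -o $4 -j MASQUERADE
EOF
}

# The [Interface] from the post, with the private key replaced by a placeholder
# (constructed copy for the demo).
posted_server_interface() {
    cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVKEY_PLACEHOLDER=
DNS = 1.1.1.1
EOF
}

if [ "${1:-}" = demo ]; then
    echo "posted config:"
    posted_server_interface | wg_gateway_lint || true
    echo "generated config:"
    wg_gateway_interface 10.0.0.1/24 10.0.0.0/24 51820 eth0 SERVER_PRIVKEY_PLACEHOLDER= | wg_gateway_lint && echo "no findings"
fi
```

wg_gateway_interface prints only the [Interface] section; the [Peer] block from the post is appended to it unchanged. Pipe any existing server config into wg_gateway_lint (for example `sudo wg_gateway_lint < /etc/wireguard/wg0.conf` after sourcing the script) to see which of the three gateway pieces it lacks.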

17
 
 

The original was posted on /r/wireguard by /u/AndroidWG on 2024-01-22 00:09:55+00:00.


Basically I have a home server and I have one interface already set up as a VPN Tunnel to my local network, so I can for example SSH from outside my home's WiFi.

I want to add a Proton VPN WG interface to use when torrenting. I configured it following Proton's guide and it works correctly (routing all traffic by default), however accessing Jellyfin and other services thru my NGINX reverse proxy remotely doesn't work if I have the VPN active, and I have no need to route that through Proton anyway.

I use qBittorrent client on the server and it has an option to select which interface to use, so I thought I could add the Proton VPN interface but make it so no traffic is routed through it by default, but so I can just select it on qBittorrent and use it like that. Is that possible?

18
 
 

The original was posted on /r/wireguard by /u/ImaBusterMan on 2024-01-19 17:16:00+00:00.


Now the scenario is I wanna play a game by port forwarding by bypassing CGNAT on my Windows.

But the terminal commands exist for Linux, so I dual boot Windows and Linux on my PC to set up WireGuard and need confirmation about which to make the client and which to make the server or host.

The condition is that I should be able to play my game on Windows through the WireGuard VPN. Should I execute all the commands on my Linux and make the Android phone the server and Windows the client, so that when I install the WireGuard app on it the connection is set up? If that is possible then tell me how.

Secondly, using a VPS I only require to give its public IPV4 and nothing else right ?

19
 
 

The original was posted on /r/wireguard by /u/OuchMyArmHurty on 2024-01-21 20:55:57+00:00.


I've noticed that even when connected to networks that support IPv6, users of our WireGuard VPN service get routed over IPv4 when they are using the iOS app. Is there a way to change the config so that it prefers IPv6 when available? The only way I've gotten it to work is to use an IPv6-only domain, but that runs into the problem of not being able to connect when the user goes onto an IPv4-only network.

20
 
 

The original was posted on /r/wireguard by /u/palomban on 2024-01-21 17:09:51+00:00.


I have a WireGuard VPN server set up on an always-on Linux box on my home network, which also acts as a file server as well as a DNS server with Pi-hole. On my iPhone, I had "Allowed IPs" set to "0.0.0.0/0, ::/0" to send all traffic through the VPN, where my Linux box functions as a default gateway. Over time, I had noticed that I was unable to reach the Pi-hole web interface and file server only when connected to some WiFi networks away from home, even though DNS queries were still adequately being resolved by Pi-hole. I could instantly resolve this problem by turning off WiFi and using cellular data. After some troubleshooting, I discovered the subnet mask of my home network and WiFi network being used (away from home) were the same (e.g., 192.168.1.0/24). This made me suspect the root of the issue, which is that evidently some network data is being leaked to the iPhone's local network. For example, entering the default gateway IP (e.g., 192.168.1.1) into a browser results in the web interface of the WiFi router away from home and not my home router's web interface. Note that the "Exclude private IPs" setting is toggled off. As such, it is evident that the "Allowed IPs" setting is not working as I expected.

To apparently resolve the issue, I've changed the "Allowed IPs" setting to, say, "0.0.0.0/0, ::/0, 192.168.1.2/32", which now explicitly includes the IP address of my Linux box. This allows me to use all of the functions on my Linux box through the VPN. Note that I still get the web interface of the WiFi router away from home, but this should be because I did not explicitly add the entire subnet to the list of allowed IPs.

Is this a known issue with iPhone or the WireGuard app? Am I doing something wrong?

21
 
 

The original was posted on /r/wireguard by /u/PsychologicalCat6978 on 2024-01-21 13:30:32+00:00.


Hi all!

I am running WireGuard VPN as a server on my Untangle NG Firewall for remote worker VPNs. The network has about 20 users, so to standardize deployment I thought I would write a script.

The script runs as SYSTEM, deploys WireGuard via Chocolatey, adds the standard user to the Network Configuration Operators group, and creates the registry key to allow the standard user to access the WireGuard GUI. Once installed, it runs wireguard /installtunnelservice to apply the appropriate configuration for that machine (each computer has its own config file).

All seems to work smoothly (no errors). The tunnel is definitely active because I can ping the server from the remote worker PC. However, the connection does not show in the WireGuard GUI, so the users are unable to turn it on or off depending on whether they are in the office (off) or at home (on).

Any ideas on how to deploy the configuration through a script that gets added to the GUI?

22
 
 

The original was posted on /r/wireguard by /u/Frozen_Gecko on 2024-01-21 13:26:53+00:00.


Hey guys,

WireGuard has been a part of my homelab for about 2 years now and I have been absolutely loving it. Recently I decided to set it up on my wife's iPhone 12 so that she has access to homelab services while on the go. The tunnel connects fine and I can access local services through http://: without any issue as expected.

The strange part happens when I try to connect to services through local DNS records. For example when trying to connect to https://immich..com I can not find the server, even though my local DNS (Unbound DNS on OPNsense) points all traffic on *..com to my nginx instance. When I check Adguardhome query logs I can see that the requests to https://..com are being forwarded to Unbound, but I do not get a correct response. When I connect to these services first over wifi and then turn off wifi and try to connect over WireGuard I see that these requests receive the correct A record response (these are cached on Adguardhome), but the service still will not connect.

A bit of background. I am running WireGuard on OPNsense and have Adguardhome as main DNS with Unbound DNS as upstream DNS and CloudFlare DoT as upstream in unbound. This setup works perfectly fine on my Android phone and my Linux laptop.

On the iPhone I have allowed IPs set to 10.11.0.0/16 because Apple CarPlay does not like being routed over a VPN and I could not figure out a way to split tunnel WireGuard on iOS so that all traffic except specific apps uses my VPN. I would prefer to have allowed IPs in the iOS WireGuard settings be 0.0.0.0/0. Also, as DNS server I point it to my OPNsense install on 10.11.12.1 (OPNsense IP on the local network).

Another issue I ran into is that Google Maps no longer seems to work with WireGuard connected. When turning off the tunnel, Google Maps works again. Again, allowed IPs is set to 10.11.0.0/16, so I do not really understand why Google Maps would not work. I cannot imagine the traffic to Google Maps is routed through my local subnet.

As I said before, the strangest part is that I do not run into these issues on my Android phone or my Linux laptop. Seeing as those are set up correctly I am not sure what I am doing wrong.

So in conclusion I have these three questions.

  1. What should I do to correctly resolve local DNS records?
  2. Is there a way to split tunnel apps on iOS so that I can route all internet traffic from my wife's phone over WireGuard except a couple of predefined apps?
  3. What should I do so that Google Maps functions while connected to the WireGuard tunnel? (Even while only routing local subnet over WireGuard)

My apologies if this has been answered before, I could not find it. Thanks in advance!

23
 
 

The original was posted on /r/wireguard by /u/batmanv04 on 2024-01-21 11:36:46+00:00.


Hi all experts,

Here is my situation:

1x Contabo VPS (Server A)

1x Oracle VPS (Server B)

(Both running Ubuntu 22.04 LTS)

Both running docker with Wireguard with 'Server A' being the server and 'Server B' being the client.

I have managed to deploy both the server and the client and confirm that a connection between the two has been established using 'curl ifconfig.me'.

Now, what I would like to do is selectively route some of my other containers on 'Server A' through this WireGuard tunnel and expose them publicly on the other end using the public IP of 'Server B', and eventually subdomains using Nginx Proxy Manager, also in a Docker container on 'Server B'.

Essentially, hide the host IP address of certain Docker containers on 'Server A' and only expose the IP address of 'Server B'.

My networking knowledge is somewhat limited. I've tried researching and then using GPT, however I ended up having to reset my Oracle server after losing all access to it.

Any guidance would be greatly appreciated.

24
 
 

The original was posted on /r/wireguard by /u/Teggers_Today on 2024-01-21 10:21:24+00:00.


I'm following this guide but not using Mullvad.

I can connect to the server with wireguard tools from the host - all traffic goes through - no problems.

I can connect to the server via the wireguard container - all docker traffic goes through - no problems.

I can connect my phone to the server - all traffic goes through - no problems.

I'm sure i have to do something like this on the ubuntu host:

sudo ip route del default
sudo ip route add 192.53.172.117 via 192.168.0.1
sudo ip route add default via 172.20.0.50

Then set host sysctl.conf to:

net.ipv4.ip_forward=1

I understand that this has to be repeated after each host reboot (unless i set up a service) - all cool

My .conf:

[Interface]
Address = 10.252.1.1/32
PrivateKey = xxxxxxxxxxxxx
DNS = 1.1.1.1
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
MTU = 1450

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = 192.53.172.117:51820
PersistentKeepalive = 15

I've even tried disabling UFW and fixing the host /etc/resolv.conf with sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf.

Someone please tell me the secret sauce; I can't believe that connecting the Ubuntu host to a WireGuard container is this hard?!

25
 
 

The original was posted on /r/wireguard by /u/justinwgrote on 2024-01-21 05:07:25+00:00.


SOLVED: Apparently newer versions of Debian have the Intel connection manager, which will detect interfaces and try to switch automatically. That's what was happening here, which is worthless in a server; why is it there in a server?!?

Anyways, dumped that stupid package and it's fixed.

Fresh Wireguard install. Using wg-quick to run a PIA generated config, tried multiple different nodes.

Everything is fine for the first 40 seconds, then exactly at 40 seconds, things just stop flowing. PIA tries to re-initiate as you can see a couple times at the end. I have no idea why it stops responding. Other computers on this net connect to PIA just fine (albeit via windows PIA client). Trying to figure out what's going on here. I thought maybe keepalives but that doesn't seem to be the case.

EDIT: After checking a bit, it works on my raw host, but not in my docker container as it used to, that's where the timeout is, even if it is bridge mode and not NAT mode.
