WireGuard

WireGuard - a fast, modern, secure VPN Tunnel.

226
This is an automated archive.

The original was posted on /r/wireguard by /u/Algod2 on 2023-12-29 08:15:56+00:00.


I am using Cloudflare on the client side and Pi-hole downstream.

2023-12-29 18:42:56.249366: [MGR] Starting WireGuard/0.5.3 (Windows 10.0.22621; amd64)

2023-12-29 18:42:56.251867: [MGR] Starting UI process for user ‘user’ for session 1

2023-12-29 19:06:44.996245: [TUN] [al-jupiter] Starting WireGuard/0.5.3 (Windows 10.0.22621; amd64)

2023-12-29 19:06:44.996746: [TUN] [al-jupiter] Watching network interfaces

2023-12-29 19:06:44.997246: [TUN] [al-jupiter] Warning: the "DNS Client" (dnscache) service is disabled; please re-enable it

2023-12-29 19:06:44.997746: [TUN] [al-jupiter] Resolving DNS names

2023-12-29 19:06:44.997746: [TUN] [al-jupiter] Creating network adapter

2023-12-29 19:06:45.070753: [TUN] [al-jupiter] Installing driver 0.10

2023-12-29 19:06:45.071220: [TUN] [al-jupiter] Extracting driver

2023-12-29 19:06:45.071755: [TUN] [al-jupiter] Installing driver

2023-12-29 19:06:45.273789: [TUN] [al-jupiter] Creating adapter

2023-12-29 19:06:45.420332: [TUN] [al-jupiter] Using WireGuardNT/0.10

2023-12-29 19:06:45.420332: [TUN] [al-jupiter] Enabling firewall rules

2023-12-29 19:06:45.407318: [TUN] [al-jupiter] Interface created

2023-12-29 19:06:45.423333: [TUN] [al-jupiter] Dropping privileges

2023-12-29 19:06:45.423333: [TUN] [al-jupiter] Setting interface configuration

2023-12-29 19:06:45.423832: [TUN] [al-jupiter] Peer 1 created

2023-12-29 19:06:45.438832: [TUN] [al-jupiter] Interface up

2023-12-29 19:06:45.439345: [TUN] [al-jupiter] Monitoring MTU of default v6 routes

2023-12-29 19:06:45.440833: [TUN] [al-jupiter] Setting device v6 addresses

2023-12-29 19:06:45.441359: [TUN] [al-jupiter] Sending handshake initiation to peer 1 (IP addresses)

2023-12-29 19:06:45.445854: [TUN] [al-jupiter] Monitoring MTU of default v4 routes

2023-12-29 19:06:45.446858: [TUN] [al-jupiter] Setting device v4 addresses

2023-12-29 19:06:45.448365: [TUN] [al-jupiter] Unable to configure adapter network settings: unable to set DNS: The service has not been started.

2023-12-29 19:06:45.543475: [TUN] [al-jupiter] Shutting down

2023-12-29 19:06:45.543975: [MGR] [al-jupiter] Tunnel service tracker finished

2023-12-29 19:06:49.349426: [MGR] [al-jupiter] Tunnel service tracker finished

227

The original was posted on /r/wireguard by /u/Algod2 on 2023-12-29 08:10:12+00:00.


I am using cloudflare as the dns provider if that is any issue and my downstream dns is pihole.

Here are the logs:

2023-12-29 18:42:56.249366: [MGR] Starting WireGuard/0.5.3 (Windows 10.0.22621; amd64)
2023-12-29 18:42:56.251867: [MGR] Starting UI process for user ‘alexj@Jupiter’ for session 1
2023-12-29 19:06:44.996245: [TUN] [al-jupiter] Starting WireGuard/0.5.3 (Windows 10.0.22621; amd64)
2023-12-29 19:06:44.996746: [TUN] [al-jupiter] Watching network interfaces
2023-12-29 19:06:44.997246: [TUN] [al-jupiter] Warning: the "DNS Client" (dnscache) service is disabled; please re-enable it
2023-12-29 19:06:44.997746: [TUN] [al-jupiter] Resolving DNS names
2023-12-29 19:06:44.997746: [TUN] [al-jupiter] Creating network adapter
2023-12-29 19:06:45.070753: [TUN] [al-jupiter] Installing driver 0.10
2023-12-29 19:06:45.071220: [TUN] [al-jupiter] Extracting driver
2023-12-29 19:06:45.071755: [TUN] [al-jupiter] Installing driver
2023-12-29 19:06:45.273789: [TUN] [al-jupiter] Creating adapter
2023-12-29 19:06:45.420332: [TUN] [al-jupiter] Using WireGuardNT/0.10
2023-12-29 19:06:45.420332: [TUN] [al-jupiter] Enabling firewall rules
2023-12-29 19:06:45.407318: [TUN] [al-jupiter] Interface created
2023-12-29 19:06:45.423333: [TUN] [al-jupiter] Dropping privileges
2023-12-29 19:06:45.423333: [TUN] [al-jupiter] Setting interface configuration
2023-12-29 19:06:45.423832: [TUN] [al-jupiter] Peer 1 created
2023-12-29 19:06:45.438832: [TUN] [al-jupiter] Interface up
2023-12-29 19:06:45.439345: [TUN] [al-jupiter] Monitoring MTU of default v6 routes
2023-12-29 19:06:45.440833: [TUN] [al-jupiter] Setting device v6 addresses
2023-12-29 19:06:45.441359: [TUN] [al-jupiter] Sending handshake initiation to peer 1 (149.28.232.147:51820)
2023-12-29 19:06:45.445854: [TUN] [al-jupiter] Monitoring MTU of default v4 routes
2023-12-29 19:06:45.446858: [TUN] [al-jupiter] Setting device v4 addresses
2023-12-29 19:06:45.448365: [TUN] [al-jupiter] Unable to configure adapter network settings: unable to set DNS: The service has not been started.
2023-12-29 19:06:45.543475: [TUN] [al-jupiter] Shutting down
2023-12-29 19:06:45.543975: [MGR] [al-jupiter] Tunnel service tracker finished
2023-12-29 19:06:49.349426: [MGR] [al-jupiter] Tunnel service tracker finished

228

The original was posted on /r/wireguard by /u/Algod2 on 2023-12-29 04:51:49+00:00.


I’m using PiVPN (the WireGuard version) on a Vultr server. I cannot scp the config file to my Windows 11 computer. I set up secured SSH using private/public key pairs and use Pi-hole as my DNS. Are any of these things issues?

229

The original was posted on /r/wireguard by /u/jbeez on 2023-12-28 20:13:34+00:00.


Is it possible for me to "pull" the value from /etc/wireguard/private.key in my /etc/wireguard/wg0.conf file?

The conf file starts like this,

[Interface]
PrivateKey = 

TIA

230

The original was posted on /r/wireguard by /u/GetInHereStalker on 2023-12-28 16:29:56+00:00.


I'm planning to connect via a laptop on a public wifi, such as at a hospital, and then activate the WG client to connect me to the self-hosted virtual network (the office ISP-provided router port forwards only to the self-hosted Linux machine running the WireGuard server) in another city, so that I can xRDP (the laptop runs Linux) into the computer that is also connected to that virtual network. Is this safe?

232

The original was posted on /r/wireguard by /u/NoPassion00 on 2023-12-28 12:22:27+00:00.


After spending days trying every setup I could find here, I think I will give up because I can't access the local network of one of the peers.

Here is the setup:

  • VPS: Debian 12 + Docker - running wg-easy in a container with 10.10.0.0/24 as Wireguard network pool

  • Unraid (10.10.0.2): self-hosted under CGNAT, connected to EdgeMAX router (192.168.1.0/24 pool), downloaded config from wg-easy, imported to Unraid, it connects just fine and can access the WG network and internet through the tunnel

  • iPhone (10.10.0.3): mobile connection, imported config from wg-easy, everything works fine

The issue is that I can't access the local network (192.168.1.x) from outside, let's say iPhone, I added 192.168.1.0/24 to the AllowedIPs, but it doesn't work. Tried a lot of various configurations and setups on Unraid, but it's impossible to make it work.

Any idea?

233

The original was posted on /r/wireguard by /u/gk1924 on 2023-12-28 10:02:37+00:00.


Here is my code in Android Studio to connect to the VPN when I press a button. But when it's enabled I can't connect to the internet. Has anyone any idea what's wrong?

234

The original was posted on /r/wireguard by /u/Cultural-Water-2172 on 2023-12-28 09:21:18+00:00.


Objective: Use a cloud server as a Wireguard server and as a Nordvpn exit node.

Problem: some traffic (curl) is being redirected via Nordvpn, but not http traffic

I referenced this thread to setup my config:

Keep in mind that my Linux/routing experience is zero. So I have been doing a lot of trial and error.

What I ended up with:

If, on my Windows client, I connect via WireGuard to my Oracle Cloud server and run "curl ifconfig.me" in the Windows command prompt --> I get the NordVPN IP, so it works!

But: if I try to navigate on Windows to whatismyip.org -> I get my Oracle server IP.

This has something to do with routing obviously, but I couldn't figure it out. The oracle wg server wg0.conf is:

[Interface]
# Server Oracle
SaveConfig = false
Address = 172.16.0.0/32

ListenPort = 51820
MTU = 1350
PrivateKey = x 
# public = x 

# Same as nordvpn (nordlynx)
FwMark = 0xe1f1

PostUp = iptables -I FORWARD -o enp0s6  -j REJECT
PostUp = iptables -I FORWARD -i %i -j ACCEPT
PostUp = iptables -I FORWARD -o %i -j ACCEPT
PostUp = iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

### If I enable this, I can connect but all the packets will be refused:
#PostUp = iptables -I FORWARD -j REJECT

# NAT
PreUp = iptables -t nat -I POSTROUTING -o enp0s6 -j MASQUERADE
PreUp = iptables -t nat -I POSTROUTING -o nordlynx -j MASQUERADE

PostDown = iptables -D FORWARD -o enp0s6 -j REJECT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#PostDown = iptables -D FORWARD -j REJECT

# NAT
PostDown = iptables -t nat -D POSTROUTING -o enp0s6 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o nordlynx -j MASQUERADE

[Peer]
#pc 
PublicKey    = x
PresharedKey = x
AllowedIPs   = 172.16.0.1/32

Nordlynx.conf (nordvpn) wg configuration, retrieved using sudo wg showconf nordlynx:

[Interface]
ListenPort = 59590
FwMark = 0xe1f1
MTU = 1350
PrivateKey = x

[Peer]
PublicKey = x
AllowedIPs = 0.0.0.0/0
Endpoint = xxxxx:51820
PersistentKeepalive = 25

Note that I have a Pi-hole bound to wg0 (DNS 10.0.0.7). If I use 10.0.0.7 or 1.1.1.1 on my Windows client to navigate (thus bypassing the Pi-hole), the output IP is still the Oracle server IP (not NordVPN).

235

The original was posted on /r/wireguard by /u/YesImKian on 2023-12-28 07:54:31+00:00.

236

The original was posted on /r/wireguard by /u/bgk0018 on 2023-12-28 05:12:09+00:00.


On my phone, I'm unable to reach my services hosted on my home network via WireGuard. Interestingly enough, I do see the DNS queries hitting AdGuard Home from my phone over the VPN, which is hosted in the same network, but the service web portal I'm trying to reach (for illustration let's use the AdGuard portal) hangs indefinitely on my phone and I receive an 'address not found' response.

I run all of this in portainer. I have separate docker compose files for adguard home and wireguard but they have a common docker network they share.

All services run on the same host (192.168.68.113)

Configuration is here

237

The original was posted on /r/wireguard by /u/HeBigBusiness on 2023-12-28 04:21:17+00:00.


Edit: sorry, the title is stupid. I am really tired. Should read: “Stop outgoing traffic from the VPN server from going through the tunnel.”

My configuration on the server is this:

Interface name: wg0

[Interface]
PrivateKey=
Address=10.0.0.1/24
ListenPort=51820

[Peer]
PublicKey=
AllowedIPs=10.0.0.2/32

I can ssh from the client to the server via the tunnel, but once I try to use my package manager or other web on the server, I get errors. It seems all outgoing traffic on the server is trying to use wg0, which I don’t really want it to do.

For instance, here’s when I run on the server: ping google.com

PING google.com (142.250.190.78) 56(84) bytes of data.
From 10.0.0.1 (10.0.0.1) icmp_seq=1 Destination Host Unreachable.
ping sendmsg: Required key not available.

Meanwhile when I do: ping -I eth3 google.com (Ethernet interface) I get successful acknowledgments from ping. So I’m not sure if this is a DNS leakage issue? I’ve also made sure to drop the metric on my ip route for eth3 and raise it for wg0, eth3 is also the default route, so I’m not sure what to do to fix this.

238
Opnsense help (www.reddit.com)

The original was posted on /r/wireguard by /u/Key_Sheepherder_8799 on 2023-12-27 21:22:25+00:00.

240

The original was posted on /r/wireguard by /u/bPonya on 2023-12-27 20:02:15+00:00.


I rent a server in another country and use it as a vpn with wireguard. It works no problem over wi-fi, but with an ethernet cable over pppoe connection the handshake happens, but no traffic flows.

I don't know much about computer networks so I have no idea what's going on...

241

The original was posted on /r/wireguard by /u/Hocus55 on 2023-12-27 18:06:56+00:00.


Hi, I have a table with an update. How do I update WireGuard on Portainer? I tried recreating and pulling the image, but the update is not done.

242

The original was posted on /r/wireguard by /u/Lu5ck on 2023-12-27 13:34:13+00:00.


WireGuard uses a listening UDP port, so I am wondering...

Does the traffic that supposedly goes through the WG0 and WG1 interfaces also get recorded on eth0 due to the UDP port?

243

The original was posted on /r/wireguard by /u/Ok-Bison-8174 on 2023-12-27 11:28:06+00:00.


Hello,

I have a private network at home with several servers:

I have a MacBook (Sonoma), that also runs wireguard (192.168.2.2), let's call it B.

So basically:

B ---- internet ---- A ---- LAN ---- H1, H2

I would like to have a wireguard network that is 192.168.2 and that can talk to any host in the private network 192.168.1.

Here is A's configuration:

[Interface]
PrivateKey = xxx=
ListenPort = 51871
Address = 192.168.2.1/32

[Peer]
PublicKey = xxx=
PresharedKey = xxx=
AllowedIPs = 192.168.0.0/16

And here is B's configuration:

[Interface]
PrivateKey = xxx=
Address = 192.168.2.2/32

[Peer]
PublicKey = xxx=
PresharedKey = xxx=
AllowedIPs = 192.168.0.0/16
Endpoint = myremoteip:51871

When I connect my MacBook (B) to my server (A), B can reach A (on both 192.168.1.1 and 192.168.2.1), no problem.

But I would like B to be able to connect to H1 and H2 (like from B being able to ssh 192.168.1.4).

I understood it requires ip forwarding via sysctl and iptables stuff, but I don't really understand any of it, and the things I copy pasted didn't really work...

Could someone please assist me? Thank you very much.

And happy holidays!

245

The original was posted on /r/wireguard by /u/mailliwal on 2023-12-27 04:06:31+00:00.


Hi,

Below is content of my "wg0.conf".

[Interface]

ListenPort = 12345

PrivateKey = PRIVATE_KEY

PostUp = /etc/wireguard/postup.sh

PostDown = /etc/wireguard/postdown.sh

[Peer]

PublicKey = PUBLICKEY

AllowedIPs = 10.123.0.2/32

When I execute

wg setconf wg0 /etc/wireguard/wg0.conf

An error showed

Line unrecognized: 'PostUp=/etc/wireguard/postup.sh'

Configuration parsing error

If I remove "Post = xxx", then it's no error.

May I know the correct way to execute PostUp & PostDown?

Thanks
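A small wg-quick .conf parser with two checks that bear on the questions above, added here as an example (not code from any of the posters or from the WireGuard project): route_check tests the cryptokey-routing conditions behind posts 232 and 243 (does each side's AllowedIPs cover the destination and the source address), and setconf_rejects lists the keys that only wg-quick understands and that plain `wg setconf` refuses, as in post 245. The sample configs are constructed from post 243's A and B with placeholder keys; the check only reads AllowedIPs, so it cannot see the forwarding or NAT state on the middle host.

```python
import ipaddress

# Keys that wg-quick(8) handles itself and strips before calling wg(8); plain
# `wg setconf` does not know them and fails with "Line unrecognized".
WG_QUICK_ONLY = {"Address", "DNS", "MTU", "Table", "SaveConfig",
                 "PreUp", "PostUp", "PreDown", "PostDown"}

def parse_conf(text):
    """Parse wg-quick style text into (interface, [peer, ...]); values are lists
    because keys such as PostUp may repeat."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur.setdefault(key, []).append(val)
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return iface, peers

def _items(values):
    return [v.strip() for val in values for v in val.split(",") if v.strip()]

def allowed_networks(peer):
    """One peer's AllowedIPs as networks: WireGuard's cryptokey routing table."""
    return [ipaddress.ip_network(v, strict=False) for v in _items(peer.get("AllowedIPs", []))]

def own_addresses(iface):
    """Host addresses from Address=, keeping host bits (10.0.0.1/24 -> 10.0.0.1)."""
    return [ipaddress.ip_interface(v).ip for v in _items(iface.get("Address", []))]

def setconf_rejects(text):
    """[Interface] keys that `wg setconf` refuses; such a file needs wg-quick."""
    iface, _ = parse_conf(text)
    return sorted(k for k in iface if k in WG_QUICK_ONLY)

def route_check(local_text, remote_text, dest):
    """Why a packet from local to dest may not cross the tunnel to remote.
    Returns (problems, needs_forwarding): local must map dest to a peer; remote
    must list local's Address in that peer's AllowedIPs or it drops the packet
    (and the reply); and if dest is not remote's own address, remote must also
    forward it (ip_forward=1 plus FORWARD/NAT rules), which no .conf line proves."""
    dest = ipaddress.ip_address(dest)
    l_iface, l_peers = parse_conf(local_text)
    r_iface, r_peers = parse_conf(remote_text)
    problems = []
    if not any(dest in n for p in l_peers for n in allowed_networks(p)):
        problems.append(f"local: no peer's AllowedIPs covers {dest}")
    for src in own_addresses(l_iface):
        if not any(src in n for p in r_peers for n in allowed_networks(p)):
            problems.append(f"remote: no peer's AllowedIPs covers source {src}")
    return problems, dest not in own_addresses(r_iface)

# Constructed sample inputs modelled on post 243's A and B (placeholder keys).
A_CONF = "[Interface]\nPrivateKey = xxx=\nListenPort = 51871\nAddress = 192.168.2.1/32\n\n[Peer]\nPublicKey = xxx=\nAllowedIPs = 192.168.0.0/16\n"
B_CONF = "[Interface]\nPrivateKey = xxx=\nAddress = 192.168.2.2/32\n\n[Peer]\nPublicKey = xxx=\nAllowedIPs = 192.168.0.0/16\nEndpoint = myremoteip:51871\n"

if __name__ == "__main__":
    print(route_check(B_CONF, A_CONF, "192.168.1.4"))  # ([], True): configs fine, A must forward
    print(setconf_rejects("[Interface]\nListenPort = 12345\nPostUp = /etc/wireguard/postup.sh\n"))
```

For post 232 the same check run at the VPS hop (VPS config as local, Unraid config as remote) reports that no VPS peer's AllowedIPs covers 192.168.1.x, which is the wg-easy side of the setup to inspect before touching Unraid.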

246

The original was posted on /r/wireguard by /u/zedestroyer69 on 2023-12-27 00:57:37+00:00.


I've managed to install WireGuard on my Fire Stick 4K Max and copied one of the server's conf files to the Fire Stick, but it doesn't show up when trying to add a tunnel.

What could be the problem? Maybe I'm missing a shortcut to change the folder it's looking for the file in, since it only shows the recent files, but I'm not able to change anything.

247

The original was posted on /r/wireguard by /u/DaikiIchiro on 2023-12-26 20:18:57+00:00.


Hey Guys,

I am currently setting up a lab environment on a Hyper-v base.

One VM is running Opnsense with wireguard activated. What I would like to achieve is to set up an s2s-vpn from my router (Fritz!Box) to this virtual machine, so that I have direct access to the lab network (to simulate quasi real life conditions).

However, I can't get it set up. Is that actually possible or am I reaching a dead end?

Kind regards

Daiki

248

The original was posted on /r/wireguard by /u/realcryptopenguin on 2023-12-26 15:37:54+00:00.


Hey everyone! I'm in Egypt for a few weeks, but to my big surprise, both the VPN and the connection to my cloud MongoDB instance (I'm developing an API for a project) don't work anymore. I've dived deep, and it seems the Egyptian government uses something like DPI (deep packet inspection) to ban VPNs.

As I understood, and please help me here if you know, there's a bulletproof way using SSL (the encryption normally used for HTTPS) that can't be analyzed using DPI, or at least is much more costly to analyze.

Is there a way to configure WireGuard to use this SSL thing? For the current setup I used "curl -O " on the VPS, which made it extremely simple to set up.

250

The original was posted on /r/wireguard by /u/central_marrow on 2023-12-26 10:25:50+00:00.


I've been struggling to make any progress debugging this.

This is my first time setting up a WireGuard tunnel and not getting very far. My use case: I have a pfSense router running at home, and I want to VPN back into my network when away from home.

My server config, on the pfSense box (keys and IPs redacted)

[Interface]
ListenPort = 51820
PrivateKey = ....

[Peer]
PublicKey = ....
AllowedIPs = fd69:xxxx:xxxx::/64

And on the client - macOS Sonoma:

[Interface]
PrivateKey = ....
Address = fd69:xxxx:xxxx::xxxx:xxxx:xxxx/64

[Peer]
PublicKey = ....
AllowedIPs = fd69:xxxx:xxxx::/64, 2a02:xxxx:xxxx::/64
Endpoint = xxx.xxx.xxx.xxxx:51820

Currently I'm only interested in tunnelling v6 over v4 and I don't care about tunnelling the v4.

If I bring the tunnel up via the GUI:

  • The GUI shows the tunnel as Active
  • A tunnel interface is added (currently utun4) with the IP address ending f423 assigned to it
  • Routes to fd69:xxxx:xxxx::/64 and 2a02:xxxx:xxxx::/64 are duly added to the routing table

But, nothing works. By that I mean:

  • I can't ping6 or TCP connect to a known-up host on the 2a02 network
  • I can't ping6 the pfSense box's fd69::x:x::1 address
  • I can't even ping6 my own local fd69...f423 address

I've used Wireshark to investigate what's going on and discovered the following:

  • Capturing on the tunnel interface:
    • Traffic across the tunnel appears to be going into a black hole, the outward pings show up in the capture but there are no responses
  • Capturing on the primary interface:
    • There are no UDP packets at all on the configured 51820 port
  • Capturing on the pfSense side (with tcpdump):
    • No incoming traffic at all on 51820

My local firewall on macOS is inactive.

The pfSense firewall is allowing UDP on 51820 on the WAN interface.

I've opened the log console in macOS and in the launchd.log I see several entries that look like this:

2023-12-26 10:09:10.651460 (system) : denied lookup: name = com.apple.airportd, flags = 0x8, requestor = WireGuard[5193], error = 159: Sandbox restriction

I am not sure what this sandbox restriction refers to or how to lift it. I installed WireGuard through the App Store and it didn't ask me to grant any additional permissions on install.

I tried uninstalling and reinstalling from the app store. No change.

Halp! Any ideas before I abandon WireGuard and set up OpenVPN instead?
