WireGuard


WireGuard - a fast, modern, secure VPN Tunnel.

276

This is an automated archive.

The original was posted on /r/wireguard by /u/HumanCaptain45 on 2023-12-23 00:04:25+00:00.

277

MTU question (zerobytes.monster)

The original was posted on /r/wireguard by /u/kevors on 2023-12-22 22:01:16+00:00.


I've got two servers: remote (@R) and home (@H). They are connected over wireguard. Both have forwarding/masquerading enabled. @H's traffic goes through @R.

The default route on my desktop (@D) points to @H, so traffic from @D goes through @H and then @R.

While using @D I've noticed that some sites do not work while others do. For example, Google works, but there is no response from DuckDuckGo. But on @H both work. For example, on @H:

$ curl -v http://duckduckgo.com
*   Trying 40.114.177.156:80...
* Connected to duckduckgo.com (40.114.177.156) port 80 (#0)
> GET / HTTP/1.1
> Host: duckduckgo.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 22 Dec 2023 21:52:36 GMT
< Content-Type: text/html
< Content-Length: 162
..

But on @D:

$ curl -v http://duckduckgo.com
*   Trying 40.114.177.156:80...
* Connected to duckduckgo.com (40.114.177.156) port 80 (#0)
> GET / HTTP/1.1
> Host: duckduckgo.com
> User-Agent: curl/7.81.0
> Accept: */*
> 

and then curl just keeps waiting for a response; nothing comes back.

I've solved the problem by lowering the MTU on @D from the default 1500 to 1420, like the wg interface on @H has.

I wonder what happens in the background so that, with MTU 1500 on @D but 1420 on @H, Google works but DuckDuckGo does not?
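One way to reason about the symptom above, as an added example that is not part of the original post: a small Python model of WireGuard's fixed per-packet overhead (the origin of the 1420 default), the TCP MSS a host derives from its interface MTU, and what happens when a full-size DF segment meets the tunnel. The two server behaviours (acting on the ICMP "fragmentation needed" message, or never seeing it) are constructed cases, not measurements of the sites named in the post.

```python
"""Model of a 1500-byte-MTU client (@D) behind a 1420-byte WireGuard hop.

Added example, not from the original post. Header sizes are the fixed
WireGuard transport-packet costs; the 1420 default is 1500 minus the
80-byte worst case (IPv6 outer header). The two server behaviours are
constructed cases, not measurements of any real site.
"""

IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 20, 40, 8, 20
WG_DATA_HDR = 4 + 4 + 8   # message type, receiver index, nonce counter
WG_AUTH_TAG = 16          # Poly1305 authentication tag


def wg_tunnel_mtu(outer_mtu=1500, outer_is_ipv6=True):
    """Largest inner packet that fits in one outer UDP datagram."""
    outer_ip = IPV6_HDR if outer_is_ipv6 else IPV4_HDR
    return outer_mtu - outer_ip - UDP_HDR - WG_DATA_HDR - WG_AUTH_TAG


def advertised_mss(mtu, ipv6=False):
    """TCP MSS a host derives from an interface MTU (IP + TCP headers removed)."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


def response_outcome(client_mtu, tunnel_mtu, server_honors_icmp, server_mss=1460):
    """Trace the download direction: web server -> @R -> tunnel -> @H -> @D.

    The client's SYN carries advertised_mss(client_mtu). The server fills
    segments to min(that, server_mss) and sets DF. A segment larger than
    the tunnel MTU is dropped at tunnel ingress and an ICMP 'fragmentation
    needed' goes back to the server (path MTU discovery). A server that
    acts on it shrinks its segments; one that never sees it (filtered) or
    ignores it keeps retransmitting the same size and the client hangs.
    Returns (verdict, packet size finally used on the wire).
    """
    packet = min(advertised_mss(client_mtu), server_mss) + IPV4_HDR + TCP_HDR
    if packet <= tunnel_mtu:
        return "ok", packet
    if server_honors_icmp:
        return "ok after PMTUD", tunnel_mtu
    return "hang", packet


def mss_clamp_for(tunnel_mtu, ipv6=False):
    """MSS a forwarding host (@H) could clamp SYNs to so that no segment in
    either direction exceeds the tunnel MTU, without relying on PMTUD."""
    return advertised_mss(tunnel_mtu, ipv6)


if __name__ == "__main__":
    t = wg_tunnel_mtu()  # 1420
    for client_mtu in (1500, 1420):
        for honors in (True, False):
            print(client_mtu, "ICMP honored" if honors else "ICMP lost",
                  response_outcome(client_mtu, t, honors))
    print("SYN MSS clamp on @H:", mss_clamp_for(t))  # 1380
```

Lowering the client MTU to the tunnel MTU, as the post did, makes the advertised MSS small enough that the ICMP path is never needed; clamping the MSS on the forwarding host achieves the same for every client behind it.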

278

The original was posted on /r/wireguard by /u/chaplin2 on 2023-12-22 18:20:01+00:00.


There are mesh VPNs that use WireGuard for the tunnel part. Like, some people say that Tailscale is just a wrapper around WireGuard. In any case, I'm wondering if the WireGuard developers endorse the security of some of these mesh VPNs, particularly Tailscale.

I see the author of WireGuard on an advisory board of Tailscale!

279

The original was posted on /r/wireguard by /u/devilishTL on 2023-12-22 15:43:11+00:00.


So, I want to only put one internal IP (the server on which WireGuard runs) through the tunnel so it is just a VPN for the one internal IP and not the whole internet traffic going through it. Would I change it in here (WG_ALLOWED_IPS)? I am asking because I have seen that I have to do this here but also that I have to do it in the client config. What exactly is it now?

281

The original was posted on /r/wireguard by /u/abolinjast on 2023-12-22 07:57:06+00:00.


I've set up a WireGuard tunnel on an Ubuntu server and have imported the config on a Windows machine. I was getting connected but not receiving anything. I figured the preshared key might be the problem, so I removed the preshared key from my client config and the server as well. Now it's getting connected, but my IP doesn't change and traffic is kinda not even going through the tunnel. Please help, what might be the problem?

282

The original was posted on /r/wireguard by /u/DesktopFolder on 2023-12-22 00:00:52+00:00.


Edit: Immediately fixed this, as one generally does right after giving in and posting about an issue. The issue I had [poor explanation, probably] was that my WireGuard server instance was running within a docker container, so when I had initially tried to bind SSHD to 10.13.13.1, I had been using the wrong IP (and it didn't work...) because 10.13.13.1 didn't exist, rather I needed to bind SSHD to 172.17.0.1 (docker0)... finally, SSH success!

Been trying to get SSH to my WG server working recently and have failed despite reading as many Reddit/StackOverflow posts as I could on this issue, hoping someone here can shed some light at least on a misconception or...something.

tl;dr: With WireGuard 'remote server' configured to [Interface] Address = 10.13.13.1: ping -s 4000 10.13.13.1 while connected to WG VPN, over cellular data -> success, ssh [email protected] -> immediate Connection refused, ssh [email protected] -> success (192.168.0.23 is the local IP of the server running wireguard in docker, and sshd)

TraceRoute shows that 192.168.0.23 goes through my router, then presumably back to the server, whereas 10.13.13.1 just directly goes to the server.

More details:

  • Initially tested SSH over mobile data to check if I would be able to SSH into my server while on vacation, worked fine (lol)
  • Later found that when not on mobile data, but rather on a remote LAN, SSH hangs indefinitely (which is suggested to be a subnet conflict by posts I've read on similar issues) - I can theoretically change my home network subnet but that feels like I'd be fixing the wrong thing, even if it technically would work, as I would still not really understand the core issue.
  • I assume 10.13.13.1 isn't technically the IP of the box I'm trying to get to, but it does respond fine to pings while I'm connected to the VPN, so I don't really understand why I can't also SSH
  • sshd on the server logs that it is listening on 0.0.0.0 and :: port 22
  • SSH from my phone on data works with the destination address 192.168.0.23 and then with identical configuration but the virtual (?) IP of the wireguard server, 10.13.13.1, fails with connection refused (with no other configuration changes on the client or server), so I am assuming this cannot be a client configuration issue
  • Router does not appear to have any particular configuration that would matter here

I also tried SSHing to the server's internal domain and its IPv6 address, just in case, neither of which worked (perhaps unsurprisingly, lol)

Unfortunately, I do not really have a good enough grasp of linux networking at a high level to really know where to go from here, as it seems to me that a lot of different internal routing issues could be at fault?

Image of my server configuration, autogenerated by a WireGuard docker image:

283

The original was posted on /r/wireguard by /u/peterskurt on 2023-12-21 17:05:45+00:00.


Please read this article and tell me if this is bad news for Wireguard.

285

The original was posted on /r/wireguard by /u/gajar_ka_halva on 2023-12-21 10:55:35+00:00.


Hi,

I've installed WireGuard but I've not been able to get it to work properly, so I'm hoping for a bit of guidance here.

My set up:

Asus RT-AC68U - port forwarded to 192.168.1.150 (Ubuntu 22.04 with Wireguard installed on it along with a few other containers running things like Adguard etc)

The problem I have is that I cannot access the internet or any of the devices on my network apart from the host that runs Wireguard itself. I can't access my NAS which is on 192.168.1.204 and the GUI for my router which is on 192.168.1.2.

There is no firewall on the Ubuntu server and I'm a bit stumped as to why it is not working. I feel like the issue is on the Ubuntu server, but I've no idea where to start looking. The Ubuntu server itself has no issues connecting to other devices on the network and has access to the internet.

I used for the install

My config

Client:

[Interface] 
Address = 10.7.0.2/24 
DNS = 94.140.14.14, 94.140.15.15 
PrivateKey = .......

[Peer]
PublicKey = wafgshdjy3456
PresharedKey = wergfdsgte
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wanip:51820
PersistentKeepalive = 25

Server:

[Interface]
Address = 10.7.0.1/24
PrivateKey = asdfghdwerty
ListenPort = 51820
PostUp = nft add table ip wireguard; nft add chain ip wireguard wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule ip wireguard wireguard_chain counter packets 0 bytes 0 masquerade; nft add table ip6 wireguard; nft add chain ip6 wireguard wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule ip6 wireguard wireguard_chain counter packets 0 bytes 0 masquerade
PostDown = nft delete table ip wireguard; nft delete table ip6 wireguard

# BEGIN_PEER test
[Peer]
PublicKey = asdfggg3456
PresharedKey = asdfghg2435
AllowedIPs = 10.7.0.2/32
# END_PEER test

Maybe also worth adding that I also have an OpenVPN server running on the router itself, which works fine when I connect to it.

286

The original was posted on /r/wireguard by /u/Independent_Usual507 on 2023-12-21 04:21:15+00:00.


Hey folks, I'm working on getting my VPS hooked up to my home network through a WireGuard (WG) server I set up on my LAN. ~~It's kind of working – devices on my LAN can ping the VPS using its WG client local IP. But here's the snag: the VPS WG client can't ping any of my LAN devices, no matter if I use IP addresses or FQDNs.~~ I don't get any pings from the VPN network to the VPS or from the VPS to the VPN LAN network.

I've already added a route to the WG interface, and when I run ip route, it shows that LAN IPs are taking the WG interface route. But for some reason, I'm still stuck with the pinging issue.

I could really use some help here. As a token of my gratitude, I'm up for giving Plex access to anyone who can help me figure this out.

Oh, and by the way, my LAN is on the 10.0.0.0/24 subnet. I've heard that's not the best practice for home networks, and I'm starting to see why. I've got several static IPs set up in my home lab/network, so changing this might be a big task. I'm wondering if this subnet choice is part of the issue or if that's a project for another day.

287

The original was posted on /r/wireguard by /u/wyrdandwonderful on 2023-12-20 20:03:51+00:00.


My Wireguard server is hosted on my TrueNAS Core NAS.

If I use my client conf on my PC which is on the same LAN as the NAS, it connects without issue.

If I then use that same conf on my phone, using my 5G connection, it refuses to connect.

I have set the static port mapping on my router to 51820 and the IP of my NAS (static)

I have also included the IP of my NAS as the exposed host on the router

My understanding is that it works on my LAN since it isn't going outside the router in order to connect.

My conf contains the WAN IP of my router.

I am unsure as to what I should do next - I have not discounted that my conf may be the issue, as I cannot see why my router would be blocking a UDP connection to my NAS.

Any help would be very much appreciated! Let me know if you require any specific information.

288

The original was posted on /r/wireguard by /u/L0wLatency on 2023-12-20 19:27:34+00:00.


When I restart my PC the tunnel is not reconnected because:

"unable to resolve one or more DNS hostname endpoints"

shutting down...

When I open the manager and click activate there is no issue resolving the (D)DNS and it connects no problem.

I tried delayed start of the service but this does not seem to be the issue...

Anyone know why this is, what the workaround is?

thanks

Steven

289

The original was posted on /r/wireguard by /u/Tharunx on 2023-12-20 15:45:08+00:00.


I live in a country where certain websites are blocked. There are more censorship rules that our government is trying to put (this is very bad).

I am trying to set up a WireGuard split tunnel following these simple instructions here on a server in another country (Australia); they do not block any websites that we want access to.

I have successfully followed the instructions and have set up a WireGuard split tunnel. But censorship still exists. I cannot access the websites that are blocked at all. What am I doing wrong?

Edit: I am giving access to this tunnel to my friends and family. We don't want ISPs snooping on us, sharing our data. I will also share the instructions with other people and try to spread this information.

291

The original was posted on /r/wireguard by /u/abuaz on 2023-12-20 11:42:18+00:00.


Hello Everyone,

I've configured a new WireGuard Client on my UDR Pro but encountered an issue when trying to ping local IP addresses on the VPN host.

I've set up a traffic route to direct all internet traffic from my device over the VPN interface. The VPN connects as intended, and I can confirm that public internet traffic is correctly routed.

Interestingly, using another router (gl-iNet) with the same WireGuard config, I could successfully ping local devices on the VPN host.

Any ideas if this is a bug or a setup issue?

292

The original was posted on /r/wireguard by /u/noot-noot99 on 2023-12-20 09:43:05+00:00.


I would like to know if the speed of WireGuard should be better than OpenVPN on the same hardware. In my experience OpenVPN is still the better choice for bandwidth. But reading that WireGuard is so much better and faster confuses me on this.

I've tried this on 2 pieces of hardware: a Raspberry Pi 4 and a 2015 MacBook Air connected to LAN. Roughly 700 Mbit is available. I'm only getting 15 Mbit throughput using WireGuard, while OpenVPN can go to 40-50 Mbit.

293

The original was posted on /r/wireguard by /u/that_one_guy63 on 2023-12-20 05:25:00+00:00.


Whenever I'm trying to connect to my self-hosted WireGuard server on my Mac, if it doesn't receive data within the first few seconds it will never connect unless I deactivate and activate. I end up having to activate and deactivate a few times before it's able to connect. When I'm closer to the server it's better, but the further away the worse it gets. That seems to make sense that it gets harder to connect further away, but then I pull out my Android phone and WireGuard connects immediately (works every time, no matter how far away I am). Why is the Mac client not this seamless?

Is anyone else experiencing this?

I'm on MacOS 13.3.1 (Ventura), M1 Macbook Pro.

294

The original was posted on /r/wireguard by /u/Standard-Summer-4748 on 2023-12-20 01:27:37+00:00.


Any Wireguard wizards can help me improve my tunneling experience?

I'm using SSH's -R feature to bind a local port (ex: 443) to a remote VPS, which is then handled by an nginx reverse proxy on said VPS. My ssh looks like this: ssh -R 8000:localhost:443 user@vps-IP

How could I achieve the same thing, so that port 8000 is bound to the VPS, but using just WireGuard instead?

SSH is usable, but TCP over TCP is killing performance.

295

The original was posted on /r/wireguard by /u/imenmyself1234 on 2023-12-20 00:48:21+00:00.


Looking for the fastest WireGuard router (800 Mbps+) with VPN Fusion capability.

296

The original was posted on /r/wireguard by /u/RayGunner on 2023-12-19 22:23:55+00:00.


Looking for opinions as I've never dealt with anything like this before.

I am bringing on a remote worker. I have set up a 2nd computer in my office that they are going to remote into to do the work. Security is very important as there will be sensitive client information on the computer.

I posed the question in sysadmin, and to the person I use for IT support. From the feedback I've received, if I am going to go with a physical desktop instead of a virtual machine, and if security is a priority for me, it's to use WireGuard for the VPN to remote in.

My question is about the WireGuard deployment itself for the remote worker. Is it a hard, time-consuming task? My IT guy is saying it's a PITA and takes a significant amount of time to set up.

The reason I am asking is because it will not always be the same person at the same computer remoting into the system. If the setup on the remote worker's computer can't be managed easily, I am going to need to re-think my setup.

Thanks!

297

The original was posted on /r/wireguard by /u/devilishTL on 2023-12-19 20:29:54+00:00.


So, I want to set up WireGuard on TrueNAS to connect to the PC via WireGuard from outside my network. But I can't really find any good documentation for what values/addresses I need to put in the different boxes.

These are the values I would need. These currently are the standard values:

298

The original was posted on /r/wireguard by /u/Kindly_Ad_342 on 2023-12-19 16:54:03+00:00.


Is it considered enterprise ready? Can we find firewalls running it?

299

The original was posted on /r/wireguard by /u/Capital_Ad4025 on 2023-12-19 16:03:22+00:00.


Mullvad VPN supports UDP over TCP for the WireGuard protocol. However, are there any up-to-date WireGuard servers (or forks of it) that I can self-host which support UDP over TCP and have user-friendly Android and Windows clients?

I came across tunsafe but the project seems dead. And I also had issues with the Android client.

I also checked past posts on this subreddit and came across Phantum. But it doesn't seem to have any user friendly app on Android.

300

The original was posted on /r/wireguard by /u/GetInHereStalker on 2023-12-19 00:33:19+00:00.


I was using WireGuard on a mini PC as a gateway between the internet and my PC, which I was accessing via RDP. Everything was working fine, but then I needed to move the network to a different building. Roughly what I did:

  1. Figured out what local wireguard lan ip was and copied port forwarding settings exactly from old router to new one (office moved), obviously changing just the IP of the local device which was obviously a bit different on the new network. Original port, fwd to port, protocol (UDP) I copied from the old settings that worked.
  2. I AM able to SSH in if I port forward directly to that IP on port 22 (TCP), but that's not what we want. Just doing this to eliminate other possibilities.
  3. On my home machine from which I remote in, I changed the WG tunnel to the new IP obviously.

Did I miss anything?
