My goal is to create a VPN so
- Clients have static IP addresses.
- Clients are able to communicate with each other and the server,
- Clients can reach global Internet through the VPN.
- Also, I'd like to setup DNS and private domain names (working with NginX).
Here is config of the server:
[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = xxxxx
[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0
And client's config:
[Interface]
PrivateKey = xxxxx
ListenPort = 5555
Address = 10.0.0.2/32
DNS = 8.8.8.8
[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server ip>:5555
But when I'm trying to load server's config wg setconf wg0 /etc/wireguard/wg0.conf I get this error:
Line unrecognized: `Address=10.0.0.1/24'
Configuration parsing error
Thus I commented this line. But it probably makes WG choose random IP addresses for the server and clients.
To make WireGuard work, I also ran these commands:
ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.0.1/24
ip link set up dev wg0
After all, wg commands provides the following output:
interface: wg0
public key: xxxxx
private key: (hidden)
listening port: 5555
peer: xxxxx
endpoint: <my IP address>:6228
allowed ips: 0.0.0.0/0
latest handshake: 2 minutes, 11 seconds ago
transfer: 26.02 KiB received, 248 B sent
From the client (which is MacOS with WireGuard GUI) I'm able to connect, but:
- I get no Internet connection. I even can't ping the server by global IP address, though I can with the private one,
10.0.0.1. - I'm able to get connected to VPN even if I change the port in client's config. I think it means that it doesn't really get connected.
So, how can I achieve my goals? And what's wrong with my configs??
PS. Neither iptables nor firewalls are installed on the server, so it can't be a problem. Also, I have specified net.ipv4.ip_forward=1 & net.ipv6.conf.all.forwarding=1 in the /etc/sysctl.conf.
Software versions. OS is Ubuntu 18.04.4 LTS, Kernel: 4.15.0-20-generic, WG: wireguard-tools v1.0.20200206.
Update
I removed Address from server's config, and set AllowedIPs = 10.0.0.2/24 in the client's one, I finally got connected to the server's NginX from client by private IP, and able to reach the Internet (coz traffic goes outside VPN).
But if I set AllowedIPs = 0.0.0.0/0 on the client, I have no Internet access, though still can reach server by VPN's IP address 10.0.0.1. I tried solving it with ifconfig wg0 broadcast/multicast, but had no success. Now the command ip address show wg0 provides the following output:
4: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.10.10.1/24 scope global wg0
valid_lft forever preferred_lft forever
inet 10.10.10.1 peer 10.10.10.2/32 scope global wg0
valid_lft forever preferred_lft forever
In addition, I cannot access one client from another, I think it's the same problem. How can I fix WireGuard configs or server network settings to solve the problem?
Use
wg-quickinstead ofwgwith the config file and it would work ;-). You wrote you are using directlywgcommand which uses a different configuration file format, resulting in the error:What you can also check:
Split the Address line to have correct config on the server:
on client side there should be also Endpoint to know where to connect and also the netmask would match (be the same) with server side so in this case /24:
You can try with both Address on one line but for sure the mask /24 should be the same on both sides.
Well, in several of days, nights, and killed servers, I solved all the problems myself
:)Firstly, I'd like to mention that
wgandwg-quickutilities treats config files differently. So, mywg setconf wg0 /etc/wireguard/wg0.confdidn't work the expected way, and I guess it uses old config format. Now I usewg-quickthroughsystemctl.Secondly, my addition of
net.ipv4.ip_forward=1to the file/etc/sysctl.confdidn't work even though I calledsystemctl daemon-reload ; systemctl restart systemd-networkd. I had to link config with the kernel usingsysctl -p /etc/sysctl.confcommand. This allows peers to communicate with each other and reach the Internet through VPN.It's good to mention that for all the
Addressnotes it's better to use subnet mask of 32 bits, which means an exact IP, not a range.In addition, I've set up custom DNS with BIND9 to create own domain in the network. And NginX with sender's IP address checking to restrict access to VPN's clients only.
For now, my configs are as follows.
Server
Client
Ok solved the wireguard "Line unrecognized Address=" with
wg show wg0NOT using wg-quick.Just removed/commented the line in config
Address = x.x.x.xin /etc/wireguard/wg0.confMy setup on Debian/ubuntu.