Ping a Specific Port

Question

tai

Asked: 2024-09-14 01:41:06 +0800 CST2024-09-14 01:41:06 +0800 CST 2024-09-14 01:41:06 +0800 CST

Wireguard client can't access internet

772

Problem

I want to use Wireguard as a VPN to be able to access my LAN devices remotely and at the same time be able to route traffic through my local Pi-hole to block ads and be safe on untrusted networks.

Thus, I set up Wireguard with Pi-hole using Pi-hole's tutorial on Wireguard. I followed all steps quite pedantic and after setting everything up, I'm able to access the server via 10.100.0.1 on my client, but nothing else - neither any website nor local devices.

What I did so far:

create a Wireguard configuration just as stated here
create a client configuration exactly as stated here
make my client be able to tunnel all internet traffic through Wireguard as described here
alter the 99-sysctl.conf file to enable ip forwarding and enable NAT on the server as stated here

I have no idea what's missing.

Here's the contents of my conf files:

wg0.conf

Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 47111
PrivateKey = redacted

PostUp = nft add table ip wireguard; nft add chain ip wireguard wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule ip wireguard wireguard_chain counter packets 0 bytes 0 masquerade; nft add table ip6 wireguard; nft add chain ip6 wireguard wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule ip6 wireguard wireguard_chain counter packets 0 bytes 0 masquerade
PostDown = nft delete table ip wireguard; nft delete table ip6 wireguard

[Peer]
PublicKey = redacted
PresharedKey = redacted
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128

client.conf

[Interface]
Address = 10.100.0.2/32, fd08:4711::2/128
DNS = 10.100.0.1
PrivateKey = redacted

[Peer]
#AllowedIPs = 10.100.0.1/32, fd08:4711::1/128
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = mydoma.in:47111
PersistentKeepalive = 25
PublicKey = redacted
PresharedKey = redacted

output of ip route

default via 192.24.0.1 dev enp6s0 proto dhcp src 192.24.0.3 metric 100 
10.0.0.0/24 dev br-2747fb0d94d8 proto kernel scope link src 10.0.0.1 
10.100.0.0/24 dev wg0 proto kernel scope link src 10.100.0.1 
10.178.40.0/24 dev tun0 proto kernel scope link src 10.178.40.1 
192.17.0.0/16 dev docker0 proto kernel scope link src 192.17.0.1 linkdown 
192.18.0.0/16 dev br-cb5d7cb9fc9b proto kernel scope link src 192.18.0.1 
192.19.0.0/16 dev br-6fa7708a9945 proto kernel scope link src 192.19.0.1 
192.20.0.0/16 dev br-0003ef5216eb proto kernel scope link src 192.20.0.1 
192.21.0.0/16 dev br-5779db6c38ec proto kernel scope link src 192.21.0.1 
192.22.0.0/16 dev br-0b6ecf5437f9 proto kernel scope link src 192.22.0.1 linkdown 
192.23.0.0/16 dev br-9813798ea15d proto kernel scope link src 192.23.0.1 
192.24.0.0/24 dev enp6s0 proto kernel scope link src 192.24.0.3 metric 100 
192.25.0.0/16 dev br-bd655dfed23b proto kernel scope link src 192.25.0.1 linkdown

wireguard client log output

--------- beginning of main
09-17 15:55:49.839 27728 27791 I WireGuard/GoBackend: Bringing tunnel wireguard_vpn UP
09-17 15:55:49.840 27728 27791 D WireGuard/GoBackend: Requesting to start VpnService
09-17 15:55:49.935 27728 27791 D WireGuard/GoBackend: Go backend 2163620
09-17 15:55:49.937 27728 27791 D WireGuard/GoBackend/wireguard_vpn: Attaching to interface tun0
09-17 15:55:49.941 27728 27791 D WireGuard/GoBackend/wireguard_vpn: UAPI: Updating private key
09-17 15:55:49.942 27728 27791 D WireGuard/GoBackend/wireguard_vpn: UAPI: Removing all peers
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 3 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 6 - started
09-17 15:55:49.942 27728 27797 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 1 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 3 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 3 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 4 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 2 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 1 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 5 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 5 - started
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 4 - started
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 6 - started
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 8 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 5 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 6 - started
09-17 15:55:49.942 27728 27959 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 1 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 7 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 8 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 7 - started
09-17 15:55:49.942 27728 27797 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 2 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 8 - started
09-17 15:55:49.942 27728 27959 D WireGuard/GoBackend/wireguard_vpn: Routine: TUN reader - started
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 7 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: event worker - started
09-17 15:55:49.943 27728 27957 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 2 - started
09-17 15:55:49.943 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Created
09-17 15:55:49.943 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Adding allowedip
09-17 15:55:49.943 27728 27955 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 4 - started
09-17 15:55:49.944 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Adding allowedip
09-17 15:55:49.944 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Updating endpoint
09-17 15:55:49.944 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Updating persistent keepalive interval
09-17 15:55:49.944 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Updating preshared key
09-17 15:55:49.947 27728 27791 D WireGuard/GoBackend/wireguard_vpn: UDP bind has been updated
09-17 15:55:49.947 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Starting
09-17 15:55:49.947 27728 27955 D WireGuard/GoBackend/wireguard_vpn: Routine: receive incoming v6 - started
09-17 15:55:49.947 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Sending keepalive packet
09-17 15:55:49.947 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Sending handshake initiation
09-17 15:55:49.947 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: receive incoming v4 - started
09-17 15:55:49.947 27728 27803 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Routine: sequential sender - started
09-17 15:55:49.947 27728 27957 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Routine: sequential receiver - started
09-17 15:55:49.948 27728 27791 D WireGuard/GoBackend/wireguard_vpn: Interface state was Down, requested Up, now Up
09-17 15:55:49.948 27728 27791 D WireGuard/GoBackend/wireguard_vpn: Device started
09-17 15:55:49.968 27728 27957 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Received handshake response

System Information

Server

Xubuntu 24.04.1 LTS
64GB RAM
Pi-hole installed via install script (non-dockerized)
Wireguard installed via install script (non-dockerized)
UFW enabled, udp allow 47111/udp done

Router

FRITZ!Box with port forwarding for 47111/UDP enabled

Client

GrapheneOS / Android 14
Wireguard F-Droid
config parsed via QR code

If someone would provide me with hints of any type, I'd be very grateful.

Thanks a lot in advance.

1 Answers

Voted

tai · Answer 1 · 2024-09-17T22:06:48+08:00

Best Answer

tai

2024-09-17T22:06:48+08:002024-09-17T22:06:48+08:00

ChatGPT was quite helpful here.

Some ufw adjustments had to be done besides allowing 47111/udp:

sudo ufw allow in on wg0
sudo ufw allow out on wg0
sudo ufw route allow in on wg0 out on enp6s0
sudo ufw route allow in on enp6s0 out on wg0

Afterwards, the problem was gone. Maybe this helps someone.

0

Wireguard client can't access internet

Problem

System Information

Server

Router

Client

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?