AivanF.

Asked: 2020-03-12 16:53:58 +0800 CST

Cannot setup WireGuard VPN

My goal is to create a VPN so

Clients have static IP addresses.
Clients are able to communicate with each other and the server,
Clients can reach global Internet through the VPN.
Also, I'd like to setup DNS and private domain names (working with NginX).

Here is config of the server:

[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = xxxxx

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0

And client's config:

[Interface]
PrivateKey = xxxxx
ListenPort = 5555
Address = 10.0.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server ip>:5555

But when I'm trying to load server's config wg setconf wg0 /etc/wireguard/wg0.conf I get this error:

Line unrecognized: `Address=10.0.0.1/24'
Configuration parsing error

Thus I commented this line. But it probably makes WG choose random IP addresses for the server and clients.

To make WireGuard work, I also ran these commands:

ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.0.1/24
ip link set up dev wg0

After all, wg commands provides the following output:

interface: wg0
  public key: xxxxx
  private key: (hidden)
  listening port: 5555

peer: xxxxx
  endpoint: <my IP address>:6228
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 11 seconds ago
  transfer: 26.02 KiB received, 248 B sent

From the client (which is MacOS with WireGuard GUI) I'm able to connect, but:

I get no Internet connection. I even can't ping the server by global IP address, though I can with the private one, 10.0.0.1.
I'm able to get connected to VPN even if I change the port in client's config. I think it means that it doesn't really get connected.

So, how can I achieve my goals? And what's wrong with my configs??

_{PS. Neither iptables nor firewalls are installed on the server, so it can't be a problem. Also, I have specified net.ipv4.ip_forward=1 & net.ipv6.conf.all.forwarding=1 in the /etc/sysctl.conf.

Software versions. OS is Ubuntu 18.04.4 LTS, Kernel: 4.15.0-20-generic, WG: wireguard-tools v1.0.20200206.}

Update

I removed Address from server's config, and set AllowedIPs = 10.0.0.2/24 in the client's one, I finally got connected to the server's NginX from client by private IP, and able to reach the Internet (coz traffic goes outside VPN).

But if I set AllowedIPs = 0.0.0.0/0 on the client, I have no Internet access, though still can reach server by VPN's IP address 10.0.0.1. I tried solving it with ifconfig wg0 broadcast/multicast, but had no success. Now the command ip address show wg0 provides the following output:

4: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.10.10.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet 10.10.10.1 peer 10.10.10.2/32 scope global wg0
       valid_lft forever preferred_lft forever

In addition, I cannot access one client from another, I think it's the same problem. How can I fix WireGuard configs or server network settings to solve the problem?

AivanF.

Asked: 2019-09-05 22:55:56 +0800 CST

NginX SSL doesn't work with Python requests, but works with browsers

I have a tiny web server with Python (v3.6), Flask (v1.1.1) & NginX (v1.16.1). I have got and set an SSL certificate from sslforfree.com. Everything works fine when I visit pages using any browser, but I cannot access it using Python scripts and requests lib:

import requests
print(requests.get('https://www.some-project.com'))

Traceback (most recent call last):
  File "/anaconda3/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 441, in wrap_socket
    cnx.do_handshake()
  File "/anaconda3/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1907, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/anaconda3/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
    _raise_current_error()
  File "/anaconda3/lib/python3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/anaconda3/lib/python3.6/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/anaconda3/lib/python3.6/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/anaconda3/lib/python3.6/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/anaconda3/lib/python3.6/site-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/anaconda3/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 329, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/anaconda3/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 448, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/anaconda3/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/anaconda3/lib/python3.6/site-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/anaconda3/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='www.some-project.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/aivanf/Desktop/some-project/py-API/test.py", line 55, in <module>
    main()
  File "/Users/aivanf/Desktop/some-project/py-API/test.py", line 49, in main
    print(requests.get(MAIN_URL))
  File "/anaconda3/lib/python3.6/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/anaconda3/lib/python3.6/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/anaconda3/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/anaconda3/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/anaconda3/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.some-project.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

I tried to do the same from different computers, to update OpenSSL, root certificates, but nothing helped... What's the problem? Why all the browsers works fine with the website, but Python does not? How to solve it?

Also, accessing https://sslforfree.com itself works well, though it's certificates is very similar to mine. So, I guess the problem is with my NginX config:

Here is my NginX config:

ssl_certificate /var/www/ssl/ca.crt;
ssl_certificate_key /var/www/ssl/private.key;

# Redirect @ to www
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name  some-project.com;
    rewrite ^ https://www.some-project.com$request_uri?;
}

# Redirect www HTTP to HTTPS
server {
    listen 80;
    server_name  www.some-project.com;
    rewrite ^ https://www.some-project.com$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name  www.some-project.com;

    include /etc/nginx/vhosts-includes/*.conf;

    # Static Content
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /var/www/some-project/;
    }

    location / {
        default_type "text/html";
        alias /var/www/some-project/static/;
    }
}

server {
    listen 443 ssl;
    server_name  api.some-project.com;

    # Reverse Proxy
    location / {
        proxy_pass http://localhost:5926;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Cannot setup WireGuard VPN

Update

NginX SSL doesn't work with Python requests, but works with browsers

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

AivanF.'s questions

Update