
wireguard not working #18

Closed
UncleJ4ck opened this issue Jun 5, 2023 · 5 comments

Comments


UncleJ4ck commented Jun 5, 2023

I'm trying to set up a WireGuard VPN on an Ubuntu server.

uname -a

Linux suricata 5.15.0-73-generic #80-Ubuntu SMP Mon May 15 15:18:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release

PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

I installed the VPN server using the default options, except for the DNS, where I used my current DNS resolvers.

The wg0.conf on my server:

# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT 163.114.159.100

[Interface]
Address = 10.7.0.1/24
PrivateKey = *****
ListenPort = 51820

# BEGIN_PEER wg0
[Peer]
PublicKey = *****
PresharedKey = *****
AllowedIPs = 10.7.0.2/32
# END_PEER wg0

sudo iptables -nvL; sudo iptables -nvL -t nat

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.7.0.0/24          0.0.0.0/0
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  127  7304 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:163.114.159.100

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0

The internet is working and the interface is up. When I move the client conf to the client machine, I don't have any internet access, and I can't access the VPN server IP; I tried to ping it back and it doesn't work, and nothing is working.

The client config (cat /etc/wireguard/wg0.conf):

[Interface]
Address = 10.7.0.2/24
DNS = 163.114.159.11, 163.114.159.12
PrivateKey = *****

[Peer]
PublicKey = *****
PresharedKey = *****
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 163.114.159.100:51820
PersistentKeepalive = 25

root@test-VirtualBox:~# sudo iptables -nvL; sudo iptables -nvL -t nat
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

And even when I try to enable and start the service using systemctl, it fails:

× wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2023-06-05 03:33:07 CEST; 42s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 14796 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
   Main PID: 14796 (code=exited, status=1/FAILURE)
        CPU: 15ms

juin 05 03:33:07 test-VirtualBox systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
juin 05 03:33:07 test-VirtualBox wg-quick[14796]: wg-quick: `wg0' already exists
juin 05 03:33:07 test-VirtualBox systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/>
juin 05 03:33:07 test-VirtualBox systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
juin 05 03:33:07 test-VirtualBox systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.

From the server, I try to ping my client:

ubuntu@suricata:~/wireguard-install$ ping 10.7.0.2
PING 10.7.0.2 (10.7.0.2) 56(84) bytes of data.
From 10.7.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Destination address required
^C
--- 10.7.0.2 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3072ms

And from the client, it times out and fails.

hwdsl2 (Owner) commented Jun 5, 2023

@UncleJ4ck Hello! Thanks for providing the details in this issue. First, please uninstall and reinstall WireGuard on your server to generate new keys. I've redacted some keys from your post which shouldn't be posted publicly.

First, check whether you can connect to this WireGuard server using a different client, such as Windows, macOS, Android or iOS. I suspect that the issue is most likely with the WireGuard configuration on your Linux client (in VirtualBox). This step can confirm whether the server itself works correctly. If the server is fine, feel free to close this issue and instead look into configuring your WireGuard client on Linux.

In addition, I noticed that the two DNS servers you specified are in the same subnet as the WireGuard server. Although unlikely, WireGuard clients might not be able to connect to those servers; you can try using a different public DNS server and see if that works.

Your server seems to have Docker installed, and although unlikely, this could interfere with the IPTables rules for WireGuard. When you have a client successfully connected, the IPTables output should have a positive number (instead of 0) on this line:

    0     0 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:163.114.159.100
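
As an added diagnostic (not from this thread or the wireguard-install project), the following Python parses `iptables -nvL` output and reports the packet counters on the two rules a client must hit: the UDP 51820 ACCEPT in INPUT and the SNAT for 10.7.0.0/24 in nat POSTROUTING, the counter referred to above. It goes slightly beyond the comment by also checking the INPUT rule, which separates "no handshake traffic arrived" from "traffic arrived but is not forwarded". The embedded samples are constructed with non-zero counters; subnet and port default to the values in this issue.

```python
import re

# Constructed samples modelled on this issue's server output, with the non-zero
# counters a server that has a connected client would show.
FILTER_SAMPLE = """Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  4588 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
"""
NAT_SAMPLE = """Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
   17  1428 SNAT       all  --  *      *       10.7.0.0/24         !10.7.0.0/24          to:163.114.159.100
"""

# A rule line of `iptables -nvL`: pkts bytes target prot opt in out src dst [extra]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)" + r"\s+(\S+)" * 7 + r"\s*(.*)$")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out",
          "source", "destination", "extra")

def parse_chains(text: str) -> dict:
    """Group the rule lines of an iptables listing by chain name."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif (m := RULE_RE.match(line)) and current is not None:  # header lines do not match
            rule = dict(zip(FIELDS, m.groups()))
            rule["pkts"], rule["bytes"] = int(rule["pkts"]), int(rule["bytes"])
            rule["extra"] = rule["extra"].strip()
            chains[current].append(rule)
    return chains

def find_rule(chains: dict, chain: str, **want):
    """First rule in `chain` whose named fields all equal the wanted values."""
    for rule in chains.get(chain, []):
        if all(rule.get(k) == v for k, v in want.items()):
            return rule
    return None

def wg_counters(filter_out: str, nat_out: str,
                subnet: str = "10.7.0.0/24", port: int = 51820) -> dict:
    """Counters on the rules a client must hit; None means the rule is absent."""
    # 0 on INPUT: no handshake packets reached the server at all.
    # 0 on SNAT: no client traffic is being forwarded out to the internet.
    inp = find_rule(parse_chains(filter_out), "INPUT", target="ACCEPT",
                    prot="udp", extra=f"udp dpt:{port}")
    snat = find_rule(parse_chains(nat_out), "POSTROUTING", target="SNAT", source=subnet)
    return {"udp_listen_pkts": inp["pkts"] if inp else None,
            "snat_pkts": snat["pkts"] if snat else None}
```

On a live server, feed it the output of `sudo iptables -nvL` and `sudo iptables -nvL -t nat` captured after a client has attempted to connect; on the server in this issue both counters would still read 0.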

UncleJ4ck (Author) commented:

I tried a different DNS server (Google public DNS server) but it didn't work; it's the same. I tried it on a Windows machine and it's not working. Can you please provide instructions on using the .conf on the client machine for Linux, because it's not working.

Thank you

hwdsl2 (Owner) commented Jun 5, 2023

@UncleJ4ck Unfortunately I don't have the instructions for configuring WireGuard clients on Linux. You'll need to look into that yourself.

If it also doesn't work on Windows, it is possible that Docker on your server interferes with the IPTables rules for WireGuard. I would suggest that you set up WireGuard on a new server without Docker installed. The script was tested and confirmed working with Ubuntu 22.04; it is most likely not an issue with the script.

If you have additional information feel free to reply here.

hwdsl2 closed this as completed Jun 5, 2023

UncleJ4ck (Author) commented:

I tried to install it in a Debian VM without Docker and it's not working. I tried it with an Android phone and it's the same: I can't ping the server back and the internet connection gets caught.

hwdsl2 (Owner) commented Jun 7, 2023

@UncleJ4ck I tested the script on a new Ubuntu 22.04 cloud server, and was able to successfully connect using a WireGuard client. So the issue is most likely not with the script.

Maybe the issue is with your VM's network configuration, or it could be the network connection between your WireGuard client and server is unstable (e.g. blocked by GFW). I would suggest that you instead set up the WireGuard server on a cloud server provider, such as DigitalOcean or OVH.
