Issue with setting up Wireguard VPN

Yesterday I started configuring Wireguard VPN and I have some problems for which I couldn’t find any solutions on the internet. Does anyone have any idea what could be wrong? Basically I scanned the QR code in my Android app and it connects to the VPN (I think so, since I get the VPN icon next to the network on my Android device), but I don’t see any of my home devices, nor any of the public webpages.

I will post my config files here:

Server config:

[Interface]
PrivateKey = key
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
ListenPort = 51820

begin user###

[Peer]
PublicKey = key
PresharedKey = key
AllowedIPs = 10.6.0.2/32

end user###

User config:

[Interface]
PrivateKey = privatekey
Address = 10.6.0.2/24
MTU = 1420
DNS = 10.6.0.1

[Peer]
PublicKey = publickey
PresharedKey = key
Endpoint = ip
AllowedIPs = 0.0.0.0/0, ::0/0

First off, Wireguard doesn’t work like most VPNs because it doesn’t have a connection in the common sense. Over-simplifying it, Wireguard just forwards traffic to a given IP address. Therefore, as long as the Wireguard interface is enabled, the key icon will be displayed by Android because it is forwarding traffic as specified, but that traffic may not be going to the intended location.

I have found on Android passing IPv6 traffic through Wireguard does not work well. I generally do not include “::0/0” in the AllowedIPs.

Check out @PhaseLockedLoop’s Wireguard guide here, where you’ll find significantly more information that should help point you in the right directions.


At user config, you may want to have:
Endpoint = ip:51820 (the port that you have set in your wireguard “server”).

Unfortunately, wireguard works in a quirky way. If you enable wireguard, it will show that it is enabled; however, that doesn’t mean you have an established and working tunnel. For that, you need to see traffic going in and out of your tunnel. You can verify by adding to your User config:
PersistentKeepalive = 21
With persistent keepalive, you should see both traffic out and traffic in. If you only see out, but not in, your tunnel isn’t working.

Also, I suggest you remove the MTU (you don’t need it) and the DNS. I found that DNS only worked in the Windows client for some odd reason, had issues with it in Fedora and Void Linux. Your DNS queries will be sent over the VPN anyway.

I also suggest you go to PLL’s Wireguard guide and follow it step by step, including setting the sysctl.conf forwarding stuff.

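The reply above makes the point that a working tunnel shows traffic in both directions, and that the keepalive makes that visible. The same check can be read on the server side from `wg show wg0 dump`. The script below is an added example, not code from the thread: it parses that dump format (interface line first, then one tab-separated line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as unix seconds, RX bytes, TX bytes, keepalive) and gives each peer a verdict. The dump text is constructed sample data with placeholder keys, and `read_live_dump` is a helper name chosen here.

```python
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `wg show wg0 dump` output (tab-separated, keys are
# placeholders). Line 1 is the local interface; each further line is a peer:
# public key, preshared key, endpoint, allowed IPs, latest handshake (unix
# seconds, 0 = never), RX bytes, TX bytes, persistent keepalive.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "SERVERPRIV=\tSERVERPUB=\t51820\toff",
    # peer that never completed a handshake (nothing from it ever decrypted)
    "PEER1PUB=\tPSK1=\t(none)\t10.6.0.2/32\t0\t0\t0\toff",
    # healthy peer: recent handshake, bytes flowing both ways
    f"PEER2PUB=\tPSK2=\t203.0.113.7:41234\t10.0.0.3/32\t{NOW - 12}\t8492\t12760\t21",
    # peer whose packets arrive but the server never sends anything back
    f"PEER3PUB=\tPSK3=\t203.0.113.9:50001\t10.0.0.4/32\t{NOW - 30}\t1320\t0\t21",
])


@dataclass
class PeerState:
    public_key: str
    endpoint: str
    allowed_ips: str
    handshake_age: Optional[int]  # seconds since last handshake; None = never
    rx_bytes: int                 # bytes received from the peer
    tx_bytes: int                 # bytes sent to the peer


def parse_wg_dump(dump: str, now: int) -> List[PeerState]:
    """Turn `wg show <iface> dump` text into PeerState records."""
    peers: List[PeerState] = []
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:  # lines[0] describes the local interface
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = fields
        hs_ts = int(hs)
        peers.append(PeerState(pub, endpoint, allowed,
                               None if hs_ts == 0 else now - hs_ts,
                               int(rx), int(tx)))
    return peers


def diagnose(peer: PeerState, stale_after: int = 180) -> str:
    """Return a short verdict code for one peer, as seen from the server."""
    if peer.handshake_age is None:
        # Nothing from this peer was ever decrypted: its packets are not
        # reaching the listen port (NAT / port forward), or the keys differ.
        return "no-handshake"
    if peer.handshake_age > stale_after:
        # WireGuard re-handshakes about every two minutes while traffic flows,
        # so an older handshake means the tunnel has gone quiet.
        return "stale-handshake"
    if peer.rx_bytes > 0 and peer.tx_bytes == 0:
        # We decrypt the peer's packets but never answer: replies are not being
        # routed back into wg0 (forwarding / NAT), or the peer's source address
        # is not covered by its AllowedIPs so its packets are dropped.
        return "no-return-traffic"
    return "healthy"


def read_live_dump(iface: str = "wg0") -> str:
    """Hypothetical helper: fetch the real dump (needs root on the server)."""
    return subprocess.run(["wg", "show", iface, "dump"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for p in parse_wg_dump(SAMPLE_DUMP, NOW):
        print(f"{p.public_key:<12} rx={p.rx_bytes:>6} tx={p.tx_bytes:>6} -> {diagnose(p)}")
```

On a real server replace `SAMPLE_DUMP` with `read_live_dump("wg0")` and `NOW` with `int(time.time())`; the "no-handshake" verdict is the one that matches a phone whose packets never arrive at all, which is what the later tcpdump replies in this thread try to establish.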

Don’t forget port forwarding :wink:

DNS = 10.6.0.1

Where’s 10.6.0.1?

Can you ping 1.1.1.1 from your phone? Can you try setting 1.1.1.1 as DNS?

While trying to ping 1.1.1.1 can you try simultaneously looking at tcpdump -ni wg0 icmp on the server and perhaps also tcpdump -ni wlan0 host 1.1.1.1

Perhaps you need to enable IPv4 forwarding on the server.

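The question "where's 10.6.0.1?" can be asked mechanically. The script below is an added example, not from the thread: it reads the two configs posted at the top (constructed copies with placeholder keys; note the poster later says the real Endpoint does include the port) and reports where they disagree with each other: peer AllowedIPs or client Address outside the server's tunnel subnet, a private DNS address that no tunnel host owns, an Endpoint without a port, and, as information only, IPv6 routed into the tunnel. It does not decide which subnet is the right one, only that the two sides do not match; the "good" pair is a constructed example of configs that pass.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed copies of the two configs posted in the question (placeholder keys).
SERVER_CONF = """
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <phone-public-key>
PresharedKey = <psk>
AllowedIPs = 10.6.0.2/32
"""

CLIENT_CONF = """
[Interface]
PrivateKey = <phone-private-key>
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = <server-public-key>
PresharedKey = <psk>
Endpoint = ip
AllowedIPs = 0.0.0.0/0, ::0/0
"""

# Constructed pair where both sides agree on the tunnel subnet.
GOOD_SERVER = SERVER_CONF.replace("10.6.0.2/32", "10.0.0.2/32")
GOOD_CLIENT = (CLIENT_CONF.replace("10.6.0.2/24", "10.0.0.2/24")
               .replace("10.6.0.1", "10.0.0.1")
               .replace("Endpoint = ip", "Endpoint = 198.51.100.10:51820")
               .replace(", ::0/0", ""))

Section = Tuple[str, Dict[str, str]]
Finding = Tuple[str, str]  # (code, human-readable message)


def parse_wg_conf(text: str) -> List[Section]:
    """Tiny INI reader that keeps repeated [Peer] sections apart
    (configparser would reject or merge duplicate section names)."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections


def _cidrs(value: str):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]


def check_configs(server_conf: str, client_conf: str) -> List[Finding]:
    findings: List[Finding] = []
    server = parse_wg_conf(server_conf)
    client = parse_wg_conf(client_conf)
    srv_iface = next(body for name, body in server if name == "Interface")
    cli_iface = next(body for name, body in client if name == "Interface")
    cli_peer = next(body for name, body in client if name == "Peer")
    srv_if = ipaddress.ip_interface(srv_iface["Address"].split(",")[0].strip())
    tunnel = srv_if.network

    # 1. every peer the server knows must live inside the server's tunnel subnet
    for name, body in server:
        if name == "Peer":
            for net in _cidrs(body.get("AllowedIPs", "")):
                if net.version == tunnel.version and not net.subnet_of(tunnel):
                    findings.append(("peer-outside-subnet",
                                     f"server AllowedIPs {net} is outside tunnel subnet {tunnel}"))

    # 2. the client's own tunnel address must be in that subnet too
    cli_if = ipaddress.ip_interface(cli_iface["Address"].split(",")[0].strip())
    if cli_if.ip not in tunnel:
        findings.append(("client-address-outside-subnet",
                         f"client Address {cli_if.ip} is outside tunnel subnet {tunnel}"))

    # 3. a private DNS address should be something reachable inside the tunnel
    for dns in cli_iface.get("DNS", "").split(","):
        dns = dns.strip()
        if dns and ipaddress.ip_address(dns).is_private and ipaddress.ip_address(dns) not in tunnel:
            findings.append(("dns-outside-tunnel",
                             f"DNS {dns} is private but outside {tunnel}; the server's tunnel address is {srv_if.ip}"))

    # 4. Endpoint needs host:port, otherwise the client cannot reach the listener
    endpoint = cli_peer.get("Endpoint", "")
    if not endpoint.rsplit(":", 1)[-1].isdigit():
        findings.append(("endpoint-no-port",
                         f"client Endpoint {endpoint!r} has no port (server ListenPort is {srv_iface.get('ListenPort', '?')})"))

    # 5. informational: IPv6 routed into the tunnel
    if any(net.version == 6 for net in _cidrs(cli_peer.get("AllowedIPs", ""))):
        findings.append(("ipv6-allowed",
                         "client routes ::/0 into the tunnel; one reply above reports this is unreliable on Android"))
    return findings


if __name__ == "__main__":
    for code, msg in check_configs(SERVER_CONF, CLIENT_CONF):
        print(f"[{code}] {msg}")
    print("good pair:", check_configs(GOOD_SERVER, GOOD_CLIENT) or "no findings")
```

The subnet checks are the ones that matter for "DNS = 10.6.0.1": a DNS address nobody on the tunnel holds is simply routed wherever the server's routing table sends it, which is why the replies suggest trying 1.1.1.1 directly and watching wg0 with tcpdump at the same time.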

Maybe a firewall rule is missing which allows traffic from wg to LAN or WAN?

Hello,
I did that; it does not change anything…

I do have endpoint ip and the port set up already I just forgot to mention it in the config.
I removed the lines and added the line you suggested but the issue is still the same…

I did portforward in the router settings for the port 51820

I have set up my DNS as 1.1.1.1 on the phone and tried to ping that same DNS with the tcpdump command running on the Raspberry Pi, but there were 0 packets received and 0 lines of output on the Raspberry Pi…

Perhaps tcpdump port 51820 on the physical interface / pi, that wireguard is listening on, see if there’s any activity from your phone over 51820 at all, either when connecting or trying pings.

Something’s getting lost somewhere, you’ll need to divide and conquer to figure out where things are getting dropped and in which direction.

Once you can establish where, it’ll be easier to figure out why and how to fix.

Listening on port 51820 also didn’t receive any packets, so we see that the problem is in the user (phone) configuration?

Yeah, strange.

Every ICMP/ping from your phone should result in some gibberish-y (encrypted) UDP packet going into your Pi. Sounds like something is off with the routing tables on your phone - if pings from your phone are not going over wireguard.

On your phone, having allowed ips for your peer set to 0.0.0.0/0 should be adding a default route.

I wonder if there’s some connectivity manager thing that’s preventing pings from working, e.g. if it can’t reach the DNS properly, or some such thing.

Do you suggest anything?