yesterday I started configuring Wireguard VPN and I have some problems which I couldn’t find any solutions on the internet. Does anyone have any idea what could be wrong? Basically I scanned QR code on my android app, it connects to VPN (I think so since I get the VPN icon next to network on my android device), but I don’t see any of my home devices neither any of the public webpages.
First off, Wireguard doesn’t work like most VPNs because it doesn’t have a connection in the common sense. Over-simplifying it Wireguard just forwards traffic to a given IP address. Therefore as long as the Wireguard interface is enabled the key icon will be displayed by Android because it is forwarding traffic as specified, but that traffic may not be going to the intended location.
I have found on Android passing IPv6 traffic through Wireguard does not work well. I generally do not include “::0/0” in the AllowedIPs.
Check out @PhaseLockedLoop’s Wireguard guide here, where you’ll find significantly more information that should help point you in the right directions.
At user config, you may want to have: Endpoint = ip:51820 (the port that you have set in your wireguard “server”).
Unfortunately, wireguard works in a quirky way. If you enable wireguard, it will show that it is enabled, however that doesn’t mean you have an established and working tunnel. For that, you need to see traffic going in an out of your tunnel. You can verify by adding to your User config: PersistentKeepalive = 21
With persistent keepalive, you should see both traffic out and traffic in. If you only see out, but not in, your tunnel isn’t working.
Also, I suggest you remove the MTU (you don’t need it) and the DNS. I found that DNS only worked in the Windows client for some odd reason, had issues with it in Fedora and Void Linux. Your DNS queries will be sent over the VPN anyway.
I also suggest you go to PLL’s Wireguard guide and follow it step by step, including setting the sysctl.conf forwarding stuff.
I do have endpoint ip and the port set up already I just forgot to mention it in the config.
I removed the lines and added the line you suggested but the issue is still the same…
I have setup my DNS as 1.1.1.1 on the phone and tried to ping that same DNS with tcpdump command on raspberry but there was 0 packets recieved and 0 lines output on raspberry pi…
Perhaps tcpdump port 51820 on the physical interface / pi, that wireguard is listening on, see if there’s any activity from your phone over 51820 at all, either when connecting or trying pings.
Something’s getting lost somewhere, you’ll need to divide and conquer to figure out where things are getting dropped and in which direction.
Once you can establish where, it’ll be easier to figure out why and how to fix.
Every ICMP/ping from your phone should result in some jiberish-y (encrypted) UDP packet going into your Pi. Sounds like something is off with routing tables on your phone - if pings from your phone are not going over wireguard.
On your phone, having allowed ips for your peer set to 0.0.0.0/0 should be adding a default route.
I wonder if there’s some connectivity manager thing that’s preventing pings from working, e.g. if it can’t reach the DNS properly, or some such thing.
