Wireguard configuration troubleshooting

Hey everybody. Great to see you as usual.

I’m looking for some guidance on an issue I am having attempting to set up Wireguard on my home server. I am unsure which information is pertinent, so instead of flooding this post with potentially unnecessary information, I will provide some details on my setup and what I can and cannot do with Wireguard at present.

I am trying to access my home server with an android device from outside the network to access things like Home Assistant, Sonarr/Radarr, etc.

Currently I am stuck at only being able to access http://pi.hole/admin/ and my router at 192.168.68.1 when using the Wireguard VPN on my android device. Any attempt to browse to another in-home service results in a failure to load.

I am running Wireguard with docker-compose alongside PiHole (and many other containers). This is my compose.yaml containing these two services:

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    env_file: .env
    cap_add:
      - NET_ADMIN
    environment:
      PUID: ${PUID}
      PGID: ${PGID}
      TZ: ${TZ}
      PEERS: 2
      PERSISTENTKEEPALIVE_PEERS: all
    volumes:
      - ./docker/wireguard/config:/config
    ports:
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    env_file: .env
    network_mode: "host"
    environment:
      WEBPASSWORD: *****
      FTLCONF_LOCAL_IPV4: 192.168.68.2
      TZ: ${TZ}
      PUID: ${PUID}
      PGID: ${PGID}
    volumes:
      - ./docker/pihole/etc-pihole:/etc/pihole
      - ./docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

This is what’s inside my wg0.conf:

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = *****
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer1
PublicKey = *****
PresharedKey = *****
AllowedIPs = 10.13.13.2/32
PersistentKeepalive = 25

[Peer]
# peer2
PublicKey = *****
PresharedKey = *****
AllowedIPs = 10.13.13.3/32
PersistentKeepalive = 25

I know there is plenty more information I could provide and there are plenty of things I have tried, but I wouldn’t know what is and what isn’t important as I’m still learning a great deal. More than happy to provide any information you require to help troubleshoot this issue :slight_smile:

Kindest regards <3

Apologies, I seem to have lost the ability to edit my original post.

I have gathered a thread to follow at least but I am not exactly closer to a solution.

In my attempts at troubleshooting, one of the things I tried was to allow certain ports for the specific containers I’m looking to access with ufw. For example, sudo ufw allow 8123 allows me to access Home Assistant from outside the local network with Wireguard. I assume this is suboptimal in terms of security and there is a cleaner, more blanket way to do this. Or not. Perhaps I should just set a UFW rule to allow the ports I want to be accessed by 10.13.13.1? I don’t know.

Appreciate any help :slight_smile:
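One way to replace the blanket `sudo ufw allow 8123` from the second post with rules scoped to a single source network (an example added here, not code from the original thread or from the linuxserver image). It assumes placeholder values: WG_SRC is the range the host sees VPN traffic arriving from, and SERVICE_PORTS is the list of host ports to expose (8123 is on the page; 8989 and 7878 are the Sonarr and Radarr defaults).

```shell
#!/bin/sh
# Added example, not code from the original post: scope the ufw rules for the
# services reached over WireGuard to one source network, instead of opening
# each port to everyone the way `sudo ufw allow 8123` does.
#
# Assumptions (placeholders, adjust to your host):
#  - WG_SRC is the source range the host sees VPN traffic arriving from. The
#    PostUp line in wg0.conf MASQUERADEs forwarded traffic out of the
#    container's eth0, so the host sees the container's Docker bridge address,
#    not 10.13.13.x; confirm with `sudo journalctl -k | grep UFW` while a
#    request is being blocked.
#  - SERVICE_PORTS lists the host ports to expose (Home Assistant, Sonarr, Radarr).
set -eu

WG_SRC="${WG_SRC:-172.18.0.0/16}"
SERVICE_PORTS="${SERVICE_PORTS:-8123/tcp 8989/tcp 7878/tcp}"

# Build the ufw command for one port/proto entry; a bare port defaults to tcp.
scoped_rule() {
  port="$1"
  case "$port" in */*) proto="${port#*/}" ;; *) proto=tcp ;; esac
  printf 'ufw allow from %s to any port %s proto %s\n' "$WG_SRC" "${port%/*}" "$proto"
}

# Print every rule (DRY_RUN=1, the default) or apply it with sudo (DRY_RUN=0).
apply_rules() {
  for p in $SERVICE_PORTS; do
    if [ "${DRY_RUN:-1}" = 1 ]; then scoped_rule "$p"; else sudo $(scoped_rule "$p"); fi
  done
}

# Read `ufw status` output on stdin and report service ports that are still
# allowed from Anywhere, i.e. the blanket rules the scoped ones replace.
find_blanket_rules() {
  while read -r line; do
    for p in $SERVICE_PORTS; do
      case "$line" in
        "${p%/*}"*ALLOW*Anywhere*) printf 'open to everyone: %s\n' "$line" ;;
      esac
    done
  done
}

# Usage: sh scoped-ufw.sh                          -> print the scoped rules
#        DRY_RUN=0 sh scoped-ufw.sh                -> apply them
#        sudo ufw status | sh scoped-ufw.sh check  -> list blanket rules to delete
case "${1:-plan}" in
  check) find_blanket_rules ;;
  *) apply_rules ;;
esac
```

After applying the scoped rules, delete the blanket ones the check reports (for example `sudo ufw delete allow 8123`) so the services are no longer reachable from every network.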