I’ve been trying to setup Wireguard up on my server. (Running Ubuntu Server 20.10). I’ve followed the tutorial and can connect to wireguard but I have intermittent/very slow internet when connected. My guess would be I’ve got something wrong in the routing somewhere but I can’t see what. Any help would be appreciated.
I’ve followed the below steps from a tutorial (https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/).
Generate Public/Private keys
Umask 077
wg genkey | tee server_private_key | wg pubkey > server_public_key
wg genkey | tee client_private_key | wg pubkey > client_public_key
Create wg0.conf
[Interface]
Address = 10.200.200.1/24
SaveConfig = true
PrivateKey = <insert server_private_key>
ListenPort = 51820
[Peer]
PublicKey = <insert client_public_key>
AllowedIPs = 10.200.200.2/32
Create wg0-client.conf
[Interface]
Address = 10.200.200.2/32
PrivateKey = <insert client_private_key>
DNS = 10.200.200.1
[Peer]
PublicKey = <insert server_public_key>
Endpoint = <insert vpn_server_address>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21
Enabled IPv4 forwarding in sysctl.conf net.ipv4.ip_forward=1
Added the following firewall rules using IPTables:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 51820 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 10.200.200.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o enp2s0 -j MASQUERADE
There is a further section in the tutorial about setting up a DNS server however I’m already running PiHole on my server so I skipped that part. The last thing I did was to start the Wireguard server which I did with the below:
chown -v root:root /etc/wireguard/wg0.conf
chmod -v 600 /etc/wireguard/wg0.conf
wg-quick up wg0
systemctl enable [email protected]
I’ve then installed wg0-client.conf on my client device (an android phone).
Output of wg show :
interface: wg0
public key: *******
private key: (hidden)
listening port: 51820
peer: ********
endpoint: ********
allowed ips: 10.200.200.2/32
latest handshake: 18 seconds ago
transfer: 191.59 KiB received, 1.88 MiB sent
So far everything has worked I’ve got Wireguard running on the server and my phone can connect to it. I can see the transfer/recieved figures going up on each device but this is where it fails.
Initially I couldn’t connect to the internet or any of my internal devices when connected to Wireguard. Initially I put this down to UFW which is what I use to manage my firewall normally and I know from other topics can cause issues with firewalls. But turning UFW off didn’t affect anything I was still unable to access the internet or my network if connected to Wireguard. After some searching and experimenting I found I can access internal devices on my network if I added ::/0 to the wg0-client.conf
[Interface]
Address = 10.200.200.2/32
PrivateKey = <insert client_private_key>
DNS = 10.200.200.1
[Peer]
PublicKey = <insert server_public_key>
Endpoint = <insert vpn_server_address>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 21
But I was still without internet when connected. I’ve then tried various way of routing or allowing traffic through the firewall with both IPtables and UFW. Including adding the below to the wg0.conf file:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
Ensuring that traffic was allowed on port 51820 through UFW (when I didn’t disable it for testing) with:
ufw allow 51820
Other UFW configurations I’ve added/tried:
ufw allow any from wg0
ufw allow in on wg0
ufw allow from 10.200.200.2
ufw allow to 10.200.200.0/24
ufw route allow in on wg0 out on enp2s0
I’ve also tested with UFW completely disabled and been through all the rules in IPTables and removed them one by one from my nat table and the rules I added when following the tutorial (See below for nat table).
Chain PREROUTING (policy ACCEPT 2282 packets, 178K bytes)
num pkts bytes target prot opt in out source destination
1 3998 271K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 2003 packets, 158K bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1699 packets, 114K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 81 packets, 5172 bytes)
num pkts bytes target prot opt in out source destination
1 136 8244 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
2 0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
3 0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:8080
4 1802 122K MASQUERADE all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8050 to:172.17.0.2:80
3 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8010 to:172.17.0.3:8080
After testing I’ve been able to get intermittent internet access when connected to wireguard but its very slow and not permenant. I also can’t get images to load on websites and some sites won’t even load (such as speedtest.net). Intially things started to improve after adding the postup/down lines to wg0.conf but I would only get an internet connection when connected to my wifi network. If I connected to wireguard via mobile data I would be able to access the server and other machines on the network but not the internet (with UFW on and off). Adding in the routing rules to UFW has got me the slow and intermittent internet access I have now when connected to wireguard, but as above its very slow and no images will load. I think my problem is going to lie in UFW somewhere but I can’t work out where and like I say even with it completely disabled I see no change in the behaviour.
One couple of other things of note arethat when connected to wireguard I can see the DNS requests in PiHole and it shows them as green and being allowed but obviously it isn’t getting back to my device. Also I have OpenVPN running on a seperate raspberry pi which works. I can connect to it and access both the internet and my network remotely.
Any help in getting wireguard working would be greatly appreciated as I can’t see whats wrong with my config it matches other tutorials I’ve looked at since.
I’ve also tried altering the port forward on my router from UDP only to both TCP and UDP and disabling the routers firewall with no luck
