
I have a cloud server with Ubuntu 22.04 and a WireGuard server installed, and a macOS device with the WireGuard app installed. The app shows an active connection, but neither is the IP address changed nor do I see an active connection on the server. My configuration files look like this:

/etc/wireguard/wg0.conf

[Interface]
Address = 10.8.0.1/24, cce7:c18e:3cd5::2/64
ListenPort = 41194
SaveConfig = true
PostUp = ufw route allow in on wg0 out on ens192
PostUp = iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ens192
PreDown = iptables -t nat -D POSTROUTING -o ens192 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o ens192 -j MASQUERADE
PrivateKey = <server_private_key>

My peer configuration looks like this:

[Interface]
PrivateKey = <peer_private_key>
Address = 10.8.0.2/24, cce7:c18e:3cd5::2/64

[Peer]
PublicKey = <server_public_key>
AllowedIPs = 10.8.0.0/24, cce7:c18e:3cd5::/64
Endpoint = dunno.com:41194

The firewall has UDP port 41194 open, and the rules from the wg0 configuration are also in place:

41194/udp                  ALLOW       Anywhere   
41194/udp (v6)             ALLOW       Anywhere (v6)            
Anywhere on ens192         ALLOW FWD   Anywhere on wg0        
Anywhere (v6) on ens192    ALLOW FWD   Anywhere (v6) on wg0   

The WireGuard server is running:

● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
 Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
 Active: active (exited) since Sat 2023-12-16 11:22:50 UTC; 8s ago
   Docs: man:wg-quick(8)
         man:wg(8)
         https://www.wireguard.com/
         https://www.wireguard.com/quickstart/
         https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
         https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 5925 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 5925 (code=exited, status=0/SUCCESS)
    CPU: 239ms

Dec 16 11:22:50 localhost wg-quick[5925]: [#] wg setconf wg0 /dev/fd/63
Dec 16 11:22:50 localhost wg-quick[5925]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Dec 16 11:22:50 localhost wg-quick[5925]: [#] ip -6 address add cce7:c18e:3cd5::2/64 dev wg0
Dec 16 11:22:50 localhost wg-quick[5925]: [#] ip link set mtu 1420 up dev wg0
Dec 16 11:22:50 localhost wg-quick[5925]: [#] ufw route allow in on wg0 out on ens192
Dec 16 11:22:50 localhost wg-quick[5956]: Rule added
Dec 16 11:22:50 localhost wg-quick[5956]: Rule added (v6)
Dec 16 11:22:50 localhost wg-quick[5925]: [#] iptables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
Dec 16 11:22:50 localhost wg-quick[5925]: [#] ip6tables -t nat -I POSTROUTING -o ens192 -j MASQUERADE
Dec 16 11:22:50 localhost systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

I can activate the peer connection and the app shows a green light, but when calling pages like https://whatismyipaddress.com/ I still see my local IP. Also, wg on the server does not show any active connection:

# wg show wg0
interface: wg0
public key: <public_server_key>
private key: (hidden)
listening port: 41194

What am I doing wrong?

EDIT

After reading @Michalng's comment (thanks for that!) I understood that the AllowedIPs define the URLs that are called on my peer and should be routed through the WG server. So I changed that setting to ::/0, 0.0.0.0/0 as suggested, and I now see that data is passed through the connection to the server. And, as mentioned, I do get the DNS error. So I added the IP of my OpenWrt router to the config of the peer:

[Interface]
....
DNS = 192.168.200.1

When calling nslookup google.com this works fine in my peer's terminal, but in the browser I cannot open the same page; it just loads endlessly.

I am using the WireGuard app on macOS and it says Data sent: X MB, but running wg show all on the server only shows the wg0 interface.

So, a tiny bit seems to be missing. What is it?

AntonSack
  • 111

1 Answer


Your WireGuard setup is not complete. The Ubuntu host is missing the peer configuration for the macOS host.

To set up WireGuard between two hosts, you need:

  • on Host A
    • Host A’s private key
    • Host A’s listen port
    • Host B’s public key
    • Host B’s IP address(es) and/or subnet(s) (“allowed IPs”)
  • on Host B
    • Host B’s private key
    • Host B’s listen port
    • Host A’s public key
    • Host A’s IP address(es) and/or subnet(s)

All of these must be exchanged beforehand. To establish an association between the two hosts, at least one of them must be able to reach the other's UDP listen port. This setup stuff could be considered a pain; that's why Tailscale exists.

You must add a peer entry on your Ubuntu host with the macOS host's public key. You do not need to add an endpoint, though. If all is well, both sides will list the other as a peer. Seeing as you're using wg-quick, it could look like this:

[Peer]
PublicKey = R6gGtDkUJCfVYXpRrem1TxlLYGzT/PrfZNp5Cp669Ro=
AllowedIPs = 10.8.0.2/32, cce7:c18e:3cd5::2/128

(The prefix length on AllowedIPs must be chosen appropriately: a "road-warrior" peer would typically have /32 (or /128). This information is used by WireGuard to route traffic to peers. On the peer, the interface would still be configured with the "real" prefix length.)

And then, after having successfully exchanged traffic, you will also see something similar to this in wg, on the Ubuntu host:

peer: R6gGtDkUJCfVYXpRrem1TxlLYGzT/PrfZNp5Cp669Ro=
  endpoint: 203.0.113.54:51820
  allowed ips: 10.8.0.2/32, cce7:c18e:3cd5::2/128
  latest handshake: 38 seconds ago
  transfer: 46.34 MiB received, 995.54 MiB sent

If the host that is initiating the association (macOS host in your case) is behind NAT, you might want to enable keepalive packets there.

user219095
  • 65,551
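The answer above boils down to one missing [Peer] block on the Ubuntu host. The following POSIX shell script is an added example, not code from either poster: it derives the /32 and /128 host routes from the client's tunnel addresses (the client's own [Interface] keeps its /24 and /64), prints the [Peer] section for wg0.conf, and optionally adds the peer to the running interface with wg(8) so no restart is needed. The public key is the placeholder from the answer, and the address arguments are assumed to match the client's Address line.

```shell
#!/bin/sh
# Added example (not part of the original question or answer).
# Assumptions: PEER_KEY is a placeholder public key; the ADDR/PREFIX
# arguments are the client's tunnel addresses from its [Interface] Address.

# host_route ADDR/PREFIX -> ADDR/32 (IPv4) or ADDR/128 (IPv6).
# The server's AllowedIPs for a road-warrior peer covers only that one
# host address; the client keeps its real prefix on its own interface.
host_route() {
    addr=${1%%/*}
    case $addr in
        *:*)     printf '%s/128\n' "$addr" ;;
        *.*.*.*) printf '%s/32\n' "$addr" ;;
        *)       printf 'invalid address: %s\n' "$1" >&2; return 1 ;;
    esac
}

# allowed_ips ADDR/PREFIX... -> "a/32, b/128" (wg-quick config style)
allowed_ips() {
    out=
    for a in "$@"; do
        r=$(host_route "$a") || return 1
        out="${out:+$out, }$r"
    done
    printf '%s\n' "$out"
}

# peer_block PUBKEY ADDR/PREFIX... -> the [Peer] section for the server.
# No Endpoint: the macOS host initiates, so the server learns the
# client's address and port from the first handshake.
peer_block() {
    key=$1; shift
    ips=$(allowed_ips "$@") || return 1
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$key" "$ips"
}

# add_peer_live IFACE PUBKEY ADDR/PREFIX... -> add the peer to the running
# interface (requires root and wireguard-tools). With SaveConfig = true,
# wg-quick writes the running state back to wg0.conf on 'wg-quick down'.
add_peer_live() {
    iface=$1; key=$2; shift 2
    ips=$(allowed_ips "$@") || return 1
    ips=$(printf '%s' "$ips" | tr -d ' ')   # wg set wants no spaces
    wg set "$iface" peer "$key" allowed-ips "$ips"
}

# Placeholder key taken from the answer; 10.8.0.2 / ::2 is the client in the question.
PEER_KEY='R6gGtDkUJCfVYXpRrem1TxlLYGzT/PrfZNp5Cp669Ro='

# Print the block to paste into /etc/wireguard/wg0.conf on the Ubuntu host.
peer_block "$PEER_KEY" 10.8.0.2/24 cce7:c18e:3cd5::2/64

# To apply without restarting, uncomment on the server (as root):
# add_peer_live wg0 "$PEER_KEY" 10.8.0.2/24 cce7:c18e:3cd5::2/64
# wg show wg0   # after the client reconnects, expect 'latest handshake'
```

After the peer is added, trigger a handshake from the macOS side and run wg show wg0 on the server; a peer line with an endpoint and a recent latest handshake confirms the association. If the Mac sits behind NAT, add PersistentKeepalive = 25 under the [Peer] section of the client's configuration (not the server's), as the answer suggests, so the NAT mapping stays open between bursts of traffic.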