Help setting up Wireguard Linux server and GL Wireguard client


#1

I have a Linux server with the WG software and I’m trying to use that as a VPN to an AR-750S, and I’m confused on some of the terms and could really use some help. For example, why do I need an IP address for both ends? The only IP address I’ll really know is the FQDN of my server; I’ll be connecting to that from random IP addresses based on whatever ISP/Hotel/etc. I’m connected to.

The kernel end seems to be OK:

# wg show

interface: wg0
public key: t1rkXUvVh…=
private key: (hidden)
listening port: 51820

and I’ve opened port 51820/UDP on my router, but it seems as if the WG client (trying both an AR-750S and the Android WG client) don’t even make it thru to my server (I see nothing in the kernel logs). If someone’s done this already, I could sure use your help. Thanks!


#2

Also, if I do echo hello | nc -u <my-server> 51820 I see the packet make it thru if I watch my box’s main ethernet via tcpdump -vv -i eth0 \( udp and port 51820 \). But at no time does a UDP packet from either the 750S or the Android client ever come thru. I’ve put my server’s external FQDN:51820 in the Endpoint Host part of the Peer, which is where the “Wireguard Server” should go, right?

(This “peer” stuff really clouds the waters, IMO. I get that it’s supposed to be a two-way tunnel, but one end is the “server” that waits for a connection and the other end is the “client” that connects, and I really wish they’d used that terminology.)


#3

Your client will configure the wg0 interface with the IP address associated with that peer. Just like your router assigns your device a private IP to talk to it on 192.168.8.x. Each peer gets its own assigned private IP on a private subnet associated with its Peer Public Key.


#4

OK … I guess I get that.

But I’m more worried about how I never see a single packet make it into my server’s eth0 interface to even be handed off to the wg0 interface on my server. I don’t get any error messages either other than “timeout” (on the 750S; the Android client pretends to be connected but nothing happens).

… and what are “Allowed IPs” on the client end? That should just normally be set to “0.0.0.0” if I’m trying to route all traffic via the VPN, right?


#5

You have to listen on the wg0 interface created by wireguard.

I suggest you sign up for a free account at AzireVPN - they offer a 1 day free trial for their regular OpenVPN; after that, they send you an email that says it expires, but the Wireguard service is still free while they are beta testing it. At their website, you can click a button and it will generate a zip file from which the 750S (version 3 firmware) will configure everything for you. You can then see it work and look at how everything is configured. Then get your own setup going if you want.


#6

OK, but how does a packet get there? My setup is Comcast Cable->Google WiFi->Intel NUC

I’ve allowed port 51820/UDP to connect to my NUC’s internal-LAN IP address (on eth0). And when I watch for traffic on that, neither client even attempts to generate traffic that makes it even as far as my Google WiFi, apparently.


#7

PM me your referral code if you have one, if you want.


#8

Did you port forward on the router? I guess the Comcast is just a modem (no firewall?) and the Google Wifi is your home AP with firewall that needs the port forwarding, and the NUC is the server that also has some sort of firewall on it?

The Allowed IP on the client should be 0.0.0.0


#9

Yeah. I’ve got Plex/SSH/OpenVPN/VNC servers all running on this same device. No firewall on the NUC (just some iptables rules to allow masquerading for the OpenVPN server, and I’ve added a tentative one for the Wireguard, if any traffic would ever get delivered there).

But yeah, I can see incoming traffic if I fake up some via nc, but none from either WG client.


#10

Sounds like the clients aren’t configured right? See if the Azire works and adjust things


#11

Yeah, maybe. I’m going to let it go for now, but I’m confused as to why it doesn’t even attempt to generate any packets. My “Endpoint Host” should be given in the form “my.full.hostname.com:51820”, right?

Here’s a screenshot from my AR-750S’ config page:

Hitting “Connect” generates no traffic on my end on port 51820. Unless that part works nothing else can.


#12

use 0.0.0.0/0 for allowed IPs


#13

allowed IP on client should be 0.0.0.0/0 to route all traffic to wg

ping the host wireguard IP address to generate traffic, should respond ok

you do have the peer section set up on the host right? not clear from your first post


#14

OK, it’s official; there are issues with the Wireguard client, at least on the AR-750 running 3.005:

  • Using this page as a guide I verified my Wireguard server at home was set up properly. I plugged my configuration file into a(? the?) Wireguard Android client, and it works.

  • Plugging the very same file into the “Wireguard Client” dialog seems to accept it OK, but when I try to connect, it spins for a while then says “Timed Out”. Listening on either my eth0 or wg0 interface on my server shows connectivity when trying to connect from the Android client, but nothing comes thru at all when trying from the AR-750’s client, which to me implies the issue could be DNS resolution; in any case it does not even attempt to ping my server (my server has an FQDN via dyn.com that has worked for years).

  • The bug is still there that if your (Wireguard, and maybe OpenVPN) connection fails, unless you purge your config files, your router’s clients get no connectivity even after a reboot.

Here’s my wireguard client file:

[Interface]
Address = 192.168.12.2, fdd5:7dd4:34fa:770c::2/64
PrivateKey = <private key>
ListenPort = 21841

[Peer]
PublicKey = <public key>
Endpoint = <my server>.gotdns.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 180 # seconds

I’ll keep playing with it, removing keywords and spaces and such, but it does work with another client. I know that the AR-750 works with Azire, so maybe you’re bailing on a keyword (but I can’t see what that could be)?


#15

Manual entry seems to have fixed things. Maybe the “#” or the “Persistent Keepalive” were throwing it off? I’ll see if I can find some errors in the logs. Funnily enough, I see a red “Timed out!” error right before it decides to connect, although it’s connected in less than 2 seconds.

What’s also interesting is I had to remove the IPv6 entries (else the manual block wouldn’t validate the entries), but the Azire ones come with them.

Up and running, in either case. But that last bullet point (about the connectivity loss persisting past a reboot on a failed VPN connection) should really be looked at.


#16

It is a bug. Because it isn’t compatible with IPv6, we have to filter it, but the filter is missing the comma.

Will fix it ASAP; please try this.

[Interface]
Address = 192.168.12.2
PrivateKey = <private key>
ListenPort = 21841

[Peer]
PublicKey = <public key>
Endpoint = <my server>.gotdns.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 180 # seconds


#17

This creates a bug. I have multiple subnets that I need to add to “Allowed IPs”, but I’m unable to do it. I need to add “192.168.40.0/21,10.142.0.0/16”, but because you don’t allow a comma I can’t. If you don’t want to use a regular expression or more complex filtering, perhaps filter instead by looking for “:”? A : will only appear in an IPv6 address/subnet.

Is there a way to override the filter? I do not want to send all traffic through the VPN, I just need some subnets.
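As an added example (not code from this thread or from GL.iNet), here is a small Python sanitiser that does what the post above proposes: it drops IPv6 entries from Address/AllowedIPs by looking for “:” and leaves commas alone, so a multi-subnet AllowedIPs survives, while Endpoint (which legitimately contains “:”) is never touched. The sample config is constructed from the client file in #14 with placeholder keys and the two extra subnets from #17.

```python
# Added example (not GL.iNet's code): sanitise a WireGuard client config for an
# IPv4-only peer the way post #17 proposes, dropping IPv6 entries by their ':'
# instead of deleting commas, so multi-subnet AllowedIPs survive intact.
# Constructed sample: the client file from #14 with placeholder keys and the
# two extra IPv4 subnets from #17 added to AllowedIPs.
SAMPLE = """\
[Interface]
Address = 192.168.12.2, fdd5:7dd4:34fa:770c::2/64
PrivateKey = <private key>
[Peer]
Endpoint = <my server>.gotdns.com:51820
AllowedIPs = 192.168.40.0/21,10.142.0.0/16, ::/0
PersistentKeepalive = 180 # seconds
"""

# Only these keys hold comma-separated address lists.  Endpoint also contains a
# ':' (host:port), so it must never be run through the IPv6 filter.
LIST_KEYS = {"Address", "AllowedIPs", "DNS"}

def strip_comment(line):
    # wg(8) ignores text after '#', e.g. 'PersistentKeepalive = 180 # seconds'
    return line.split("#", 1)[0].strip()

def filter_ipv6_entries(value):
    # Every IPv6 address or prefix contains ':'; a dotted IPv4 one never does,
    # so split the comma-separated list and keep only the ':'-free entries.
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return ", ".join(e for e in entries if ":" not in e)

def parse_config(text):
    # Parse wg-style INI into {'Interface': {...}, 'Peer': [{...}, ...]}.
    cfg, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line == "[Peer]":
                cfg["Peer"].append({})
            current = cfg["Peer"][-1] if line == "[Peer]" else cfg.setdefault(line[1:-1], {})
        else:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return cfg

def sanitise_ipv4_only(cfg):
    # Apply the ':' filter to list keys in every section; Endpoint is untouched.
    for section in [cfg["Interface"], *cfg["Peer"]]:
        for key in LIST_KEYS.intersection(section):
            section[key] = filter_ipv6_entries(section[key])
    return cfg
```

Running `sanitise_ipv4_only(parse_config(SAMPLE))` keeps both IPv4 subnets in AllowedIPs and the host:port Endpoint, and drops only the two IPv6 entries.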


#18

That’s because we will force all traffic over the VPN tunnel by default when you start the VPN. Most users prefer this approach.

If you want a VPN routing policy, which does the same as allowed IPs, you can try VPN routing policy. Please refer to the VPN policy quick guide and give feedback.


#19

Thanks. It seems that there is no way to disable NAT on the VPN interface? I’m trying to do a site-to-site VPN connection, and I want to be able to access clients connected to the GL-AR750S.

Is it possible to disable NAT on the wireguard client?


#20

Yes, you can do that in command line.

You just need to set masq to 0 in the wireguard zone of /etc/config/firewall.