Hey,
I will specify the problem and hope that it is clear now.
After some tries and settings and looking at the logs:
I get a connection to the WireGuard server and see the connected client.
But if I look at the connection logs of my firewall (all rules are set) I see that the VPN client connects to the websites via ICMP, not TCP 80 or 443. So all connections from the client are ICMP and are dropped.
So something goes wrong within the Brume 2. Maybe I set wrong IPs or something like that?
Brume 2: 10.1.1.2 (start and end of the private network: 10.1.1.3 to 10.1.1.33)
Wireguard-Server: 10.1.1.2/24
connected client: 10.1.1.3
Should the LAN IP address be different to the wireguard server IP?
Should I set WG-Server to 10.0.0.1 or smth like that and leave the Brume2 on 10.1.1.2?
I can update Brume 2 (4.2.1) and install plugins, so the Brume itself has internet connection and is not somehow blocked. Just the client can not use TCP connections to websites.
That'd be your public facing IP. It should be the same as seen @ ipleak.net .
The device may reject all incoming packets by default. I'd try pinging another computer/laptop on your LAN instead. You should be able to disable any firewall on it easily… as one less thing to get in the way of troubleshooting.
It's a good way to check everything logged but yeah, it can be a bit verbose. You can filter msgs. Eg: I use the GL GUI's DNS over HTTPS (DOH) feature. It is provided by dnscrypt-proxy2. So logread -e "dnscrypt-proxy" gives me the output I'm looking for.
Can you post your wg show output, in full? Here's what my VPN Client on a Slate AX shows connected to Surfshark:
root@GL-AXT1800:~# wg show
interface: wgclient
public key: [redacted]=
private key: (hidden)
listening port: 32
peer: [redacted]=
endpoint: 37.19.211.7:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 49 seconds ago
transfer: 1.69 GiB received, 503.36 MiB sent
persistent keepalive: every 25 seconds
(I would point out that, in WG, it is a misnomer to call it a "client/server" architecture. It really is all just peer-to-peer but I agree w/ GL that it's easier for people to understand client/server as if it was similar to OpenVPN.)
I can ping the firewall interface in the internal network, which serves as DNS
I can not copy between the VMs I use now using the terminal. I type just the things that differ in a relevant way.
wg show:
interface: wgserver
fwmark: 0x80000
peer:
endpoint: IP of the client
allowed ips: 10.0.0.3/32
latest handshake: 1 hour ago (I tested it at that time).
So maybe the problem is "allowed IPs". The IP of the client is 10.0.0.3, but it should connect to other subnets.
#Edit: but if I look at the settings of the client, I see allowed IPs 0.0.0.0/0. So that's strange. 10.0.0.3/32 is set as the IP of the client. Allowed IPs is set to 0.0.0.0/0. But wg show shows 10.0.0.3/32 as allowed IPs.
But if I connect with the smartphone now, I can not see "connected client" in the VPN dashboard. I just see "1 connected client (0 online)".
No, it's not. That'd be the default setting to route on the device everything through WG.
I'd really be tempted to just strip down/delete the existing WG Server/Client setup & follow along from GL's GUI based defaults. We know it works.
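For readers checking their own `wg show` output against the two postings above (the client on the Slate AX with allowed ips 0.0.0.0/0, the server on the Brume 2 with a single /32 per peer), here is a small parser and sanity checker. It is an added example, not part of the thread and not GL.iNet code. The sample output is constructed with placeholder keys and a documentation address; the 180-second staleness threshold is an assumption (WireGuard re-handshakes roughly every two minutes on an active tunnel, so anything much older usually means the tunnel is idle or broken).

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the `wg show` output quoted in the thread.
# Keys and the endpoint are placeholders, not values from any real device.
SAMPLE_WG_SHOW = """\
interface: wgserver
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820
  fwmark: 0x80000

peer: PEER_PUBLIC_KEY_PLACEHOLDER=
  endpoint: 203.0.113.10:41000
  allowed ips: 10.0.0.3/32
  latest handshake: 1 hour, 2 minutes ago
  transfer: 1.69 GiB received, 503.36 MiB sent
  persistent keepalive: every 25 seconds
"""

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text: str) -> Optional[int]:
    """Turn '1 hour, 2 minutes ago' into seconds; None when no handshake happened."""
    if text.strip() in ("", "(none)"):
        return None
    total = 0
    for num, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text):
        total += int(num) * _UNIT_SECONDS[unit]
    return total


def parse_wg_show(output: str) -> Dict:
    """Parse `wg show` text into {'interface': {...}, 'peers': [{...}, ...]}."""
    result = {"interface": {}, "peers": []}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Only the first colon separates key and value; endpoints contain a port.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "interface":
            current = result["interface"]
            current["name"] = value
        elif key == "peer":
            current = {"public key": value}
            result["peers"].append(current)
        elif current is not None:
            current[key] = value
    return result


def check_peers(parsed: Dict, role: str, max_handshake_age: int = 180) -> List[str]:
    """Return findings for the given role: 'server' (Brume 2) or 'client' (Slate AX)."""
    findings = []
    for peer in parsed["peers"]:
        allowed = [a.strip() for a in peer.get("allowed ips", "").split(",") if a.strip()]
        pk = peer["public key"][:8] + "..."
        if role == "server":
            # A server pins each peer to its own tunnel address; a wider prefix
            # here would let that peer source traffic from any of those addresses.
            for a in allowed:
                if not a.endswith(("/32", "/128")):
                    findings.append(f"peer {pk}: allowed ips {a} is not a single host address")
        elif role == "client":
            # 0.0.0.0/0 on the client side is what routes everything through WG.
            if "0.0.0.0/0" not in allowed:
                findings.append(f"peer {pk}: not a full tunnel (allowed ips {allowed})")
        age = handshake_age_seconds(peer.get("latest handshake", ""))
        if age is None:
            findings.append(f"peer {pk}: no handshake yet (key or endpoint mismatch?)")
        elif age > max_handshake_age:
            findings.append(f"peer {pk}: last handshake {age}s ago, tunnel likely idle or down")
    return findings


if __name__ == "__main__":
    for finding in check_peers(parse_wg_show(SAMPLE_WG_SHOW), "server"):
        print(finding)
```

Feed it the real output with `wg show | python3 wgcheck.py` after swapping the sample for `sys.stdin.read()`; on a GL device the role is "server" for the Brume 2 and "client" for a router tunnelling out to a provider.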
I can not copy between the VMs I use now using the terminal.
Off topic but if you use Windows, MobaXterm Home Edition is excellent for that ability (< ctrl > + < shift > + < c/v > ). It has integrated SCP/SFTP support, too. It's freeware.
Crap; I point out I'm currently using "WG Client" on my Slate AX. I intend to setup a WG "Client/Server" later today on a Flint & Certa… or I'd just post those default confs for you now.
Nice; I've never used it so I don't know the limitations.
IDK as I'd just use whatever GL sets up… but perhaps it would be a good time to make a backup of your GL device before proceeding. See below.
The wg confs are @ /etc/config/wireguard & /etc/config/wireguard_server assuming a v. 4.2.1-r4 f/w. That HOW-TO describes getting it all in the "Note" section.
I have nothing really important on the Brume2. Just wanted to install wireguard on it, nothing else.
Yes, as it seems you use it as a client with some other WGserver. I want just to use it as a server within the network.
Why don't we put a pin in all this for today if not the next few hours? I need to grab some lunch… & caffeine… then I'll get to setting up a Flint & Certa as I described.
At least you'd have some "known good" conf files to template from. Sound good?
The problem is that I want to use (or use) the Brume2 in the DMZ of my ipfire. So I think I will steal a lot of time from you, but maybe still have problems within the network. And I have no idea what "Flint & Certa" is.
< ahem > Excuse me; you're interrupting my lunch. (heh!)
True but you'd be able to edit the confs to suit whatever are your subnetting specifics. I assume you're familiar w/ the Nano editor? It's easier to use than VI/VIM.
I will fite you. VIM is awesome… if you're doing extreme amounts of conf editing/sysadmin/programming work & spend hours/days/weeks/months setting it up properly. Nano is my goto for the "quick & dirty".
Now excuse me; you're interrupting my coffee/smoke break.