Hey,
I'll specify the problem and hope that it is clear now.
After some tries, settings changes and looking at logs:
I get a connection to the WireGuard server and see the connected client.
But if I look at the connection logs of my firewall (all rules are set) I see that the VPN client connects to the websites via ICMP, not TCP 80 or 443. So all connections from the client are ICMP and are dropped.
So something goes wrong within the Brume 2. Maybe I set wrong IPs or something like that?
Brume 2: 10.1.1.2 (start and end of the private network: 10.1.1.3 to 10.1.1.33)
Wireguard-Server: 10.1.1.2/24
connected client: 10.1.1.3
Should the LAN IP address be different from the WireGuard server IP?
Should I set the WG server to 10.0.0.1 or something like that and leave the Brume 2 on 10.1.1.2?
I can update the Brume 2 (4.2.1) and install plugins, so the Brume itself has an internet connection and is not somehow blocked. Just the client cannot use TCP connections to websites.
That'd be your public-facing IP. It should be the same as seen @ ipleak.net.
The device may reject all incoming packets by default. I’d try pinging another computer/laptop on your LAN instead. You should be able to disable any firewall on it easily… as one less thing to get in the way of troubleshooting
It's a good way to check everything logged but yeah, it can be a bit verbose. You can filter messages. E.g.: I use the GL GUI's DNS over HTTPS (DoH) feature. It is provided by dnscrypt-proxy2. So logread -e "dnscrypt-proxy" gives me the output I'm looking for.
Can you post your wg show output, in full? Here’s what my VPN Client on a Slate AX shows connected to Surfshark:
root@GL-AXT1800:~# wg show
interface: wgclient
public key: [redacted]=
private key: (hidden)
listening port: 32
peer: [redacted]=
endpoint: 37.19.211.7:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 49 seconds ago
transfer: 1.69 GiB received, 503.36 MiB sent
persistent keepalive: every 25 seconds
(I would point out that, in WG, it is a misnomer to call it a ‘client/server’ architecture. It really is all just peer-to-peer but I agree w/ GL that it’s easier for people to understand client/server as if it was similar to OpenVPN.)
I can ping the firewall interface in the internal network, which serves as DNS
I cannot copy between the VMs I am using now via the terminal. I'll type just the things that differ in a relevant way.
wg show:
interface: wgserver
fwmark: 0x80000
peer:
endpoint: IP of the client
allowed ips: 10.0.0.3/32
latest handshake: 1 hour ago (I tested it at that time).
So maybe the problem is "allowed IPs". The IP of the client is 10.0.0.3, but it should connect to other subnets.
Edit: but if I look at the settings of the client, I see allowed IPs 0.0.0.0/0. So that's strange. 10.0.0.3/32 is set as the IP of the client. Allowed IPs is set to 0.0.0.0/0. But wg show shows 10.0.0.3/32 as allowed IPs.
But if I connect with the smartphone now, I cannot see "connected client" in the VPN dashboard. I just see "1 connected client (0 online)".
No, it’s not. That’d be the default setting to route on the device everything through WG.
I’d really be tempted to just strip down/delete the existing WG Server/Client setup & follow along from GL’s GUI based defaults. We know it works.
I cannot copy between the VMs I am using now via the terminal.
Off topic but if you use Windows, MobaXterm Home Edition is excellent for that ability (< ctrl > + < shift > + < c/v >). It has integrated SCP/SFTP support, too. It's freeware.
Crap; I should point out I'm currently using 'WG Client' on my Slate AX. I intend to set up a WG 'Client/Server' later today on a Flint & Certa… or I'd just post those default confs for you now.
Nice; I’ve never used it so I don’t know the limitations.
IDK as I’d just use whatever GL sets up… but perhaps it would be a good time to make a backup of your GL device before proceeding. See below.
The wg confs are @ /etc/config/wireguard & /etc/config/wireguard_server assuming a v. 4.2.1-r4 f/w. That HOW-TO describes getting it all in ‘Note’ section.
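Added example, not code from the thread or from GL.iNet: a small simulation of WireGuard's cryptokey routing table, which is what `wg show` prints as "allowed ips", run against constructed output for both ends of the setup discussed above. It shows why the Brume 2 side legitimately lists 10.0.0.3/32 for the peer while the phone/laptop side lists 0.0.0.0/0: the two entries do different jobs. Keys, endpoints and the extra source address are placeholders I made up; only the 10.0.0.3/32 and 0.0.0.0/0 values come from the thread.

```python
"""Simulate WireGuard cryptokey routing ("allowed ips") for a server and a
client peer. Added example; inputs are constructed, keys are placeholders."""
import ipaddress

# Constructed `wg show` output for the Brume 2 side (the "server" in GL's
# terminology). The key and endpoint are placeholders, not real values.
SERVER_WG_SHOW = """\
interface: wgserver
  fwmark: 0x80000
peer: CLIENT_PUBLIC_KEY_PLACEHOLDER=
  endpoint: 203.0.113.10:40112
  allowed ips: 10.0.0.3/32
"""

# Constructed `wg show` output for the phone/laptop side (the "client").
CLIENT_WG_SHOW = """\
interface: wgclient
peer: SERVER_PUBLIC_KEY_PLACEHOLDER=
  endpoint: 198.51.100.5:51820
  allowed ips: 0.0.0.0/0
"""


def parse_peers(wg_show_text):
    """Return {public_key: [ip_network, ...]} from `wg show`-style text.
    Only the 'peer:' and 'allowed ips:' lines are used."""
    peers = {}
    current = None
    for raw in wg_show_text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = []
        elif line.lower().startswith("allowed ips:") and current is not None:
            for net in line.split(":", 1)[1].split(","):
                net = net.strip()
                if net and net != "(none)":
                    peers[current].append(ipaddress.ip_network(net, strict=False))
    return peers


def outbound_peer(peers, dst):
    """Send side: the peer whose allowed ips is the longest-prefix match for
    the destination, or None if nothing matches (packet is not tunnelled at
    all and follows the normal routing table instead)."""
    dst = ipaddress.ip_address(dst)
    best_key, best_len = None, -1
    for key, nets in peers.items():
        for net in nets:
            if dst in net and net.prefixlen > best_len:
                best_key, best_len = key, net.prefixlen
    return best_key


def inbound_accepted(peers, sender_key, src):
    """Receive side: a packet decrypted with a peer's key is delivered only
    if its inner source address is inside that peer's allowed ips; anything
    else is dropped silently, with no log line and no ICMP error."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peers.get(sender_key, []))


if __name__ == "__main__":
    server = parse_peers(SERVER_WG_SHOW)
    client = parse_peers(CLIENT_WG_SHOW)
    client_key = next(iter(server))
    server_key = next(iter(client))
    # Client side: 0.0.0.0/0 pushes every destination into the tunnel.
    assert outbound_peer(client, "8.8.8.8") == server_key
    # Server side: 10.0.0.3/32 only routes traffic *to* the client into the
    # tunnel; web traffic the client sends onward leaves via WAN/LAN and the
    # firewall's forwarding/NAT rules, not via allowed ips.
    assert outbound_peer(server, "10.0.0.3") == client_key
    assert outbound_peer(server, "8.8.8.8") is None
    # Server accepts the client's packets only with source 10.0.0.3.
    assert inbound_accepted(server, client_key, "10.0.0.3")
    assert not inbound_accepted(server, client_key, "10.1.1.50")
    print("cryptokey routing checks passed")
```

So the `wg show` on the Brume 2 showing 10.0.0.3/32 is expected, not a misconfiguration: it is the set of source addresses the server accepts from that peer and the set of destinations it sends back through the tunnel. The 0.0.0.0/0 lives on the client and decides what the client sends into the tunnel. Whether that traffic then reaches websites is decided by the server's forwarding and masquerade rules. Narrowing the client's entry to, say, 10.1.1.0/24 would give a split tunnel that only carries LAN traffic; that is a general property of allowed ips, not something the thread configures.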
I have nothing really important on the Brume2. Just wanted to install wireguard on it, nothing else.
Yes, as it seems you use it as a client with some other WG server. I just want to use it as a server within the network.
Why don’t we put a pin in all this for today if not the next few hours? I need to grab some lunch… & caffeine… then I’ll get to setting up a Flint & Certa as I described.
At least you’d have some ‘known good’ conf files to template from. Sound good?
The problem is that I want to use (or am using) the Brume 2 in the DMZ of my IPFire. So I think I will steal a lot of your time but may still have problems within the network. And I have no idea what "Flint & Certa" is.
< ahem > Excuse me; you’re interrupting my lunch. (heh!)
True but you’d be able to edit the confs to suit whatever are your subnetting specifics. I assume you’re familiar w/ the Nano editor? It’s easier to use than VI/VIM.
I will fite you. VIM is awesome… if you're doing extreme amounts of conf editing/sysadmin/programming work & spend hours/days/weeks/months setting it up properly. Nano is my go-to for the 'quick & dirty'.
Now excuse me; you’re interrupting my coffee/smoke break.