WireGuard remains yellow, no internet but LAN ok

Hi there,

I tried to find some solutions in existing posts here and on Google related to my issue, but I couldn't find one.

I have set up a WireGuard server on a dedicated Ubuntu 18.04 server, to which I want to connect from my GL.iNet AR750 running the latest GL.iNet snapshot for this device.

When I click connect, the gray spot next to WireGuard in the UI becomes yellow after some time and remains that way. I can ping and SSH into my machines on my LAN, but I cannot ping anything on the internet. I've tried setting 8.8.8.8 in the DNS field, disabling VPN policies, … with no luck.
After quite some time, the yellow spot remains, but I get:

VPN client failed to connect, this may be because wrong configuration, unsupported parameters or terminated by the server

Here is the server configuration (enp0s20 is my public interface name on my Ubuntu server):

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s20 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s20 -j MASQUERADE
ListenPort = 51820
PrivateKey = xxx

[Peer]
PublicKey = xxx
AllowedIPs = 10.0.0.2/32

And here is the configuration on my GL.iNet router:

On the WireGuard server side, here is what I get with wg show:

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: my-glinet-router-public-ip:5740
  allowed ips: 10.0.0.2/32
  latest handshake: 53 seconds ago
  transfer: 79.94 KiB received, 3.36 KiB sent

and here is what I get on my GL.iNet router for the same command:

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 5740

peer: xxx
  endpoint: my-ubuntu-server-public-ip:51820
  allowed ips: 0.0.0.0/0
  transfer: 92 B received, 340 B sent
  persistent keepalive: every 25 seconds

I'd be pleased if anyone could help me, or at least tell me in which direction I should take my investigations. I'm far from being an expert in networking…

Thanks in advance

Try setting a DNS?
1.1.1.1 or 9.9.9.9

Thanks, but I already tried adding some custom DNS without success. I do not think it's related to DNS, since the connection fails after quite some time, even though both ends report that the peer has established at least the handshake…

In your server config you have the following

SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s20 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s20 -j MASQUERADE

Why do you have this in the WireGuard config?

Could you show us the output of 'ifconfig' on both the server and the client?
Have you enabled forwarding on your server, and also opened the WireGuard port on the server side?

I am using a WireGuard server as well, and have already tried it successfully on GCP, AWS, Vultr, and some regional servers.

So that I can access the internet via NAT from my client(s). I actually had not tried disabling this, so I tried it now; sadly, no change.

Actually, the forwarding is done by the lines in the config that @alzhao mentioned in his message.

As for whether the port is open or not, it's definitely open, since the first handshake is done (I have no iptables rules except the forwarding ones on my server).

And here is the relevant part of ifconfig on the server:

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.0.1  netmask 255.255.255.0  destination 10.0.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 8  bytes 872 (872.0 B)
        RX errors 66  dropped 37  overruns 0  frame 66
        TX packets 16  bytes 632 (632.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

…and on the client:

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.2  P-t-P:10.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:92 (92.0 B)  TX bytes:340 (340.0 B)

Thanks everybody for the help!

Forwarding also needs to be enabled on the Ubuntu server. Have you done the step below?

Check /etc/sysctl.conf and make sure this line is not commented out:
net.ipv4.ip_forward=1
(you may as well enable IPv6 forwarding for IPv6 support).

If it is still commented out, uncomment that line, then run
sudo sysctl -p

Yup, it’s already on:

root@genepi:/etc/wireguard# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward=1
root@genepi:/etc/wireguard# cat /proc/sys/net/ipv4/ip_forward
1

Also, even if forwarding was not OK, shouldn't the spot become green anyway on the client? Like connected, but no internet? Right now it sounds like it has done the first handshake, but nothing more…

EDIT: I also just redid the key generation and updated all keys, just to be sure it was not a copy/paste mistake at that point… again with the same result :-/

EDIT 2: I am using IPv4 and not IPv6 at all

Strange. How about testing this WireGuard setup with another device (maybe your phone) to find where the problem is. It could be on your server side or on the router side.


Ha, I didn't think about that. It sounds like it is connected, but I never used it on Android before, so I'm not sure. One thing I am sure of is that I do not have internet on my phone; even using IPs instead of domain names, I cannot go anywhere…

In the Android app log I can see "Receiving keepalive packet" every now and then, but nothing else. In the VPN options of Android, it's reported as "connected"…

EDIT: what I've also tried, with no luck:

  • changed 10.0.0.2/24 on the client to /32 to match the Peer section on the server
  • added iptables -A FORWARD -o %i -j ACCEPT to the rules (-i instead of -o)

If another device (Android) also doesn't work, then it is likely that the server side has a problem.
For PostUp I use the line below; I think it is the same as yours (the original one):

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE

I have a question about your server. Is it a cloud server or your personal PC at home? If this server is behind NAT or a control panel (like in Google Cloud) which has its own firewall, then you also need to open the necessary port there as well.

About WireGuard on Android: the status mostly indicates connected even when no packets are received.

@ongkang thanks for confirming my rules; yeah, I think it has to be -i, but I'm no expert with iptables.
As for my server, it's not at home, it's in the cloud, but it's basically a machine that I rent in a data center, on which I have full access, and which has a public IP with all ports open; it is not a VM or anything like that.

I have many Docker containers running there with services, and everything works fine. When I have time, I'll try to stop all the containers, remove Docker's networks and anything else that could maybe interfere with the VPN, and try again…

Had the same problem. But I realized it was my own fault: the PublicKey of [Peer] should contain the public key of the WireGuard server, not the public key of the peer!
The public key of [Interface] is derived from the PrivateKey internally.
Maybe this helps other people who are confused when editing the WireGuard client config manually.

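The mix-up described in the last post can be checked mechanically. What follows is an added example, not code from the thread or from GL.iNet: it reimplements the X25519 public-key derivation that `wg pubkey` performs, parses a wg-quick style client config, and flags a [Peer] whose PublicKey is the interface's own public key rather than the server's. The sample keys are the RFC 7748 section 6.1 test vectors (Alice standing in for the client, Bob for the server), the endpoint hostname is a placeholder, and the parser is deliberately minimal and assumes the [Interface]/[Peer] layout shown in the thread.

```python
"""Added example (not from the thread): flag a wg-quick client config whose
[Peer] PublicKey is the client's own key instead of the server's."""
import base64

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * u as 32 little-endian bytes."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64  # clamp: clear bits 0-2 and 255, set bit 254
    k = int.from_bytes(k, "little")
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_public_key(private_b64: str) -> str:
    """Base64 public key for a base64 private key (what `wg pubkey` prints)."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("a WireGuard private key must decode to 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def parse_wg_config(text: str):
    """(interface dict, [peer dicts]); hand-rolled because [Peer] may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return interface, peers


def check_config(text: str) -> list:
    """Return findings; an empty list means no key mix-up was detected."""
    interface, peers = parse_wg_config(text)
    own_pub = derive_public_key(interface["privatekey"])
    return [f"[Peer] #{i} PublicKey is this interface's own public key; "
            "it must be the server's public key"
            for i, peer in enumerate(peers, 1) if peer.get("publickey") == own_pub]


# RFC 7748 section 6.1 vectors standing in for the client (Alice) and server (Bob).
CLIENT_PRIVATE_B64 = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
CLIENT_PUBLIC_B64 = base64.b64encode(bytes.fromhex(
    "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
SERVER_PUBLIC_B64 = base64.b64encode(bytes.fromhex(
    "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")).decode()

# Constructed client configs laid out like the thread's; only the peer key differs.
WRONG_CONFIG = f"""
[Interface]
PrivateKey = {CLIENT_PRIVATE_B64}
Address = 10.0.0.2/32

[Peer]
PublicKey = {CLIENT_PUBLIC_B64}
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
"""
RIGHT_CONFIG = WRONG_CONFIG.replace(CLIENT_PUBLIC_B64, SERVER_PUBLIC_B64)

if __name__ == "__main__":
    print(check_config(WRONG_CONFIG), check_config(RIGHT_CONFIG))
```

Feeding a real client config file to `check_config` gives the same answer as comparing the output of `wg pubkey` (with the client's private key on stdin) against the PublicKey in the client's [Peer] section: a match means the server's key was never pasted in, which is exactly the state the last post describes. Both sides will still complete nothing, since the server keeps looking for a peer whose key it does not know.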