Cannot access Internet after connecting to WireGuard VPN

I'm setting up a WireGuard VPN on my Fedora server and connecting to it from my Fedora laptop client.

But I cannot ping the server address (10.0.0.1) from the client first. If I first ping the client address (10.0.0.2) from the server, then the reverse direction succeeds. Additionally, the client cannot access the Internet: it cannot ping an Internet IP or domain name (like 162.14.77.208 or www.bing.com).

Since I want all my client traffic to go through the VPN, is there any way to fix this? Thanks in advance.

Server-side config:

[Interface]
Address = 10.0.0.1/24, fd16:16:16::1/64
ListenPort = 51820
PrivateKey = <server privkey>
PostUp     = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown   = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade

[Peer]
PublicKey = <client pubkey>
AllowedIPs = 10.0.0.2/32, fd16:16:16::2/128
Endpoint = 192.168.1.2:51820

Client-side config:

[Interface]
Address = 10.0.0.2/24, fd16:16:16::2/64
ListenPort = 51820
PrivateKey = <client privkey>

[Peer]
PublicKey = <server pubkey>
Endpoint = 192.168.1.124:51820
AllowedIPs = 0.0.0.0/0, ::/0

Server-side other info:

# before manually pinging the client
root@fedora:/etc/wireguard# wg
interface: wg0
  public key: ...
  private key: (hidden)
  listening port: 51820

peer: ...
  endpoint: 192.168.1.2:51820
  allowed ips: 10.0.0.2/32, fd16:16:16::2/128

# after manually pinging the client
# handshake is established now
root@fedora:/etc/wireguard# wg
interface: wg0
  public key: ...
  private key: (hidden)
  listening port: 51820

peer: ...
  endpoint: 192.168.1.2:51820
  allowed ips: 10.0.0.2/32, fd16:16:16::2/128
  latest handshake: 5 seconds ago
  transfer: 308 B received, 220 B sent



root@fedora:/etc/wireguard# firewall-cmd --list-all-zones
FedoraServer (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: wg0 wlp1s0
  sources: 
  services: dhcpv6-client ssh
  ports: 2022/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

FedoraWorkstation
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

block
  target: %%REJECT%%
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns ssh
  ports: 5001/tcp 51820/udp
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Client-side other info:

# handshake established normally
# no need to ping server manually
[root@pairface wireguard]# wg
interface: wg0
  public key: ...
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: ...
  endpoint: 192.168.1.124:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 10 seconds ago
  transfer: 124 B received, 6.19 KiB sent


You need to modify the active zone, i.e. FedoraServer, not public.
It is best to make the changes permanent to avoid problems on reload.

Thanks. I changed to --permanent --zone=FedoraServer and now the client can ping the server right on connection.

But it still cannot access the Internet. I tried disabling other proxy settings and unset related env vars and it doesn’t work.

Server-side sysctl config if needed (I have used this from the beginning, but forgot to mention):

root@fedora:/home/pairman# cat /etc/sysctl.d/999-local.conf 
fs.file-max=1048576
fs.inotify.max_user_instances=1048576
fs.inotify.max_user_watches=1048576
fs.nr_open=1048576
net.core.default_qdisc=fq
net.core.netdev_max_backlog=1048576
net.core.rmem_max=16777216
net.core.somaxconn=65535
net.core.wmem_max=16777216
net.ipv4.ip_forward=1
net.ipv4.ip_local_port_range=1024 65535
net.ipv4.tcp_fin_timeout=5
net.ipv4.tcp_max_orphans=1048576
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_slow_start_after_idle=0
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_wmem=4096 65535 16777216
net.ipv6.conf.all.forwarding=1
net.ipv6.ip6frag_high_thresh=16777216
net.ipv6.ip6frag_low_thresh=12582912
net.ipv6.ip6frag_time=60
net.ipv6.neigh.default.gc_interval=60
net.ipv6.neigh.default.gc_stale_time=120
net.ipv6.neigh.default.gc_thresh1=1024
net.ipv6.neigh.default.gc_thresh2=2048
net.ipv6.neigh.default.gc_thresh3=4096
net.ipv6.route.gc_interval=60
net.ipv6.route.gc_thresh=4096
net.ipv6.xfrm6_gc_thresh=65536
net.netfilter.nf_conntrack_max=1048576
net.nf_conntrack_max=1048576
vm.max_map_count=1048576
vm.min_free_kbytes=65535
vm.overcommit_memory=1
vm.swappiness=0
vm.vfs_cache_pressure=50

It is recommended to assign the interfaces to different zones and then create a forwarding policy:
NAT router with 2 interfaces, how to do with firewalld and Centos 9 Stream - #5 by vgaetera

Thanks. I assigned interface wg0 to internal and created a NAT policy.

But my client still cannot access Internet.

internal-fserver (active)
  priority: -1
  target: ACCEPT
  ingress-zones: internal
  egress-zones: FedoraServer
  services: 
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

root@fedora:/home/pairman# firewall-cmd --get-active-zones
FedoraServer (default)
  interfaces: wlp1s0
internal
  interfaces: wg0
root@fedora:/home/pairman# firewall-cmd --zone=FedoraServer --query-masquerade
yes
root@fedora:/home/pairman# ip route
default via 192.168.1.1 dev wlp1s0 proto dhcp src 192.168.1.124 metric 600 
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1 
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.124 metric 600 

sudo firewall-cmd --permanent --policy=internal-fserver \
    --add-rich-rule="rule family=ipv6 masquerade"
sudo firewall-cmd --reload

If the issue persists, check traceroute from the client to some host on the Internet by IPv4 and IPv6 separately.

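The three answers in this thread (open the listen port on the zone that really owns the interface, NAT through a policy between the tunnel zone and the uplink zone, and add an IPv6 masquerade rich rule because firewalld's masquerade flag only covers IPv4) form one checklist. The Python below is an added example, not code from this thread or from firewalld: it parses the text that `firewall-cmd --list-all-zones`, `firewall-cmd --policy=NAME --list-all` and `sysctl -n KEY` print, and returns the firewall-cmd/sysctl commands that are still missing. The sample listings are constructed, trimmed copies of the output posted above; `wg0`, `wlp1s0` and the zone and policy names come from the thread, while the naming scheme for a policy that does not exist yet and the `live_plan` wrapper (run as root on firewalld 1.0 or newer, which introduced policies) are my assumptions.

```python
"""Find the firewalld/sysctl pieces a WireGuard gateway is still missing (added
example for this thread, not firewalld's or the poster's code; see lead-in)."""
import re
import subprocess
from dataclasses import dataclass, field

KV_RE = re.compile(r"^\s*([a-z][a-z -]*?):\s*(.*)$")          # e.g. "  masquerade: yes"
IPV6_MASQ_RE = re.compile(r'^rule family="?ipv6"? masquerade$')
SYSCTL_KEYS = ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding")


@dataclass
class Block:
    """One zone or policy as printed by `firewall-cmd ... --list-all`."""
    name: str
    fields: dict = field(default_factory=dict)   # key -> whitespace-split tokens
    rich_rules: list = field(default_factory=list)

    def has(self, key, token):
        return token in self.fields.get(key, [])

    @property
    def masquerade(self):                         # firewalld's masquerade flag is IPv4-only
        return self.fields.get("masquerade") == ["yes"]


def parse_block(text):
    """First line is the name; rich rules are the indented lines after 'rich rules:'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    blk, current = Block(lines[0].split()[0]), None
    for ln in lines[1:]:
        m = KV_RE.match(ln)
        if m:
            current = m.group(1)
            blk.fields[current] = m.group(2).split()
        elif current == "rich rules":
            blk.rich_rules.append(ln.strip())
    return blk


def parse_zones(text):
    """`--list-all-zones` prints every zone, separated by blank lines."""
    return [parse_block(c) for c in re.split(r"\n\s*\n", text.strip()) if c.strip()]


def plan_fixes(zones, policies, sysctl, wg_if="wg0", uplink_if="wlp1s0", port="51820/udp"):
    """Commands still needed for wg_if -> uplink_if forwarding and NAT ([] means none)."""
    cmds = [f"sysctl -w {k}=1" for k in SYSCTL_KEYS if sysctl.get(k) != "1"]
    wg_zone = next((z for z in zones if z.has("interfaces", wg_if)), None)
    up_zone = next((z for z in zones if z.has("interfaces", uplink_if)), None)
    if wg_zone is None or up_zone is None:
        raise ValueError(f"{wg_if} or {uplink_if} is not bound to any zone")
    if not up_zone.has("ports", port):   # the handshake must reach ListenPort on the uplink's zone
        cmds.append(f"firewall-cmd --permanent --zone={up_zone.name} --add-port={port}")
    if wg_zone is up_zone:               # one zone for both interfaces: NAT on the zone
        nat, target = up_zone, f"--zone={up_zone.name}"
    else:                                # two zones: NAT on the policy that joins them
        nat = next((p for p in policies if p.has("ingress-zones", wg_zone.name)
                    and p.has("egress-zones", up_zone.name)), None)
        if nat is None:   # assumption: a missing policy is named "<ingress>-<egress>"
            nat = Block(f"{wg_zone.name}-{up_zone.name}")
            cmds += [f"firewall-cmd --permanent --new-policy={nat.name}",
                     f"firewall-cmd --permanent --policy={nat.name} --add-ingress-zone={wg_zone.name}",
                     f"firewall-cmd --permanent --policy={nat.name} --add-egress-zone={up_zone.name}",
                     f"firewall-cmd --permanent --policy={nat.name} --set-target=ACCEPT"]
        target = f"--policy={nat.name}"
    if not nat.masquerade:
        cmds.append(f"firewall-cmd --permanent {target} --add-masquerade")
    if not any(IPV6_MASQ_RE.match(r) for r in nat.rich_rules):
        cmds.append(f"firewall-cmd --permanent {target} --add-rich-rule='rule family=ipv6 masquerade'")
    return cmds + ["firewall-cmd --reload"] if cmds else []


def live_plan(wg_if="wg0", uplink_if="wlp1s0"):
    """Run the planner on this host (root; firewalld >= 1.0, which introduced policies)."""
    run = lambda *a: subprocess.run(a, check=True, capture_output=True, text=True).stdout
    zones = parse_zones(run("firewall-cmd", "--list-all-zones"))
    policies = [parse_block(run("firewall-cmd", f"--policy={p}", "--list-all"))
                for p in run("firewall-cmd", "--get-policies").split()]
    sysctl = {k: run("sysctl", "-n", k).strip() for k in SYSCTL_KEYS}
    return plan_fixes(zones, policies, sysctl, wg_if, uplink_if)


# Constructed samples, trimmed from the listings posted in this thread.
ZONES_BEFORE = ("FedoraServer (default, active)\n  interfaces: wg0 wlp1s0\n  ports: 2022/tcp\n"
                "  masquerade: no\n  rich rules:\n\npublic\n  interfaces:\n"
                "  ports: 5001/tcp 51820/udp\n  masquerade: yes\n  rich rules:\n")
ZONES_AFTER = ("FedoraServer (default, active)\n  interfaces: wlp1s0\n  ports: 2022/tcp 51820/udp\n"
               "  masquerade: yes\n  rich rules:\n\ninternal (active)\n  interfaces: wg0\n"
               "  masquerade: no\n  rich rules:\n")
POLICY_AFTER = ("internal-fserver (active)\n  ingress-zones: internal\n  egress-zones: FedoraServer\n"
                "  masquerade: yes\n  rich rules:\n")
POLICY_FIXED = POLICY_AFTER + '\trule family="ipv6" masquerade\n'   # --list-all after the fix
SYSCTL_OK = {k: "1" for k in SYSCTL_KEYS}

if __name__ == "__main__":
    print("\n".join(live_plan()) or "nothing to do")
```

Against the first listing in the thread (wg0 and wlp1s0 both in FedoraServer, masquerade only on the unused public zone) the planner emits the add-port, add-masquerade and IPv6 rich-rule commands for FedoraServer; against the later layout (wg0 in internal, policy internal-fserver with masquerade) it emits only the IPv6 rich rule and the reload, which is the step this thread ended on. `sysctl -w` changes the running kernel only; keep the values in /etc/sysctl.d as the server in this thread already does.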

Thanks so much! I can finally access the Internet. I didn't know this affected v4 ping, though.
