Trouble setting up Wireguard

I’m trying to set up WireGuard. The problem is, I can’t connect to any remote IPs if my WireGuard NetworkManager profile is active. ping 8.8.8.8 fails. Pinging my server’s local IP does work, though.

Server

/etc/wireguard/wg0.conf:

[Interface]
Address    = 192.168.2.1/24, fd00:7::1/48
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp     = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown   = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade
ListenPort = 51820
DNS        = 1.1.1.1,8.8.8.8

[Peer]
PublicKey    = <CLIENT_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
AllowedIPs   = 192.168.0.1/24

This is the output of systemctl status wg-quick@wg0.service:

● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (exited) since Thu 2023-11-02 21:19:48 PDT; 8min ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 56215 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 56215 (code=exited, status=0/SUCCESS)
        CPU: 199ms

Nov 02 21:19:48 haddock wg-quick[56227]: Warning: AllowedIP has nonzero host part: 192.168.0.1/24
Nov 02 21:19:48 haddock wg-quick[56215]: [#] ip -4 address add 192.168.2.1/24 dev wg0
Nov 02 21:19:48 haddock wg-quick[56215]: [#] ip -6 address add fd00:7::1/48 dev wg0
Nov 02 21:19:48 haddock wg-quick[56215]: [#] ip link set mtu 1420 up dev wg0
Nov 02 21:19:48 haddock wg-quick[56238]: [#] resolvconf -a wg0 -m 0 -x
Nov 02 21:19:48 haddock wg-quick[56215]: [#] ip -4 route add 192.168.0.0/24 dev wg0
Nov 02 21:19:48 haddock wg-quick[56215]: [#] firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
Nov 02 21:19:48 haddock wg-quick[56255]: success
Nov 02 21:19:48 haddock wg-quick[56257]: success
Nov 02 21:19:48 haddock systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.

I have this in /etc/sysctl.d/wireguard-packet-forwarding.conf:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Output of ip route:

default via 192.168.1.1 dev enp37s0 proto dhcp src 192.168.1.184 metric 100
192.168.0.0/24 dev wg0 scope link
192.168.1.0/24 dev enp37s0 proto kernel scope link src 192.168.1.184 metric 100
192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.1

Client

I have this for my NetworkManager profile configuration:

connection.id:                          wg0
connection.uuid:                        1ddef818-1b7a-4ab3-9658-e87dc9e24662
connection.stable-id:                   --
connection.type:                        wireguard
connection.interface-name:              wg0
connection.autoconnect:                 no
connection.autoconnect-priority:        0
connection.autoconnect-retries:         -1 (default)
connection.multi-connect:               0 (default)
connection.auth-retries:                -1
connection.timestamp:                   1698985289
connection.read-only:                   no
connection.permissions:                 --
connection.zone:                        --
connection.master:                      --
connection.slave-type:                  --
connection.autoconnect-slaves:          -1 (default)
connection.secondaries:                 --
connection.gateway-ping-timeout:        0
connection.metered:                     unknown
connection.lldp:                        default
connection.mdns:                        -1 (default)
connection.llmnr:                       -1 (default)
connection.dns-over-tls:                -1 (default)
connection.mptcp-flags:                 0x0 (default)
connection.wait-device-timeout:         -1
connection.wait-activation-delay:       -1
ipv4.method:                            manual
ipv4.dns:                               1.1.1.1
ipv4.dns-search:                        --
ipv4.dns-options:                       --
ipv4.dns-priority:                      0
ipv4.addresses:                         192.168.2.2/32
ipv4.gateway:                           --
ipv4.routes:                            --
ipv4.route-metric:                      -1
ipv4.route-table:                       0 (unspec)
ipv4.routing-rules:                     --
ipv4.replace-local-rule:                -1 (default)
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-iaid:                         --
ipv4.dhcp-timeout:                      0 (default)
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.dhcp-hostname-flags:               0x0 (none)
ipv4.never-default:                     no
ipv4.may-fail:                          yes
ipv4.required-timeout:                  -1 (default)
ipv4.dad-timeout:                       -1 (default)
ipv4.dhcp-vendor-class-identifier:      --
ipv4.link-local:                        0 (default)
ipv4.dhcp-reject-servers:               --
ipv4.auto-route-ext-gw:                 -1 (default)
ipv6.method:                            manual
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       --
ipv6.dns-priority:                      0
ipv6.addresses:                         fd00:7::2/48
ipv6.gateway:                           --
ipv6.routes:                            --
ipv6.route-metric:                      -1
ipv6.route-table:                       0 (unspec)
ipv6.routing-rules:                     --
ipv6.replace-local-rule:                -1 (default)
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.required-timeout:                  -1 (default)
ipv6.ip6-privacy:                       -1 (unknown)
ipv6.addr-gen-mode:                     default
ipv6.ra-timeout:                        0 (default)
ipv6.mtu:                               auto
ipv6.dhcp-duid:                         --
ipv6.dhcp-iaid:                         --
ipv6.dhcp-timeout:                      0 (default)
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.dhcp-hostname-flags:               0x0 (none)
ipv6.auto-route-ext-gw:                 -1 (default)
ipv6.token:                             --
wireguard.private-key:                  <hidden>
wireguard.private-key-flags:            0 (none)
wireguard.listen-port:                  0
wireguard.fwmark:                       0x0
wireguard.peer-routes:                  yes
wireguard.mtu:                          0
wireguard.ip4-auto-default-route:       -1 (default)
wireguard.ip6-auto-default-route:       -1 (default)
proxy.method:                           none
proxy.browser-only:                     no
proxy.pac-url:                          --
proxy.pac-script:                       --

Output of ip route:

default via 192.168.1.1 dev wlp170s0 proto dhcp src 192.168.1.13 metric 600
192.168.1.0/24 dev wlp170s0 proto kernel scope link src 192.168.1.13 metric 600

I tried disabling firewalld.

Try connecting and check the output:

sudo wg show

Sure.

Server:

interface: wg0
  public key: E8P0gHX0wJpBorjKK7i2mdWI9S7ZcW7XZt5ebf+Ve3I=
  private key: (hidden)
  listening port: 51820

peer: 4nP2TLM5fOwWIbnKXRTIwtCAP6MS9vQkWgR7pH650zY=
  preshared key: (hidden)
  endpoint: 192.168.1.1:45341
  allowed ips: 192.168.0.0/24
  latest handshake: 23 seconds ago
  transfer: 2.29 KiB received, 3.01 KiB sent

Client:

interface: wg0
  public key: 4nP2TLM5fOwWIbnKXRTIwtCAP6MS9vQkWgR7pH650zY=
  private key: (hidden)
  listening port: 45341
  fwmark: 0xcc3d

peer: E8P0gHX0wJpBorjKK7i2mdWI9S7ZcW7XZt5ebf+Ve3I=
  preshared key: (hidden)
  endpoint: 71.212.123.135:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 17 seconds ago
  transfer: 124 B received, 46.64 KiB sent
  persistent keepalive: every 30 seconds

What command output that info on wg0? It’s not wg show.

I typed sudo wg show on both my client and server, and this is exactly what it output.

Interesting, I do not see anything like that on my F38 system with WireGuard.

What I get is this (I replaced the keys with <key>).

$ wg show
interface: wg0
  public key: <key>
  private key: (hidden)
  listening port: 51820

peer: <key>
  allowed ips: 172.16.4.2/32

peer: <key>
  allowed ips: 172.16.4.3/32

peer: <key>
  allowed ips: 172.16.4.4/32

peer: <key>
  allowed ips: 172.16.4.5/32

peer: <key>
  allowed ips: 172.16.4.6/32

And this is the RPM that wg comes from.

$ rpm -qf /usr/bin/wg
wireguard-tools-1.0.20210914-4.fc38.x86_64

Do you have wg from somewhere else?

Is that your server or client? I just installed wireguard-tools and that’s what I got wg from. I’m on Fedora 38 as well.

Change it like this:

AllowedIPs = 192.168.2.2/32

It was on my server.

Reading the man page, I wonder if the difference is that wg show only shows properties that have been set up in the config.

That fixed it, thanks! Do you know why that fixed it?

The AllowedIPs must cover the Address of the respective peer or the network behind it.
This is necessary for WireGuard cryptokey routing to work correctly.
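To make the cryptokey-routing rule concrete, here is an added Python checker (not part of this thread and not WireGuard's own tooling) that parses a wg-quick style config and reports the two problems the thread turned on: an AllowedIPs entry with a nonzero host part (the warning wg-quick printed in the journal) and a peer whose tunnel address is not covered by its AllowedIPs, which is why the server silently dropped the client's traffic. The sample config is reconstructed from the server's wg0.conf above with placeholder keys, and the client addresses are the ones from the NetworkManager profile; both are constructed inputs, not captured from a live system.

```python
import ipaddress

# Constructed sample: the server-side wg-quick config from the thread, with the
# original AllowedIPs line that produced "AllowedIP has nonzero host part".
SERVER_CONF_BROKEN = """\
[Interface]
Address    = 192.168.2.1/24, fd00:7::1/48
PrivateKey = <SERVER_PRIVATE_KEY>
ListenPort = 51820
DNS        = 1.1.1.1,8.8.8.8

[Peer]
PublicKey    = <CLIENT_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
AllowedIPs   = 192.168.0.1/24
"""

# The same config after applying the fix suggested in the thread.
SERVER_CONF_FIXED = SERVER_CONF_BROKEN.replace("192.168.0.1/24", "192.168.2.2/32")

# Tunnel addresses the client configures on its own wg0 (from the NM profile).
CLIENT_ADDRESSES = ["192.168.2.2/32", "fd00:7::2/48"]


def parse_wg_conf(text):
    """Parse an INI-like wg-quick config into (interface dict, list of peer dicts).

    Keys are lower-cased; values are kept as raw strings. '#' starts a comment.
    Only the first '=' splits key from value, so PostUp lines containing
    '--zone=public' survive intact.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def check_peer_allowed_ips(server_conf, peer_addresses):
    """Return a list of findings (strings); an empty list means no problems.

    peer_addresses: the addresses the remote peer assigns to its tunnel
    interface. Every one of them must fall inside the peer's AllowedIPs,
    otherwise cryptokey routing discards packets arriving from that source.
    """
    _interface, peers = parse_wg_conf(server_conf)
    findings = []
    for n, peer in enumerate(peers, 1):
        allowed = [
            ipaddress.ip_interface(v.strip())
            for v in peer.get("allowedips", "").split(",")
            if v.strip()
        ]
        # wg masks the host bits away, so 192.168.0.1/24 really means
        # 192.168.0.0/24; flag it the same way wg-quick does.
        for entry in allowed:
            if entry.ip != entry.network.network_address:
                findings.append(
                    f"peer {n}: AllowedIP {entry} has nonzero host part "
                    f"(wg will use {entry.network})"
                )
        nets = [entry.network for entry in allowed]
        for addr in peer_addresses:
            ip = ipaddress.ip_interface(addr).ip
            # 'in' is False across address families, so an IPv6 address is
            # never considered covered by an IPv4 AllowedIPs entry.
            if not any(ip in net for net in nets):
                findings.append(
                    f"peer {n}: client address {ip} is not covered by AllowedIPs "
                    f"{', '.join(map(str, nets)) or '(none)'}; its packets are dropped"
                )
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", SERVER_CONF_BROKEN), ("fixed", SERVER_CONF_FIXED)):
        print(f"== {label} ==")
        for finding in check_peer_allowed_ips(conf, CLIENT_ADDRESSES) or ["ok"]:
            print(finding)
```

Run against the original config the checker reports both the nonzero-host-part warning and that 192.168.2.2 is outside 192.168.0.0/24; with the fixed line the IPv4 findings disappear. It still reports fd00:7::2 as uncovered, because the fix only added the client's IPv4 address: the IPv6 side of the tunnel would need its own entry (for example fd00:7::2/128) in the peer's AllowedIPs before it routes.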
