4mo ago

[Solved] Can't connect to host after enabling WireGuard tunnel

I installed WireGuard on my host and set this configuration /etc/wireguard/wg0.conf:

 undefined

    
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [REDACTED]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE


[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.4/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.5/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.6/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.7/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.8/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.9/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.10/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.11/32

Nmap scan when wg0 is down:

 undefined

    
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:26 CDT
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT    STATE    SERVICE
22/tcp  open     ssh
179/tcp filtered bgp

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Nmap scan when wg0 is up:

 undefined

    
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:27 CDT
All 1000 scanned ports are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 201.43 seconds

I also cannot connect to host via ssh. How to fix this issue?

Upd. Fixed my changing server WireGuard IP to 10.0.1.1. 10.0.0.1 was already taken

19 comments

Because the default route is changing. You have ALL traffic being routed over Wireguard here. How would you expect that to allow the interface routing to work for the local network if you're telling this to punt all traffic to this specific connection?
- You have ALL traffic being routed over Wireguard here.
  Please correct me if I'm wrong, but isn't it the other way around? All Wireguard traffic is forwarded to the local interface.
  
  AllowdIPs defines the traffic to be routed. These are single IPs, not subnets.
  Edit: discussion talking about this same problem to illustrate: https://forum.gl-inet.com/t/split-tunnel-via-vpn-policy-or-via-wireguard-allowedips-config/31318
- I removed all PostUp rules and cleared iptables but still the same problem
  
  Well, I mean...I can't give you an entire tutorial on how Wireguard works here, but you have it way wrong.
  If you're not sure of the concepts and what you're trying to do, I don't know how to answer any questions for you. If you're not familiar with what split-tunneling, subnet routing, and routing tables...you need to get way familiar before you start messing with this.
  Your rules aren't the problem. You're only allowing a single IP at a time across many connections here. Learn to read your routing tables and debug from there.

What does your client config look like? What IP are you connecting to for nmap/ssh?
- I didn't connect any client yet.
  
  Ah - I see.
  I can never remember how all the iptables stuff works but here is what I have in my configuration which is basically attempting the same thing:
  undefined
  
  PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
  Mine's a little different and works for me.

I think the problem might be your PostUp/PostDown lines have an in-interface (-i) but are missing an out-interface (-o) for the forwarding. Try this:
undefined

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

19 comments