r/WireGuard
Establishing a WireGuard VPN Connection to my Remote Linux VPS with a Wireguard Server running

Need Help

Hey,

I have read a lot, but I am running into serious trouble figuring out or troubleshooting what I am doing wrong.

What I am trying to achieve:

I have a Router (running OpenWrt) at Home, which is connected to a Modem that has Internet Access. On that Router, I want to establish a WireGuard VPN Connection to my WireGuard Server on my Linux Ubuntu VPS and route all traffic through the VPN connection.

What I did:

  1. Installed WireGuard on my Linux Ubuntu VPS

  2. Generated a private and public Key, saved them into /etc/wireguard/private.key & public.key

  3. Created a wg0.conf File which is as follows:

[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on ens3
PostUp = iptables -t nat -I POSTROUTING -o ens3 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ens3
PreDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820
PrivateKey = </etc/wireguard/private.key from WireGuardServer Value>

  4. Created & Started the WireGuard Service using systemctl start wg-quick (systemctl start wg-quick@wg0.service)

Status:

wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
 Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
 Active: active (exited) since Fri 2024-02-09 13:00:42 UTC; 57s ago
   Docs: man:wg-quick(8)
         man:wg(8)
         https://www.wireguard.com/
         https://www.wireguard.com/quickstart/
         https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
         https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 27029 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 27029 (code=exited, status=0/SUCCESS)
CPU: 277ms

Feb 09 13:00:41 ubuntu systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Feb 09 13:00:41 ubuntu wg-quick[27029]: [#] ip link add wg0 type wireguard
Feb 09 13:00:41 ubuntu wg-quick[27029]: [#] wg setconf wg0 /dev/fd/63
Feb 09 13:00:41 ubuntu wg-quick[27029]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Feb 09 13:00:41 ubuntu wg-quick[27029]: [#] ip link set mtu 1420 up dev wg0
Feb 09 13:00:42 ubuntu wg-quick[27029]: [#] ufw route allow in on wg0 out on ens3
Feb 09 13:00:42 ubuntu wg-quick[27059]: Rule added
Feb 09 13:00:42 ubuntu wg-quick[27059]: Rule added (v6)
Feb 09 13:00:42 ubuntu wg-quick[27029]: [#] iptables -t nat -I POSTROUTING -o ens3 -j MASQUERA>
Feb 09 13:00:42 ubuntu systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

My Network interface on that VPS is called "eth3".

Now, when I come to my OpenWrt Router, here is where I am getting confused. Here is what I did:

  1. Installed wireguard-tools, kmod-wireguard, luci-app-wireguard, luci-i18n-wireguard-en, luci-proto-wireguard packages on the Router

  2. Created a WireGuard Interface

  3. Generated a Private/Public Key Pair for the Interface

  4. Added 10.8.0.2/24 as IP address

  5. Under "Peers" created a new Peer (if I understand correctly, I should enter the Information of my VPS (which is running the WireGuard VPN Server) because that's the peer?)

  6. Entered the Public Key of my WireGuard VPN Server under "Public Key"

  7. Entered 10.8.0.0/24 under "Allowed IPs"

  8. Entered the result of "ip route list table main default" of my WireGuard Server as the "Endpoint Host" (which is different from the Public IP of my VPS. My public VPS's IP is XXX.XX.209.79, while it outputs XXX.XX.208.1 in the ip route list table main default command for my ens3 network interface)

  9. Entered the Port, that it is in wg0.conf of the WireGuard Server (51820) into "Endpoint Port"

  10. Set Persistent Keep Alive to 25

  11. Ticked "Route Allowed IPs" (apparently creates routes for Allowed IPs for this peer)

Firewall:

  1. Created a FW Zone called "vpnblu1", with following settings:

Input: reject
Output: accept
Forward: reject
Masquerading: true
MSS clamping: true
Covered Networks: <the interface I earlier created>
Allow forward to destination zones: NULL
Allow forward from source zones: lan

  2. Edited my lan -> wan Forwarding:

Changed from

Allow forward to destination zones: wan
Allow forward from source zones: NULL

to

Allow forward to destination zones: vpnblu1, wan

Allow forward from source zones: wan

Wireguard Server:

  1. Edited wg0.conf, by adding following lines to the bottom:

[Peer]
PublicKey = <publicKey of the OpenWrt Interface>
AllowedIPs = 10.8.0.2/32

Now, whenever I try to connect to anything, it is not using the WireGuard VPN, but just normally routes through my original IP. Why does this happen and what am I doing wrong? I don't even know what exactly to troubleshoot.

  1. The WireGuard Server apparently runs, but how can I check if I can actually reach it from the outside?

  2. How can I know if my Firewall Zones are configured properly?

  3. How can I know if my VPN Interface is set up correctly?

  4. How can I know, if I forgot something in the wg0.conf? Some other people had more Rows under the "Peer" section, for example the "Endpoint" Key. What value should I enter here (on the WireGuard Server side), the Public IP of my internet connection?

Thanks for any help in advance

[deleted]

Have you considered Wireguard via raspberry pi instead of on the router? Dead easy

Short Addition: I updated the "Endpoint" within the "Peer" Tab of my OpenWrt Router Interface to the public IP of my Linux VPS, and also updated the wg0.conf File on the Linux VPS, by adding

Endpoint = <public IP of the Linux VPS>:51820

at the End of the File, which then resulted in the WireGuard Status of my OpenWrt Router being as follows:

Public Key: <redacted>
Endpoint: <redacted>:51820
Allowed IPs: 10.8.0.0/24
Persistent Keepalive: 25s
Latest Handshake: Fri, 09 Feb 2024 13:36:02 GMT (29s ago)
Data Received: 460 B
Data Transmitted: 1.54 KiB

So there definitely was a connection now, but no data is being transmitted. Everything still routes through my original IP.

Can you ping both tunnel IPs from both sides? What does "route -n" output on the OpenWrt router?
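The status above shows the three things worth separating when a tunnel "connects but nothing goes through it": whether a handshake ever happened, whether any bytes come back, and which destinations the router's AllowedIPs actually send into the tunnel (WireGuard only routes traffic for the prefixes listed there, so 10.8.0.0/24 alone never carries default-route traffic). The script below is an added example, not code from the thread; it classifies each peer from the tab-separated output of `wg show wg0 dump`, and the sample dump, keys, endpoints and byte counts are constructed placeholders modelled on the figures in the status above.

```python
import ipaddress
import time

STALE_AFTER = 180  # seconds; a live peer re-handshakes at least every ~2 minutes
# Constructed sample in `wg show wg0 dump` format (tab-separated), as seen from
# the OpenWrt side; keys, endpoints and the last two peers are placeholders.
SAMPLE_DUMP = "\n".join([
    "PRIVKEY_PLACEHOLDER\tPUBKEY_ROUTER\t51820\toff",
    # VPS peer as in the status above: fresh handshake, bytes both ways, AllowedIPs = tunnel subnet only
    "PUBKEY_VPS\t(none)\t203.0.113.10:51820\t10.8.0.0/24\t1707485762\t460\t1578\t25",
    # peer that never completed a handshake (wrong endpoint/port or key mismatch)
    "PUBKEY_DEAD\t(none)\t203.0.113.11:51820\t10.8.0.0/24\t0\t0\t1480\t25",
    # full-tunnel peer: default route inside AllowedIPs and traffic both ways
    "PUBKEY_FULL\t(none)\t203.0.113.12:51820\t0.0.0.0/0,::/0\t1707485780\t9000\t7000\t25",
])

def parse_wg_dump(text):
    """Parse `wg show <iface> dump`: first line is the interface, the rest are peers."""
    peers = []
    for ln in text.strip().splitlines()[1:]:
        f = ln.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [] if f[3] == "(none)" else f[3].split(","),
            "latest_handshake": int(f[4]),  # unix time, 0 = never
            "rx": int(f[5]), "tx": int(f[6]),
        })
    return peers

def routes_everything(allowed_ips):
    """True only if AllowedIPs (the cryptokey routing table) holds an IPv4 default route."""
    nets = [ipaddress.ip_network(p, strict=False) for p in allowed_ips]
    return any(n.version == 4 and n.prefixlen == 0 for n in nets)

def diagnose(peer, now=None):
    """Return the first failure stage that applies to a peer, or 'ok'."""
    now = time.time() if now is None else now
    if peer["latest_handshake"] == 0:
        return "no-handshake"       # endpoint/port unreachable or keys don't match
    if now - peer["latest_handshake"] > STALE_AFTER:
        return "stale-handshake"    # worked once; UDP path or keepalive broke since
    if peer["rx"] == 0:
        return "no-return-traffic"  # far side is not forwarding/masquerading back
    if not routes_everything(peer["allowed_ips"]):
        return "partial-tunnel"     # only the AllowedIPs prefixes use the tunnel
    return "ok"

def diagnose_dump(text, now=None):
    return {p["public_key"]: diagnose(p, now) for p in parse_wg_dump(text)}
```

Run it against real output with `diagnose_dump(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True))` on the router; "partial-tunnel" for the VPS peer means the handshake is fine and the remaining question is what AllowedIPs covers, not reachability.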