I’ve used wireguard for a pretty long time on my server and the phone as a client. I’ve had the same configuration for at least 4-5 years and never had issues. Last week I moved to using pihole in a container with a macvlan interface, so it has a different IP address than my physical server. Then I went and changed the DNS server IP on the wireguard config on the phone. When I reconnected I see I can’t connect to any local IP address like I used to and I can’t figure out why.
The local LAN is 10.11.12.0/24, the VPN is on 10.11.13.0/24.
Here’s the server wireguard config:
[Interface]
Address = 10.11.13.1
ListenPort = 11194
PrivateKey = ...
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE
[Peer]
# Galaxy S20+
PublicKey = U59JZqVbk2eFxTb7tteyu0WHlMTZsk68E7CF7v2AX2U=
AllowedIPs = 10.11.13.5/32
[Peer]
# narwhal - T480 job
PublicKey = Ja9OL13IoZA17GJq0/LbwizB9s2dRQLHHgW2C4TcFyY=
AllowedIPs = 10.11.13.7/32
And here’s the phone’s wireguard config:
Address = 10.11.13.5/24
DNS = 10.11.12.55
PrivateKey = ....
[Peer]
AllowedIPs = 10.11.0.0/16
Endpoint = my_dyndns_hostname:11194
PublicKey = 6aF1cJhH9oeQWr9LYOpH3wk+lN4k9/tSiAqV6LkUQ1Y=
I am able to connect and can ping 10.11.12.77, the IP address of the server, but nothing else. I have two RPis running as mpd servers and I used to be able to connect to them too, but not anymore. Their IP addresses are 10.11.12.105 and .106.
Also, before the dns change I was able (of course!) to use the local DNS I set up on the pihole, but now I’m not able to connect to the new DNS (.55) so I can’t get any local address to resolve.
I’m looking for some hints on what I’m doing wrong. Please help.
Coming back to this: it was a case of “did you turn it off and then back on?” I did some server upgrades a day before setting up wireguard and it’s possible there were some changes that needed a reboot. I just rebooted today and everything works as expected.
You only need the masquerade rule.
iptables -t nat -A POSTROUTING -s 10.11.13.0/24 -o enp3s0 -j MASQUERADE
didn’t help, unfortunatelly.
Did you enable forwarding via sysctl?
sysctl net.ipv4.ip_forward
This should report
1
Yes. That was one of the first checks I did.
Try changing your NAT rule to
“iptables -t nat -A POSTROUTING -s 10.11.13.0/24 -o eth1 -j MASQUERADE”
Also try changing your AllowedIPs to 10.11.13.0/24
The other issue may be the ability of the host/server to reach the IP address of the pihole macvlan interface. Have a look at this page, it’s helped me out before -> https://adventurenotvacation.com/2020/12/01/docker-macvlan-and-debian/
Try changing your NAT rule to
“iptables -t nat -A POSTROUTING -s 10.11.13.0/24 -o eth1 -j MASQUERADE”
Also try changing your AllowedIPs to 10.11.13.0/24
In fact I don’t need to access anything on 10.11.12.13.0/24 - that’s the peer to peer wireguard network. I want to be able to connect to any host on 10.11.12.0/24. Adding this network to AllowedIPs I’m now able to connect to .77 (which is my server) and to .1 (the router), but not on any other hosts in the house.
The other issue may be the ability of the host/server to reach the IP address of the pihole macvlan interface. Have a look at this page, it’s helped me out before -> https://adventurenotvacation.com/2020/12/01/docker-macvlan-and-debian/
This is done. I followed the instructions here: https://wiki.omv-extras.org/doku.php?id=omv6:omv6_plugins:docker_compose#how_to_create_a_vlan_with_ip_on_the_same_lan_as_the_host which are the same thing as the article you linked.
… I’m still looking into things.
- Can you show the diff with your previous WG config?
- Is
10.11.12.0/24
also onenp3s0
?
I am able to connect and can ping 10.11.12.77, the IP address of the server, but nothing else
Including the wider internet, if you set your phone’s
AllowedIPs
to 0.0.0.0/0? This makes me think it’s a problem with the NAT, not so much wireguard. Also make sure ipv4 forwarding is enabled:sysctl -w net.ipv4.conf.default.forwarding=1 sysctl -w net.ipv4.conf.enp3s0.forwarding=1
Reading this article might help! I know this is not what you asked, but otherwise, my approach to accessing devices on my LAN is to also include them in the WG VPN - so that they all have an IP address on the VPN subnet (in your case
10.11.13.0/24
). Bonus points for excluding your LAN guests from your selfhosted subnet.Can you show the diff with your previous WG config?
I didn’t have a previous WG config. This is really the problem: I didn’t change anything. It just stopped working. My phone connects to the server and I can ping it, and I’m also able to use the web interface on the server, but I can’t connect to any other host on the network.
This makes me think it’s a problem with the NAT
This is my assumption too. Still looking into it.