# [solved] help me with wireguard connection

## 389292

I'm trying to switch to the WireGuard VPN protocol. I've installed wireguard and loaded its kernel module (`wg` and `wg-quick` are available). I'm using www.mullvad.net; on the site I added my private keys and generated the config file here https://mullvad.net/en/download/wireguard-config/. If I try to run that config with `wg-quick up /etc/wireguard/mullvad-de1.conf` I get:

```
[#] ip link add mullvad-de1 type wireguard
[#] wg setconf mullvad-de1 /dev/fd/63
[#] ip -4 address add 10.65.63.219/32 dev mullvad-de1
[#] ip link set mtu 1420 up dev mullvad-de1
[#] resolvconf -a mullvad-de1 -m 0 -x
[#] wg set mullvad-de1 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad-de1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.4 (legacy): iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d mullvad-de1 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-de1
```

What should I do next? I didn't mess with the network interface or OpenRC services, because I couldn't find a comprehensive guide on what to do. And why do they call it easier to use? OpenVPN was much easier to set up for me...

--

kernel: https://termbin.com/j339

Last edited by 389292 on Wed Jan 08, 2020 5:28 pm; edited 1 time in total

----------

## 389292

After enabling anything I could find in the kernel related to this (IPv6, CONFIG_NETFILTER_XT_MARK, CONFIG_NETFILTER_XT_CONNMARK, CONFIG_IP6_NF_RAW, CONFIG_IP_NF_RAW)

I get this:

```
wg-quick up mullvad-se1
[#] ip link add mullvad-se1 type wireguard
[#] wg setconf mullvad-se1 /dev/fd/63
[#] ip -4 address add 10.65.69.124/32 dev mullvad-se1
[#] ip link set mtu 1420 up dev mullvad-se1
[#] resolvconf -a mullvad-se1 -m 0 -x
[#] wg set mullvad-se1 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad-se1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.4 (legacy): Couldn't load match `addrtype':No such file or directory
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d mullvad-se1 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-se1
```

This guy didn't have any issues and his setup was very easy; is it something with my particular system? I'm running unstable.

https://hund0b1.gitlab.io/2019/11/20/how-i-got-started-with-wireguard-in-gentoo-linux.html

----------

## 389292

Finally, after carefully following through all of these options in the kernel, I have a connection running.

https://wiki.gentoo.org/wiki/User:Maffblaster/Drafts/WireGuard

https://wiki.gentoo.org/wiki/Iptables

https://wiki.gentoo.org/wiki/IPSet

I assume my problem was in the iptables kernel configuration. When I couldn't find some options, I ignored them or enabled the semantically closest one I could find.

I won't mark it solved for now, as I haven't set up autorun during boot yet. If I have problems with that I will ask later.
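The two `iptables-restore` failures quoted in the posts above come from the rules wg-quick loads itself when `AllowedIPs` contains `0.0.0.0/0` (a `raw` PREROUTING rule using `-m addrtype` and `mangle` rules using `-m mark` and the CONNMARK target), so the missing pieces are specific netfilter Kconfig symbols rather than anything in wireguard itself. The script below is an added example, not code from the thread or from the Gentoo wiki pages linked above: it maps an `iptables-restore` error line to the kernel symbol behind it and checks a kernel `.config` for every symbol wg-quick's own rules and the hand-written kill-switch rules later in this thread need. The function names and the grouping into two lists are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: map the two iptables-restore failures
# quoted above to the kernel symbols behind them, and check a kernel .config
# for everything wg-quick's own rules (raw and mangle tables, addrtype, mark
# and CONNMARK) and the kill-switch rules later in the thread (conntrack,
# multiport, REJECT) need. Function names are this example's own.

# Kconfig symbol behind an iptables table, match or target (IPv4 set; the
# IPv6 twins are CONFIG_IP6_NF_RAW, CONFIG_IP6_NF_MANGLE, CONFIG_IP6_NF_TARGET_REJECT).
netfilter_option_for() {
    case "$1" in
        table:raw)       echo CONFIG_IP_NF_RAW ;;
        table:mangle)    echo CONFIG_IP_NF_MANGLE ;;
        match:addrtype)  echo CONFIG_NETFILTER_XT_MATCH_ADDRTYPE ;;
        match:mark)      echo CONFIG_NETFILTER_XT_MARK ;;
        match:conntrack) echo CONFIG_NETFILTER_XT_MATCH_CONNTRACK ;;
        match:multiport) echo CONFIG_NETFILTER_XT_MATCH_MULTIPORT ;;
        target:CONNMARK) echo CONFIG_NETFILTER_XT_CONNMARK ;;
        target:REJECT)   echo CONFIG_IP_NF_TARGET_REJECT ;;
        *) return 1 ;;
    esac
}

# Reduce an iptables-restore error line to "kind:name", e.g.
#   "unable to initialize table 'raw'"             -> table:raw
#   "Couldn't load match `addrtype':No such file"  -> match:addrtype
#   "Couldn't load target `REJECT':No such file"   -> target:REJECT
# Prints nothing for lines it does not recognise.
parse_iptables_error() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.*unable to initialize table '\([a-z]*\)'.*/table:\1/p" \
        -e "s/.*Couldn.t load match .\([a-z]*\)'.*/match:\1/p" \
        -e "s/.*Couldn.t load target .\([A-Za-z]*\)'.*/target:\1/p"
}

# Print every listed symbol that is neither =y nor =m in the given .config;
# returns 1 if anything is missing, 0 if the config is complete.
#   $1: kernel config file (zcat /proc/config.gz > /tmp/cfg for the running kernel,
#       if it was built with CONFIG_IKCONFIG_PROC)
#   $2..: CONFIG_ symbols to check
missing_kernel_options() {
    mko_config=$1; shift
    mko_rc=0
    for mko_opt in "$@"; do
        if ! grep -Eq "^$mko_opt=[ym]\$" "$mko_config"; then
            echo "$mko_opt"
            mko_rc=1
        fi
    done
    return $mko_rc
}

# Needed by the raw/mangle rules wg-quick loads itself when AllowedIPs has 0.0.0.0/0.
WG_QUICK_OPTIONS="CONFIG_NF_CONNTRACK CONFIG_IP_NF_RAW CONFIG_IP_NF_MANGLE \
CONFIG_NETFILTER_XT_MARK CONFIG_NETFILTER_XT_CONNMARK CONFIG_NETFILTER_XT_MATCH_ADDRTYPE"
# Needed by the hand-written kill-switch rules further down the thread.
KILLSWITCH_OPTIONS="CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_NETFILTER_XT_MATCH_MULTIPORT \
CONFIG_IP_NF_TARGET_REJECT"

# Usage: sh wg-kconfig-check.sh /usr/src/linux/.config
if [ $# -eq 1 ]; then
    if missing_kernel_options "$1" $WG_QUICK_OPTIONS $KILLSWITCH_OPTIONS; then
        echo "all netfilter options present"
    else
        echo "enable the options listed above (=y or =m), rebuild, then retry wg-quick" >&2
        exit 1
    fi
fi
```

Run it against the kernel's `.config` before the first `wg-quick up`; each symbol it prints is one the `iptables-restore -n` step will fail on. The `raw` table error at line 1 and the `addrtype` error at line 2 in the posts above are exactly the first two rules of wg-quick's ruleset failing in order.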

----------

## 389292

I can't get the interface up and running during boot; the proposed addition to the /etc/conf.d/local.start file didn't help. How can I create an OpenRC service which would run 'wg-quick up wg0' at boot?

----------

## Hund

*etnull wrote:*

> I can't get the interface up and running during boot; the proposed addition to the /etc/conf.d/local.start file didn't help. How can I create an OpenRC service which would run 'wg-quick up wg0' at boot?


I added the command to `/etc/conf.d/local.start`.

----------

## szatox

I added a postup function in /etc/conf.d/net

However, it's a regular interface created with iproute, so creating the set of variables used by the net.wg service file shouldn't be very hard (without wg-quick in this case).

----------

## 389292

*szatox wrote:*

> I added a postup function in /etc/conf.d/net
> 
> However, it's a regular interface created with iproute, so creating the set of variables used by the net.wg service file shouldn't be very hard (without wg-quick in this case).


I tried to use the netifrc config, added `wireguard_wg0="/etc/wireguard/wg0.conf"`, and made the symlink for a new interface, but it can't parse the config file properly: unrecognized "Address" or something like that.

Adding it to "/etc/conf.d/local.start" didn't work; I don't know why.

```
Runlevel: default
 net.enp6s0                      [  started  ]
 sysklogd                        [  started  ]
 ntpd                            [  started  ]
 cronie                          [  started  ]
 netmount                        [  started  ]
 local                           [  started  ]
Runlevel: boot
 osclock                         [  started  ]
 modules                         [  started  ]
 fsck                            [  started  ]
 root                            [  started  ]
 mtab                            [  started  ]
 swap                            [  started  ]
 localmount                      [  started  ]
 opentmpfiles-setup              [  started  ]
 hostname                        [  started  ]
 sysctl                          [  started  ]
 bootmisc                        [  started  ]
 alsasound                       [  started  ]
 termencoding                    [  started  ]
 keymaps                         [  started  ]
 save-keymaps                    [  started  ]
 urandom                         [  started  ]
 procfs                          [  started  ]
 binfmt                          [  started  ]
 loopback                        [  started  ]
 consolefont                     [  started  ]
 save-termencoding               [  started  ]
```

----------

## 389292

nano /etc/conf.d/net

```
config_enp6s0="dhcp"
dns_domain_lo="localdomain"
wireguard_wg0="/etc/wireguard/wg0.conf"
```

```
ln -s /etc/init.d/net.lo /etc/init.d/net.wg0
rc-update add net.wg0 default
rc-service net.wg0 start
```

```
 * Bringing up interface wg0
 *   Creating WireGuard interface wg0 ...                        [ ok ]
 *   Configuring WireGuard interface wg0 ...
Line unrecognized: `Address=10.65.73.115/32'
Configuration parsing error                                      [ !! ]
 * ERROR: net.wg0 failed to start
```

------

What is local.start? Is it some service? Should I make some symlinks for OpenRC? It doesn't work just by making this file with the correct line in it.

------

Hund, I don't know what version of Gentoo you have, but apparently it's now just `local` and not `local.start`; putting it there helped me with autoconnect on boot.
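The "Line unrecognized: `Address=10.65.73.115/32'" message in the post above is wg(8)'s own config parser: netifrc's "Configuring WireGuard interface" step hands the file to `wg setconf`, which understands only `PrivateKey`, `ListenPort` and `FwMark` in `[Interface]` plus the `[Peer]` keys. `Address`, `DNS`, `MTU`, `Table` and the `PreUp`/`PostUp`/`PreDown`/`PostDown` hooks exist only in wg-quick, so a file generated for wg-quick cannot be used as-is in `wireguard_wg0=`. The script below is an added example, not netifrc's or wireguard-tools' code: it strips the wg-quick-only keys (wireguard-tools ships `wg-quick strip` for the same job) and pulls out the `Address` values so they can go into netifrc's `config_wg0=`. The sample config embedded in it is constructed; the keys are placeholders and only the two addresses come from this thread.

```shell
#!/bin/sh
# Added example, not from the thread and not netifrc's or wireguard-tools' code.
# Splits a wg-quick config into the part wg(8) accepts via `wg setconf` and
# the address list netifrc's config_<iface>= variable wants.

# Remove the wg-quick-only [Interface] keys; everything else passes through.
# Reads the files given as arguments, or stdin.
wg_strip() {
    awk '
        BEGIN {
            n = split("address dns mtu table preup postup predown postdown saveconfig", k, " ")
            for (i = 1; i <= n; i++) drop[k[i]] = 1
        }
        /^[[:space:]]*\[/ {                 # "[Interface]" / "[Peer]"
            section = tolower($0); gsub(/[^a-z]/, "", section)
            print; next
        }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key); key = tolower(key)
            if (section == "interface" && (key in drop)) next
            print
        }
    ' "$@"
}

# Print the Address values, one per line, for config_<iface>= in /etc/conf.d/net.
wg_addresses() {
    awk '
        /^[[:space:]]*\[/ { section = tolower($0); gsub(/[^a-z]/, "", section); next }
        section == "interface" {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (tolower(key) != "address") next
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[[:space:]]/, "", val)
            n = split(val, a, ","); for (i = 1; i <= n; i++) print a[i]
        }
    ' "$@"
}

# Constructed sample in wg-quick form: the keys are placeholders and the DNS
# address is made up; the tunnel address and endpoint are the ones in this thread.
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.65.73.115/32
DNS = 10.64.0.1
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = 185.204.1.203:51820'

# Usage: sh wg-split.sh /etc/wireguard/wg0.conf > /etc/wireguard/wg0.wg
#   then in /etc/conf.d/net:  wireguard_wg0="/etc/wireguard/wg0.wg"
#                             config_wg0="10.65.73.115/32"   (output of wg_addresses)
# With no argument it demonstrates on the sample above.
if [ $# -eq 1 ]; then
    wg_strip "$1"
else
    echo '# wg(8) config:'
    printf '%s\n' "$SAMPLE_CONF" | wg_strip
    echo '# config_wg0 entries:'
    printf '%s\n' "$SAMPLE_CONF" | wg_addresses
fi
```

Dropping the `DNS` line also means netifrc will not touch the resolver the way wg-quick does, so `dns_servers_wg0=` in `/etc/conf.d/net` has to carry the tunnel's resolver if DNS is supposed to stay inside the tunnel.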

----------

## 389292

Now the last thing I need to solve, and the most difficult one for me, is routing. I have another local machine, and after connecting both of them to a WireGuard tunnel I lost my access to that machine via ssh. I usually just did `ssh name@192.168.1.*`, but now I think iptables is blocking me from doing that. Does anyone know how to edit the iptables rules to let the local connection in and out? I think I need to combine this:

```
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
```

With this:

```
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
```

But the arguments are very cryptic to me; I don't know what to exclude and where to put the rest of it. Any help please?

----------

## szatox

```
# cat /etc/conf.d/net
# begin anonymized part
config_eth0= <ipv4>/24 <ipv6>/64
routes_eth0=<default via ipv4> <default via ipv6>
dns_servers_eth0=dns server list
# end anonymized part

# interesting part:
postup () {
    wg-quick up wg
    return 0
}
predown () {
    wg-quick down wg
    return 0
}
```

This is what I did to start WireGuard with my network.

I suppose I could add some filters based on the interface (check out the /etc/init.d/net.lo script for variable names), but since I only have 1 NIC to configure, I didn't bother.

Return 0 ensures my post-up never reports failures. If it fails, I'd rather not be notified than be notified in some absurd way. You figure out whether or not this is appropriate for you.

Regarding "local" service, try this:

```
 # cat /etc/local.d/README
```

Obviously, there is no point in doing it _both_ ways at the same time.

I don't know whether there is a dedicated module for configuring WireGuard. If not, the variable "config_" may be a good place to hold the parameters to "ip" which create and configure the interface.

Finally, the WireGuard config file used with wg-quick contains AllowedIPs, which acts as both an ACL and a routing hint (i.e. wg-quick will define those entries in the routing table AND will make the wg interface accept traffic incoming from those IPs). So this may be a 3rd way to configure the WireGuard interface.

Now, regarding iptables, I think you are overengineering it with marking and stuff. It would be easier if you just described your current setup and your goal.

Posting your iptables-save could also help, and should be safe to do if you are on a private network. Don't post it with public IP addresses visible.

----------

## 389292

I don't have any iptables rules. These are part of the provider's config; it blocks any communication outside of the tunnel (the so-called killswitch): if the VPN itself goes down, no traffic will flow until I bring the connection down manually.

```
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
```

I need to modify it to not block the local network, so that I can connect to my other machine on the same network.

----------

## szatox

Look at the provided rules. You block _outgoing_ traffic with them, not _incoming_ traffic.

Your allow_ssh rule is syntactically correct, but you added it to the wrong chain, so it doesn't work.

Also, your postup _inserts_ a reject rule, which makes it take precedence over everything else in the OUTPUT chain. This is not necessarily wrong, but it will prevent you from accessing your local network, and whatever ACCEPT rule comes later in the chain will never be tried.

Either change this command to append the reject rule, or make it send traffic to another chain where you can accept traffic to your local network before rejecting the rest. Or add another filter to the same rule along the lines of

```
! -d lan_ip/netmask
```

so traffic going to your local network will not match (and won't be rejected).

----------

## 389292

After consulting the service's support and also poking around myself, I came up with these rules:

```
PostUp = iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT DROP && iptables -A OUTPUT -o enp6s0 ! -d 193.138.218.74 -p tcp --dport 53 -j DROP && iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT && iptables -A INPUT -i enp6s0 -d 192.168.1.0/24 -j ACCEPT && iptables -A OUTPUT -o enp6s0 -d 192.168.1.0/24 -j ACCEPT && iptables -A OUTPUT -o enp6s0 -p udp -m multiport --dports 53,51820 -d 185.204.1.203/32 -j ACCEPT && iptables -A OUTPUT -o enp6s0 -p tcp -m multiport --dports 53 -d 185.204.1.203/32 -j ACCEPT && iptables -A OUTPUT -o wg0 -j ACCEPT && iptables -A INPUT -i lo -j ACCEPT && iptables -A OUTPUT -o lo -j ACCEPT

PreDown = iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT && iptables -D OUTPUT -o enp6s0 ! -d 193.138.218.74 -p tcp --dport 53 -j DROP && iptables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT && iptables -D INPUT -i enp6s0 -d 192.168.1.0/24 -j ACCEPT && iptables -D OUTPUT -o enp6s0 -d 192.168.1.0/24 -j ACCEPT && iptables -D OUTPUT -o enp6s0 -p udp -m multiport --dports 53,51820 -d 185.204.1.203/32 -j ACCEPT && iptables -D OUTPUT -o enp6s0 -p tcp -m multiport --dports 53 -d 185.204.1.203/32 -j ACCEPT && iptables -D OUTPUT -o wg0 -j ACCEPT && iptables -D INPUT -i lo -j ACCEPT && iptables -D OUTPUT -o lo -j ACCEPT
```

It leaves the local network accessible, and in theory should still act as a killswitch. I couldn't test the killswitch myself yet, because I can't kill a WireGuard server that isn't my own. Note that the network interface and IPs should be changed according to your setup.

---

The killswitch also works; here is the test proposed by the support:

```
Block:
iptables -I OUTPUT -d 185.204.1.203 -j DROP && iptables -I FORWARD -d 185.204.1.203 -j DROP

Unblock:
iptables -I OUTPUT -d 185.204.1.203 -j ACCEPT && iptables -I FORWARD -d 185.204.1.203 -j ACCEPT
```

Last edited by 389292 on Wed Jan 08, 2020 7:41 pm; edited 1 time in total

----------

## szatox

Actually, you can test that killswitch.

It's not meant to protect you from server failure. It is meant to protect you from YOUR failure.

And you can test it by simply removing the wireguard interface with ip link del, which - as a side effect - will mess up your routing table, likely promoting a so-far-secondary route to a preferred one.

----------

## 389292

 *szatox wrote:*   

> Actually, you can test that killswitch.
> 
> It's not meant to protect you from server failure. It is meant to protect you from YOUR failure.
> 
> And you can test it by simply removing the wireguard interface with ip link del, which - as a side effect - will mess up your routing table, likely promoting a so-far-secondary route to a preferred one.

 

Did that also, the traffic stops.

----------

## 389292

lol, this isn't all; my Arch machine can't connect using these settings. I assume the issue is in IPv6, which I don't use on Gentoo...

---

After hours of searching I finally figured out how to enable ssh and local connections like the router's web interface; it was much, much easier than what I'd been doing:

```
PostUp = iptables -I OUTPUT ! -d 192.168.1.0/24 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -d 192.168.1.0/24 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
```

`! -d 192.168.1.0/24` will exclude the local IP range from the filter. It's also an official rule, which means I won't fk something up by writing my own from scratch.

Can't believe I spent so much time on such an easy thing... I should finish some networking course; it takes me forever compared to anything else IT related...
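The provider's one-line rule above packs four conditions into a single REJECT, which is why the `-I`-versus-`-A` ordering problem szatox describes was hard to see. The script below is an added example, not from the thread and not Mullvad's generated config: it rebuilds the same kill switch the way szatox suggested, as a dedicated chain where each exception (tunnel interface, wg-quick's fwmark, addresses owned by the host, and the LAN prefix from the final `! -d 192.168.1.0/24` fix) is its own RETURN rule evaluated before the closing REJECT. The chain name `WG_KILLSWITCH`, the install path in the usage comment and `icmp-admin-prohibited` as the reject reason are this example's choices; like the provider's rule, it assumes wg-quick has set an fwmark, which it only does when `AllowedIPs` contains `0.0.0.0/0` and `Table` is left at auto.

```shell
#!/bin/sh
# Added example, not from the thread or from the provider's generated config:
# the provider's one-line REJECT kill switch rebuilt as a dedicated chain so
# that every exception is its own rule and the LAN exception is evaluated
# before the REJECT. Assumed names: chain WG_KILLSWITCH, the script path in
# the usage comment, icmp-admin-prohibited as the reject reason. Like the
# provider's rule it relies on the fwmark wg-quick sets for AllowedIPs=0.0.0.0/0.

# Print an iptables-restore(8) ruleset for the filter table.
#   $1 tunnel interface                     (wg0)
#   $2 fwmark as printed by `wg show $1 fwmark`  (0xca6c, i.e. 51820)
#   $3 LAN prefix that must stay reachable  (192.168.1.0/24)
killswitch_ruleset() {
    ks_if=$1 ks_mark=$2 ks_lan=$3
    cat <<EOF
*filter
:WG_KILLSWITCH - [0:0]
-I OUTPUT 1 -j WG_KILLSWITCH
# plaintext that goes into the tunnel is what we want
-A WG_KILLSWITCH -o $ks_if -j RETURN
# the encrypted UDP to the endpoint carries the fwmark wg-quick set
-A WG_KILLSWITCH -m mark --mark $ks_mark -j RETURN
# loopback and any other address this host owns
-A WG_KILLSWITCH -m addrtype --dst-type LOCAL -j RETURN
# the fix from this thread: ssh to the other box and the router's web UI
-A WG_KILLSWITCH -d $ks_lan -j RETURN
# anything else would leave in the clear
-A WG_KILLSWITCH -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# -n (noflush) keeps whatever rules are already loaded, as wg-quick itself does.
killswitch_up() { killswitch_ruleset "$@" | iptables-restore -n; }

killswitch_down() {
    iptables -D OUTPUT -j WG_KILLSWITCH
    iptables -F WG_KILLSWITCH
    iptables -X WG_KILLSWITCH
}

# From the wg-quick config (hypothetical install path):
#   PostUp  = /usr/local/sbin/wg-killswitch.sh up %i $(wg show %i fwmark) 192.168.1.0/24
#   PreDown = /usr/local/sbin/wg-killswitch.sh down
# Run with no arguments to review the generated ruleset without loading it.
case "${1-}" in
    up)   shift; killswitch_up "$@" ;;
    down) killswitch_down ;;
    *)    killswitch_ruleset wg0 0xca6c 192.168.1.0/24 ;;
esac
```

Two caveats worth keeping in mind with the LAN exception: it also lets DNS queries reach a resolver on the LAN (typically the router), so `/etc/resolv.conf` must still point at the tunnel's resolver or that traffic leaves the kill switch's protection; and running the `up` side twice inserts a second jump into OUTPUT, which is why the `down` side deletes the jump before flushing the chain.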

----------

## gengreen

Using Mullvad and WireGuard, a small suggestion regarding wg-quick:

wg-quick should fall back to /etc/resolv.conf if resolvconf / openresolv and other similar things are not installed.

Example (patch made for my needs):

```
--- a/src/wg-quick/linux.bash

+++ b/src/wg-quick/linux.bash

@@ -139,24 +139,43 @@

 }

 

 resolvconf_iface_prefix() {

+   if [[ -f /sbin/resolvconf ]]; then

+

    [[ -f /etc/resolvconf/interface-order ]] || return 0

    local iface

    while read -r iface; do

       [[ $iface =~ ^([A-Za-z0-9-]+)\*$ ]] || continue

       echo "${BASH_REMATCH[1]}." && return 0

    done < /etc/resolvconf/interface-order

+

+   fi

 }

 

 HAVE_SET_DNS=0

 set_dns() {

    [[ ${#DNS[@]} -gt 0 ]] || return 0

+

+   if [[ -f /sbin/resolvconf ]]; then

    printf 'nameserver %s\n' "${DNS[@]}" | cmd resolvconf -a "$(resolvconf_iface_prefix)$INTERFACE" -m 0 -x

+   echo "[!] DNS has been set with resolvconf \n"

+   

+   else

+   printf 'nameserver %s\n' "${DNS[@]}" > /etc/resolv.conf

+   echo "[!] resolvconf is not installed, fallback to /etc/resolv.conf \n"

+   fi

+

    HAVE_SET_DNS=1

 }

 

 unset_dns() {

    [[ ${#DNS[@]} -gt 0 ]] || return 0

+   

+   if [[ -f /sbin/resolvconf ]]; then

    cmd resolvconf -d "$(resolvconf_iface_prefix)$INTERFACE" -f

+   

+   else

+   printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf

+   fi

 }

 

 add_route() {

 
```
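Review bot: the fallback branch of `unset_dns` does not undo what `set_dns` did. `set_dns` overwrites /etc/resolv.conf with `printf 'nameserver %s\n' "${DNS[@]}" > /etc/resolv.conf` without saving the previous contents, and `unset_dns` then writes `nameserver 127.0.0.1`, so a host with no local resolver has no working DNS after `wg-quick down`, and the pre-tunnel resolver list is lost in every case. Save the file before overwriting it (for example to a path under /run keyed on `$INTERFACE`) and move it back in `unset_dns`; since the `DNS =` line is the boundary that keeps lookups inside the tunnel, a failed write should abort rather than be ignored. Smaller points in the same hunk: `[[ -f /sbin/resolvconf ]]` hardcodes a path where `command -v resolvconf` would find the binary wherever the distribution puts it; `echo "[!] ... \n"` prints a literal `\n` because bash's builtin echo does not interpret escapes without -e, so use printf or drop the escape; and the two direct `> /etc/resolv.conf` writes bypass `cmd`, so they never appear in the `[#]` trace the rest of wg-quick prints.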

It makes sense for systems that do not use dhcp / network-manager and manually add the DNS entry to /etc/resolv.conf, and it avoids the dependency on virtual/resolvconf.

----------

