# [SOLVED] Wireguard connects but no internet access

## baak6

Hi friends.

Apologies if this isn't the right place to post this.

I recently purchased myself a little OpenBSD VPS so I could run WireGuard on it. I followed this guide to set up WireGuard: https://ianix.com/wireguard/openbsd-howto.html - very simple.

On my Gentoo machine I ran:

```
~ # emerge -av wireguard-tools

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-vpn/wireguard-tools-1.0.20210424::gentoo  USE="wg-quick" 0 KiB
```

I also created the /etc/wireguard folder with wg0.conf as such:

```
[Interface]
PrivateKey = <removed>

[Peer]
PublicKey = <removed>
Endpoint = <servers_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
```

I've omitted the keys and the server IP for obvious reasons. 

Then I use wg-quick and all seems normal:

```
~ # wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1057ms
```

Nothing seems to get through and I cannot seem to figure out why. 

Running wg show on the client machine, everything looks normal as far as I can tell:

```
~ # wg show
interface: wg0
  public key: <removed>
  private key: (hidden)
  listening port: 52833
  fwmark: 0xca6c

peer: <removed>
  endpoint: <servers_ip>:51820
  allowed ips: 0.0.0.0/0, ::/0
```

I've been stuck trying to figure this out for a while. I had this problem a month ago for the first time. I recently wiped my VPS and started from scratch but no change. I have a feeling the issue is on the client (Gentoo) side since it's a fresh OpenBSD box with a very simple WireGuard setup. But I have no evidence for this.

I do use a custom kernel and I wondered if I was missing something compiled into the kernel perhaps, but I've enabled everything the ebuild asks for and restarted to use that kernel.

Does anyone have any ideas? Please let me know if there's any further information I can provide to help solve this.

Many thanks in advance.

Last edited by baak6 on Thu Jun 03, 2021 9:50 pm; edited 1 time in total

----------

## wwdev16

Firewall on either the VPS or Gentoo system?

Does the VPS have a [Peer] section for your Gentoo box? Your /etc/wireguard/wg0.conf doesn't specify ListenPort so it is probably the default and the VPS needs to use the Gentoo port in its [Peer] section.

I would just pick the same port for both systems, e.g. 51820.

I don't use wg-quick since Gentoo provides support for wireguard. You might try

```
/etc/conf.d/net

wireguard_wg0="/etc/wireguard/wg0.conf"
config_wg0="<private-address>/<cidr-bit-count>"
```

Create a symlink: /etc/init.d/net.wg0 -> /etc/init.d/net.lo

Then start the net.wg0 service

You need to match up the ports/keys for the tunnel end points:

```
VPS wireguard conf:

[Interface]
PrivateKey = <vps-private-key>
ListenPort = 51820

[Peer]
PublicKey = <gentoo-public-key>
Endpoint = <gentoo-public-ip>:51820

Gentoo side /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = <gentoo-private-key>
ListenPort = 51820

[Peer]
PublicKey = <VPS-public-key>
Endpoint = <VPS-public-ip>:51820
```

Note that the wireguard interfaces (wg0) must have assigned addresses. These addresses are not the public addresses of either system. For example you could use 10.0.0.45 for wg0 on the VPS and 10.0.0.46 for wg0 on the gentoo box and use AllowedIps = 10.0.0.0/24 on both systems. Then from Gentoo you ping 10.0.0.45 and on the VPS you ping 10.0.0.46 to reach the peer. The address assignments for the wg0 interfaces are not done in the wireguard config files, but by the OS net config facilities.

Get the private-address communication working before trying to get routing and nat on the wg0 interfaces working.

----------

## baak6

Thanks for the response.

The Gentoo system doesn't have any firewall or iptables rules, only what is added by WireGuard.

The OpenBSD server has a very basic pf.conf to make WireGuard work, plus the default config.

```
#       $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

pass in on wg0
pass in inet proto udp from any to any port 51820
pass out on egress inet from (wg0:network) nat-to (em0:0)
```

All the configs I shared previously were from the Gentoo client. Here's the WireGuard config wg0.conf for the OpenBSD host:

```
[Interface]
PrivateKey = <server_private_key>
ListenPort = 51820

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.0/24
```

I've also updated the Gentoo client to include the ListenPort as you suggested.

```
[Interface]
PrivateKey = <client_private_key>
ListenPort = 51820

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
```

Switching to use netifrc is a great idea, I've done as you suggested:

```
~ # ls -l /etc/init.d/net.wg0
lrwxrwxrwx 1 root root 18 May 26 13:25 /etc/init.d/net.wg0 -> /etc/init.d/net.lo
~ # cat /etc/conf.d/net
config_wg0="10.0.0.2/32"
wireguard_wg0="/etc/wireguard/wg0.conf"
```

That seems to do what it is supposed to when I start Wireguard:

```
~ # /etc/init.d/net.wg0 start
 * Bringing up interface wg0
 *   Creating WireGuard interface wg0 ...          [ ok ]
 *   Configuring WireGuard interface wg0 ...       [ ok ]
 *   10.0.0.2/32 ...                               [ ok ]
~ # ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.0.2  netmask 255.255.255.255  destination 10.0.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

This doesn't make me lose internet access (presumably since I'm not NATing as you suggested) but I still cannot ping the server's IP, 10.0.0.1.

This is the wg0 interface on the server by the way:

```
# ifconfig wg0
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        index 5 priority 0 llprio 3
        wgport 51820
        wgpubkey <server_public_key>
        wgpeer <client_public_key>
                tx: 0, rx: 0
                wgaip 10.0.0.0/24
        groups: wg
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
```

It makes sense to try to just get the connection to the server working correctly. But I seem to not even be able to get there which is odd. Any ideas?

----------

## wwdev16

Maybe a simple thing, your cidr prefix is 32 for the wg0 interface on the gentoo box. You might want to try /24 so that the VPS private address 10.0.0.1 will be accepted on wg0.

It looks like you may have nat enabled on wg0 on the VPS. I think it would be easier to debug if that were turned off for now.

Your ifconfig results say the wg0 interfaces are up. So from the VPS you should be able to ping 10.0.0.1 and from the Gentoo side 10.0.0.2.

If setting the cidr prefix and disabling nat fixed the issues, then pinging the peer private address should also work.

If not, on the gentoo box I would start a tcpdump for the public interface in a separate window and then ping 10.0.0.1 (vps private addr). There should be some outbound traffic on the public interface if the ping packet is getting sent along by wireguard.

If you have a second local gentoo box, you could also experiment in a simplified environment. Just define a second vpn that uses wg1 for the wireguard interfaces on the local boxes, use addresses from 10.10.0.0/24 on the wg1 interfaces, and make sure that firewalls aren't going to block local packets. It would be easier to watch both ends of the tunnel.

----------

## wwdev16

The command wg show wg0 displays info about the wg0 interface. If the output doesn't include a latest handshake line there is probably an issue with the keys or the AllowedIps.
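The "latest handshake" check above, made mechanical: an added example (not code from the thread) that parses the machine-readable form of the same information, `wg show wg0 dump`, and classifies each peer. The dump text below is constructed, with placeholder keys and a fixed clock so the result is reproducible; `wg show <iface> dump` itself needs root.

```python
"""Classify peers from `wg show wg0 dump` output (added example, not from the thread).

`wg show <iface> dump` prints one tab-separated line for the interface
(private-key, public-key, listen-port, fwmark) and then one line per peer
(public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
rx-bytes, tx-bytes, persistent-keepalive). latest-handshake is a Unix
timestamp and is 0 when no handshake has ever completed, which is the
state behind a `wg show` listing with no "latest handshake" line.
"""
import time

# REJECT_AFTER_TIME from the WireGuard protocol: a session older than this is
# discarded, so a tunnel that is carrying traffic re-handshakes well inside it.
REJECT_AFTER_TIME = 180

PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "rx_bytes", "tx_bytes", "persistent_keepalive")


def parse_dump(text):
    """Return (interface_dict, [peer_dict, ...]) from `wg show <iface> dump` text."""
    rows = [line.split("\t") for line in text.strip().splitlines()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), rows[0]))
    peers = []
    for row in rows[1:]:
        peer = dict(zip(PEER_FIELDS, row))
        peer["allowed_ips"] = peer["allowed_ips"].split(",")
        for key in ("latest_handshake", "rx_bytes", "tx_bytes"):
            peer[key] = int(peer[key])
        peers.append(peer)
    return iface, peers


def assess_peer(peer, now=None):
    """Return (status, explanation); status is 'never', 'stale' or 'fresh'."""
    now = int(time.time()) if now is None else now
    if peer["latest_handshake"] == 0:
        if peer["endpoint"] == "(none)":
            return ("never", "no handshake yet and no Endpoint: this side cannot initiate, "
                             "so the peer has to reach us (check its Endpoint and our firewall)")
        return ("never", "no handshake yet: check the key pair, that the peer's AllowedIPs "
                         "include our tunnel address, and that UDP reaches the Endpoint")
    age = now - peer["latest_handshake"]
    if age > REJECT_AFTER_TIME:
        # An idle tunnel also looks like this; send traffic and re-check before
        # concluding the peer stopped answering.
        return ("stale", f"last handshake {age}s ago: idle, or the peer stopped answering")
    return ("fresh", f"last handshake {age}s ago, rx={peer['rx_bytes']} tx={peer['tx_bytes']}")


def report(dump_text, now=None):
    """Map each peer's public key to its (status, explanation)."""
    _, peers = parse_dump(dump_text)
    return {p["public_key"]: assess_peer(p, now) for p in peers}


# Constructed sample: placeholder keys, fixed clock. Peer 1 handshook 30 s
# before NOW; peer 2 never did and has no endpoint.
NOW = 1622748000
SAMPLE_DUMP = (
    "<private_key>\t<public_key>\t51820\t0xca6c\n"
    "<peer1_public_key>\t(none)\t203.0.113.10:51820\t10.0.0.0/24\t1622747970\t1234\t5678\toff\n"
    "<peer2_public_key>\t(none)\t(none)\t0.0.0.0/0,::/0\t0\t0\t0\toff\n"
)

if __name__ == "__main__":
    for key, (status, why) in report(SAMPLE_DUMP, NOW).items():
        print(f"{key}: {status} - {why}")
```

Feed it real output with `report(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True))`; a "never" result is the condition the post above describes, and "stale" on a tunnel you are actively sending through points at the far side.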

----------

## baak6

Many thanks for the help again friend.

Changing /etc/conf.d/net to have /24 instead of /32 did the trick!

```
config_wg0="10.0.0.2/24"
```

It makes sense actually, thinking about it, since it's for the network interface.

I can ping the VPS (10.0.0.1) from my Gentoo box (10.0.0.2) and the other way around now, great success.

How do I go about making sure all my traffic is routed to the VPS via WireGuard now using netifrc? Assuming that my VPS is correctly set up to NAT the wg0 interface to the internet. Do I just have to add a route default via the VPS IP to netifrc? Or do I need to use IP tables for this? I'd prefer to keep using netifrc instead of going back to wg-quick really.
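The two conditions this thread turned on, the interface prefix that must cover the peer's tunnel address (wwdev16's /32 versus /24 point, confirmed by the fix just above) and the peer's AllowedIPs that must cover it too, as a small static checker. This is an added example, not code from the thread; the two config strings are constructed from the thread's configs with placeholder keys, and the `assigned` argument stands in for the address netifrc's config_wg0 puts on the interface when the file has no Address= line.

```python
"""Static checks for a WireGuard config (added example, not from the thread).

Two conditions are checked:
  * the interface needs a prefix covering the peer's tunnel address
    (10.0.0.2/24 installs a route to 10.0.0.0/24 via wg0; 10.0.0.2/32
    installs none, so 10.0.0.1 is unreachable unless a route is added);
  * the peer's AllowedIPs must cover that address, or WireGuard's cryptokey
    routing drops the packet even when the kernel route exists.
"""
import ipaddress


def parse_wg_conf(text):
    """Parse the INI-like wg(8)/wg-quick format into (interface, [peer, ...]).

    Keys are lower-cased so Endpoint and EndPoint compare equal, as wg(8)
    matches them. Several [Peer] sections are allowed, which is why the
    standard configparser (one section per name) is not used.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def _prefixes(value):
    """Turn 'a/24, b/0' into ip_interface objects (empty list for '')."""
    return [ipaddress.ip_interface(p.strip()) for p in value.split(",") if p.strip()]


def check_tunnel(conf_text, peer_tunnel_ip, assigned=None):
    """Return a list of findings; an empty list means the config looks usable.

    `assigned` is the address the OS puts on the interface when the file has
    no Address= line (netifrc's config_wg0 in the thread). Each finding starts
    with a short tag so callers can match on it.
    """
    findings = []
    iface, peers = parse_wg_conf(conf_text)
    target = ipaddress.ip_address(peer_tunnel_ip)

    addrs = _prefixes(assigned or iface.get("address", ""))
    if not addrs:
        findings.append("no-address: nothing assigns an address to the interface")
    elif not any(target in a.network for a in addrs):
        shown = ", ".join(str(a) for a in addrs)
        findings.append(f"no-route: no interface prefix covers {target} (have {shown})")

    if not peers:
        findings.append("no-peer: config has no [Peer] section")
    for n, peer in enumerate(peers, 1):
        allowed = [p.network for p in _prefixes(peer.get("allowedips", ""))]
        if not any(target in net for net in allowed):
            shown = ", ".join(str(net) for net in allowed) or "nothing"
            findings.append(f"cryptokey: peer {n} AllowedIPs ({shown}) exclude {target}")
        endpoint = peer.get("endpoint", "")
        if any(net.prefixlen == 0 for net in allowed) and not endpoint:
            findings.append(f"endpoint: peer {n} carries a default route but has no Endpoint=")
        if endpoint and ":" not in endpoint:
            findings.append(f"endpoint: peer {n} Endpoint {endpoint!r} lacks a port")
    return findings


# Constructed samples mirroring the thread's two configs; keys and the public
# address are placeholders.
CLIENT_CONF = """
[Interface]
PrivateKey = <client_private_key>
ListenPort = 51820

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

SERVER_CONF = """
[Interface]
PrivateKey = <server_private_key>
ListenPort = 51820

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.0/24
"""

if __name__ == "__main__":
    for prefix in ("10.0.0.2/32", "10.0.0.2/24"):      # the thread's before and after
        print(prefix, check_tunnel(CLIENT_CONF, "10.0.0.1", prefix) or "ok")
    print("server", check_tunnel(SERVER_CONF, "10.0.0.2", "10.0.0.1/24") or "ok")
```

With the /32 the checker reports only the missing on-link prefix; with the /24 the client config is clean, and the server config is clean for the client's 10.0.0.2 because its AllowedIPs covers 10.0.0.0/24. Routing all traffic through the tunnel (the question asked above) is a separate step that this checker does not model.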

----------

## baak6

I ended up switching away from netifrc for this and switched to using wg-quick. The main issue I was having with it originally was that the interface didn't have an IP configured. I added Address = 10.0.0.2/24 under the [Interface] section on the client and removed the ListenAddress as it wasn't needed. Then bringing up wg0 via wg-quick made everything work.

----------

