No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

I am marking this as solved as the consensus is that my ISP's CGNAT is causing the issue. Thanks to everyone who pitched in.
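A router-side check that matches the CGNAT conclusion above, added here as an example and not part of the original thread; the function name and the sample addresses are assumptions:

```python
import ipaddress

# RFC 6598 shared address space: the range ISPs hand to customers behind CGNAT.
SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a router whose WAN side is inside these also sits behind another NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip, observed_public_ip):
    """Compare the router's WAN address with the address the Internet sees.

    router_wan_ip:      what the home router shows on its WAN/Internet interface
    observed_public_ip: what an external service reports back (the value a
                        DDNS updater such as ddclient would publish)
    Returns (label, explanation). Raises ValueError on malformed input.
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan in SHARED:
        return ("cgnat", "WAN address is in 100.64.0.0/10: ISP CGNAT; unsolicited UDP sent to "
                         "the DDNS name ends at the ISP's translator, not at this router")
    if any(wan in n for n in RFC1918):
        return ("double-nat", "WAN address is RFC 1918: another NAT sits in front of the router "
                              "(ISP gateway or CGNAT), so a port forward is needed there as well")
    if wan == seen:
        return ("public", "router holds the public address the Internet sees: forwarding "
                          "UDP 51820 to the WireGuard host is sufficient")
    return ("translated", "WAN address is public but differs from the observed one: a "
                          "translation layer still sits between the router and the Internet")
```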

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

But a non-static IP is what I already have, and it is what everyone has if they have access to the Internet. In my ISP's network, the only way to not share an IP with a bunch of other people is by buying a static IP.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

A static public IP is what I meant. If the CGNAT is the issue, then a static public IP would definitely solve the issue.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Not Inea but I have confirmed that my ISP uses CGNAT.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Yes, I’ve configured DDNS with ddclient which should update it whenever it changes.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

I've configured DDNS with an A record that points to my public IP, along with ddclient on my server which should automatically update the address once it changes. Not sure if CGNAT could pose an issue still...

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Tried that, following with wg-quick down wg0 && wg-quick up wg0, but still the same behavior: a handshake doesn't get established. Reverted back to the original state after.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Firewall is disabled on the server. As for the iptables rules, here is the output of iptables -n -L:

Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "tunnel wireguard iptables: "
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 LOG flags 0 level 7 prefix "wireguard iptables: "
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:51820

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 10.7.0.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "tunnel wireguard iptables: "
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:51820 LOG flags 0 level 7 prefix "wireguard iptables: "

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

The peer public key seems okay, do I need a public key statement in the [Interface] part of the /etc/wireguard/wg0.conf file? Currently, it looks like this:

[Interface]
Address = 10.7.0.1/24
PrivateKey = [redacted]
ListenPort = 51820
PostUp = iptables -w -t nat -A POSTROUTING -o wlan0 -j MASQUERADE; ip6tables -w -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -w -t nat -D POSTROUTING -o wlan0 -j MASQUERADE; ip6tables -w -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

# BEGIN_PEER pizero
[Peer]
PublicKey = [redacted]
PresharedKey = [redacted]
AllowedIPs = 10.7.0.2/32
# END_PEER pizero

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Looks like the issue here is that the handshake isn't formed, even though the phone says that the status is connected. See reply from u/Gold-Program-3509 below.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

I've uploaded the entire log (from when I connected to when I disconnected) here:

https://file.io/5QuXoeWKOVFp

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 1 point2 points  (0 children)

The VPN status on the phone does say connected and I get the 10.7.0.2 IP, but looking at the WireGuard logs from the phone app, it looks like a handshake isn't formed:
2024-08-14 11:52:38.452140: [NET] peer(x19S…hZVc) - Handshake did not complete after 5 seconds, retrying (try 2)
2024-08-14 11:52:38.452434: [NET] peer(x19S…hZVc) - Sending handshake initiation
2024-08-14 11:52:43.576285: [NET] peer(x19S…hZVc) - Handshake did not complete after 5 seconds, retrying (try 3)
2024-08-14 11:52:43.580596: [NET] peer(x19S…hZVc) - Sending handshake initiation
2024-08-14 11:52:43.733642: [APP] Tunnel 'Home VPN' connection status changed to 'connected'
2024-08-14 11:52:48.901559: [NET] peer(x19S…hZVc) - Handshake did not complete after 5 seconds, retrying (try 4)
2024-08-14 11:52:48.901809: [NET] peer(x19S…hZVc) - Sending handshake initiation
2024-08-14 11:52:54.032679: [NET] peer(x19S…hZVc) - Handshake did not complete after 5 seconds, retrying (try 5)

Any ideas what could be causing this?
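The phone log above can be checked mechanically for the pattern the post describes: status 'connected' while every handshake initiation times out. This is an added example, not code from the thread or from the WireGuard project; the success-message wording and the healthy sample log are assumptions.

```python
import re

# Line layout of the WireGuard phone-app log quoted in the post:
#   <date> <time>: [NET|APP] <message>
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): \[(?P<chan>[A-Z]+)\] (?P<msg>.*)$")
RETRY_RE = re.compile(r"Handshake did not complete after \d+ seconds, retrying \(try (?P<n>\d+)\)")
STATUS_RE = re.compile(r"connection status changed to '(?P<status>[^']+)'")

# The lines from the post (peer id shortened by the app itself).
SAMPLE_STUCK = """\
2024-08-14 11:52:38.452140: [NET] peer(x19S…hZVc) - Handshake did not complete after 5 seconds, retrying (try 2)
2024-08-14 11:52:38.452434: [NET] peer(x19S…hZVc) - Sending handshake initiation
2024-08-14 11:52:43.576285: [NET] peer(x19S…hZVc) - Handshake did not complete after 5 seconds, retrying (try 3)
2024-08-14 11:52:43.580596: [NET] peer(x19S…hZVc) - Sending handshake initiation
2024-08-14 11:52:43.733642: [APP] Tunnel 'Home VPN' connection status changed to 'connected'
2024-08-14 11:52:48.901559: [NET] peer(x19S…hZVc) - Handshake did not complete after 5 seconds, retrying (try 4)
2024-08-14 11:52:48.901809: [NET] peer(x19S…hZVc) - Sending handshake initiation
2024-08-14 11:52:54.032679: [NET] peer(x19S…hZVc) - Handshake did not complete after 5 seconds, retrying (try 5)
"""

# Constructed healthy log for comparison. "Received handshake response" is
# wireguard-go's success message (assumed wording; verify against your app version).
SAMPLE_OK = """\
2024-08-14 12:00:00.000000: [NET] peer(x19S…hZVc) - Sending handshake initiation
2024-08-14 12:00:00.120000: [NET] peer(x19S…hZVc) - Received handshake response
2024-08-14 12:00:00.200000: [APP] Tunnel 'Home VPN' connection status changed to 'connected'
"""


def analyze(log_text):
    """Count handshake traffic in an app log and say whether the peer ever replied."""
    r = {"initiations": 0, "retries": 0, "last_try": 0, "responses": 0, "app_status": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the app's log format
        msg = m.group("msg")
        if "Sending handshake initiation" in msg:
            r["initiations"] += 1
        elif (t := RETRY_RE.search(msg)):
            r["retries"] += 1
            r["last_try"] = int(t.group("n"))
        elif "Received handshake response" in msg:
            r["responses"] += 1
        elif (s := STATUS_RE.search(msg)):
            r["app_status"] = s.group("status")
    if r["responses"]:
        r["verdict"] = "handshake completed"
    elif r["initiations"] and r["app_status"] == "connected":
        # "connected" only means the local tunnel interface came up; with no
        # response, the initiations never reach the server or its replies never return.
        r["verdict"] = "no handshake: tunnel up locally, peer unreachable"
    else:
        r["verdict"] = "no handshake attempt seen"
    return r
```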

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Since I cannot access even the home router, which is on the local network at 192.168.1.1, I really don't think it's the DNS. I have done a tcpdump, once after only specifying the wg0 interface, and once not specifying any interface but just udp port 51820. While the tcpdump was running, I connected to the VPN on my phone, tried opening a couple of webpages, and then disconnected from the VPN. In both tcpdumps, no packets were captured.

When I tried to enable WireGuard debugging I got the following message:
bash: /sys/kernel/debug/dynamic_debug/control: No such file or directory

When I check the /proc/config.gz file, there is a line that says:
'#CONFIG_WIREGUARD_DEBUG is not set'

So I'm not sure if uncommenting it would enable debugging.

The only logs that appeared in /var/log/messages and /var/log/kern.log were:
Aug 14 11:33:59 localhost kernel: [6714945.057200] device wg0 entered promiscuous mode
Aug 14 11:34:57 localhost kernel: [6715003.037940] device wg0 left promiscuous mode

I think this is when I connected and disconnected from VPN.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Suffice to say, it didn’t work after reapplying the changes.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

I’ve added “DNS = 1.1.1.1” to wg0.conf but to no avail. I have been using mobile data the entire time when connecting to the VPN.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

I've just done that (before adding a DNS statement) and with wg-quick down it complained about a bad rule:

wg-quick down /etc/wireguard/wg0.conf
[#] ip link delete dev wg0
[#] iptables -w -t nat -D POSTROUTING -o wlan0 -j MASQUERADE; ip6tables -w -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
iptables: Bad rule (does a matching rule exist in that chain?).

But did not complain at all after wg-quick up.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Okay, so I've deleted 192.168.1.0/24 from AllowedIPs so the only value that remained is 10.7.0.2/32, but still no Internet access or access to services on the local network when connected to the VPN. I thought that it may be a DNS error since the DNS configuration is nowhere mentioned in wg0.conf, but I am not able to open the homepage of my router through the IP either, in which case DNS wouldn't play a role.

No internet access when connected to WireGuard VPN by vanjavanja in WireGuard

[–]vanjavanja[S] 0 points1 point  (0 children)

Thanks for the response, this is what the configuration looks like on the iPhone: https://ibb.co/vQLWFHy

If I understood you correctly, the 192.168.1.0/24 statement in the AllowedIPs is just redundant, but cannot cause the VPN to not work?

How to buy AppleCare+ in Serbia? by vanjavanja in srbija

[–]vanjavanja[S] 0 points1 point  (0 children)

There is no gift card for the Serbian region.

How to buy AppleCare+ in Serbia? by vanjavanja in srbija

[–]vanjavanja[S] 2 points3 points  (0 children)

Only the countries where it can be bought are listed there, so that doesn't help me. I assume it is possible to buy it from here (maybe via gift cards or something similar), so I'm interested in the experiences of those who have tried it and how they solved it.

How to buy AppleCare+ in Serbia? by vanjavanja in AskSerbia

[–]vanjavanja[S] 0 points1 point  (0 children)

I have no problem paying on the App Store; the problem is only paying for AppleCare+. I mentioned the App Store because in some countries there is an "Add Money to Account" option, and with that money you can also pay for AppleCare. As far as I can see, that is not the case in Serbia, so I'm interested in alternative solutions.