
My goal is to create a VPN so

  1. Clients have static IP addresses.
  2. Clients are able to communicate with each other and the server.
  3. Clients can reach the global Internet through the VPN.
  4. Also, I'd like to set up DNS and private domain names (working with NginX).

Here is config of the server:

[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = xxxxx

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0

And client's config:

[Interface]
PrivateKey = xxxxx
ListenPort = 5555
Address = 10.0.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server ip>:5555

But when I try to load the server's config with wg setconf wg0 /etc/wireguard/wg0.conf I get this error:

Line unrecognized: `Address=10.0.0.1/24'
Configuration parsing error

So I commented out this line. But it probably makes WG choose random IP addresses for the server and clients.

To make WireGuard work, I also ran these commands:

ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.0.1/24
ip link set up dev wg0

After all that, the wg command gives the following output:

interface: wg0
  public key: xxxxx
  private key: (hidden)
  listening port: 5555

peer: xxxxx
  endpoint: <my IP address>:6228
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 11 seconds ago
  transfer: 26.02 KiB received, 248 B sent

From the client (which is macOS with the WireGuard GUI) I'm able to connect, but:

  • I get no Internet connection. I can't even ping the server by its global IP address, though I can with the private one, 10.0.0.1.
  • I'm able to connect to the VPN even if I change the port in the client's config. I think it means that it doesn't really get connected.

So, how can I achieve my goals? And what's wrong with my configs?

PS. Neither iptables nor firewalls are installed on the server, so that can't be the problem. Also, I have specified net.ipv4.ip_forward=1 & net.ipv6.conf.all.forwarding=1 in /etc/sysctl.conf.
Software versions: OS is Ubuntu 18.04.4 LTS, kernel 4.15.0-20-generic, WG: wireguard-tools v1.0.20200206.


Update

After I removed Address from the server's config and set AllowedIPs = 10.0.0.2/24 in the client's one, I finally got connected to the server's NginX from the client by private IP, and was able to reach the Internet (because traffic goes outside the VPN).

But if I set AllowedIPs = 0.0.0.0/0 on the client, I have no Internet access, though I can still reach the server by the VPN's IP address 10.0.0.1. I tried solving it with ifconfig wg0 broadcast/multicast, but had no success. Now the command ip address show wg0 gives the following output:

4: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.10.10.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet 10.10.10.1 peer 10.10.10.2/32 scope global wg0
       valid_lft forever preferred_lft forever

In addition, I cannot access one client from another; I think it's the same problem. How can I fix the WireGuard configs or the server's network settings to solve the problem?

AivanF.

3 Answers


Use wg-quick instead of wg with the config file and it would work ;-). You wrote that you are using the wg command directly, which uses a different configuration file format, resulting in the error:

Line unrecognized: `Address=10.0.0.1/24,fd86:ea04:1115::1/64'
Configuration parsing error

What you can also check:

Split the Address line to have correct config on the server:

[Interface]
Address = 10.0.0.1/24
Address = fd86:ea04:1115::1/64
ListenPort = 5555
PrivateKey = xxxxx

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0

On the client side there should also be an Endpoint so it knows where to connect, and the netmask should match (be the same as) the server side, so in this case /24:

[Interface]
PrivateKey = xxxxx
ListenPort = 5555
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server ip>:<port>

You can try with both Address entries on one line, but the mask /24 should definitely be the same on both sides.

Dagelf
Kamil J
  • About the first one: I get the same error even without IPv6 `Line unrecognized: `Address=10.0.0.1/24'` – AivanF. Mar 12 '20 at 08:41
  • And I probably missed the last line of the client's config... of course I have specified correct Endpoint. I should update the Q, thanks for notion. – AivanF. Mar 12 '20 at 08:43
  • Hmmm, I see... **wg** expects a slightly different configuration input. Use **wg-quick** instead of **wg** with this configuration file... That should work. I have updated the answer. – Kamil J Mar 12 '20 at 09:49
  • Look, if I remove `Address` from the server's config, and set `AllowedIPs = 10.0.0.2/24` on the client, I can connect to the server's NginX from the client by private IP, and am able to reach the Internet (because traffic goes outside the VPN). But if I set `AllowedIPs = 0.0.0.0/0` on the client, I have no Internet access, though I can still reach the server by the VPN's IP address 10.0.0.1. I guess that's because of some network settings on the server. I did `ifconfig wg0 broadcast/multicast`, however it doesn't change the situation. What then can I do? – AivanF. Mar 12 '20 at 13:31
  • In case you place some network there, it is passed to the default routing table. In case of 0.0.0.0/0 it is set to a custom routing table. In case you send data there it is accepted, but the default routing table may be a little bit different than you think.... In case of ``wg-quick up `` you can keep the Address option - for wg-quick it is a valid one. The difference is that ``wg setconf...`` handles only stuff related to the wireguard tunnel, and the IP address is not crucial in the first phase as it can be IPv4, IPv6, IPv4+IPv6. AllowedIPs is on the wg level. ``wg-quick`` handles ``wg`` and also these IP settings. – Kamil J Mar 12 '20 at 14:27
  • Thanks for your reply :) I tried this approach, but after `wg-quick down wg0` and `sudo wg-quick up /etc/wireguard/wg0.conf` I cannot reach the server again without executing `ip address add dev wg0 10.10.10.1/24` on it. It's weird. Also, I still cannot make clients communicate with each other :( I've added some more info to the Q, please, have a look. – AivanF. Mar 12 '20 at 21:49
  • Maybe we could chat in some realtime messenger with more details? I can write you on Telegram, WhatsUp, Facebook, anything else. – AivanF. Mar 13 '20 at 09:40
  • In the client config, there were **/32** netmask... In case you didn't correct it it may be an issue ;-). There have to be also /24. Let me know if it was the case or something still remain. – Kamil J Mar 13 '20 at 10:04

Well, after several days, nights, and killed servers, I solved all the problems myself :)

  • Firstly, I'd like to mention that the wg and wg-quick utilities treat config files differently. So, my wg setconf wg0 /etc/wireguard/wg0.conf didn't work the expected way, and I guess it uses the old config format. Now I use wg-quick through systemctl.

  • Secondly, my addition of net.ipv4.ip_forward=1 to the file /etc/sysctl.conf didn't work even though I called systemctl daemon-reload ; systemctl restart systemd-networkd. I had to load the config into the kernel using the sysctl -p /etc/sysctl.conf command. This allows peers to communicate with each other and reach the Internet through the VPN.

  • It's worth mentioning that for all the Address entries it's better to use a subnet mask of 32 bits, which means an exact IP, not a range.

  • In addition, I've set up custom DNS with BIND9 to create own domain in the network. And NginX with sender's IP address checking to restrict access to VPN's clients only.

For now, my configs are as follows.

Server

[Interface]
Address = 10.0.0.1/32
ListenPort = 5555
PrivateKey = ___some_private_key___

# The following is needed only if you have `ufw` installed
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = ___some_public_key___
# the client's tunnel address; listing the server's own 10.0.0.1 here cannot work
AllowedIPs = 10.0.0.2/32

Client

[Interface]
PrivateKey = ___some_private_key___
ListenPort = 5555
# must differ from the server's 10.0.0.1
Address = 10.0.0.2/32

[Peer]
PublicKey = ___some_public_key___
AllowedIPs = 10.0.0.0/24
Endpoint = ___some_ip_address__:5555
AivanF.
  • How are you updating the client now? The wg set command? If I update the conf file in /etc/wireguard/wg0.conf, which is the best option to update instead of restarting, when setconf/syncconf is throwing the address error? – Macindows Aug 05 '20 at 15:42
  • @Macindows This is quite a good question! Sorry, I don't know, TBH, I haven't worked with WG for many months. Try write a new post, I'll vote for it. – AivanF. Aug 05 '20 at 18:30
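The points argued in this answer (one /32 address per peer, the server's [Peer] AllowedIPs naming the client, an Endpoint on the client, and 0.0.0.0/0 only when Internet traffic should go through the tunnel) are easy to get wrong by copy-paste, so here is an added example, not code from any participant, that checks a server/client config pair for exactly those mistakes. It runs offline on two constructed sample pairs (one broken, one fixed); all keys are placeholders and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a WireGuard server/client
# config pair. Sample configs are constructed below with placeholder keys.

# wg_conf_get FILE SECTION KEY: print every value of KEY found inside [SECTION].
# Accepts "Key = value" and "Key=value"; trailing comments are ignored.
wg_conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sect = (s == sect); next }
        in_sect && index($0, "=") {
            line = $0; sub(/#.*/, "", line)
            k = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr(line, index(line, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key && v != "") print v
        }' "$1"
}

# wg_check_pair SERVER_CONF CLIENT_CONF: print one line per finding and return
# the number of findings (0 = the pair looks consistent).
wg_check_pair() {
    srv=$1; cli=$2; n=0
    srv_ip=$(wg_conf_get "$srv" Interface Address | head -n 1 | cut -d/ -f1)
    cli_ip=$(wg_conf_get "$cli" Interface Address | head -n 1 | cut -d/ -f1)
    # AllowedIPs may span lines and entries; join as ",a,b," for exact matching
    srv_allowed=",$(wg_conf_get "$srv" Peer AllowedIPs | tr -d ' ' | tr '\n' ',')"
    cli_allowed=",$(wg_conf_get "$cli" Peer AllowedIPs | tr -d ' ' | tr '\n' ',')"

    if [ -z "$(wg_conf_get "$cli" Peer Endpoint)" ]; then
        echo "client: [Peer] has no Endpoint, so it cannot start the handshake"; n=$((n + 1))
    fi
    if [ -n "$srv_ip" ] && [ "$srv_ip" = "$cli_ip" ]; then
        echo "both ends use $srv_ip as tunnel address; every peer needs its own"; n=$((n + 1))
    fi
    # On the server, a peer's AllowedIPs is both the source filter for packets
    # from that peer and the route towards it: it must contain the client's
    # address and never the server's own.
    case "$srv_allowed" in
        *",$srv_ip/32,"*) echo "server: peer AllowedIPs lists the server's own $srv_ip/32"; n=$((n + 1)) ;;
    esac
    case "$srv_allowed" in
        *",$cli_ip/32,"*) ;;
        *) echo "server: peer AllowedIPs ($srv_allowed) does not include client $cli_ip/32"; n=$((n + 1)) ;;
    esac
    # Full tunnel needs 0.0.0.0/0 on the client (plus forwarding and NAT on the
    # server); a narrower prefix is split tunnelling, reported but not counted.
    case "$cli_allowed" in
        *",0.0.0.0/0,"*) ;;
        *) echo "note: client AllowedIPs ($cli_allowed) keeps Internet traffic outside the VPN" ;;
    esac
    return "$n"
}

SAMPLE_DIR=$(mktemp -d)
# broken pair: server address reused on the client and in the server's [Peer], no Endpoint
cat > "$SAMPLE_DIR/server-broken.conf" <<'EOF'
[Interface]
Address = 10.0.0.1/32
ListenPort = 5555
PrivateKey = ___some_private_key___

[Peer]
PublicKey = ___some_public_key___
AllowedIPs = 10.0.0.1/32
EOF
cat > "$SAMPLE_DIR/client-broken.conf" <<'EOF'
[Interface]
PrivateKey = ___some_private_key___
Address = 10.0.0.1/32

[Peer]
PublicKey = ___some_public_key___
AllowedIPs = 10.0.0.0/24
EOF
# fixed pair: distinct addresses, client listed in the server's [Peer], Endpoint, full tunnel
cat > "$SAMPLE_DIR/server-fixed.conf" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = ___some_private_key___

[Peer]
PublicKey = ___some_public_key___
AllowedIPs = 10.0.0.2/32
EOF
cat > "$SAMPLE_DIR/client-fixed.conf" <<'EOF'
[Interface]
PrivateKey = ___some_private_key___
Address = 10.0.0.2/32

[Peer]
PublicKey = ___some_public_key___
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server ip>:5555
EOF

check_broken_pair() { wg_check_pair "$SAMPLE_DIR/server-broken.conf" "$SAMPLE_DIR/client-broken.conf"; }
check_fixed_pair()  { wg_check_pair "$SAMPLE_DIR/server-fixed.conf" "$SAMPLE_DIR/client-fixed.conf"; }

echo "== broken pair =="; check_broken_pair || echo "findings: $?"
echo "== fixed pair ==";  check_fixed_pair && echo "findings: 0"
```

The broken pair yields three findings (missing Endpoint, shared address, server's own address in its [Peer]) plus the split-tunnel note; the fixed pair yields none. The check is deliberately string-based: it only recognises exact /32 entries, so a server that lists the client inside a wider prefix would still be reported and should be reviewed by hand.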
OK, I solved the WireGuard "Line unrecognized: Address=" error with wg show wg0, NOT using wg-quick.

I just removed/commented out the line Address = x.x.x.x in /etc/wireguard/wg0.conf.

My setup on Debian/Ubuntu:

  1. The wg0 interface is configured in /etc/network/interfaces:

auto wg0
iface wg0 inet static
address 192.168.1.1/24
pre-up ip link add wg0 type wireguard
pre-up wg setconf wg0 /etc/wireguard/wg0.conf
post-down ip link del wg0
Pieter
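Both this answer and Kamil J's come down to the same fact: wg setconf/syncconf only understand the tunnel-level keys, while Address, DNS, MTU, Table and the Pre/Post hooks belong to wg-quick, which handles them itself (that is what wg-quick strip prints a config without). The following added example, not from any participant, reproduces that stripping in plain sh on a constructed sample file so the reader can see exactly which lines trigger "Line unrecognized"; key values are placeholders and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): strip wg-quick-only keys from a config so
# that wg setconf / wg syncconf accept it. Sample config is constructed below.

# Keys that wg-quick handles itself and wg(8) rejects with "Line unrecognized".
WGQUICK_ONLY='Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig'

# wg_strip FILE: print FILE without the wg-quick-only keys, comments and blank lines.
wg_strip() {
    awk -v keys="$WGQUICK_ONLY" '
        BEGIN { n = split(keys, k, "|"); for (i = 1; i <= n; i++) drop[k[i]] = 1 }
        { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" { next }
        line ~ /^\[/ { print line; next }          # section headers always survive
        {
            key = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]/, "", key)
            if (!(key in drop)) print line
        }' "$1"
}

# wg_strip_has KEY FILE: succeed if a "KEY = ..." line survives stripping.
wg_strip_has() { wg_strip "$2" | grep -q "^$1 *="; }

# wg_strip_count FILE: number of lines wg setconf would be given.
wg_strip_count() { wg_strip "$1" | grep -c .; }

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = ___some_private_key___
DNS = 8.8.8.8
# NAT for clients that route 0.0.0.0/0 through the tunnel
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = ___some_public_key___
AllowedIPs = 10.0.0.2/32
EOF

echo "== what wg setconf would accept =="
wg_strip "$SAMPLE_CONF"
```

On the sample, six lines survive: the two section headers, ListenPort, PrivateKey, PublicKey and AllowedIPs. With a real wireguard-tools install, wg-quick strip wg0 produces the same kind of output, and wg syncconf wg0 <(wg-quick strip wg0) (bash process substitution) pushes edits to a running interface without taking it down. Whatever gets stripped still has to be done by something else: after wg setconf, the address and routes come from ip address add / ip route, which is exactly what the question's manual commands and the pre-up hooks above take care of.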