Summary:

I have created a WireGuard VPN server on an AWS EC2 instance. From the VPN client I can connect to the VPN correctly and ping the VPN server. When attempting to access the internet from the client, I am unable to get any responses from external servers.

Full technical details:

I have created an Ubuntu 20.04 EC2 instance on Amazon EC2 with a public Elastic IP. The Security Group associated with the instance allows the following Inbound Rules (and a blanket 0.0.0.0/0 outbound rule):

Custom TCP  TCP 41194   0.0.0.0/0       WireGuard listen port
SSH         TCP 22      <my_known_ip>   SSH
Custom UDP  UDP 41194   0.0.0.0/0       WireGuard listen port

The WireGuard configuration on the server is then as follows:

[Interface]
Address = 192.168.2.1
PrivateKey = <priv_key>
ListenPort = 41194
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# NAME OF CLIENT
PublicKey = <pub_key>
AllowedIPs = 192.168.2.3/32

On the server I then also configure the OS's firewall using the following commands (done as the root user):

ufw allow from 192.168.2.0/24
ufw allow 41194/any
ufw allow 22/any
ufw enable

I also enable the server to forward IPv4 traffic by updating /etc/sysctl.conf to have the following set:

net.ipv4.ip_forward = 1

And ensure the above takes effect using sysctl -p.

Once this is done I start the WireGuard service on the server (wg-quick up wg0).

On the client I then use the following configuration to connect to the VPN server:

[Interface]
PrivateKey = <priv_key_of_client>
ListenPort = 21841
Address = 192.168.2.3/32
DNS = 192.168.2.1

[Peer]
PublicKey = <pub_key_of_server>
AllowedIPs = 192.168.2.1/24, 0.0.0.0/0, ::/0
Endpoint = <public_ip_of_ec2_instance>:41194

Once I start the VPN on the client, it connects successfully, and from the client I can ping the VPN server (ping 192.168.2.1). But from the client I cannot access any other external server (i.e. no internet access).

The following debugging steps are all performed on the VPN server itself:

I ensured that on the WireGuard server itself I can access the internet (curl -L google.com returns correctly).

Watching the network traffic on the WireGuard interface using tcpdump -n -i wg0, I see that none of the connections attempted by the client (IP 192.168.2.3) ever get a response from the third-party server, i.e. the following SYN [S] request is seen going out but no corresponding [S.] is seen coming back. For example:

09:04:36.133008 IP 192.168.2.3.57624 >  172.217.170.4.80: Flags [S], seq 1394306065, win 65535, options [mss 1380,nop,wscale 6,nop,nop,TS val 1126938286 ecr 0,sackOK,eol], length 0

The same can be seen when performing a tcpdump on the default ens5 interface that the WireGuard server uses. So the request from the client is seen by the WireGuard server on wg0, this request is then forwarded onto ens5 and out to the third-party server (google.com), but no corresponding reply can be seen to any of the SYN packets that are sent out.

1 Answer

I figured out my own issue. My ufw was not set up correctly to do the NAT'ing.

So I added the following to /etc/ufw/before.rules:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through ens5 - change to match your outbound interface
-A POSTROUTING -s 192.168.2.0/24 -o ens5 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

Then I restarted ufw with ufw disable and ufw enable, and the internet now works correctly from the VPN client.
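As an added diagnostic that is not part of the question or the answer above, the following POSIX shell script checks for exactly the kind of mismatch seen here: it reads the uplink interface from the default route, compares it with the -o interface of every MASQUERADE rule, and confirms net.ipv4.ip_forward is 1. The route and NAT output embedded in it are constructed samples, not captured from the poster's instance; the --live mode runs ip, iptables and sysctl on the server itself (as root).

```shell
#!/bin/sh
# Diagnostic for the WireGuard forwarding problem above: a MASQUERADE rule that
# names the wrong outbound interface (eth0) while the instance's uplink is ens5.
# All checks work on command output passed as text, so they can be run against
# live state or against saved output.

# Print the interface of the default route from `ip route show default` output.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Given `iptables -t nat -S POSTROUTING` output and the real uplink, print the
# -o interface of every MASQUERADE rule that does not match it (one per line).
masquerade_mismatches() {
    printf '%s\n' "$1" | awk -v want="$2" '/MASQUERADE/ {
        for (i = 1; i < NF; i++) if ($i == "-o" && $(i + 1) != want) print $(i + 1) }'
}

# Verdict: returns 0 when forwarding is on and every MASQUERADE rule leaves via
# the default-route interface; returns 1 and prints the reason otherwise.
check_nat() {
    route_out="$1"; nat_out="$2"; fwd="$3"
    iface=$(default_iface "$route_out")
    [ -n "$iface" ] || { echo "no default route found"; return 1; }
    [ "$fwd" = "1" ] || { echo "net.ipv4.ip_forward is '$fwd', expected 1"; return 1; }
    bad=$(masquerade_mismatches "$nat_out" "$iface")
    if [ -n "$bad" ]; then
        echo "MASQUERADE rule(s) use '$bad' but the default route leaves via $iface"
        return 1
    fi
    printf '%s\n' "$nat_out" | grep -q MASQUERADE || { echo "no MASQUERADE rule found"; return 1; }
    echo "NAT looks consistent: forwarding on, MASQUERADE out of $iface"
}

# Constructed sample (not from the poster's instance) reproducing the question's
# setup: the rule says eth0 while the default route leaves via ens5.
SAMPLE_ROUTE="default via 172.31.0.1 dev ens5 proto dhcp src 172.31.5.10 metric 100"
SAMPLE_NAT="-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE"

if [ "${1:-}" = "--live" ]; then
    check_nat "$(ip route show default)" "$(iptables -t nat -S POSTROUTING)" \
              "$(sysctl -n net.ipv4.ip_forward)"
else
    check_nat "$SAMPLE_ROUTE" "$SAMPLE_NAT" 1 || true   # reports the eth0/ens5 mismatch
fi
```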