I have a server running Ubuntu 20.04 and wireguard 1.0.20200513-1~20.04.2. I installed the wireguard app on my phone (Android Samsung S20+), disabled Wi-Fi and connected to 4G. When the VPN is active I can access the server and nothing else on my home network (192.168.1.X) or the internet. The server has a 10.0.0.1 (VPN) and 192.168.1.171 (LAN) interface. The phone gets a 10.0.0.2 interface. I'm guessing I need to set up a route. Server firewall (ufw status) is inactive. Any help would be much appreciated.

/etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
Address = <MAC>::1/64
SaveConfig = true
ListenPort = 51820
PrivateKey = <SERVER_KEY>

[Peer]
PublicKey = <CELL_PUB_KEY>
AllowedIPs = 10.0.0.2/32
Endpoint = <EXTERNAL_IP>:8598

Cellphone (client) config

[Interface]
PrivateKey = <CELL_KEY>
Address = 10.0.0.2/24
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = <SERVER_PUB_KEY>
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
Endpoint = <EXTERNAL_IP>:51820

/etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp2s0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp2s0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp2s0

On the server

ip route get from 10.0.0.2 iif wg0 192.168.1.1
192.168.1.1 from 10.0.0.2 dev enp2s0
    cache iif wg0

EDIT - Solution - Needed PostUp and PostDown lines in wireguard.conf:

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <MY_KEY>

[Peer]
PublicKey = <MY_PUB_KEY>
AllowedIPs = 10.0.0.2/32
  • Was routing enabled on the server? What's the output on the server of `ip route get from 10.0.0.2 iif wg0 192.168.1.1`? Do you get a result or something like `RTNETLINK answers: No route to host`? – A.B Oct 24 '20 at 15:45
  • @A.B `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` are enabled on the server. I added the route output to the OP. It returns successfully. – EncryptedWatermelon Oct 25 '20 at 00:37
  • At least 192.168.1.1 (and better, any other system in its LAN, to avoid a lot of ICMP redirects) should also have a route to 10.0.0.0/24 via the server. Or you can do it the lazy way and use NAT on the server. – A.B Oct 25 '20 at 00:42
  • 192.168.1.1 is a Verizon router. The server is the only Linux machine in the network. Are you saying I need to add a route to my phone? It's not rooted so I'm not sure I can do that. Do I need to add a route to the server? – EncryptedWatermelon Oct 25 '20 at 00:58
  • Neither; you have to do NAT on the server. Adding a route on the router might not work in all cases (it would generate ICMP redirects which might be rejected by some systems, even if they should not). – A.B Oct 25 '20 at 01:12
  • Figured it out. I'll update the OP. – EncryptedWatermelon Oct 25 '20 at 01:18
  • Either answer the question yourself or delete it altogether, but don't leave it written as solved in the question itself. – A.B Oct 25 '20 at 11:41

2 Answers

Needed PostUp and PostDown lines in wireguard.conf:

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <MY_KEY>

[Peer]
PublicKey = <MY_PUB_KEY>
AllowedIPs = 10.0.0.2/32
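
As an added sanity check (example code, not from the question or either answer): a small Python linter over a wg-quick config modelled on the accepted answer. It verifies that every iptables rule PostUp adds is deleted again by PostDown, so nothing is left behind after `wg-quick down`, and that the two FORWARD accepts and the MASQUERADE on the LAN interface (`enp2s0` here) are present. The sample config, its placeholder keys and the helper names are constructed for this example.

```python
import re

# Constructed sample modelled on the accepted answer above; key values are placeholders.
SAMPLE_CONF = """[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <MY_KEY>
[Peer]
PublicKey = <MY_PUB_KEY>
AllowedIPs = 10.0.0.2/32
"""

def parse_wg_conf(text):
    """Ordered (section, [(key, value), ...]) list; keys and [Peer] sections may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, val = (part.strip() for part in line.split("=", 1))
            sections[-1][1].append((key, val))
    return sections

def iptables_rules(cmds, deleting):
    """Normalise each ';'-separated iptables add (-A/-I) or delete (-D) to (table, chain, spec)."""
    rules = set()
    for cmd in (c.strip() for c in cmds.split(";")):
        m = re.match(r"iptables(?:\s+-t\s+(\S+))?\s+-([AID])\s+(\S+)\s+(.+)", cmd)
        if m and (m.group(2) == "D") == deleting:
            rules.add((m.group(1) or "filter", m.group(3), m.group(4)))
    return rules

def check_forwarding_nat(text, lan_if):
    """Findings: PostUp/PostDown asymmetry, missing FORWARD accepts, missing MASQUERADE."""
    pairs = [kv for name, kvs in parse_wg_conf(text) if name == "Interface" for kv in kvs]
    added = iptables_rules("; ".join(v for k, v in pairs if k == "PostUp"), deleting=False)
    removed = iptables_rules("; ".join(v for k, v in pairs if k == "PostDown"), deleting=True)
    # A rule added in PostUp but not deleted in PostDown stays in the kernel after wg-quick down.
    findings = [f"PostUp adds {r} but PostDown never deletes it" for r in sorted(added - removed)]
    findings += [f"PostDown deletes {r} that PostUp never adds" for r in sorted(removed - added)]
    for flag, direction in (("-i ", "entering from"), ("-o ", "returning into")):
        if not any(ch == "FORWARD" and spec.startswith(flag) for _, ch, spec in added):
            findings.append(f"no FORWARD accept for packets {direction} the wg interface")
    if ("nat", "POSTROUTING", f"-o {lan_if} -j MASQUERADE") not in added:
        findings.append(f"no MASQUERADE on {lan_if}: LAN hosts have no route back to the tunnel")
    return findings
```

An empty result means the config is self-consistent; pass the real file's contents and your LAN interface name to run it against an actual wg0.conf.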

I'm not sure, but it works fine for me; try it:

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE;
ListenPort = 51820
PrivateKey = <MY_KEY>

[Peer]
PublicKey = <MY_PUB_KEY>
AllowedIPs = 10.0.0.2/32