Messages - strongthany

#1
@Monviech I will check the firewall rule on the WAN. I double checked and can confirm the IP I am using for the WAN address is correct (couldn't get DuckDNS figured out to get a FQDN for connecting, but that's an issue for later). Based on the information I posted last, does the key information look correct to you? I am hoping for some assistance in ensuring the pair looks correct. If you need more information, please let me know.
#2
Thank you. I followed your steps and can confirm I am not getting a handshake. So likely there is something wrong with my key pairs. I'll double check what I have set where and make adjustments if needed.

Just so I'm clear, the pub key in the local config would go into the PublicKey entry under the [Peer] section on the client (laptop) config, correct?

I went back through and confirmed the keys are correct, following the road warrior guide. I can confirm the keys are correct, but still no dice when trying to get the handshake.

~$ WG-UP
Warning: `/etc/wireguard/wg0.conf' is world accessible
  • ip link add wg0 type wireguard
  • wg setconf wg0 /dev/fd/63
  • ip -4 address add 10.0.2.2/24 dev wg0
  • ip link set mtu 1420 up dev wg0
interface: wg0
  public key: cpp(this is the key generated on my client by running sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key. This is also the key on VPN --> WireGuard --> Endpoint --> Public Key)
  private key: (hidden)
  listening port: 34309

peer: z1v(confirmed to be the same as what's on VPN --> WireGuard --> Local --> Public Key)
  endpoint: PUBLIC.IP.ADDRESS:51820
  allowed ips: 10.0.2.0/24

~$ ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
^C
--- 10.0.2.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5084ms

~$ sudo wg
interface: wg0
  public key: cpp1aArw8UcKd6FU09IQ7i/bQCtdfzTz1DBHSsi+QBY=
  private key: (hidden)
  listening port: 34309

peer: z1vcnYO+25OXVTxTDmoBby6n6beXVUDtRhQr0LyEomA=
  endpoint: 162.219.228.99:51820
  allowed ips: 10.0.2.0/24
  transfer: 0 B received, 296 B sent
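
The `sudo wg` output above already answers the first question a practitioner asks: there is no `latest handshake:` line, and the transfer counter shows bytes sent but nothing received. The following is an added example, not code from the thread or from OPNsense, that parses `wg show` text output and classifies the tunnel state, and that checks whether a destination is even routed into the tunnel by the client's AllowedIPs (wg-quick only installs routes for those prefixes). The sample outputs are constructed to mirror the shape of the output posted above; the endpoint address and key placeholders are not the poster's.

```python
"""Triage a WireGuard client from `wg show` output.

Added example, not part of the forum thread. Parses the text that
`wg show` prints and answers, in order: did the handshake complete, and
is the destination covered by AllowedIPs (which on the client side also
decides what wg-quick routes into the tunnel).
"""
import ipaddress
import re

# Wire size of a WireGuard handshake initiation message; "296 B sent,
# 0 B received" is two initiations that got no response.
HANDSHAKE_INIT_BYTES = 148

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def _to_bytes(num: str, unit: str) -> int:
    return int(float(num) * _UNITS[unit])


def parse_wg_show(text: str) -> list:
    """Return one dict per `peer:` stanza of `wg show` text output."""
    peers, cur = [], None
    for raw in text.splitlines():
        key, _, val = raw.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "peer":
            cur = {"public_key": val, "endpoint": None, "allowed_ips": [],
                   "latest_handshake": None, "rx": 0, "tx": 0}
            peers.append(cur)
        elif cur is None:          # still in the interface stanza
            continue
        elif key == "endpoint":
            cur["endpoint"] = val  # host:port, port kept as printed
        elif key == "allowed ips":
            cur["allowed_ips"] = [a.strip() for a in val.split(",")]
        elif key == "latest handshake":
            cur["latest_handshake"] = val
        elif key == "transfer":
            m = re.match(r"([\d.]+) (\w+) received, ([\d.]+) (\w+) sent", val)
            if m:
                cur["rx"] = _to_bytes(m.group(1), m.group(2))
                cur["tx"] = _to_bytes(m.group(3), m.group(4))
    return peers


def triage(peer: dict) -> tuple:
    """Classify one peer as (state, explanation)."""
    if peer["endpoint"] is None:
        return ("no_endpoint",
                "no Endpoint configured, so the client cannot start a handshake")
    if peer["latest_handshake"] is None:
        inits = peer["tx"] // HANDSHAKE_INIT_BYTES
        return ("no_handshake",
                f"{inits} initiation(s) sent to {peer['endpoint']}, "
                f"{peer['rx']} B received: the server never answered "
                "(key pairing, endpoint address/port, or UDP blocked at the WAN)")
    return ("handshake_ok",
            f"handshake {peer['latest_handshake']}; if LAN hosts are still "
            "unreachable, check AllowedIPs on both ends and the firewall rules "
            "on the WireGuard interface")


def routed_through_tunnel(peer: dict, dst: str) -> bool:
    """True if wg-quick routes dst into the tunnel, i.e. AllowedIPs covers it."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in peer["allowed_ips"])


# Constructed sample output (same shape as the post above; placeholder keys,
# documentation address 203.0.113.10 instead of a real endpoint).
SAMPLE_NO_HANDSHAKE = """\
interface: wg0
  public key: <client public key>
  private key: (hidden)
  listening port: 34309

peer: <firewall public key>
  endpoint: 203.0.113.10:51820
  allowed ips: 10.0.2.0/24
  transfer: 0 B received, 296 B sent
"""

SAMPLE_HANDSHAKE_OK = """\
interface: wg0
  public key: <client public key>
  private key: (hidden)
  listening port: 34309

peer: <firewall public key>
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 12 seconds ago
  transfer: 2.31 KiB received, 4.07 KiB sent
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NO_HANDSHAKE, SAMPLE_HANDSHAKE_OK):
        for peer in parse_wg_show(sample):
            state, why = triage(peer)
            print(state, "-", why)
            print("  192.168.1.10 routed into tunnel:",
                  routed_through_tunnel(peer, "192.168.1.10"))
```

Run it against your own `sudo wg` output by piping it in and calling `parse_wg_show(sys.stdin.read())`. Note the second check: with `allowed ips: 10.0.2.0/24` only the tunnel subnet is routed through wg0, so a LAN address such as 192.168.1.10 goes out the normal default route regardless of whether the handshake succeeded.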
#3
I'm not sure I follow. When I WG-UP (alias for sudo wg-quick up wg1 ; sudo wg) on my client (my laptop) it shows what I just sent. When I run ping from the client (my laptop) all pings fail to reach out. But from the way the WG-UP command looks it seems to complete the tunnel. Additionally, when I go to VPN --> WireGuard --> Handshake I see the following:

wg1   pubkey-on-firewall-endpoint   1698437456

So I can compare and be sure, what is the pairing of the keys supposed to be between the Local tab, the Endpoints tab, and the client (my laptop)? I feel like I have it correct, but I'm not going to rule out me messing something up there.
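
The pairing rule behind the question above is mechanical: a WireGuard private key is 32 clamped bytes, its public key is X25519(private, 9), and each side's [Peer] entry must hold the *other* side's derived public key. The following added example (not from the thread, not OPNsense code) derives the public key the same way `wg pubkey` does, using a pure-Python X25519 per RFC 7748 so it runs offline, and checks that the `PrivateKey` in a client config derives to the public key the firewall lists for that peer. The sample keys are the RFC 7748 test vectors and the sample client config is constructed; no key here belongs to the poster.

```python
"""Derive a WireGuard public key and verify a client/server key pairing.

Added example, not from the forum thread. X25519 is implemented here
from RFC 7748 so nothing beyond the standard library is needed; for
production use the `cryptography` package or `wg pubkey` itself.
"""
import base64
import re

P = 2 ** 255 - 19
A24 = 121665


def _clamp(k: bytes) -> int:
    """Scalar decoding per RFC 7748: clear low 3 bits, clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _x25519(scalar: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5; returns the u-coordinate."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P


def pubkey_bytes(private: bytes) -> bytes:
    if len(private) != 32:
        raise ValueError("WireGuard private key must be 32 bytes")
    return _x25519(_clamp(private), 9).to_bytes(32, "little")


def pubkey_hex(private_hex: str) -> str:
    return pubkey_bytes(bytes.fromhex(private_hex)).hex()


def to_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def wg_pubkey(private_b64: str) -> str:
    """Same result as `wg pubkey` fed the base64 private key."""
    return to_b64(pubkey_bytes(base64.b64decode(private_b64)))


def check_pairing(client_conf: str, server_peer_pubkey_b64: str) -> bool:
    """True if the client's [Interface] PrivateKey derives to the public key
    the server lists for this peer (the Endpoint entry on the firewall)."""
    m = re.search(r"^\s*PrivateKey\s*=\s*(\S+)", client_conf, re.M)
    if not m:
        raise ValueError("no PrivateKey line in client config")
    return wg_pubkey(m.group(1)) == server_peer_pubkey_b64.strip()


# RFC 7748 section 6.1 test vectors (public, published keys; sample only).
ALICE_PRIVATE_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUBLIC_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PRIVATE_HEX = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
BOB_PUBLIC_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"

# Constructed client config using Alice's key as the laptop's private key;
# the firewall's peer entry for the laptop must then hold Alice's public key.
SAMPLE_CLIENT_CONF = f"""[Interface]
PrivateKey = {to_b64(bytes.fromhex(ALICE_PRIVATE_HEX))}
Address = 10.0.2.2/32

[Peer]
PublicKey = {to_b64(bytes.fromhex(BOB_PUBLIC_HEX))}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""
SAMPLE_SERVER_PEER_PUBKEY = to_b64(bytes.fromhex(ALICE_PUBLIC_HEX))

if __name__ == "__main__":
    print("client pubkey:", wg_pubkey(to_b64(bytes.fromhex(ALICE_PRIVATE_HEX))))
    print("pairing ok:", check_pairing(SAMPLE_CLIENT_CONF, SAMPLE_SERVER_PEER_PUBKEY))
```

To use it on a real setup, paste the laptop's wg0.conf into `check_pairing` together with the public key shown on the firewall's Endpoint (peer) entry for that laptop; the mirror check is that the client's `[Peer] PublicKey` equals the firewall's Local (interface) public key, which `wg show` prints as `public key:` under the interface stanza.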

#4
WG-UP
Warning: `/etc/wireguard/wg0.conf' is world accessible
  • ip link add wg0 type wireguard
  • wg setconf wg0 /dev/fd/63
  • ip -4 address add 10.0.2.2/24 dev wg0
  • ip link set mtu 1420 up dev wg0
interface: wg0
  public key: publickey
  private key: (hidden)
  listening port: 57081

peer: z1vcnYO+25OXVTxTDmoBby6n6beXVUDtRhQr0LyEomA=
  endpoint: public.ip.address:51820
  allowed ips: 10.0.2.0/24


I have included a screenshot of the firewall rules for WireGuard (group). There previously were none, but I decided to recreate the single rule I had in the regular WireGuard firewall rules.

I also noticed that when connected I can't ping IPv4 addresses, namely that I can't ping Cloudflare's DNS address.

ping www.google.com
PING www.google.com(yo-in-f106.1e100.net (2607:f8b0:4002:c0f::6a)) 56 data bytes
64 bytes from yo-in-f106.1e100.net (2607:f8b0:4002:c0f::6a): icmp_seq=1 ttl=108 time=65.8 ms
64 bytes from yo-in-f106.1e100.net (2607:f8b0:4002:c0f::6a): icmp_seq=2 ttl=108 time=71.5 ms
64 bytes from yo-in-f106.1e100.net (2607:f8b0:4002:c0f::6a): icmp_seq=3 ttl=108 time=87.3 ms
^C
--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 65.752/74.863/87.317/9.115 ms

ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
17 packets transmitted, 0 received, 100% packet loss, time 16382ms
#5
I changed the IP to 10.0.2.0/24, but when I try pinging as suggested I get this:

ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
^C
--- 10.0.2.1 ping statistics ---
36 packets transmitted, 0 received, 100% packet loss, time 35541ms

What would I need to add to ensure that it can still work with IPv6? My ISP only gives me an IPv4 address.
#6
@Monviech So I did what you said... kind of. I ran a packet capture via the web UI instead. I have included a screenshot of the settings I ran. Note that I also ran the test again with the protocol set to any, and another test with promiscuous mode on and off. In all cases the packet capture turned out empty. On my laptop I would connect to the VPN while connected to a hotspot on my phone, then ping the IP address of my DNS server and then the firewall itself. In both cases I was not able to reach the resource. I was, however, able to ping Google and to access the internet through Firefox.

Theory: am I even connecting to the VPN properly? When I go to whatismyipaddress dot com I see that my mobile carrier is my ISP, which is different from that of my home. I think this theory holds some water, as if there were an error we would see SOMETHING in the packet capture.

#7
@patrick Fair point, I only had space for 4 uploads though, so I tried to pick what I thought might be most useful. I do want to note that the connection does work in the sense that I am able to connect to the internet, just not to resources on the LAN, such as my home server.

On the Status tab of the WireGuard settings on the firewall, this is what it states:

interface: wg1
  public key: PUBLICKEY(can confirm it's the same key as on my laptop)
  private key: (hidden)
  listening port: 51820

peer: hash of peer, not sure if this is safe to post or not.
  allowed ips: 10.0.2.2/32
#8
Quote from: franco on October 27, 2023, 05:37:40 PM
Shouldn't

Address = 10.0.2.2/32

Match your actual network size (not /32)?
---------------------------------
I have had it match before, using /24, but the issue persists all the same. I can change it though, should that be the better way to do it going forward.

I have changed my local config to the following:

[Interface]
PrivateKey = ClientPrivateKey
Address = 10.0.2.2/24

[Peer]
PublicKey = PublicKeyFromFirewall
AllowedIPs = 0.0.0.0/0
Endpoint = PUBLIC.IP.ADDRESS:51820
#9
I have been trying to get WireGuard set up on my DEC695 and, despite following the road warrior guide as closely as possible, I can't get it functioning the way I want. I can connect to the VPN and access the internet at large fine, but I am unable to access my lab on the LAN. I have included screenshots of my config settings, and can provide more upon request, but at this point I'm not sure what is going wrong.

Client config:
[Interface]
PrivateKey = ClientPrivateKey
Address = 10.0.2.2/32

[Peer]
PublicKey = PublicKeyFromFirewall
AllowedIPs = 0.0.0.0/0
Endpoint = PUBLIC.IP.ADDRESS:51820