Can't Connect to Wireguard on Virtualmin / Ubuntu 20.04 setup / FirewallD?

dragonsway · February 21, 2022, 3:04pm

🛈 SYSTEM INFORMATION
OS type and version	Ubuntu 20.04
Webmin version	1.984
Virtualmin version	6.17-3 Pro
Related packages	Wireguard

Does anyone know of any Virtualmin related aspects that can interfere / block a wireguard connection? My best guess is that FirewallD doesn’t like the routing used for wireguard, but I could be absolutely wrong.

I have verified that the port is available and can be accessed through FirewallD GUI and by running:

(server side)
nc -lu 51820

(client side)
echo Test message | nc -4u -w1 {host-ip} 51820

And seeing “Test message” output on remote server.

Under Webmin >> Webmin Configuration >> IP Access Control… I have added both the wireguard client and server’s addresses (i.e. 10.0.0.1 , 10.0.0.2)

I have generated fresh key pairs on client and server. Putting client’s pub key on the server and the Server’s pub key on the client.

I am asking here because I have literally the -identical same- setup on a Debian Server without Virtualmin and it works perfectly.

There seems to be something related to Vmin and/or Ubuntu that is simply blocking the connection and I can’t find any errors in /var/log

My /etc/wireguard/wg0.conf contains:

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = server-private-key

[Peer]
PublicKey = client-public-key
AllowedIPs = 10.0.0.2/32

And I edited /etc/sysctl.conf to have:
net.ipv4.ip_forward = 1

From the client side when I connect, I get:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg-client1
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

And on the server I get this out put when I start wireguard:

# wg-quick up wg0 
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Everything is correct… the client just can’t connect.

Joe · February 21, 2022, 6:13pm

Firewalld does nothing with local traffic in our default configuration.

You need to open the port(s) for wireguard, but that’s all.

You also need routing enabled (which you’ve done with ip_forward).

But, you can test by just stopping the firewalld service. No need to guess. If it works when firewalld isn’t enabled, you’re missing something in the firewalld configuration…if it doesn’t work with firewalld stopped, then you know it’s a problem somewhere else.

dragonsway · February 21, 2022, 6:46pm

Thanks for the feedback. I think you missed this part of the message above. I verified port connectivity.

I took your advice though and stopped firewalld while I tried to connect… same issue. I really wish wireguard had a handy-dandy log so that I could easily see at what point the connection fails…

I really can’t think of anything else that could be stopping the connection… Do u know any logs that might give a hint?

Joe · February 21, 2022, 7:20pm

I’ve never used Wireguard. I don’t have any further advice. I just wanted to help you rule out firewalld as a cause, which we’ve now done.

dragonsway · February 22, 2022, 11:38am

daggnabbit… bottlenecks

Ilia · February 23, 2022, 12:32pm

Unfortunately, the online tutorials I checked in the distant past are very confusing.

Try this simple server/client configuration that I came up with in the past, which works just fine:

Server:

# Server
[Interface]
PrivateKey = sec-key
Address = 192.168.66.1/24
ListenPort = 55555

# Home PC 1
[Peer]
PublicKey = pub-key
AllowedIPs = 192.168.66.2/32
PersistentKeepalive = 15

Client:

# Home PC 1
[Interface]
PrivateKey = sec-key
Address = 192.168.66.2/32
DNS = 8.8.8.8

# Remote server
[Peer]
PublicKey = pub-key
Endpoint = serverip:55555
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 15

Gomez_Adams · February 23, 2022, 12:40pm

I haven’t seen that word in print for at least 25 years. Well done.

dragonsway · February 24, 2022, 2:14am

@Gomez_Adams “All hail the immortal Bugs Bunny!”

@jaime thanks for the config… I am about to test on a completely fresh install…

dragonsway · February 24, 2022, 10:52am

'Tis the day of digital illusions.

It turns out that I am actually connecting to successfully to the wireguard server. I can ping successfully between the host and client. And my client’s installation of dnsmasq confirms that the wireguard server ip is being used for DNS resolution.

The problem is that after the connection is made to wireguard the packets are not being properly routed for DNS resolution to happen. (My local machine just gives me an error message of “No Connection”, hence the illusion)

Every tutorial for Ubuntu uses UFW to route packets
Set Up Your Own WireGuard VPN Server on Ubuntu 20.04/18.04 - LinuxBabe
(and many other)

So when it comes to routing packets with Firewalld, I am a complete and total noob.

I found a tutorial for enabling wireguard with Firewalld in Centos 8… but given @joe’s disdain for old web tutorials I figured I would ask before I break a perfectly good fresh install of Vmin. Are these instructions relevant?

https://www.cyberciti.biz/faq/centos-8-set-up-wireguard-vpn-server/

Or is there a better Vmin GUI way to get the wireguard packets routed correctly?

This is my current wg0.conf file:

[Interface]
Address = 192.XXX.XX.XX/24
DNS = host-ip 180.76.76.76
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = server-private-key

[Peer]
PublicKey = client-pub-key
AllowedIPs = 192.XXX.XX.XX/32
PersistentKeepalive = 15

dragonsway · February 24, 2022, 10:55am

FYI, I also have resolvconf installed on the server, if it matters at all.

dragonsway · February 25, 2022, 9:19am

I must have been brain dead yesterday… I just took a shot at the cyberciti.biz instructions… they worked perfectly…

Wireguard on Ubuntu 20.04 …up and running

https://www.cyberciti.biz/faq/centos-8-set-up-wireguard-vpn-server/

system · April 26, 2022, 9:20am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.