[Solved] Can't connect to host after enabling WireGuard tunnel

user_naa@lemmy.world to Linux@lemmy.ml – 14 points –

I installed WireGuard on my host and set this configuration /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [REDACTED]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE


[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.4/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.5/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.6/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.7/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.8/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.9/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.10/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.11/32

Nmap scan when wg0 is down:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:26 CDT
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT    STATE    SERVICE
22/tcp  open     ssh
179/tcp filtered bgp

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Nmap scan when wg0 is up:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:27 CDT
All 1000 scanned ports are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 201.43 seconds

I also cannot connect to host via ssh. How to fix this issue?

Upd. Fixed my changing server WireGuard IP to 10.0.1.1. 10.0.0.1 was already taken

19

You are viewing a single comment

Like I said in another thread on this post, I'm pretty sure that's because they are forwarding input but not output in the PostUp rules. Setting a /32 in AllowedIPs works fine for me.

Thanks for help. Everything is fixed, read post update

Oh yeah, can't use the same IP range as your LAN, that will lead to problems. :D Glad it's fixed.

Out of curiosity, does forwarding work now without the output (-o) command in PostUp?

I left PostUp as is and didn't try removing -o))