this post was submitted on 20 Dec 2023
27 points (93.5% liked)

Selfhosted

39985 readers
761 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
27
[Fixed] Weird Wireguard issues I could use some help with. (lemmy.procrastinati.org)
submitted 10 months ago* (last edited 10 months ago) by SeeJayEmm@lemmy.procrastinati.org to c/selfhosted@lemmy.world
29 comments fedilink hide all child comments
 

I've hit a wall with a weird Wireguard issue. I'm trying to connect my phone (over cell) to my home router using wireguard and it will not connect.

  • The keys are all correct.
  • The IPs are all correct.
  • The ports are open on the firewall.
  • My router has a public IP, no CGNAT.

The router is opnsense, I have a tcpdump session going and when I attempt a connection from the phone I see 0 packets on that port. I am able to ping the router and reach the web server sitting behind it from the phone.

I have a VPS that I configured WG on and the phone connects fine to that. I also tested configuring the VPS to connect to my home router and that also works fine.

I'm really at a loss as to where to go next.

Edit 2: I completely blew out the config on both sides and rebuilt it from scratch, using a different UDP port, and it all appears to be working now. Thanks for everyone's help in tracking this down.

Edit: It was requested I provide my configs.

opnsense:

####################################################
# Interface settings, not used by `wg`             #
# Only used for reference and detection of changes #
# in the configuration                             #
####################################################
# Address =  172.31.254.1/24
# DNS =
# MTU =
# disableroutes = 0
# gateway =

[Interface]
PrivateKey = 
ListenPort = 51821

[Peer]
# friendly_name = note20
PublicKey = 
AllowedIPs = 172.31.254.100/32

Android:

[Interface]
Address = 172.31.254.100/32
PrivateKey = 

[Peer]
AllowedIPs = 0.0.0.0/32
Endpoint = :51821
PublicKey =
you are viewing a single comment's thread
view the rest of the comments
[–] nightrunner@lemmy.world 0 points 10 months ago (2 children)

Did you setup a NAT on the firewall? You have to setup a static NAT on the interface that your Public IP sits on and to the private IP address of your VPS (you are using a private network space from one of the other interfaces on your FW right?).

Make sure that the policy that you create with the NAT includes UDP 51820 (unless you changed the default port) People often mistake using TCP which is a different protocol. If that doesn’t work, then look at the traffic on your FW

[–] nightrunner@lemmy.world 1 points 10 months ago (1 children)

Meant to say if you still get stuck, run Wireshark on your FW and your VPS and run a tcp dump and filter the traffic to see where the data stops.

You can also use traceroute to your public IP on the port 51820 and check your connectivity or even curl: -v http:////publicip:51820

[–] taaz@biglemmowski.win 1 points 10 months ago* (last edited 10 months ago) (1 children)

Yeah I would probably try if the phone can actually access anything on that port.

On router: netcat -vvvl 0.0.0.0 51820
On phone: http://router_ip:51820

The browser will fail opening it but on router you should see the first incoming HTTP GET packet.
Or one could run a local shell on the phone (assuming android) and try netcat too.

(or this http server one liner python3 -m http.server can be used instead of netcat)

[–] SeeJayEmm@lemmy.procrastinati.org 1 points 10 months ago (2 children)

I have an network tools app that lets me test arbitrary ports and I do see those packets on a tcpdump, but this app (and you're suggestions above) are all TCP while Wireguard listens on UDP. I haven't come up with a way to test UDP from the phone yet.

[–] taaz@biglemmowski.win 2 points 10 months ago* (last edited 10 months ago)

Netcat can do UDP with -u flag, to get netcat on the phone (android) you could try local shell (Connect Bot app can do it) and try calling the local netcat (nc, though it's a simple busybox implementation so it might not have all the features). Not sure if it would let you send udp just like that.

[–] nightrunner@lemmy.world 1 points 10 months ago

They call it a tcpdump but Wireshark analyzes all network traffic. You can use the udp.port == 51820

Do you have a laptop? Probably more tools and easier to test from there.

[–] SeeJayEmm@lemmy.procrastinati.org 1 points 10 months ago (2 children)

There's some confusion here. I'm running wireguard on my opnsense router and I'm trying to connect my Android phone to it.

I just used the VPS to help troubleshoot to show other clients can connect to opnsense AND the phone can connect to other servers but the phone and opn won't talk.

I know this screams config issue. I've gone over it and rebuilt it multiple times. I can't find anything wrong. Someone else asked to see configs so I'll post those tomorrow.

[–] stown@sedd.it 2 points 10 months ago

It is a config issue. Allowed IPs for your client should be 0.0.0.0/0 not 0.0.0.0/32