VPN Wireguard - handshake ok but no internet and LAN access

I have a problem with wireguard setup. After setup up I can connect to my device. Handshake is ok but I cannot accesss internet and lan.

Device: raspberry pi 4b 8gb ram OS: Ubuntu server ARM x64 20.04 LTS

My wg0.conf file contents

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = (hidden)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = oqL4CC4Y572iOvVtpDbASiajjgJPAjJhDODffMezcxA=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = a6z779DYdezo/TMLbC7AJuenHpseaIqUr/gRx97D4Rw=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = Fe4Nv3Ef8T5bc1p7sDCfNkLO/pTv5cIgHMJ0XCMa8Gg=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.4/32

[Peer]
PublicKey = IdKkIYDctdHYwMx+ULlgntVllaBkIP8G8eIRxEQ9QWQ=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.5/32

[Peer]
PublicKey = qdpWjwlnUuwVxqKnCfta+W/B4XyxZT868aOPtmSOek8=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.6/32

First client config file:

  [Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = OPgCJeBSPevFR+oleTbDqVCNyn+7G0mhSA0QRHqnklg=

[Peer]
PublicKey = W6B77KxgOpshDLX7gc0Jz10Z/WfUl4zVCLrIL/luoR4=
PresharedKey = tI3YFvK195G257yQBAYx+bS9S1j2qkZZOgsdoN3/yPI=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = {my_external_ip_address}:51820

My router setup explanation. I have a UPC Connect Box device which has IP: 192.168.0.1. UPC Connect Box is my gateway. To this UPC Connect Box I have connected my other router. IP address: 192.168.1.1. I can access other subnets from all my routers. I can also access all computers inside my lan in any subnet. I can also access everything on my net and subnet from the device which has wireguard installed but it does not work when I am connected as a client.

Port forwarding is setup correctly on my upc connect box with port 51820 to my other router 192.168.1.1 and from this device to my raspberry pi ubuntu device with internal ip: 192.168.1.12.

What I did ? Allowed ipv4 port forwading using:

sudo sysctl -w net.ipv4.ip_forward=1

Also did:

sudo ufw allow 51820/tcp
sudo ufw allow 51820/udp
sudo ufw allow in on wg0 to any
sudo ufw allow out on wg0 to any

ufw status:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
51820                      ALLOW       Anywhere                  
51820/tcp                  ALLOW       Anywhere                  
51820/udp                  ALLOW       Anywhere                  
OpenSSH                    ALLOW       Anywhere                  
51821/udp                  ALLOW       Anywhere                  
51821/tcp                  ALLOW       Anywhere                  
446/tcp                    ALLOW       Anywhere                  
993/tcp                    ALLOW       Anywhere                  
8080/tcp                   ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
5900/tcp                   ALLOW       Anywhere                  
Anywhere on wg0            ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
51820 (v6)                 ALLOW       Anywhere (v6)             
51820/tcp (v6)             ALLOW       Anywhere (v6)             
51820/udp (v6)             ALLOW       Anywhere (v6)             
OpenSSH (v6)               ALLOW       Anywhere (v6)             
51821/udp (v6)             ALLOW       Anywhere (v6)             
51821/tcp (v6)             ALLOW       Anywhere (v6)             
446/tcp (v6)               ALLOW       Anywhere (v6)             
993/tcp (v6)               ALLOW       Anywhere (v6)             
8080/tcp (v6)              ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
5900/tcp (v6)              ALLOW       Anywhere (v6)             
Anywhere (v6) on wg0       ALLOW       Anywhere (v6)             

22/tcp                     ALLOW OUT   Anywhere                  
Anywhere                   ALLOW OUT   Anywhere on wg0           
22/tcp (v6)                ALLOW OUT   Anywhere (v6)             
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on wg0

I can connect from my iOS, Android or macOS device but no internet and lan access. I cannot ping anything after successfull connection. Cannot ping even devices on subnets and current net. Cannot ping anything external for example: 8.8.8.8 or 1.1.1.1 Everything seems fine - handshake is ok. Please guide me where is the mistake.

I need LAN and internet accesss through wireguard VPN.


Solution 1:

SOLVED! Seems that this not correct. Replacing "%i" with "wg0" solved the problem.

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Should be:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

LAN access works. Internet access works !

THanks to this guy from this video: https://www.youtube.com/watch?v=bVKNSf1p1d0