VPN WireGuard - handshake OK but no internet and LAN access
I have a problem with my WireGuard setup. After setting it up I can connect to my device. The handshake is OK, but I cannot access the internet or the LAN.
Device: Raspberry Pi 4B, 8 GB RAM. OS: Ubuntu Server ARM x64 20.04 LTS.
My wg0.conf file contents:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = (hidden)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = oqL4CC4Y572iOvVtpDbASiajjgJPAjJhDODffMezcxA=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = a6z779DYdezo/TMLbC7AJuenHpseaIqUr/gRx97D4Rw=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = Fe4Nv3Ef8T5bc1p7sDCfNkLO/pTv5cIgHMJ0XCMa8Gg=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.4/32
[Peer]
PublicKey = IdKkIYDctdHYwMx+ULlgntVllaBkIP8G8eIRxEQ9QWQ=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.5/32
[Peer]
PublicKey = qdpWjwlnUuwVxqKnCfta+W/B4XyxZT868aOPtmSOek8=
PresharedKey = (hidden)
AllowedIPs = 10.0.0.6/32
First client config file:
[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = OPgCJeBSPevFR+oleTbDqVCNyn+7G0mhSA0QRHqnklg=
[Peer]
PublicKey = W6B77KxgOpshDLX7gc0Jz10Z/WfUl4zVCLrIL/luoR4=
PresharedKey = tI3YFvK195G257yQBAYx+bS9S1j2qkZZOgsdoN3/yPI=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = {my_external_ip_address}:51820
My router setup explanation: I have a UPC Connect Box device with IP 192.168.0.1. The UPC Connect Box is my gateway. To this UPC Connect Box I have connected my other router, IP address 192.168.1.1. I can access the other subnets from all my routers. I can also access all computers inside my LAN in any subnet. I can also access everything on my net and subnet from the device which has WireGuard installed, but it does not work when I am connected as a client.
Port forwarding is set up correctly on my UPC Connect Box with port 51820 to my other router 192.168.1.1, and from this device to my Raspberry Pi Ubuntu device with internal IP 192.168.1.12.
What did I do? Allowed IPv4 port forwarding using:
sudo sysctl -w net.ipv4.ip_forward=1
Also did:
sudo ufw allow 51820/tcp
sudo ufw allow 51820/udp
sudo ufw allow in on wg0 to any
sudo ufw allow out on wg0 to any
ufw status:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
51820 ALLOW Anywhere
51820/tcp ALLOW Anywhere
51820/udp ALLOW Anywhere
OpenSSH ALLOW Anywhere
51821/udp ALLOW Anywhere
51821/tcp ALLOW Anywhere
446/tcp ALLOW Anywhere
993/tcp ALLOW Anywhere
8080/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
5900/tcp ALLOW Anywhere
Anywhere on wg0 ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
51820 (v6) ALLOW Anywhere (v6)
51820/tcp (v6) ALLOW Anywhere (v6)
51820/udp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
51821/udp (v6) ALLOW Anywhere (v6)
51821/tcp (v6) ALLOW Anywhere (v6)
446/tcp (v6) ALLOW Anywhere (v6)
993/tcp (v6) ALLOW Anywhere (v6)
8080/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
5900/tcp (v6) ALLOW Anywhere (v6)
Anywhere (v6) on wg0 ALLOW Anywhere (v6)
22/tcp ALLOW OUT Anywhere
Anywhere ALLOW OUT Anywhere on wg0
22/tcp (v6) ALLOW OUT Anywhere (v6)
Anywhere (v6) ALLOW OUT Anywhere (v6) on wg0
I can connect from my iOS, Android or macOS device, but there is no internet or LAN access. I cannot ping anything after a successful connection. I cannot even ping devices on the subnets and the current net. I cannot ping anything external, for example 8.8.8.8 or 1.1.1.1. Everything seems fine - the handshake is OK. Please guide me to where the mistake is.
I need LAN and internet access through the WireGuard VPN.
Solution 1:
SOLVED! It seems that this is not correct. Replacing "%i" with "wg0" solved the problem.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Should be:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
LAN access works. Internet access works!
Thanks to this guy from this video: https://www.youtube.com/watch?v=bVKNSf1p1d0
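A small shell check, added here as an example (it is not code from the question or from the linked video), that tests the three server-side prerequisites the PostUp line in wg0.conf is meant to provide: IP forwarding enabled, a FORWARD ACCEPT rule for the WireGuard interface, and MASQUERADE on the upstream interface. The interface names wg0 and eth0 come from the thread; the iptables-save excerpts it checks against are constructed samples, and the same functions can be fed live output on the server.

```shell
#!/bin/sh
# Added example (not the poster's or the video's code): checks the three
# server-side prerequisites the PostUp line in wg0.conf is meant to provide:
#   1. net.ipv4.ip_forward = 1
#   2. a FORWARD rule ACCEPTing packets arriving on the WireGuard interface
#   3. a POSTROUTING MASQUERADE rule on the upstream interface (eth0 here)
# The checks parse iptables-save / sysctl output passed in as text, so they
# run against constructed samples as well as live output on the server.

ip_forward_enabled() {          # $1 = output of: sysctl net.ipv4.ip_forward
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}
has_forward_rule() {            # $1 = iptables-save text, $2 = WireGuard iface
    printf '%s\n' "$1" | grep -Eq "^-A FORWARD (.* )?-i $2 (.* )?-j ACCEPT$"
}
has_masquerade() {              # $1 = iptables-save text, $2 = upstream iface
    printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING (.* )?-o $2 (.* )?-j MASQUERADE$"
}

# Returns 0 only if all three hold; prints each failing prerequisite.
forwarding_ok() {   # $1 = iptables-save text, $2 = sysctl line, $3 = wg iface, $4 = upstream iface
    rc=0
    ip_forward_enabled "$2"    || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    has_forward_rule "$1" "$3" || { echo "FAIL: no 'FORWARD -i $3 -j ACCEPT' rule; check what -i expanded to"; rc=1; }
    has_masquerade "$1" "$4"   || { echo "FAIL: no 'POSTROUTING -o $4 -j MASQUERADE' rule"; rc=1; }
    return $rc
}

# Constructed iptables-save excerpt mirroring the fixed PostUp line from
# Solution 1, and a variant whose FORWARD rule names an interface other than wg0.
SAMPLE_GOOD='*filter
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/-i wg0/-i %i/')
SYSCTL_ON='net.ipv4.ip_forward = 1'

# Live run on the server itself (iptables-save needs root); skipped otherwise.
if [ "$(id -u)" = 0 ] && command -v iptables-save >/dev/null 2>&1; then
    if forwarding_ok "$(iptables-save)" "$(sysctl net.ipv4.ip_forward)" wg0 eth0; then
        echo "OK: forwarding prerequisites present"
    fi
fi
```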