Gentoo Forums
Wireguard n00b, IP address doesn't change [SOLVED]
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6364
Location: /usr/lib64/lv2

PostPosted: Wed Sep 30, 2020 9:41 pm    Post subject: Wireguard n00b, IP address doesn't change [SOLVED]

Using https://blogs.gentoo.org/lu_zero/2019/05/03/using-wireguard/ and other sources, I'm trying to set up a VPN.

Using Fdroid on my phone, I installed a Wireguard client and configured it. When I activate it, it appears to connect, but going to a browser doesn't show my server's IP address. (Just my usual IP address on my phone.)

wg0.conf:
Code:

[Interface]
Address = 192.168.2.1/32
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

[Peer]
PublicKey = PHONE_PUBLIC_KEY
AllowedIPs = 192.168.2.2/32


On my phone, there isn't a conf file, but these are the settings:

Interface:
public key: PHONE_PUBLIC_KEY
addresses: 192.168.2.2/32

Peer:
Public key: SERVER_PUBLIC_KEY
Allowed IPs: 192.168.2.1/32
Endpoint: SERVER_IP_ADDRESS:51820

What am I missing?
_________________
Gentoo Studio: A Gentoo-based, professional digital audio workstation OS.


Last edited by audiodef on Thu Oct 08, 2020 1:56 pm; edited 1 time in total
etnull
Guru


Joined: 26 Mar 2019
Posts: 461
Location: Russia

PostPosted: Wed Sep 30, 2020 10:37 pm

Isn't the 192.168.* range for local networks? What VPN provider do you use? Your own server? I have the server's IPs in both Address and Endpoint, not local ones.
Etal
Veteran


Joined: 15 Jul 2005
Posts: 1826

PostPosted: Thu Oct 01, 2020 12:14 am

Not a wireguard expert by any means but I have a setup where my phone routes all its traffic through my home server, which I think is what you're looking for.

When you set Allowed IPs to 192.168.2.1/32 on your phone, it will only route that address to your server. You can try running something on your server (e.g. "python -m http.server") and see if you can connect to it via its wireguard address from the phone (http://192.168.2.1:8000/).

If you want to be able to route all traffic via your server (not just connect to it remotely), I think you need to set Allowed IPs to 0.0.0.0/0, which means all IP addresses. You will also need to set up nftables or iptables for ip forwarding.

I found the Arch wiki pretty helpful.
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6364
Location: /usr/lib64/lv2

PostPosted: Thu Oct 01, 2020 12:25 am

Now that makes more sense.

Interestingly, my ssh connections get broken when I change my config to use my server's IP.

Here's what I have now:
wg0.conf:
Code:

[Interface]
Address = (ip_address)/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp6s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = server_priv_key

[Peer]
PublicKey = (phone_pub_key)
AllowedIPs = 0.0.0.0


No change on the app on my phone, but there seems to be more activity noted by the Wireguard app if I put a local IP into the app's Interface section than if I put the server IP there.

wg-quick up wg0 results in:
Code:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add (ip_address)/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 0.0.0.0/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE


No connection gets through when I try to use my phone's browser, though.
Etal
Veteran


Joined: 15 Jul 2005
Posts: 1826

PostPosted: Thu Oct 01, 2020 1:37 am

Sorry, I meant set Allowed IPs to 0.0.0.0/0 on your phone, not your server.
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1961

PostPosted: Thu Oct 01, 2020 6:19 pm

Quote:
Allowed IPs: 192.168.2.1/32
means "network 192.168.2.1/32 can reach me via this interface"
Wireguard will drop any packets from IPs that are not explicitly allowed.
wg-quick uses the same variable to add routing rules that will send traffic to allowed IP via this particular interface.

So you want to allow your client's IP on the server, and allow 0/0 on the client.
All the rest is usual, your client needs a static route to your vpn server so you won't tunnel your traffic through your tunnel tunneled in your tunnel.

Server needs the regular NAT rules.

Code:

AllowedIPs = 0.0.0.0
Are you trying to forward DHCP negotiation? 0/32 means "no IP address claimed"
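The AllowedIPs semantics Etal and szatox describe above (each entry becomes a route on the sending side, a bare address is a single host, the server lists the client's /32 while a full-tunnel client lists 0.0.0.0/0) can be checked mechanically. This is an added example, not code from the thread or from WireGuard; the sample config below is constructed in the shape of audiodef's server config, and the parser is a minimal hand-written one.

```python
import ipaddress

# Constructed sample in the thread's own shape: the server config with the
# AllowedIPs typo (no prefix length), which wg-quick turns into a /32 route.
SERVER_CONF = """\
[Interface]
Address = 192.168.2.1/24
ListenPort = 51820
PrivateKey = server_priv_key

[Peer]
PublicKey = phone_pub_key
AllowedIPs = 0.0.0.0
"""

def parse_wg_conf(text):
    """Split a wg-quick style config into an [Interface] dict and a list of [Peer] dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def allowed_routes(peer):
    """Networks wg-quick will route into the tunnel for this peer.
    A bare address without '/' is one host, so '0.0.0.0' becomes 0.0.0.0/32."""
    entries = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    return [ipaddress.ip_network(a, strict=False) for a in entries]

def check_peer(peer, role):
    """Return the AllowedIPs problems from the thread for a 'server' or 'client' peer entry."""
    routes = allowed_routes(peer)
    default = ipaddress.ip_network("0.0.0.0/0")
    problems = []
    for net in routes:
        if net.num_addresses == 1 and net.network_address == default.network_address:
            problems.append("AllowedIPs 0.0.0.0 is a /32 host route; a full tunnel needs 0.0.0.0/0")
    if role == "server" and default in routes:
        problems.append("0.0.0.0/0 on the server would send all of the server's own traffic to this peer")
    if role == "client" and default not in routes:
        problems.append("client only reaches the listed AllowedIPs; use 0.0.0.0/0 to route everything via the server")
    return problems

if __name__ == "__main__":
    _, peers = parse_wg_conf(SERVER_CONF)
    for p in peers:
        print([str(n) for n in allowed_routes(p)], check_peer(p, "server"))
```

Running it on the sample prints the single 0.0.0.0/32 route that matches the "ip -4 route add 0.0.0.0/32 dev wg0" line in the wg-quick output earlier in the thread.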
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 6781

PostPosted: Fri Oct 02, 2020 4:04 am

Your server needs IPv4 forwarding enabled for traffic to pass between wg0 and the outside internet, else it'll only let your phone connect to services running on it.
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6364
Location: /usr/lib64/lv2

PostPosted: Fri Oct 02, 2020 1:59 pm

Ant P. wrote:
Your server needs IPv4 forwarding enabled for traffic to pass between wg0 and the outside internet, else it'll only let your phone connect to services running on it.


Code:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE


doesn't handle that?
Hu
Moderator


Joined: 06 Mar 2007
Posts: 16206

PostPosted: Fri Oct 02, 2020 5:50 pm

It does not. The shown iptables rule will cause the forwarded traffic to be sane enough that the connections will work when traffic is forwarded. It does not instruct the kernel to permit the traffic to be forwarded in the first place. For that, /proc/sys/net/ipv4/ip_forward must be non-zero (traditionally, 1).
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6364
Location: /usr/lib64/lv2

PostPosted: Sun Oct 04, 2020 9:43 pm

Hu wrote:
It does not. The shown iptables rule will cause the forwarded traffic to be sane enough that the connections will work when traffic is forwarded. It does not instruct the kernel to permit the traffic to be forwarded in the first place. For that, /proc/sys/net/ipv4/ip_forward must be non-zero (traditionally, 1).


Thanks for the tip. I've changed that. I'll tool around some more and see if I can elicit success.
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6364
Location: /usr/lib64/lv2

PostPosted: Wed Oct 07, 2020 6:07 pm

Interesting...

I got it working when I use OpenDNS or Google for the DNS in my phone's peer settings. I can see from whatismyipaddress and doing a speed test that my IP address is my server's IP address.

So, ultimate test... open Netflix.

Still acts like it's in the US.

Did I miss something?

EDIT: Nm, Netflix is telling me about the #2 show in Germany today. All I wanted was evidence my VPN was working, and it is.

Now on to the next step, making sure my VPN has good security and privacy protection.
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1961

PostPosted: Wed Oct 07, 2020 10:23 pm

Quote:
Still acts like it's in the US.

Did I miss something?
I've heard from my coworkers that browsers like to remember their location. Even if you go through a VPN, it may still report your real location if you allowed it to connect anywhere before rerouting your traffic and keep doing that for a few days afterwards.
audiodef
Watchman


Joined: 06 Jul 2005
Posts: 6364
Location: /usr/lib64/lv2

PostPosted: Thu Oct 08, 2020 1:56 pm

szatox wrote:
Quote:
Still acts like it's in the US.

Did I miss something?
I've heard from my coworkers that browsers like to remember their location. Even if you go through a VPN, it may still report your real location if you allowed it to connect anywhere before rerouting your traffic and keep doing that for a few days afterwards.


That makes sense.