I installed WireGuard on my host and set this configuration /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [REDACTED]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE


[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.4/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.5/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.6/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.7/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.8/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.9/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.10/32

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
AllowedIPs = 10.0.0.11/32

Nmap scan when wg0 is down:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:26 CDT
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT    STATE    SERVICE
22/tcp  open     ssh
179/tcp filtered bgp

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Nmap scan when wg0 is up:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:27 CDT
All 1000 scanned ports are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 201.43 seconds

I also cannot connect to host via ssh. How to fix this issue?

Upd. Fixed my changing server WireGuard IP to 10.0.1.1. 10.0.0.1 was already taken

  • Muehe@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    3 maanden geleden

    You have ALL traffic being routed over Wireguard here.

    Please correct me if I’m wrong, but isn’t it the other way around? All Wireguard traffic is forwarded to the local interface.

      • Muehe@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        3 maanden geleden

        I don’t think that’s what the setting does. Anyway, I have them set to a /32 IP in my server config and it works nonetheless. I get full access to the /24 behind the server from the client.

          • Muehe@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            3 maanden geleden

            What are you trying to say? That reply also shows AllowedIPs set to a /32 on the server side.

            • just_another_person@lemmy.world
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              3 maanden geleden

              For Peers. There’s no other route in OPs post. Like they said, when wg0 goes up, he can’t reach anything else. All that happens is this interface comes out, changes the routing tables and forwarding, but doesn’t go anywhere. It needs to be routed to the existing default gateway of the host. All this does is blackhole to the wg0 interface.

              • atzanteol@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                3 maanden geleden

                What “other route” are you expecting to see? My configuration looks very similar to OPs though I have an extra iptables entry in PostUp:

                PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
                

                Is that what you mean?

              • Muehe@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                3 maanden geleden

                Like I said in another thread on this post, I’m pretty sure that’s because they are forwarding input but not output in the PostUp rules. Setting a /32 in AllowedIPs works fine for me.

                  • Muehe@lemmy.ml
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    3 maanden geleden

                    Oh yeah, can’t use the same IP range as your LAN, that will lead to problems. :D Glad it’s fixed.

                    Out of curiosity, does forwarding work now without the output (-o) command in PostUp?