I’ve used wireguard for a pretty long time on my server and the phone as a client. I’ve had the same configuration for at least 4-5 years and never had issues. Last week I moved to using pihole in a container with a macvlan interface, so it has a different IP address than my physical server. Then I went and changed the DNS server IP on the wireguard config on the phone. When I reconnected I see I can’t connect to any local IP address like I used to and I can’t figure out why.

The local LAN is 10.11.12.0/24, the VPN is on 10.11.13.0/24.

Here’s the server wireguard config:

[Interface]
Address = 10.11.13.1
ListenPort = 11194
PrivateKey = ...

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

[Peer]
# Galaxy S20+
PublicKey = U59JZqVbk2eFxTb7tteyu0WHlMTZsk68E7CF7v2AX2U=
AllowedIPs = 10.11.13.5/32

[Peer]
# narwhal - T480 job
PublicKey = Ja9OL13IoZA17GJq0/LbwizB9s2dRQLHHgW2C4TcFyY=
AllowedIPs = 10.11.13.7/32

And here’s the phone’s wireguard config:

[Interface]
Address = 10.11.13.5/24
DNS = 10.11.12.55
PrivateKey = ....

[Peer]
AllowedIPs = 10.11.0.0/16
Endpoint = my_dyndns_hostname:11194
PublicKey = 6aF1cJhH9oeQWr9LYOpH3wk+lN4k9/tSiAqV6LkUQ1Y=

I am able to connect and can ping 10.11.12.77, the IP address of the server, but nothing else. I have two RPis running as mpd servers and I used to be able to connect to them too, but not anymore. Their IP addresses are 10.11.12.105 and .106.

Also, before the dns change I was able (of course!) to use the local DNS I set up on the pihole, but now I’m not able to connect to the new DNS (.55) so I can’t get any local address to resolve.

I’m looking for some hints on what I’m doing wrong. Please help.

  • Nico@r.dcotta.eu · 11 months ago
    • Can you show the diff with your previous WG config?
    • Is 10.11.12.0/24 also on enp3s0?

    I am able to connect and can ping 10.11.12.77, the IP address of the server, but nothing else

    Including the wider internet, if you set your phone’s AllowedIPs to 0.0.0.0/0? This makes me think it’s a problem with the NAT, not so much wireguard. Also make sure ipv4 forwarding is enabled:

    sysctl -w net.ipv4.conf.default.forwarding=1
    sysctl -w net.ipv4.conf.enp3s0.forwarding=1
    

    Reading this article might help! I know this is not what you asked, but otherwise, my approach to accessing devices on my LAN is to also include them in the WG VPN - so that they all have an IP address on the VPN subnet (in your case 10.11.13.0/24). Bonus points for excluding your LAN guests from your selfhosted subnet.

    • calm.like.a.bomb@lemmy.dbzer0.com (OP) · 11 months ago

      Can you show the diff with your previous WG config?

      I didn’t have a previous WG config. This is really the problem: I didn’t change anything. It just stopped working. My phone connects to the server and I can ping it, and I’m also able to use the web interface on the server, but I can’t connect to any other host on the network.

      This makes me think it’s a problem with the NAT

      This is my assumption too. Still looking into it.

  • BitPirate@feddit.de · 11 months ago

    You only need the masquerade rule.

    iptables -t nat -A POSTROUTING -s 10.11.13.0/24  -o enp3s0 -j MASQUERADE
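
    The checks raised in this thread (client AllowedIPs covering the LAN and the new DNS address, a server [Peer] matching the phone's address, and a MASQUERADE rule out of the LAN interface) can be run mechanically against the two configs. The script below is an added example written for this page, not code from the thread or from WireGuard; the embedded configs are constructed copies of the ones above with key material removed, and the LAN prefix and interface name are passed in as arguments.

```python
import ipaddress

# Constructed sample configs, trimmed from the thread; key material omitted.
SERVER_CONF = """\
[Interface]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
[Peer]
AllowedIPs = 10.11.13.5/32
"""
CLIENT_CONF = """\
[Interface]
Address = 10.11.13.5/24
DNS = 10.11.12.55
[Peer]
AllowedIPs = 10.11.0.0/16
"""

def parse_wg(text):
    """Parse wg-quick syntax into [(section, {key: value})]; repeated [Peer] blocks stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key] = val
    return sections

def peer_nets(sections):
    """Every AllowedIPs prefix of every [Peer], as ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for name, d in sections if name == "Peer" for v in d["AllowedIPs"].split(",")]

def covered(target, nets):
    t = ipaddress.ip_network(target, strict=False)
    return any(t.subnet_of(n) for n in nets if n.version == t.version)

def lint(server_text, client_text, lan, lan_if):
    """Return the routing preconditions from the thread that these two configs fail."""
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    srv_if = next(d for name, d in srv if name == "Interface")
    cli_if = next(d for name, d in cli if name == "Interface")
    host, dns = cli_if["Address"].split("/")[0], cli_if["DNS"]
    rules = srv_if.get("PostUp", "").split(";")
    checks = [
        (covered(lan, peer_nets(cli)), f"client AllowedIPs do not route {lan} into the tunnel"),
        (covered(dns, peer_nets(cli)), f"DNS {dns} lies outside client AllowedIPs"),
        (covered(host, peer_nets(srv)), f"no server [Peer] AllowedIPs covers client {host}"),
        (any("MASQUERADE" in r and f"-o {lan_if}" in r for r in rules), f"no MASQUERADE out {lan_if}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

    An empty list from `lint(SERVER_CONF, CLIENT_CONF, "10.11.12.0/24", "enp3s0")` means the configs themselves are consistent, which points the search at kernel state (forwarding sysctls, live iptables rules) rather than at the files.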
    
  • calm.like.a.bomb@lemmy.dbzer0.com (OP) · 11 months ago

    Coming back to this: it was a case of “did you turn it off and then back on?” I did some server upgrades a day before setting up wireguard and it’s possible there were some changes that needed a reboot. I just rebooted today and everything works as expected.