this post was submitted on 04 Jun 2024
Linux

I just finished setting up my Wireguard VPN "server". In this post I want to spread some information I could've found useful, but which didn't come up in most of the Wireguard tutorials.

If you aren't interested in VPN or self hosting, this post is not for you. If you haven't gotten around yet to try it out, I can only recommend doing it. Feels great being able to "phone home" from all over the world.

Alright, tricks and tips:

tcpdump

Wireguard will definitely not work first try. As Wireguard is a silent protocol, you won't see too many error messages. Dropped packets are how you know that something's off. tcpdump is a great command line tool that, despite its name, can also dump the precious UDP Wireguard packets. The tool will make you see how far your wireguard connection gets before the packets are dropped. Great for running on "server" and on clients.

ping

A classic tool. Helped me debug some issues with DNS and Maximum Transfer Unit (MTU) size.

AllowedIPs

In a classic server-client situation, your clients should have AllowedIPs set to 0.0.0.0/0, ::/0 in their respective configuration file. I found this pretty counterintuitive, but that seemingly is how it works.

IP Forwarding in sysctl

This one was by far the nastiest one to find out. Mainly because I'm not a linux or Debian expert. You need to tell sysctl to forward IP traffic, which tutorials around the web will usually tell you to do like this: sysctl -w net.ipv4.ip_forward=1; sysctl -w net.ipv6.conf.all.forwarding=1. What I foolishly assumed was that this write operation is permanent. It's not. You need to edit /etc/sysctl.conf to make it permanent. Else, after a reboot you won't be able to connect to the internet. This took me a good amount of reconfigurations from scratch before I eventually found out these vars will reset on boot.

--

Maybe this helps some of you fellow Lemmings. If I stumble across further tips and tricks, I might update this post in the future. For now though, I think I'm done with my setup (philosophical question: are you ever done with setting up things?).

top 18 comments
[–] [email protected] 29 points 5 months ago

In a classic server-client situation, your clients should have AllowedIPs set to 0.0.0.0/0, ::/0 in their respective configuration file.

Only if you want the VPN to be your default route! Many may not want this.

[–] [email protected] 21 points 5 months ago* (last edited 5 months ago) (1 children)

Good lawd, these are the basic tenets of networking. I'm so sad people are unfamiliar. Let me throw a few more tricks your way:

  • telnet or netcat (nc on CLI): check if a port is listening and available
  • wget or curl: find out if an HTTP server is listening (or whatever, really)
  • netstat: kind of phased out on modern *nix distros, but useful for checking connections from hosts (you can still install it, but it has been superseded by...)
  • 'ss' : same deal, different name
  • 'ip route': check your routing tables to make sure traffic goes where you think it should

Check the docs, or search around for your particular usage, but these are all the barebones tools you need to figure out networking issues quickly.

[–] [email protected] 6 points 5 months ago (2 children)

Good lawd, these are the basic tenets of networking. I'm so sad people are unfamiliar.

https://xkcd.com/1053/

[–] [email protected] 3 points 5 months ago
[–] [email protected] 0 points 5 months ago

Nope. Just seems it's a thing not taught or learned anymore.

[–] [email protected] 18 points 5 months ago (1 children)

The "allowed host" on the client side is where you put the networks you would like to route to. If you want to use the VPN tunnel for your default route, that's when you use 0.0.0.0/0.

[–] [email protected] 2 points 5 months ago

Yeah, if you're just trying to reach your home devices and the other devices on the vpn you should specify both of those subnets.
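
The AllowedIPs semantics argued over in the post and the two replies above, as an added example that is not from the thread: a small Python model of WireGuard's cryptokey routing over a constructed client config (placeholder keys, assumed subnets), showing why 0.0.0.0/0, ::/0 makes the tunnel the default route while a list of subnets gives a split tunnel.

```python
import ipaddress

# Constructed client config (placeholders, not keys from the post): one peer
# for the home network only, one catch-all peer for everything else.
CLIENT_CONF = """
[Interface]
PrivateKey = <client private key placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <home server key placeholder>
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24

[Peer]
PublicKey = <exit node key placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_peers(conf):
    """Return [{'PublicKey': ..., 'AllowedIPs': [ip_network, ...]}] from the [Peer] sections."""
    peers, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[peer]":
            current = {"PublicKey": None, "AllowedIPs": []}
            peers.append(current)
        elif line.startswith("["):
            current = None          # back in [Interface]
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "AllowedIPs":
                current["AllowedIPs"] += [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
            elif key == "PublicKey":
                current["PublicKey"] = value
    return peers

def route_peer(peers, dst):
    """Cryptokey routing as WireGuard does it: the packet goes to the peer whose
    AllowedIPs holds the longest prefix containing dst; with no match it is not
    tunnelled at all (wg-quick only installs routes for the listed AllowedIPs)."""
    addr, best = ipaddress.ip_address(dst), None
    for peer in peers:
        for net in peer["AllowedIPs"]:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer["PublicKey"], net)
    return best

def is_full_tunnel(peers):
    """True when some peer claims all of IPv4 or IPv6, i.e. the VPN becomes the default route."""
    return any(net.prefixlen == 0 for peer in peers for net in peer["AllowedIPs"])
```

Dropping the second [Peer] section leaves a split tunnel: home subnets go through the VPN and everything else stays on the normal route.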

[–] [email protected] 9 points 5 months ago* (last edited 5 months ago) (2 children)

Wireguard will definitely not work first try.

And... why not? OpenVPN is 10 times worse because of the mess they've made with push route and other options.

your clients should have AllowedIPs set to 0.0.0.0/0, ::/0 in their respective configuration file. I found this pretty counterintuitive, b

Why would you? Those are the IPs that the client is able to access through the VPN tunnel and 0.0.0.0/0, ::/0 means all IP addresses, totally NOT counterintuitive.

You need to tell sysctl to forward IP traffic,

Yes, maybe... but not permanently at least. You can set it up in the server conf file via PostUp and PostDown:

[Interface]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

If required, prepend sysctl -w net.ipv4.ip_forward=1; sysctl -w net.ipv6.conf.all.forwarding=1; to PostUp and remove it with =0 on PostDown.

The downside of what you described is that you're enabling IP forwarding permanently, even if the WG tunnel is down. This may pose a few security concerns in some situations.

[–] [email protected] 3 points 5 months ago (1 children)

And… why not? OpenVPN is 10 times worse

Classic tech holy wars rhetoric: "someone dared speak ill of the One True Software, time to talk smack about the competition"

Sometimes people have problems when they're learning new software, sometimes people prefer software solutions that aren't what you picked. Live and let live.

[–] [email protected] 1 points 5 months ago

Not the case at all. I use both and I can objectively tell you that Wireguard is what the majority of people should be using because it is way easier to understand and set up securely. OVPN is good for other specific cases.

[–] [email protected] 2 points 5 months ago

Interesting! Didn't know you could add sysctl commands as PostUp/PostDown!

Thank you :) !!

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago)

Another tip: On Android phones, Tasker can be used to automatically activate Wireguard tunnels to your own or a commercial VPN host. Taskernet.com has one project that activates WG when off specific wifi networks, and another that I wrote that allows you to activate a tunnel on demand only when you open specific apps. Great if you want to access a home server occasionally (without detectable open router ports) or want an extra layer of security when running a financial app.

[–] [email protected] 4 points 5 months ago

I set up my server too, and other than the fields in the configuration and some iptables rules (I really should switch to nftables), it wasn't a big hassle. Worked perfectly. But yes, good tips about IP forwarding; I did it in the file directly, but that can be a problem.

[–] [email protected] 4 points 5 months ago

"AllowedHosts" is the one thing that pisses me off the most. It's a terrible name and caused me tons of confusion when first setting up wg.

[–] [email protected] 3 points 5 months ago

I mean... all this and much more is part of the wireguard archwiki. And whoever wants to set up a wireguard server but doesn't know what ping is... What would be interesting is an example of how to use tcpdump and how to read it.
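
The tcpdump reading asked for above, as an added example that is not from the thread: a parser for `tcpdump -n -x udp port 51820` output that labels each packet by its WireGuard message type, checks the length the protocol fixes for that type, and reports handshake initiations that never got a response. The capture excerpt is constructed, and the port and addresses are assumptions.

```python
import re

# Constructed excerpt of `tcpdump -n -x udp port 51820` (only the first two hex
# lines of each packet, which is all the classifier needs); not from the post.
CAPTURE = """\
10:00:00.000001 IP 192.168.1.10.51820 > 203.0.113.5.51820: UDP, length 148
        0x0000:  4500 00b0 0001 4000 4011 0000 c0a8 010a
        0x0010:  cb00 7105 ca6c ca6c 009c 0000 0100 0000
10:00:00.040002 IP 203.0.113.5.51820 > 192.168.1.10.51820: UDP, length 92
        0x0000:  4500 0078 0002 4000 4011 0000 cb00 7105
        0x0010:  c0a8 010a ca6c ca6c 0064 0000 0200 0000
10:00:00.090003 IP 192.168.1.10.51820 > 203.0.113.5.51820: UDP, length 32
        0x0000:  4500 003c 0003 4000 4011 0000 c0a8 010a
        0x0010:  cb00 7105 ca6c ca6c 0028 0000 0400 0000
"""
TYPES = {1: "handshake initiation", 2: "handshake response", 3: "cookie reply", 4: "transport data"}
FIXED_LEN = {1: 148, 2: 92, 3: 64}  # sizes fixed by the protocol; type 4 is 16-byte aligned, >= 32
SUMMARY = re.compile(r"^\S+ IP6? (\S+)\.\d+ > (\S+)\.\d+: UDP, length (\d+)")
HEXLINE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s*)+)")

def parse_capture(text):
    """Return (src, dst, udp_payload_len, wg_message_type) for each packet."""
    pkts = []
    for line in text.splitlines():
        if m := SUMMARY.match(line):
            pkts.append([m.group(1), m.group(2), int(m.group(3)), bytearray()])
        elif (m := HEXLINE.match(line)) and pkts:
            pkts[-1][3] += bytes.fromhex(m.group(1).replace(" ", ""))
    out = []
    for src, dst, ulen, raw in pkts:
        # -x dumps from the IP header: skip IPv4 (IHL*4) or IPv6 (40) plus 8 bytes of UDP
        off = ((raw[0] & 0x0F) * 4 if raw[0] >> 4 == 4 else 40) + 8
        out.append((src, dst, ulen, raw[off]))  # first payload byte is the WireGuard message type
    return out

def classify(pkt):
    """Name the message and check its length against what the protocol dictates."""
    _src, _dst, ulen, mtype = pkt
    if mtype in FIXED_LEN:
        return TYPES[mtype], ulen == FIXED_LEN[mtype]
    if mtype == 4:
        return TYPES[4], ulen >= 32 and ulen % 16 == 0
    return "unknown type %d" % mtype, False

def diagnose(pkts):
    """Per handshake initiation: did the peer send a response back? An unanswered
    initiation is the usual silent failure (the packet never arrived, or the
    responder dropped it, e.g. unknown key); the capture alone cannot say which."""
    return [(src, dst, any(p[0] == dst and p[1] == src and p[3] == 2 for p in pkts[i + 1:]))
            for i, (src, dst, _l, mtype) in enumerate(pkts) if mtype == 1]
```

Run the same capture on both ends: an initiation that shows up on the client but never on the server points at the path (NAT, firewall, wrong endpoint), while one the server sees but does not answer points at the keys.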

[–] [email protected] 3 points 5 months ago

Wireguard self hosting

I parsed this as Wireguard self-loathing and thought "that's a little harsh". :-)

[–] [email protected] 2 points 5 months ago

Another tip: take a look at systemd-networkd for managing your network connections! It has built-in support for creating wireguard tunnels and it's very nice.

[–] [email protected] 2 points 5 months ago

Wireguard works out of the box for me. I use a docker image.