
I'm trying out Wireguard VPN, and although I believe that I've finally got it to connect, I have no Internet access, and can't ping various sites on the Internet.

I took a Wireguard .conf file provided by my VPN vendor, renamed it, and copied it to /etc/wireguard/wg0.conf.

[Interface]
PrivateKey = redacted
ListenPort = 51820
Address = redacted/32
DNS = 10.100.0.1

[Peer]
PublicKey = redacted
PresharedKey = redacted
AllowedIPs = 0.0.0.0/0
Endpoint = redacted:51820
PersistentKeepalive = 25

If I do sudo wg-quick up wg0 it appears to connect, but I have no Internet access.

$ sudo wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add redacted/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

$ sudo wg show

interface: wg0
  public key: redacted
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: redacted
  preshared key: (hidden)
  endpoint: redacted:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 2.89 KiB sent
  persistent keepalive: every 25 seconds

I've tried disabling the firewall with no luck. I've tried sysctl -w net.ipv4.ip_forward=1 with no luck.

Any ideas why no Internet?

heynnema
  • 73,649

2 Answers

0

I have success troubleshooting Wireguard links by analyzing the main points of the configuration:

  1. Are the wireguard endpoints restarted so they both recognize the other side's keys, and didn't generate error messages?

  2. Is the VPN network range different from all the ranges present in the endpoints so the VPN could have its own separate net?

  3. Are the local firewalls allowing ingress of traffic through the UDP ports used in each node?

  4. Does each node have a unique IP address in the VPN range?

  5. Do the masks of the VPN IP address/range allow for visibility of the required nodes?

  6. If a DNS address is configured, is the server reachable and responding directly or through VPN allowed ranges?

  7. Is the endpoint declared in the peer accessible directly by it?

  8. Are the routes created in the peer by its Allowed IPs line referring to ranges present on the other side of the link?

  9. Do the firewall rules added by wg-quick allow traffic through/from the VPN and local/remote IP ranges?

  10. Is the kernel ip_forward variable enabled?

  11. Is NAT at egress traffic required?

Notes

Directly: Not using the VPN.

VPN range: The IP range selected for the peer Address line and mask of all nodes.

Each of the questions requires different rules/techniques to test/solve, but some knowledge of IP addressing is required, along with access to network tools like ping, nmap or nslookup/dig and the corresponding operating system commands to ask for the current network status of interface addresses, routes and firewall. Some actions could be:

  1. Check /var/log/syslog for error messages and that the wg interface is defined and has the configured IP address.

  2,4,5,8. Calculate IP address intervals for all ranges/masks involved and draw a diagram indicating how they are interconnected and how traffic will flow between them. Check for inconsistencies.

  3,9. Check the current firewall used (iptables, ufw, nftables, etc.) and the rules currently applied.

  6. Use dig, nslookup or host to check DNS resolution (man each command to increase verbosity if necessary).

  7. The Endpoint line has to use a public IP address, or one directly accessible without using the VPN.

  11. If the remote hosts (besides the remote peer node) that we want to have access to do not have routes for our local IP address/range through the VPN/peer node, then we need NAT translation in the peer.

For example, if we need to route all traffic through the VPN, the remote peer node has to NAT all traffic directed to the internet from the VPN so the remote hosts like Google/Facebook respond directly to the peer, and so the data could be rerouted correctly to us.

Fjor
  • 314
  • 2
  • 10
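The first thing the `wg show` output in the question tells you is that the tunnel never came up: there is no "latest handshake" line and 0 B were received, while the bytes sent are just the retried handshake initiations and keepalives. The script below is an added example (not code from the question or the answer); it parses `wg show` text and maps each peer's state to the checks listed above, on a constructed sample modelled on the question's output.

```python
"""Read `wg show` output and flag peers whose tunnel never came up (or went stale)."""
import re

# Constructed sample modelled on the `wg show` output in the question: no
# "latest handshake" line, 0 B received, a few KiB of unanswered initiations sent.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: redacted
  listening port: 51820
  fwmark: 0xca6c

peer: redacted
  preshared key: (hidden)
  endpoint: redacted:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 2.89 KiB sent
  persistent keepalive: every 25 seconds
"""

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}
_SECS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def to_bytes(text):
    """'2.89 KiB' -> 2959 (wg prints binary units)."""
    value, unit = text.split()
    return int(float(value) * _UNITS[unit])

def handshake_age(text):
    """'1 minute, 32 seconds ago' -> 92 seconds."""
    return sum(int(n) * _SECS[u] for n, u in re.findall(r"(\d+) (second|minute|hour|day)", text))

def parse_wg_show(output):
    """Return one dict per peer: endpoint, allowed ips, handshake text, byte counters."""
    peers = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            peers.append({"peer": line[5:].strip(), "received": 0, "sent": 0, "handshake": None})
        elif peers and ":" in line:  # interface lines come before the first peer and are skipped
            key, val = (s.strip() for s in line.split(":", 1))
            if key == "transfer":
                m = re.fullmatch(r"(.+) received, (.+) sent", val)
                peers[-1]["received"], peers[-1]["sent"] = to_bytes(m[1]), to_bytes(m[2])
            elif key == "latest handshake":
                peers[-1]["handshake"] = val
            else:
                peers[-1][key] = val
    return peers

def diagnose(peer, max_age=180):
    """'no-handshake': nothing ever came back, so look at the Endpoint host/port, the UDP
    path and the keys (checks 1, 3, 7). 'stale': the peer stopped answering (with a 25 s
    keepalive a handshake older than ~3 min means the path broke). 'ok': tunnel is up, so
    remaining trouble is routes, DNS or NAT (checks 6, 8 to 11)."""
    if peer["handshake"] is None:
        return "no-handshake"
    return "stale" if handshake_age(peer["handshake"]) > max_age else "ok"
```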
0

I obtained a new wireguard .conf file from my VPN vendor, using a different (correct) peer hostname, and my initial testing indicates that it's working now.

heynnema
  • 73,649