Tuesday, 8 November 2022

Wireguard on Raspberry Pi. 3 problems after install

System: Raspberry Pi Model B Rev 2, Raspbian GNU/Linux 10 (buster), public IPv4 and IPv6

The install was simple with pivpn (see https://docs.pivpn.io/install/):

curl -L https://install.pivpn.io | bash

After that, I was left with three problems, two of which related to my system setup and one of which seemed to be an install problem.

1. I configured WireGuard to use the DNS server on the same computer. Clients could not use it. This needed a change to /etc/bind/named.conf.options: I needed to add the network used by WireGuard, 10.157.73.0/24, to the "trusted" ACL.

acl "trusted" {
    90.155.48.128/27;
    81.187.211.32/28;
    2001:8b0:7c:1::/64;
    localhost;
    10.157.73.0/24;
};

This is because the configuration only allows recursive queries from that ACL:

allow-recursion {
    trusted;
};

2. I run fail2ban. I added the WireGuard network to the ignore list in /etc/fail2ban/jail.d/mychanges.conf:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 10.157.73.0/24

3. At this point, IPv6 was working from my MacBook. I could see this because I run a bash script that pings various places. It was obvious that my MacBook could not ping outside my local network using IPv4.

This was getting beyond my level of competence, but I ferreted around and Googled and discovered a bad line in the nftables NAT chain:

chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "eth0" ip saddr 10.185.2.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
}

10.185.2.0/24 is incorrect: the WireGuard network is 10.157.73.0/24, so nothing coming from clients was ever masqueraded out eth0.

Then I discovered

pivpn debug

which found the error and added the correct line (the stale 10.185.2.0/24 line is still there, but it matches no traffic):

chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "eth0" ip saddr 10.157.73.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
    oifname "eth0" ip saddr 10.185.2.0/24 counter packets 0 bytes 0 masquerade comment "wireguard-nat-rule"
}



Clients

I did not have any problems with clients: the official WireGuard VPN client from the Mac App Store for my MacBook, and WireGuard from F-Droid for Android.


IPV6

I've just noticed that, although the endpoint in the Mac app is configured as "Endpoint = strigosus.clifford.ac:51820" in edit mode, it shows as "90.155.48.158:51820" when just viewed. Something to be looked at. And the IPv6 address on the server is "fd11:5ee:bad:c0de::2/64", which looks a bit ominous. And my website, http://clifford.ac, hosted on another Pi, shows IPv4 in the top corner when viewed through the VPN tunnel.