Can't connect to host after enabling WireGuard tunnel
I installed WireGuard on my host and set this configuration in /etc/wireguard/wg0.conf:
    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    PrivateKey = [REDACTED]
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.2/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.3/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.4/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.5/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.6/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.7/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.8/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.9/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.10/32

    [Peer]
    PublicKey = [REDACTED]
    PresharedKey = [REDACTED]
    AllowedIPs = 10.0.0.11/32
Nmap scan when wg0 is down:
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:26 CDT
    Host is up (0.050s latency).
    Not shown: 998 closed tcp ports (conn-refused)
    PORT    STATE    SERVICE
    22/tcp  open     ssh
    179/tcp filtered bgp
    Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
Nmap scan when wg0 is up:
    Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 03:27 CDT
    All 1000 scanned ports are in ignored states.
    Not shown: 1000 filtered tcp ports (no-response)
    Nmap done: 1 IP address (1 host up) scanned in 201.43 seconds
I also cannot connect to the host via SSH. How do I fix this issue?
Update: fixed by changing the server WireGuard IP to 10.0.1.1. 10.0.0.1 was already taken.
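The fix in the update (the tunnel address 10.0.0.1 was already in use on the host) is worth checking for before bringing wg0 up, because wg-quick makes no such check and the kernel will generally accept a second interface in an already-used subnet. The script below is an added example, not from the original post or the WireGuard project: it takes the Address from wg0.conf plus snapshots of `ip -o -4 addr show` and `ip -4 route show`, and reports every interface address or route that overlaps the tunnel prefix. The snapshots embedded here are constructed (the conflicting 10.0.0.1/24 is placed on a hypothetical ens4); on a live host you feed it the real command output as shown in the comment at the end.

```shell
#!/bin/sh
# Added example, not from the original post: detect an address or route on the host that
# already covers the prefix a WireGuard interface is about to claim. This is the situation
# the update describes (10.0.0.1 was already taken).

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A[/LEN] B[/LEN]: exit 0 when the two prefixes overlap. A bare address is
# treated as a /32 host entry (ip route prints host routes without a prefix length).
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    if [ "$a_ip" = "$1" ]; then a_len=32; fi
    if [ "$b_ip" = "$2" ]; then b_len=32; fi
    # Two prefixes overlap iff they agree on the shorter (wider) of the two prefix lengths.
    len=$(( a_len < b_len ? a_len : b_len ))
    if [ "$len" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
    [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# find_addr_conflicts WG_ADDR SNAPSHOT: SNAPSHOT is the text of `ip -o -4 addr show`.
# Prints "IFACE PREFIX" for every address that overlaps WG_ADDR, ignoring wg0 itself.
find_addr_conflicts() {
    wg_addr=$1
    printf '%s\n' "$2" | while read -r _idx iface fam prefix _rest; do
        if [ "$fam" != "inet" ] || [ "$iface" = "wg0" ]; then continue; fi
        if cidr_overlap "$wg_addr" "$prefix"; then echo "$iface $prefix"; fi
    done
}

# find_route_conflicts WG_ADDR SNAPSHOT: SNAPSHOT is the text of `ip -4 route show`.
# Prints every route whose destination overlaps WG_ADDR. The default route is skipped
# (it overlaps everything by definition) and so are routes already pointing at wg0.
find_route_conflicts() {
    wg_addr=$1
    printf '%s\n' "$2" | while read -r dst rest; do
        case $dst in default|'') continue ;; esac
        case $rest in *"dev wg0"*) continue ;; esac
        if cidr_overlap "$wg_addr" "$dst"; then echo "$dst $rest"; fi
    done
}

# Constructed snapshots (not captured from the asker's host): a provider private network on
# a hypothetical ens4 already uses 10.0.0.1/24, the address the wg0.conf above asks for.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens3    inet 203.0.113.10/24 brd 203.0.113.255 scope global ens3\       valid_lft forever preferred_lft forever
3: ens4    inet 10.0.0.1/24 brd 10.0.0.255 scope global ens4\       valid_lft forever preferred_lft forever'
SAMPLE_ROUTES='default via 203.0.113.1 dev ens3 proto static
10.0.0.0/24 dev ens4 proto kernel scope link src 10.0.0.1
203.0.113.0/24 dev ens3 proto kernel scope link src 203.0.113.10'

# check_wg_address WG_ADDR ADDRS ROUTES: print every conflict; return 1 if there is any.
check_wg_address() {
    found=$(find_addr_conflicts "$1" "$2"; find_route_conflicts "$1" "$3")
    if [ -n "$found" ]; then
        printf 'wg0 Address %s overlaps existing config, pick another subnet:\n%s\n' "$1" "$found"
        return 1
    fi
    echo "no overlap for $1"
}

# Offline demonstration with the constructed snapshots. On a live host replace them with
# "$(ip -o -4 addr show)" and "$(ip -4 route show)", and read Address out of wg0.conf with:
#   sed -n 's/^Address *= *//p' /etc/wireguard/wg0.conf
check_wg_address 10.0.0.1/24 "$SAMPLE_ADDRS" "$SAMPLE_ROUTES" || true   # the original address: conflict reported
check_wg_address 10.0.1.1/24 "$SAMPLE_ADDRS" "$SAMPLE_ROUTES"           # the address from the update: clean
```

Run it from a PostUp hook or by hand before `wg-quick up wg0`; a non-zero exit from check_wg_address means the tunnel subnet needs to move, which is exactly the change the update made.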
Because the default route is changing. You have ALL traffic being routed over WireGuard here. How would you expect that to allow the interface routing to work for the local network if you're telling this to punt all traffic to this specific connection?
Please correct me if I'm wrong, but isn't it the other way around? All WireGuard traffic is forwarded to the local interface.
AllowedIPs defines the traffic to be routed. These are single IPs, not subnets.
Edit: a discussion of this same problem, to illustrate: https://forum.gl-inet.com/t/split-tunnel-via-vpn-policy-or-via-wireguard-allowedips-config/31318
I removed all PostUp rules and cleared iptables, but still the same problem.
Well, I mean... I can't give you an entire tutorial on how WireGuard works here, but you have it way wrong.
If you're not sure of the concepts and what you're trying to do, I don't know how to answer any questions for you. If you're not familiar with split-tunneling, subnet routing, and routing tables... you need to get way familiar before you start messing with this.
Your rules aren't the problem. You're only allowing a single IP at a time across many connections here. Learn to read your routing tables and debug from there.
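The comments disagree about what AllowedIPs does to the routing table, so here is an added example, not from the thread or from the WireGuard project, that reads the AllowedIPs entries out of a wg0.conf and lists the routes wg-quick installs for them. The behaviour it encodes is wg-quick's: every AllowedIPs prefix becomes one route via the interface, and only a catch-all entry (0.0.0.0/0 or ::/0) makes it take over default routing, which it does with an fwmark and a policy-routing rule rather than by replacing the main table's default route. The config below is constructed to mirror the question, with one extra subnet entry added to show that comma-separated lists are handled.

```shell
#!/bin/sh
# Added example, not from the original thread: derive the route plan wg-quick follows for
# the AllowedIPs entries in a config. Constructed config (peers trimmed to three).
SAMPLE_CONF='[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = REDACTED

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24'

# Print every AllowedIPs prefix in the config text ($1), one per line, trimmed.
wg_allowed_ips() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Print the route command wg-quick runs per prefix; a catch-all prefix is flagged instead,
# since wg-quick handles it with fwmark + `ip rule`, not with a plain route.
wg_route_plan() {
    wg_allowed_ips "$1" | while read -r prefix; do
        case $prefix in
            0.0.0.0/0|::/0) echo "FULL-TUNNEL $prefix (policy-routing rule, not a plain route)" ;;
            *:*)            echo "ip -6 route add $prefix dev wg0" ;;
            *)              echo "ip -4 route add $prefix dev wg0" ;;
        esac
    done
}

# Succeeds only when the config would send all traffic through the tunnel.
has_full_tunnel() {
    [ -n "$(wg_allowed_ips "$1" | sed -n '/^0\.0\.0\.0\/0$/p; /^::\/0$/p')" ]
}

wg_route_plan "$SAMPLE_CONF"
if has_full_tunnel "$SAMPLE_CONF"; then
    echo "default route WILL be captured by wg0"
else
    echo "default route is untouched; only the listed prefixes go via wg0"
fi
```

For the question's config, with only /32 entries, the plan is one host route per peer and nothing else; to see the other outcome, append a peer with `AllowedIPs = 0.0.0.0/0, ::/0` and has_full_tunnel flips.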