Post AE6bZSgpyWMxBf7rA8 by pony@blovice.bahnhof.cz
Post #AE6b6nL67e7KpeHu4G by piggo@piggo.space
2021-12-05T20:56:14.986321Z
0 likes, 0 repeats
ok can anyone look and tell me what obvious mistake I'm making? ... #wireguard
it creates the interface, routes, all looks nice except I can't ping
Post #AE6bA7sYDHHJP3WWoK by deavmi@gleasonator.com
2021-12-05T20:56:50.661121Z
0 likes, 0 repeats
@piggo Does the ping just hang?
Post #AE6bCCZtiG0UYYmx96 by piggo@piggo.space
2021-12-05T20:57:14.514874Z
0 likes, 0 repeats
@Johann150 @pony
Post #AE6bY2xo8hej6oOAOe by kromonos@social.snopyta.org
2021-12-05T20:57:43Z
0 likes, 0 repeats
@piggo Interface address may be /32 not /24
Post #AE6bY3SeI2KGeSonT6 by piggo@piggo.space
2021-12-05T21:01:08.297169Z
0 likes, 0 repeats
@kromonos thanks but that didn't change anything
Post #AE6bZSgpyWMxBf7rA8 by pony@blovice.bahnhof.cz
2021-12-05T21:01:25.684420Z
0 likes, 0 repeats
@piggo probably the keys are wrong
Post #AE6bZyseI8pb1Ytk12 by amolith@mk.nixnet.social
2021-12-05T21:00:26.338Z
0 likes, 0 repeats
@piggo@piggo.space iirc, the server needs to allow the client's interface IP, not just 10.0.0.0
Post #AE6bZzHomYxqHcfqFM by piggo@piggo.space
2021-12-05T21:01:32.088552Z
0 likes, 0 repeats
@amolith interface IP? the client is behind nat
Post #AE6biSPmMqHIwLR72m by piggo@piggo.space
2021-12-05T21:03:03.630914Z
0 likes, 0 repeats
@pony I generated them with this:
wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
Post #AE6c2xHZJPusSwN0Cm by sqwishy@social.froghat.ca
2021-12-05T21:00:34Z
0 likes, 0 repeats
@piggo there is a way to get debug stuff in dmesg that helps a bit sometimes:
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
Post #AE6c2xjZdIJlrnTMrA by piggo@piggo.space
2021-12-05T21:06:39.873357Z
0 likes, 0 repeats
@sqwishy nice that did something:
[11059.326090] audit: type=1700 audit(1638738289.469:543): dev=wg0 prom=0 old_prom=256 auid=1000 uid=0 gid=0 ses=17
[11062.964083] wireguard: wg0: Handshake for peer 4 (159.69.29.240:57423) did not complete after 5 seconds, retrying (try 2)
[11062.964144] wireguard: wg0: Sending handshake initiation to peer 4 (159.69.29.240:57423)
[11068.297408] wireguard: wg0: Handshake for peer 4 (159.69.29.240:57423) did not complete after 5 seconds, retrying (try 2)
[11068.297505] wireguard: wg0: Sending handshake initiation to peer 4 (159.69.29.240:57423)
Post #AE6c6iRCRj45aHfU48 by amolith@mk.nixnet.social
2021-12-05T21:06:15.033Z
0 likes, 0 repeats
@piggo@piggo.space yes but right now, your client doesn't have a local IP on the server. Interface as in the wireguard interface:
== Client ==
[Interface]
Address = 10.0.0.9
== Server ==
[Peer]
AllowedIPs = 10.0.0.9
I'm on mobile rn and don't have access to any of my configs or would try to give a better example but I'm 80% certain this is the problem
Post #AE6c6irmqsKeuk6iVU by piggo@piggo.space
2021-12-05T21:07:26.297209Z
0 likes, 0 repeats
@amolith I tried 10.0.0.9/32 and also removing the whitelist entirely... well let's try again ig
Post #AE6cFbC0khJHijndOC by sn0w@cofe.rocks
2021-12-05T21:08:57.440788Z
0 likes, 0 repeats
@piggo if you want your client to reach the internet instead of only the 10.0.0.0/24 network (which I'm assuming is the case because of the iptables stuff), you need to allow this in the AllowedIPs setting in the client's config file, e.g. via 0.0.0.0/0. Otherwise WG drops that traffic and only sends 10.0.0.0/24 to your server.
Similarly, you might want to change the server config's AllowedIPs to 10.0.0.8/32 since that's probably the only IP your peer can reasonably route/answer.
Post #AE6cWO4Co6btvz9bFY by sn0w@cofe.rocks
2021-12-05T21:12:03.518157Z
0 likes, 0 repeats
@piggo eh whoops that last thing was supposed to be 10.0.0.9/32, mb
Post #AE6cjJrVkezSerNmoC by piggo@piggo.space
2021-12-05T21:14:24.798260Z
0 likes, 0 repeats
@sn0w yeah you are right, it will be used for nginx running on the client (probably).
One fun thing is to set 0.0.0.0/0 on the server. That fucks up everything because it adds a route for that lol
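The last few replies argue about what AllowedIPs does, so here is a small simulation of WireGuard's cryptokey routing to check such a setup. This is an added example, not configuration or code posted by anyone in the thread: it models the two rules that matter here, that a packet leaves through the peer whose AllowedIPs contains its destination (longest prefix wins), and that a decrypted packet is kept only if its source address lies inside that peer's AllowedIPs. The 10.0.0.0/24 tunnel network and the client address 10.0.0.9 come from the thread; the server tunnel address 10.0.0.1, the peer names and the public test addresses are assumed.

```python
"""Simulate WireGuard cryptokey routing to sanity-check AllowedIPs.

Added example, not configuration from anyone in the thread. A peer's
AllowedIPs is consulted in both directions:
  outbound: a packet is sent to the peer whose AllowedIPs contains the
            destination (longest prefix wins); no match means no route.
  inbound:  a decrypted packet is kept only if its source address is inside
            that peer's AllowedIPs; otherwise it is silently dropped.
Tunnel network 10.0.0.0/24 and client address 10.0.0.9 are from the thread;
the server tunnel address 10.0.0.1 and the public test addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    allowed_ips: List[ipaddress.IPv4Network]


def parse_allowed_ips(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse an AllowedIPs value such as '10.0.0.9, 0.0.0.0/0'.

    A bare address with no prefix length is a single host (/32), which is
    also how wg(8) reads it, so 'AllowedIPs = 10.0.0.0' allows one address,
    not the whole /24.
    """
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def select_peer(peers: List[Peer], dst: str) -> Optional[Peer]:
    """Outbound lookup: longest-prefix match over every peer's AllowedIPs.

    None means no peer claims the destination, so neither WireGuard nor the
    routes wg-quick installs will carry the packet into the tunnel.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts_inbound(peer: Peer, src: str) -> bool:
    """Inbound check: a packet decrypted from `peer` survives only if its
    source address lies inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in peer.allowed_ips)


def ping_works(client_addr: str, client_allowed: str,
               server_addr: str, server_allowed: str) -> bool:
    """Can an echo request from the client's tunnel address reach the server's
    tunnel address and be answered, judged by AllowedIPs alone?

    Hypothetical helper: keys, endpoints and firewalls are ignored, so False
    is a config bug, while True does not rule those other causes out.
    """
    in_client_cfg = Peer("server", parse_allowed_ips(client_allowed))
    in_server_cfg = Peer("client", parse_allowed_ips(server_allowed))
    request = (select_peer([in_client_cfg], server_addr) is not None
               and accepts_inbound(in_server_cfg, client_addr))
    reply = (select_peer([in_server_cfg], client_addr) is not None
             and accepts_inbound(in_client_cfg, server_addr))
    return request and reply


def demo() -> dict:
    """Run the cases argued about in the thread and return the outcomes."""
    out = {}
    # Server [Peer] entry allows only 10.0.0.0 (a bare address, so /32):
    # the client's 10.0.0.9 is dropped on arrival and the ping never answers.
    out["server_allows_only_10.0.0.0"] = ping_works(
        "10.0.0.9", "10.0.0.0/24", "10.0.0.1", "10.0.0.0")
    # Server [Peer] entry AllowedIPs = 10.0.0.9/32: both directions pass.
    out["server_allows_client_host"] = ping_works(
        "10.0.0.9", "10.0.0.0/24", "10.0.0.1", "10.0.0.9/32")
    # Client wants the internet via the tunnel: with AllowedIPs = 10.0.0.0/24 a
    # packet to 203.0.113.5 (assumed public host) has no peer; 0.0.0.0/0 fixes it.
    narrow = [Peer("server", parse_allowed_ips("10.0.0.0/24"))]
    full = [Peer("server", parse_allowed_ips("0.0.0.0/0"))]
    out["internet_via_tunnel_narrow"] = select_peer(narrow, "203.0.113.5") is not None
    out["internet_via_tunnel_full"] = select_peer(full, "203.0.113.5") is not None
    # 0.0.0.0/0 on a peer in the *server's* config: every destination the server
    # has no more specific peer for now goes to that client (the "adds a route
    # for that" effect), though a longer prefix on another peer still wins.
    server_peers = [Peer("client-a", parse_allowed_ips("0.0.0.0/0")),
                    Peer("client-b", parse_allowed_ips("10.0.0.10/32"))]
    out["server_default_goes_to"] = select_peer(server_peers, "198.51.100.7").name
    out["specific_peer_still_wins"] = select_peer(server_peers, "10.0.0.10").name
    return out
```

Running demo() shows the asymmetry the thread stumbled over: the client side only decides what is sent into the tunnel, while the server side's AllowedIPs for that peer must contain the client's own tunnel address or the server throws the packets away after decrypting them, with nothing in the handshake logging to show it.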
Post #AE6ckzP4ms2XmmsXvU by kromonos@social.snopyta.org
2021-12-05T21:02:45Z
0 likes, 0 repeats
@piggo Then you could try to set the "AllowedIP" to the remote interface ip instead of the range. Just to test sth out.
Post #AE6ckzqN9NsH9ReLTM by kromonos@social.snopyta.org
2021-12-05T21:09:56Z
0 likes, 0 repeats
@piggo I took a short look into my config
Post #AE6cl0GFbAZgRhl0oC by piggo@piggo.space
2021-12-05T21:14:41.898694Z
0 likes, 0 repeats
@kromonos thanks yeah that helped!! it's working now
Post #AE6ebtUNbjEqkE9NFg by masstransitkrow@shitposter.club
2021-12-05T21:25:12.093275Z
0 likes, 0 repeats
@piggo @kromonos I've also got a tutorial on Wireguard.
All Wireguard servers are technically peers, but it looks like you're configuring an endpoint.
I discovered that you can have concurrent Wireguard connections, but you can only enable one of their DNS and passthroughs at a time. On the client peer side, adding 0.0.0.0/0 as an allowed IP prevents DNS leaks to your ISP but it also prevents DNS queries from other connected Wireguard tunnels.
Post #AE6ebtq0JKXHpIGdxQ by piggo@piggo.space
2021-12-05T21:35:29.044732Z
0 likes, 0 repeats
@masstransitkrow @kromonos if I add 0.0.0.0/0, will the server still be accessible on LAN e.g. with ssh? It's my understanding that wg adds a route for the AllowedIPs
Post #AE6fFOgRYp2cmpd5Yu by kromonos@social.snopyta.org
2021-12-05T21:40:16Z
0 likes, 0 repeats
@piggo you need to add a rule onto your gateway, to make it publicly available to any member of your LAN. Something like:
ip route add 10.0.0.0/8 via <the LAN IP of your internal wireguard box>
Post #AE6fFPAZkn90IHj9Wq by piggo@piggo.space
2021-12-05T21:42:36.374497Z
0 likes, 0 repeats
@kromonos yeah I understand this bit, but - the wireguard box has route 0.0.0.0/0 -> wg0
so it will try to route the response through the "exit node" on the other end of the wireguard tunnel, won't it?
Post #AE6fIdW6rpCpezLArQ by piggo@piggo.space
2021-12-05T21:43:13.502013Z
0 likes, 0 repeats
@kromonos this is still kinda hypothetical, I'm not sure I will end up adding this route. DNS leak is probably ok for what I want to do with the server
Post #AE6jrHKfjwVkoAlTyS by amolith@mk.nixnet.social
2021-12-05T22:23:19.073Z
0 likes, 0 repeats
@piggo@piggo.space did it werk?
Should be home in about an hour and I can maybe help more. I've been at a concert all day :blobfoxmelt3:
Post #AE6jrHoRxEKYIWhGO8 by piggo@piggo.space
2021-12-05T22:34:16.532057Z
0 likes, 0 repeats
@amolith yeah it did werk! idk what exactly because I was fucking around with the config files, ufw rules, and then also discovered something was persistently overwriting my wireguard config with wrong settings lol
now I just need to figure out how to do reverse proxy and it's done!
Post #AE6p6bh4op5s4YNBC4 by amolith@mk.nixnet.social
2021-12-05T23:29:59.979Z
0 likes, 0 repeats
@piggo@piggo.space what are you proxying? :wolfnerd:
I have a similar setup for running some personal stuff on my PC and exposing it to my main server over wireguard then proxying that so it's publicly accessible. Speeds aren't great but that doesn't really matter lol
Post #AE6p6c7JFI4rNue85A by piggo@piggo.space
2021-12-05T23:33:05.146529Z
0 likes, 0 repeats
@amolith something very much like that, I will run a smart home hub service here and want to have it accessible from anywhere. Then, maybe move my git server here too, gitea, blog etc. And then I can downscale that hetzner server, maybe. And also I want to self host Nextcloud...
Post #AE7RUtpapgAfX5MoQi by amolith@mk.nixnet.social
2021-12-05T23:38:43.788Z
1 like, 0 repeats
@piggo@piggo.space git over SSH over wireguard would be a bit of a pain. Maybe just use SSH and configure the server as a bastion instead. Smart home stuff would have much latency but probably fine. Blog would be fine. From personal experience, nextcloud over Wireguard is incredibly slow and a pretty terrible experience. I just have dynamic DNS crap set up and point the nextcloud subdomain directly to my home IP, which should ™ be fine as it's private
Post #AE7RUuJj1eH32XSsOe by piggo@piggo.space
2021-12-06T06:43:14.831777Z
0 likes, 0 repeats
@amolith (Nextcloud is a horrible experience even without wireguard 😅)
Post #AEK4suU4dQ0gYR4QeO by amolith@mk.nixnet.social
2021-12-06T06:47:36.285Z
0 likes, 0 repeats
@piggo@piggo.space you're not wrong :gura_laugh:
I wish there was something better :akko_badday:
cc @manton
Post #AEK4suxqqhpU2n0D44 by manton@mk.nixnet.social
2021-12-12T08:58:57.239Z
1 like, 0 repeats
@amolith @piggo@piggo.space I'm currently running nextcloud over wireguard and it's quite a miserable experience... but you're right, nextcloud itself is a miserable experience.
I wish something better would do what I want
Post #AF0M1EwDClf3N3OxgO by eric@federation.krowverse.services
2022-01-01T17:57:43.254906Z
0 likes, 0 repeats
@piggo @amolith you can view my tutorial files to see if they help; they're based on working configurations
Post #AF0M1FNrXxmMkoL2mW by piggo@piggo.space
2022-01-01T18:31:00.445174Z
0 likes, 0 repeats
@eric @amolith it was 26 days ago xD
I have it solved and working now