WireGuard Android: error when bringing up the tunnel, "bad address"

My config has:

    vpn:
      rules:
        allowedNetworks:
          - 0.0.0.0/0
          - 128.0.0.0/0
          - ::/0
          - 172.16.10.0/24

And it seems to generate a config

AllowedIPs = 10.44.0.1/32, 10.44.0.0/24, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 200.0.0.0/5, 172.64.0.0/10, 172.128.0.0/9, 12.0.0.0/6, 16.0.0.0/4, 11.0.0.0/8, 32.0.0.0/3, 128.0.0.0/3, 196.0.0.0/6, 64.0.0.0/2, 172.0.0.0/12, 194.0.0.0/7, 192.160.0.0/13, 192.0.0.0/9, 192.170.0.0/15, 160.0.0.0/5, 192.128.0.0/11, 193.0.0.0/8, 208.0.0.0/4, 192.172.0.0/14, 176.0.0.0/4, 192.169.0.0/16, 0.0.0.0/5, 174.0.0.0/7, 192.176.0.0/12, 192.192.0.0/10, 8.0.0.0/7, 172.32.0.0/11, 173.0.0.0/8, 168.0.0.0/6, 0.0.0.0/0, 128.0.0.0/0, ::/0, 172.16.10.0/24

Which makes WireGuard for Android say «Error bringing up tunnel: Bad Address».

I haven’t tracked it down to the actual cause though.

Troubleshooting Wireguard VPN on Windows 10, Android and Linux

I have had my share of pain over the complexity / slowness / incompatibilities / vulnerabilities of using Cisco,
To me it seems the primary problems with WireGuard are twofold:

  1. Not having enough experience in the community (blog posts, walk-throughs, how-tos etc.) to set up all kinds of arrangements besides the usual site-to-site and cloud VPN jump-host.
  2. Clients offer less than adequate error messages that could help with debugging / troubleshooting.
  3. Clients across platforms are not consistent.

I am writing this for two reasons:

  • helping fellow users with similar situations
  • and to give feedback to the developers (will try to figure out where to submit reports and which of the issues are known already).

Things to fix / disambiguate / document in the various WireGuard components:

  1. The Android client does not have the nice log viewer that is part of the Windows client — and that helped me to see what is (not) happening.
  2. The log you can export from the Android client is full of UI related Java messages, unlike the clean log of the Windows client — it really makes it very hard to comprehend what is going on.
  3. The Android client just disappears after a while (even with the PersistentKeepalive set to 25), so suddenly the VPN protection disappears without any notification. This did not happen to the OpenVPN Android client, so probably just have to tell Android not to evict / suspend the VPN software somehow.
  4. The error message «bad address» (Android client, creating configuration from scratch) is misleading or not informative enough: got it for example for 192.168.1.1/24 (should be /32 or 192.168.1.0/24) — could correct it automatically or at least be more informative telling you what is wrong.
  5. It is hard to figure out where WireGuard is logging on Linux with systemd.
    Is it logging at all?
    — Could not find any trace of the failed connection attempts, so it was really hard to tell, if my DNS, my port forwarding or my Wireguard config is wrong (was the latter).
    — Could not find messages about 192.168.1.2/24 being inaccessible (overridden) if there is a 192.168.1.3/24 peer afterwards, so have to use /32 peers even if the server interface address is communicating on a 192.168.1.1/24 address with both of the clients.
    — systemd startup log did not have any relevant messages either

What my mistakes and symptoms were:

  1. Accidentally mixed up a private and a public key. WireGuard just silently fails, does not tell you that there was a connection attempt but the key was wrong. Could have been any network related inaccessibility as well…
  2. Did not know how to configure the peer addresses each for /32 so that they don’t interfere but both can communicate with the /24 server interface.
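Both of the configuration mistakes reported on this page (the «Bad Address» rejection of prefixes such as 128.0.0.0/0 and 192.168.1.1/24, and two peers with overlapping /24 AllowedIPs where the later one silently takes over the route) can be caught before a config is imported into a client. The following checker is an added example, not code from any of the posts above or from the WireGuard or Algo projects. It assumes that the Android client's "bad address" corresponds to strict CIDR parsing (a prefix whose host bits are set), which matches the two cases the posts describe but is an assumption on the editor's part; the sample config, peer names and the `check_config` helper are constructed for the example.

```python
import ipaddress

# Constructed sample (not from the posts above): a wg-quick style config that
# contains both mistakes discussed on the page. Keys and endpoints are omitted
# because the checks only look at AllowedIPs.
SAMPLE_CONFIG = """\
[Interface]
Address = 192.168.1.1/24
ListenPort = 51820

[Peer]
# peer "dan" (constructed name)
AllowedIPs = 192.168.1.2/24, 0.0.0.0/0, 128.0.0.0/0, ::/0

[Peer]
# peer "jack" (constructed name)
AllowedIPs = 192.168.1.3/24, 172.16.10.0/24
"""


def parse_allowed_ips(config_text):
    """Return [(peer_index, [raw AllowedIPs strings]), ...] in file order."""
    peers = []
    section = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append([])
            continue
        if section == "peer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "allowedips":
                peers[-1].extend(p.strip() for p in value.split(",") if p.strip())
    return list(enumerate(peers))


def find_bad_addresses(peers):
    """Prefixes whose host bits are set (128.0.0.0/0, 192.168.1.1/24, ...).

    ipaddress.ip_network(strict=True) rejects exactly these; the canonical
    network is returned alongside so the operator can correct the entry.
    """
    bad = []
    for idx, prefixes in peers:
        for raw in prefixes:
            try:
                ipaddress.ip_network(raw, strict=True)
            except ValueError:
                try:
                    canonical = str(ipaddress.ip_network(raw, strict=False))
                except ValueError:
                    canonical = None           # not a prefix at all
                bad.append((idx, raw, canonical))
    return bad


def find_overlaps(peers):
    """Pairs of prefixes on *different* peers that overlap.

    A WireGuard interface routes each destination to at most one peer, so an
    overlapping AllowedIPs entry on a later peer takes the route away from the
    earlier one (the 192.168.1.2/24 vs 192.168.1.3/24 case described above).
    """
    nets = []
    for idx, prefixes in peers:
        seen = set()
        for raw in prefixes:
            try:
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                continue                       # reported by find_bad_addresses
            if net not in seen:
                seen.add(net)
                nets.append((idx, net))
    overlaps = []
    for i, (a_idx, a) in enumerate(nets):
        for b_idx, b in nets[i + 1:]:
            if a_idx != b_idx and a.version == b.version and a.overlaps(b):
                overlaps.append((a_idx, str(a), b_idx, str(b)))
    return overlaps


def check_config(config_text):
    """Run both checks over a config and return them as a report dict."""
    peers = parse_allowed_ips(config_text)
    return {"bad": find_bad_addresses(peers), "overlaps": find_overlaps(peers)}


if __name__ == "__main__":
    report = check_config(SAMPLE_CONFIG)
    for idx, raw, canonical in report["bad"]:
        print(f"peer {idx}: {raw} has host bits set; use {canonical or '?'} or a /32")
    for a_idx, a, b_idx, b in report["overlaps"]:
        print(f"peer {a_idx} {a} overlaps peer {b_idx} {b}; the later peer takes the route")
```

Run against the sample, the first check flags 192.168.1.2/24, 128.0.0.0/0 and 192.168.1.3/24 with their canonical forms, and the second reports the two /24 peers colliding with each other and with the 0.0.0.0/0 route; giving each client a /32 (as the author ended up doing) makes both reports empty.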

Describe the bug

WireGuard android app does not connect.


To Reproduce

Steps to reproduce the behavior:

  1. Install WireGuard (Unreleased) app
  2. Scan the QR code
  3. Tap connect

Full log

wireguard-log.txt
FullLog.txt

PLAY [Ask user for the input] ******************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]
[pause]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Vultr
    4. Microsoft Azure
    5. Google Compute Engine
    6. Scaleway
    7. OpenStack (DreamCompute optimised)
    8. Install to existing Ubuntu 18.04 server (Advanced)

Enter the number of your desired provider
:
1

TASK [pause] ***********************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************
ok: [localhost]
[pause]
Name the vpn server
[algo]
:
algo2

TASK [pause] ***********************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]
:


TASK [pause] ***********************************************************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
:


TASK [pause] ***********************************************************************************************************
ok: [localhost]
[pause]
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
:


TASK [pause] ***********************************************************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:


TASK [pause] ***********************************************************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:


TASK [pause] ***********************************************************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:


TASK [pause] ***********************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ************************************************************************************
ok: [localhost]

PLAY [Provision the server] ********************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 18.04.1 LTS
Created from git clone. Last commit: efc8dc7 add tags for the wireguard qr code task. variables fix (#1147)
Python 2.7.15rc1
Runtime variables:
    algo_provider "digitalocean"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "_null"
    algo_local_dns "False"
    algo_ssh_tunneling "False"
    algo_windows "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] ******************************************************************************
changed: [localhost -> localhost]

TASK [Generate the SSH private key] ************************************************************************************
ok: [localhost]

TASK [Generate the SSH public key] *************************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens):
 (output is hidden):

TASK [cloud-digitalocean : pause] **************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set the token as a fact] ********************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Get regions] ********************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set facts about thre regions] ***************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set default region] *************************************************************************
ok: [localhost]
[cloud-digitalocean : pause]
What region should the server be located in?
    1. ams3     Amsterdam 3
    2. blr1     Bangalore 1
    3. fra1     Frankfurt 1
    4. lon1     London 1
    5. nyc1     New York 1
    6. nyc3     New York 3
    7. sfo2     San Francisco 2
    8. sgp1     Singapore 1
    9. tor1     Toronto 1

Enter the number of your desired region
[6]
:
1

TASK [cloud-digitalocean : pause] **************************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Set additional facts] ***********************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] **********************************************************
ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] *************************************************************************
changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] **********************************************************************
changed: [localhost]

TASK [cloud-digitalocean : set_fact] ***********************************************************************************
ok: [localhost]

TASK [cloud-digitalocean : Tag the droplet] ****************************************************************************
changed: [localhost]
FAILED - RETRYING: Delete the new Algo SSH key (10 retries left).

TASK [cloud-digitalocean : Delete the new Algo SSH key] ****************************************************************
ok: [localhost]

TASK [Set subjectAltName as afact] *************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] ****************************************************************************
changed: [localhost]

TASK [Additional variables for the server] *****************************************************************************
changed: [localhost]

TASK [Wait until SSH becomes ready...] *********************************************************************************
ok: [localhost]

TASK [debug] ***********************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "xx.xx.xxx.xx"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ********************************************************
ok: [localhost]

PLAY [Configure the server and install required software] **************************************************************

TASK [common : Check the system] ***************************************************************************************
changed: [xx.xx.xxx.xx]

TASK [common : include_tasks] ******************************************************************************************
included: /home/sam/algo/roles/common/tasks/ubuntu.yml for xx.xx.xxx.xx
changed: [xx.xx.xxx.xx] => (item=[u'python2.7', u'sudo'])

TASK [common : Ubuntu | Install prerequisites] *************************************************************************

TASK [common : Ubuntu | Configure defaults] ****************************************************************************
changed: [xx.xx.xxx.xx]

TASK [common : Gather facts] *******************************************************************************************
ok: [xx.xx.xxx.xx]

TASK [common : Install software updates] *******************************************************************************
changed: [xx.xx.xxx.xx]

TASK [common : Check if reboot is required] ****************************************************************************
changed: [xx.xx.xxx.xx]

TASK [common : Install unattended-upgrades] ****************************************************************************
ok: [xx.xx.xxx.xx]

TASK [common : Configure unattended-upgrades] **************************************************************************
changed: [xx.xx.xxx.xx]

TASK [common : Periodic upgrades configured] ***************************************************************************
changed: [xx.xx.xxx.xx]

TASK [common : Unattended reboots configured] **************************************************************************
changed: [xx.xx.xxx.xx]
changed: [xx.xx.xxx.xx] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
changed: [xx.xx.xxx.xx] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Disable MOTD on login and SSHD] *************************************************************************

TASK [common : Loopback for services configured] ***********************************************************************
changed: [xx.xx.xxx.xx]
ok: [xx.xx.xxx.xx] => (item=systemd-networkd)
ok: [xx.xx.xxx.xx] => (item=systemd-resolved)

TASK [common : systemd services enabled and started] *******************************************************************

RUNNING HANDLER [common : restart systemd-networkd] ********************************************************************
changed: [xx.xx.xxx.xx]

TASK [common : Check apparmor support] *********************************************************************************
changed: [xx.xx.xxx.xx]

TASK [common : set_fact] ***********************************************************************************************
ok: [xx.xx.xxx.xx]

TASK [common : set_fact] ***********************************************************************************************
ok: [xx.xx.xxx.xx]
ok: [xx.xx.xxx.xx] => (item=git)
ok: [xx.xx.xxx.xx] => (item=screen)
changed: [xx.xx.xxx.xx] => (item=apparmor-utils)
ok: [xx.xx.xxx.xx] => (item=uuid-runtime)
ok: [xx.xx.xxx.xx] => (item=coreutils)
changed: [xx.xx.xxx.xx] => (item=iptables-persistent)
changed: [xx.xx.xxx.xx] => (item=cgroup-tools)
ok: [xx.xx.xxx.xx] => (item=openssl)

TASK [common : Install tools] ******************************************************************************************
ok: [xx.xx.xxx.xx] => (item=[u'linux-headers-generic', u'linux-headers-4.15.0-36-generic'])

TASK [common : Install headers] ****************************************************************************************

TASK [common : Generate password for the CA key] ***********************************************************************
changed: [xx.xx.xxx.xx -> localhost]

TASK [common : Generate p12 export password] ***************************************************************************
changed: [xx.xx.xxx.xx -> localhost]

TASK [common : Define facts] *******************************************************************************************
ok: [xx.xx.xxx.xx]

TASK [common : set_fact] ***********************************************************************************************
ok: [xx.xx.xxx.xx]

TASK [common : Set IPv6 support as a fact] *****************************************************************************
ok: [xx.xx.xxx.xx]
changed: [xx.xx.xxx.xx] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
changed: [xx.xx.xxx.xx] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
changed: [xx.xx.xxx.xx] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [common : Sysctl tuning] ******************************************************************************************

TASK [dns_encryption : Include tasks for Ubuntu] ***********************************************************************
included: /home/sam/algo/roles/dns_encryption/tasks/ubuntu.yml for xx.xx.xxx.xx

TASK [dns_encryption : Add the repository] *****************************************************************************
changed: [xx.xx.xxx.xx]

TASK [dns_encryption : Install dnscrypt-proxy] *************************************************************************
changed: [xx.xx.xxx.xx]

TASK [dns_encryption : Configure unattended-upgrades] ******************************************************************
changed: [xx.xx.xxx.xx]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] ***********************************************
changed: [xx.xx.xxx.xx]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ********************************************
ok: [xx.xx.xxx.xx]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ********************************
changed: [xx.xx.xxx.xx]

TASK [dns_encryption : Ubuntu | Add capabilities to bind ports] ********************************************************
changed: [xx.xx.xxx.xx]

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] *********************************************************
changed: [xx.xx.xxx.xx]

TASK [dns_encryption : dnscrypt-proxy configured] **********************************************************************
changed: [xx.xx.xxx.xx]

TASK [dns_encryption : dnscrypt-proxy enabled and started] *************************************************************
ok: [xx.xx.xxx.xx]

RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] **************************************************************
changed: [xx.xx.xxx.xx]
changed: [xx.xx.xxx.xx -> localhost] => (item=private)
changed: [xx.xx.xxx.xx -> localhost] => (item=public)

TASK [wireguard : Ensure the required directories exist] ***************************************************************

TASK [wireguard : Include tasks for Ubuntu] ****************************************************************************
included: /home/sam/algo/roles/wireguard/tasks/ubuntu.yml for xx.xx.xxx.xx

TASK [wireguard : WireGuard repository configured] *********************************************************************
changed: [xx.xx.xxx.xx]

TASK [wireguard : WireGuard installed] *********************************************************************************
changed: [xx.xx.xxx.xx]

TASK [wireguard : WireGuard reload-module-on-update] *******************************************************************
changed: [xx.xx.xxx.xx]

TASK [wireguard : Configure unattended-upgrades] ***********************************************************************
changed: [xx.xx.xxx.xx]

TASK [wireguard : set_fact] ********************************************************************************************
ok: [xx.xx.xxx.xx]
changed: [xx.xx.xxx.xx] => (item=dan)
changed: [xx.xx.xxx.xx] => (item=jack)
changed: [xx.xx.xxx.xx] => (item=xx.xx.xxx.xx)

TASK [wireguard : Generate private keys] *******************************************************************************
changed: [xx.xx.xxx.xx] => (item=None)
changed: [xx.xx.xxx.xx] => (item=None)
changed: [xx.xx.xxx.xx] => (item=None)

TASK [wireguard : Save private keys] ***********************************************************************************
changed: [xx.xx.xxx.xx] => (item=dan)
changed: [xx.xx.xxx.xx] => (item=jack)
changed: [xx.xx.xxx.xx] => (item=xx.xx.xxx.xx)

TASK [wireguard : Touch the lock file] *********************************************************************************
ok: [xx.xx.xxx.xx] => (item=dan)
ok: [xx.xx.xxx.xx] => (item=jack)
ok: [xx.xx.xxx.xx] => (item=xx.xx.xxx.xx)

TASK [wireguard : Generate public keys] ********************************************************************************
changed: [xx.xx.xxx.xx] => (item=None)
changed: [xx.xx.xxx.xx] => (item=None)
changed: [xx.xx.xxx.xx] => (item=None)

TASK [wireguard : Save public keys] ************************************************************************************

TASK [wireguard : WireGuard configured] ********************************************************************************
changed: [xx.xx.xxx.xx]
changed: [xx.xx.xxx.xx -> localhost] => (item=(0, u'dan'))
changed: [xx.xx.xxx.xx -> localhost] => (item=(1, u'jack'))

TASK [wireguard : WireGuard users config generated] ********************************************************************
ok: [xx.xx.xxx.xx -> localhost] => (item=(0, u'dan'))
ok: [xx.xx.xxx.xx -> localhost] => (item=(1, u'jack'))

TASK [wireguard : Generate QR codes] ***********************************************************************************

TASK [wireguard : WireGuard enabled and started] ***********************************************************************
changed: [xx.xx.xxx.xx]

RUNNING HANDLER [wireguard : restart wireguard] ************************************************************************
changed: [xx.xx.xxx.xx]

TASK [vpn : Include WireGuard role] ************************************************************************************
ok: [xx.xx.xxx.xx -> localhost] => (item=private)
ok: [xx.xx.xxx.xx -> localhost] => (item=public)

TASK [wireguard : Ensure the required directories exist] ***************************************************************

TASK [wireguard : Include tasks for Ubuntu] ****************************************************************************
included: /home/sam/algo/roles/wireguard/tasks/ubuntu.yml for xx.xx.xxx.xx

TASK [wireguard : WireGuard repository configured] *********************************************************************
ok: [xx.xx.xxx.xx]

TASK [wireguard : WireGuard installed] *********************************************************************************
ok: [xx.xx.xxx.xx]

TASK [wireguard : WireGuard reload-module-on-update] *******************************************************************
changed: [xx.xx.xxx.xx]

TASK [wireguard : Configure unattended-upgrades] ***********************************************************************
ok: [xx.xx.xxx.xx]

TASK [wireguard : set_fact] ********************************************************************************************
ok: [xx.xx.xxx.xx]
ok: [xx.xx.xxx.xx] => (item=dan)
ok: [xx.xx.xxx.xx] => (item=jack)
ok: [xx.xx.xxx.xx] => (item=xx.xx.xxx.xx)

TASK [wireguard : Generate private keys] *******************************************************************************
ok: [xx.xx.xxx.xx] => (item=dan)
ok: [xx.xx.xxx.xx] => (item=jack)
ok: [xx.xx.xxx.xx] => (item=xx.xx.xxx.xx)

TASK [wireguard : Generate public keys] ********************************************************************************
ok: [xx.xx.xxx.xx] => (item=None)
ok: [xx.xx.xxx.xx] => (item=None)
ok: [xx.xx.xxx.xx] => (item=None)

TASK [wireguard : Save public keys] ************************************************************************************

TASK [wireguard : WireGuard configured] ********************************************************************************
ok: [xx.xx.xxx.xx]
ok: [xx.xx.xxx.xx -> localhost] => (item=(0, u'dan'))
ok: [xx.xx.xxx.xx -> localhost] => (item=(1, u'jack'))

TASK [wireguard : WireGuard users config generated] ********************************************************************
ok: [xx.xx.xxx.xx -> localhost] => (item=(0, u'dan'))
ok: [xx.xx.xxx.xx -> localhost] => (item=(1, u'jack'))

TASK [wireguard : Generate QR codes] ***********************************************************************************

TASK [wireguard : WireGuard enabled and started] ***********************************************************************
ok: [xx.xx.xxx.xx]

TASK [vpn : include_tasks] *********************************************************************************************
included: /home/sam/algo/roles/vpn/tasks/ubuntu.yml for xx.xx.xxx.xx

TASK [vpn : set_fact] **************************************************************************************************
ok: [xx.xx.xxx.xx]

TASK [vpn : Ubuntu | Install strongSwan] *******************************************************************************
changed: [xx.xx.xxx.xx]
changed: [xx.xx.xxx.xx] => (item=/usr/lib/ipsec/charon)
changed: [xx.xx.xxx.xx] => (item=/usr/lib/ipsec/lookip)
changed: [xx.xx.xxx.xx] => (item=/usr/lib/ipsec/stroke)

TASK [vpn : Ubuntu | Enforcing ipsec with apparmor] ********************************************************************
ok: [xx.xx.xxx.xx] => (item=apparmor)
ok: [xx.xx.xxx.xx] => (item=strongswan)
ok: [xx.xx.xxx.xx] => (item=netfilter-persistent)

TASK [vpn : Ubuntu | Enable services] **********************************************************************************

TASK [vpn : Ubuntu | Ensure that the strongswan service directory exist] ***********************************************
changed: [xx.xx.xxx.xx]

TASK [vpn : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ************************************************
changed: [xx.xx.xxx.xx]

TASK [vpn : include_tasks] *********************************************************************************************
included: /home/sam/algo/roles/vpn/tasks/iptables.yml for xx.xx.xxx.xx
changed: [xx.xx.xxx.xx] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [vpn : Iptables configured] ***************************************************************************************
changed: [xx.xx.xxx.xx] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [vpn : Iptables configured] ***************************************************************************************

TASK [vpn : Install strongSwan] ****************************************************************************************
ok: [xx.xx.xxx.xx]
changed: [xx.xx.xxx.xx] => (item={u'dest': u'/etc/strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [xx.xx.xxx.xx] => (item={u'dest': u'/etc/ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'})
changed: [xx.xx.xxx.xx] => (item={u'dest': u'/etc/ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Setup the config files from our templates] *****************************************************************

TASK [vpn : Get loaded plugins] ****************************************************************************************
changed: [xx.xx.xxx.xx]
changed: [xx.xx.xxx.xx] => (item=xcbc)
changed: [xx.xx.xxx.xx] => (item=sshkey)
changed: [xx.xx.xxx.xx] => (item=updown)
changed: [xx.xx.xxx.xx] => (item=mgf1)
changed: [xx.xx.xxx.xx] => (item=connmark)
changed: [xx.xx.xxx.xx] => (item=attr)
changed: [xx.xx.xxx.xx] => (item=constraints)
changed: [xx.xx.xxx.xx] => (item=sha1)
changed: [xx.xx.xxx.xx] => (item=md5)
changed: [xx.xx.xxx.xx] => (item=md4)
changed: [xx.xx.xxx.xx] => (item=aesni)
changed: [xx.xx.xxx.xx] => (item=agent)
changed: [xx.xx.xxx.xx] => (item=pkcs1)
changed: [xx.xx.xxx.xx] => (item=counters)
changed: [xx.xx.xxx.xx] => (item=eap-mschapv2)
changed: [xx.xx.xxx.xx] => (item=fips-prf)
changed: [xx.xx.xxx.xx] => (item=gmp)
changed: [xx.xx.xxx.xx] => (item=xauth-generic)
changed: [xx.xx.xxx.xx] => (item=dnskey)
changed: [xx.xx.xxx.xx] => (item=resolve)
changed: [xx.xx.xxx.xx] => (item=rc2)
changed: [xx.xx.xxx.xx] => (item=bypass-lan)
changed: [xx.xx.xxx.xx] => (item=sha2)
changed: [xx.xx.xxx.xx] => (item=pkcs8)
changed: [xx.xx.xxx.xx] => (item=kernel-netlink)
changed: [xx.xx.xxx.xx] => (item=pubkey)
changed: [xx.xx.xxx.xx] => (item=random)
changed: [xx.xx.xxx.xx] => (item=aes)
changed: [xx.xx.xxx.xx] => (item=nonce)
changed: [xx.xx.xxx.xx] => (item=pkcs7)
changed: [xx.xx.xxx.xx] => (item=revocation)
changed: [xx.xx.xxx.xx] => (item=stroke)
changed: [xx.xx.xxx.xx] => (item=pgp)
changed: [xx.xx.xxx.xx] => (item=x509)
changed: [xx.xx.xxx.xx] => (item=pem)
changed: [xx.xx.xxx.xx] => (item=gcm)
changed: [xx.xx.xxx.xx] => (item=pkcs12)
changed: [xx.xx.xxx.xx] => (item=openssl)
changed: [xx.xx.xxx.xx] => (item=socket-default)
changed: [xx.xx.xxx.xx] => (item=hmac)

TASK [vpn : Set subjectAltName as a fact] ******************************************************************************
ok: [xx.xx.xxx.xx -> localhost]
changed: [xx.xx.xxx.xx -> localhost] => (item=ecparams)
changed: [xx.xx.xxx.xx -> localhost] => (item=certs)
changed: [xx.xx.xxx.xx -> localhost] => (item=crl)
changed: [xx.xx.xxx.xx -> localhost] => (item=newcerts)
changed: [xx.xx.xxx.xx -> localhost] => (item=private)
changed: [xx.xx.xxx.xx -> localhost] => (item=public)
changed: [xx.xx.xxx.xx -> localhost] => (item=reqs)

TASK [vpn : Ensure the pki directories exist] **************************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=.rnd)
changed: [xx.xx.xxx.xx -> localhost] => (item=private/.rnd)
changed: [xx.xx.xxx.xx -> localhost] => (item=index.txt)
changed: [xx.xx.xxx.xx -> localhost] => (item=index.txt.attr)
changed: [xx.xx.xxx.xx -> localhost] => (item=serial)

TASK [vpn : Ensure the files exist] ************************************************************************************

TASK [vpn : Generate the openssl server configs] ***********************************************************************
changed: [xx.xx.xxx.xx -> localhost]

TASK [vpn : Build the CA pair] *****************************************************************************************
changed: [xx.xx.xxx.xx -> localhost]

TASK [vpn : Copy the CA certificate] ***********************************************************************************
changed: [xx.xx.xxx.xx -> localhost]

TASK [vpn : Generate the serial number] ********************************************************************************
changed: [xx.xx.xxx.xx -> localhost]

TASK [vpn : Build the server pair] *************************************************************************************
changed: [xx.xx.xxx.xx -> localhost]
changed: [xx.xx.xxx.xx -> localhost] => (item=dan)
changed: [xx.xx.xxx.xx -> localhost] => (item=jack)

TASK [vpn : Build the client's pair] ***********************************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=dan)
changed: [xx.xx.xxx.xx -> localhost] => (item=jack)

TASK [vpn : Create links for the private keys] *************************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=dan)
changed: [xx.xx.xxx.xx -> localhost] => (item=jack)

TASK [vpn : Build openssh public keys] *********************************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=dan)
changed: [xx.xx.xxx.xx -> localhost] => (item=jack)

TASK [vpn : Build the client's p12] ************************************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=dan)
changed: [xx.xx.xxx.xx -> localhost] => (item=jack)

TASK [vpn : Copy the p12 certificates] *********************************************************************************

TASK [vpn : Get active users] ******************************************************************************************
changed: [xx.xx.xxx.xx -> localhost]
changed: [xx.xx.xxx.xx] => (item={u'dest': u'/etc/ipsec.d/cacerts/ca.crt', u'src': u'configs/xx.xx.xxx.xx/pki/cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [xx.xx.xxx.xx] => (item={u'dest': u'/etc/ipsec.d/certs/xx.xx.xxx.xx.crt', u'src': u'configs/xx.xx.xxx.xx/pki/certs/xx.xx.xxx.xx.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
changed: [xx.xx.xxx.xx] => (item={u'dest': u'/etc/ipsec.d/private/xx.xx.xxx.xx.key', u'src': u'configs/xx.xx.xxx.xx/pki/private/xx.xx.xxx.xx.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})

TASK [vpn : Copy the keys to the strongswan directory] *****************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=dan)
changed: [xx.xx.xxx.xx -> localhost] => (item=jack)

TASK [vpn : Register p12 PayloadContent] *******************************************************************************

TASK [vpn : Set facts for mobileconfigs] *******************************************************************************
ok: [xx.xx.xxx.xx -> localhost]
changed: [xx.xx.xxx.xx] => (item=None)
changed: [xx.xx.xxx.xx] => (item=None)

TASK [vpn : Build the mobileconfigs] ***********************************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=dan)
changed: [xx.xx.xxx.xx -> localhost] => (item=jack)

TASK [vpn : Build the client ipsec config file] ************************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=dan)
changed: [xx.xx.xxx.xx -> localhost] => (item=jack)

TASK [vpn : Build the client ipsec secret file] ************************************************************************
changed: [xx.xx.xxx.xx -> localhost] => (item=configs/xx.xx.xxx.xx)

TASK [vpn : Restrict permissions for the local private directories] ****************************************************

TASK [vpn : strongSwan started] ****************************************************************************************
ok: [xx.xx.xxx.xx]

RUNNING HANDLER [dns_adblocking : restart apparmor] ********************************************************************

RUNNING HANDLER [vpn : restart strongswan] *****************************************************************************
changed: [xx.xx.xxx.xx]

RUNNING HANDLER [vpn : daemon-reload] **********************************************************************************
changed: [xx.xx.xxx.xx]

RUNNING HANDLER [vpn : restart iptables] *******************************************************************************
changed: [xx.xx.xxx.xx]

TASK [Delete the CA key] ***********************************************************************************************
changed: [xx.xx.xxx.xx -> localhost]

TASK [Dump the configuration] ******************************************************************************************
changed: [xx.xx.xxx.xx -> localhost]

TASK [debug] ***********************************************************************************************************
ok: [xx.xx.xxx.xx] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#                     Local DNS resolver 172.16.0.1                    #\"",
            ""
        ],
        "    \"#        The p12 and SSH keys password for new users is 8AXPGV4A       #\"\n",
        "    ",
        "    \"#      Shell access: ssh -i configs/algo.pem root@xx.xx.xxx.xx        #\"\n"
    ]
}

PLAY RECAP *************************************************************************************************************
xx.xx.xxx.xx             : ok=112  changed=73   unreachable=0    failed=0
localhost                  : ok=34   changed=6    unreachable=0    failed=0

I am using a cloud server on Ubuntu 20.04, it runs at IP 185.253.44.4:3333; here are the contents of the config (wg0.conf):

[Interface]
Address = 185.253.44.4/24
ListenPort = 3333
PrivateKey = mLc+jV2XjWt9OLvXyqa2+J+OOPmuV77As4jUZTss8mk=

Here is what the command «sudo systemctl status wg-quick@wg0» outputs:

● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: active (exited) since Wed 2022-03-16 10:50:13 UTC; 4s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 4443 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 4443 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 527)
     Memory: 1.5M
     CGroup: /system.slice/system-wg\x2dquick.slice/wg-quick@wg0.service

Mar 16 10:50:13 opezd79549 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 16 10:50:13 opezd79549 wg-quick[4443]: [#] ip link add wg0 type wireguard
Mar 16 10:50:13 opezd79549 wg-quick[4443]: [#] wg setconf wg0 /dev/fd/63
Mar 16 10:50:13 opezd79549 wg-quick[4443]: [#] ip -4 address add 185.253.44.4/24 dev wg0
Mar 16 10:50:13 opezd79549 wg-quick[4443]: [#] ip link set mtu 1420 up dev wg0
Mar 16 10:50:13 opezd79549 systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

Output after «sudo ip a show wg0»:

interface: wg0
  public key: FRrQgjEXAeY7MpLPcdDuCd1e6LylHc6414zbpUEclkQ=
  private key: (hidden)
  listening port: 3333
root@opezd79549:/etc/wireguard# sudo ip a show wg0
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 185.253.44.4/24 scope global wg0
       valid_lft forever preferred_lft forever

On Windows I connect through the app from wireguard. Here is the tunnel config:

[Interface]
PrivateKey = 6JW3oWJ/cXg1T9Q7b9jCShQ8snoEaf4sCBSllJD6a0E=
Address = 178.155.6.110/24

[Peer]
PublicKey = FRrQgjEXAeY7MpLPcdDuCd1e6LylHc6414zbpUEclkQ=
AllowedIPs = 0.0.0.0/0
Endpoint = 185.253.44.4:3333
PersistentKeepalive = 15

I am not using a firewall, since even after opening the port for the server it is impossible to connect to it.
On the client the VPN connects instantly, but the internet connection stops working.

It is tempting to write the "finally, a proper one" manual for configuring wireguard. But in the end such a manual would become yet another one that does not solve all of the user's problems during setup. So the purpose of this post is to highlight the possible problems an ordinary user may run into when setting up a basic VPN via wireguard on a typical VDS.

I used this setup guide:

  • video version on YouTube
  • text instructions in Telegram

It is quite possible that the article will be expanded, or that the comments will end up holding more useful information than the post itself.

My VDS

  • basic VDS at DigitalOcean for $4: 512 MB Memory / 10 GB Disk / SGP1 — Ubuntu 22.10 x64
  • region Singapore. Probably not the best option, but definitely a working one. Initially I tried other regions, but while hunting for problems I switched servers. I came across comments that for some regions it "would not start". A speed measurement example is at the end of the article.

Note: on registration Digital Ocean gave a trial period with "$200.00 (expires in 59 days)". At the same time DO charged (and immediately refunded) a test amount of $5 on registration. If you have a suitable card, there is most likely a working option to create a new account and roll out wireguard again for another two months. Repeat as needed.

I tried to set up the VDS following several guides. On the whole they are all alike, and with each of them there was a problem at the final step: I connect to WireGuard through the client, but there is no internet. Most likely, if there is a problem, it will show up exactly at this step.

I assume you have gone through the guide and understand what is discussed next.

Checking the configuration files once more

Check the configuration files once more. With a minimal setup there are two files:

  • the first file, wg0.conf, lives on the VDS itself and holds the wireguard settings
  • the second, for example mac.conf in my case, holds the client settings

Example of my wg0.conf file

[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51830
PrivateKey = <private_key>

[Peer]
PublicKey = <public_key>
AllowedIPs = 10.0.0.2/32

Let's go through the main fields:

  1. PrivateKey & PublicKey. During setup it is quite easy to mix up the data pasted into the PrivateKey and PublicKey fields of the configuration files. Check once more that everything in this part is correct.
  2. ListenPort. I have 51830, but 51820, as in other guides, should apparently work too. There should be no problems here.
  3. AllowedIPs. Essentially this value must match the one given in the client settings file.
  4. ⚡⚡⚡ PostUp & PostDown. Lightning. Three of them, even. The guide lists these lines:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

These commands run when the wireguard server starts/stops. What interests us here are the values %i and eth0.

As I understand it, %i is a template for the network interface, which is eventually replaced by the concrete value. In my case I hardcoded 'wg0'. Without that it did not work for me.

Also, instead of eth0 you sometimes need to give your own network interface name. To list the network interfaces you can use the command ifconfig -a in the VDS terminal. In my case it is eth0, but it could be ens3 or something else. If the wrong interface is given here, I saw an error in the console when checking the status with the command systemctl status wg-quick@wg0. In my case no change relative to the guide was needed.

Example of my mac.conf file (client file)

[Interface]
PrivateKey = <private_key>
Address = 10.0.0.2/32 # must match the value given in the [Peer] section of wg0.conf
DNS = 1.1.1.1 # we set the DNS ourselves; 8.8.8.8 or any other works

[Peer]
PublicKey = <public_key>
Endpoint = <ip_vds>:51830 # check the port
AllowedIPs = 0.0.0.0/0 # route all traffic through wireguard
PersistentKeepalive = 20

The main points are commented in the file.
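A cross-check of the points listed above (Endpoint port against ListenPort, client Address against the server-side AllowedIPs, the interface names used in PostUp/PostDown), as an added Python example that is not from the article; the sample config pair, the placeholder keys and the interface list are constructed.

```python
import ipaddress
import re

def parse_wg(text):
    """Parse a wg-quick config into [(section, {k: v}), ...]; configparser would merge repeated [Peer]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # wg-quick strips '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        else:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def check_pair(server_text, client_text, wg_name, host_ifaces):
    """Return a list of mismatches (empty = consistent); wg_name is the tunnel, host_ifaces the VDS NICs."""
    server, client = parse_wg(server_text), parse_wg(client_text)
    s_if, c_if = dict(server)["Interface"], dict(client)["Interface"]
    c_peer = next(body for name, body in client if name == "Peer")
    problems = []
    # 1. Endpoint port on the client must equal ListenPort on the server.
    port = c_peer["Endpoint"].rsplit(":", 1)[1]
    if port != s_if.get("ListenPort"):
        problems.append(f"Endpoint port {port} != ListenPort {s_if.get('ListenPort')}")
    # 2. The client Address must fall inside some server-side [Peer] AllowedIPs.
    c_addr = ipaddress.ip_interface(c_if["Address"]).ip
    if not any(c_addr in ipaddress.ip_network(n.strip(), strict=False)
               for name, body in server if name == "Peer"
               for n in body["AllowedIPs"].split(",")):
        problems.append(f"client address {c_addr} is not in any server AllowedIPs")
    # 3. PostUp/PostDown -i/-o targets must be %i, the tunnel itself, or a real NIC.
    for hook in ("PostUp", "PostDown"):
        for iface in re.findall(r"-[io]\s+(\S+)", s_if.get(hook, "")):
            if iface not in ("%i", wg_name, *host_ifaces):
                problems.append(f"{hook} refers to unknown interface {iface}")
    return problems

# Constructed sample pair (placeholder keys) carrying two mistakes: wrong port, address outside AllowedIPs.
SERVER = ("[Interface]\nAddress = 10.0.0.1/24\nListenPort = 51830\nPrivateKey = <k>\n"
          "PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n"
          "[Peer]\nPublicKey = <k>\nAllowedIPs = 10.0.0.2/32\n")
CLIENT = ("[Interface]\nPrivateKey = <k>\nAddress = 10.0.0.3/32\nDNS = 1.1.1.1\n"
          "[Peer]\nPublicKey = <k>\nEndpoint = 203.0.113.10:51820\nAllowedIPs = 0.0.0.0/0\n")

if __name__ == "__main__":
    for p in check_pair(SERVER, CLIENT, "wg0", ["eth0", "lo"]):
        print("PROBLEM:", p)
```

Pass the real wg0.conf and client file contents plus the output of ifconfig -a to check_pair to run the same checks on your own setup.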

I set up the client on macOS. The WireGuard app can be downloaded from the App Store. The app does work in the end, but it is not verbose about errors. Even with broken configs it connects and lights up green; what did appear were the lines: data received, data sent, last handshake. Example screenshot with wireguard running successfully:

Example screenshot with wireguard running successfully

Finally, speed measurements over Wi-Fi:

Via wireguard

Without wireguard
