11
submitted 1 year ago* (last edited 1 year ago) by clmbmb@lemmy.dbzer0.com to c/selfhosted@lemmy.world

I've used wireguard for a pretty long time on my server and the phone as a client. I've had the same configuration for at least 4-5 years and never had issues. Last week I moved to using pihole in a container with a macvlan interface, so it has a different IP address than my physical server. Then I went and changed the DNS server IP on the wireguard config on the phone. When I reconnected I see I can't connect to any local IP address like I used to and I can't figure out why.

The local LAN is 10.11.12.0/24, the VPN is on 10.11.13.0/24.

Here's the server wireguard config:

[Interface]
Address = 10.11.13.1
ListenPort = 11194
PrivateKey = ...

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

[Peer]
# Galaxy S20+
PublicKey = U59JZqVbk2eFxTb7tteyu0WHlMTZsk68E7CF7v2AX2U=
AllowedIPs = 10.11.13.5/32

[Peer]
# narwhal - T480 job
PublicKey = Ja9OL13IoZA17GJq0/LbwizB9s2dRQLHHgW2C4TcFyY=
AllowedIPs = 10.11.13.7/32

And here's the phone's wireguard config:

Address = 10.11.13.5/24
DNS = 10.11.12.55
PrivateKey = ....

[Peer]
AllowedIPs = 10.11.0.0/16
Endpoint = my_dyndns_hostname:11194
PublicKey = 6aF1cJhH9oeQWr9LYOpH3wk+lN4k9/tSiAqV6LkUQ1Y=

I am able to connect and can ping 10.11.12.77, the IP address of the server, but nothing else. I have two RPis running as mpd servers and I used to be able to connect to them too, but not anymore. Their IP addresses are 10.11.12.105 and .106.

Also, before the dns change I was able (of course!) to use the local DNS I set up on the pihole, but now I'm not able to connect to the new DNS (.55) so I can't get any local address to resolve.

I'm looking for some hints on what I'm doing wrong. Please help.

you are viewing a single comment's thread
view the rest of the comments
[-] BitPirate@feddit.de 1 points 1 year ago

You only need the masquerade rule.

iptables -t nat -A POSTROUTING -s 10.11.13.0/24  -o enp3s0 -j MASQUERADE
[-] clmbmb@lemmy.dbzer0.com 0 points 1 year ago
[-] BitPirate@feddit.de 1 points 1 year ago

Did you enable forwarding via sysctl?

sysctl net.ipv4.ip_forward

This should report 1

[-] clmbmb@lemmy.dbzer0.com 0 points 1 year ago

Yes. That was one of the first checks I did.

this post was submitted on 16 Aug 2023
11 points (86.7% liked)

Selfhosted

39677 readers
456 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS