Wireguard VPN Connection Issues with EOS

Hello everyone,
I’ve recently set up a PiVPN using Wireguard, and generated profiles for my family’s phones. Everything worked without an issue, everyone can reach all services and the internet. Now, I wanted to add the VPN to my two EOS machines, so I created new profiles for them - but they don’t work. I cannot reach internal or external services correctly. I did sudo systemctl stop firewalld.service as a test, but it didn’t help either.
And here is the weird part: I can reach all services, I can ping them:

$ ping pontus
PING pontus (192.168.178.3) 56(84) bytes of data.
64 bytes from pontus.fritz.box (192.168.178.3): icmp_seq=1 ttl=63 time=15.9 ms
64 bytes from pontus.fritz.box (192.168.178.3): icmp_seq=2 ttl=63 time=15.8 ms

and external services too:

ping google.com
PING google.com (142.250.181.238) 56(84) bytes of data.
64 bytes from fra16s56-in-f14.1e100.net (142.250.181.238): icmp_seq=1 ttl=118 time=26.5 ms
64 bytes from fra16s56-in-f14.1e100.net (142.250.181.238): icmp_seq=2 ttl=118 time=26.2 ms

But for everything else, the internet connection is just too…, slow? I am unsure what is going on. I cannot ssh pontus (no output) or visit webservices hosted on pontus, the browser times out. Here is some troubleshooting output that might help you (all with VPN enabled):

$ ip route
default via 192.168.1.1 dev enp34s0 proto dhcp src 192.168.1.107 metric 100
10.186.15.0/24 dev zuhause proto kernel scope link src 10.186.15.6 metric 50 // The VPN
192.168.1.0/24 dev enp34s0 proto kernel scope link src 192.168.1.107 metric 100

$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.178.1 // The VPN DNS server (Fritzbox)
nameserver 192.168.1.1
nameserver fe80::1%enp34s0

$ nslookup pontus
Server: 192.168.178.1
Address: 192.168.178.1#53

Name: pontus
Address: 192.168.178.3

cat zuhause.conf
[Interface]
PrivateKey = redacted
Address = 10.186.15.6/24,fd11:5ee:bad:c0de::aba:f06/64
DNS = 192.168.178.1

[Peer]
PublicKey = redacted
PresharedKey = redacted
Endpoint = DNS of target network:51820
AllowedIPs = 0.0.0.0/0, ::0/0

Once again, please keep in mind, that all phones connect and load without an issue. Your help is greatly appreciated, thanks a lot!
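A routing sanity check for the posted profile, added here as an example and not part of the original post: it parses a single-peer wg-quick config and verifies that the DNS server and the remote hosts fall inside AllowedIPs (so they are actually sent through the tunnel) and that the remote LAN and tunnel range do not collide with the local LAN. The config text is the poster’s with keys and endpoint replaced by placeholders; the remote and local LAN prefixes are taken from the ip route and nslookup output above.

```python
import configparser
import ipaddress
# Constructed sample: the client profile from the thread, with the keys and the
# endpoint host replaced by placeholders (none of these values are real).
SAMPLE_CONF = """\
[Interface]
PrivateKey = REDACTED
Address = 10.186.15.6/24,fd11:5ee:bad:c0de::aba:f06/64
DNS = 192.168.178.1
[Peer]
PublicKey = REDACTED
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""
_split = lambda value: [v.strip() for v in value.split(",") if v.strip()]

def parse_wg_conf(text):
    """Parse a single-peer wg-quick profile (DNS entries assumed to be IPs)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    return {
        "address": [ipaddress.ip_interface(a) for a in _split(iface["Address"])],
        "dns": [ipaddress.ip_address(d) for d in _split(iface.get("DNS", ""))],
        "allowed": [ipaddress.ip_network(n, strict=False) for n in _split(peer["AllowedIPs"])],
    }

def routed_via_tunnel(conf, host):
    """True if AllowedIPs makes wg-quick send traffic for this host into the tunnel."""
    return any(ipaddress.ip_address(host) in net for net in conf["allowed"])

def check_profile(text, remote_lan, local_lan, targets):
    """Return findings as strings; an empty list means the profile is consistent."""
    conf = parse_wg_conf(text)
    findings = []
    for dns in conf["dns"]:
        if not routed_via_tunnel(conf, dns):
            findings.append(f"DNS {dns} is outside AllowedIPs; queries bypass the tunnel")
    for host in targets:
        if not routed_via_tunnel(conf, host):
            findings.append(f"target {host} is outside AllowedIPs; unreachable via tunnel")
    remote, local = ipaddress.ip_network(remote_lan), ipaddress.ip_network(local_lan)
    if local.overlaps(remote):
        findings.append(f"local LAN {local} overlaps remote LAN {remote}; routing is ambiguous")
    for addr in conf["address"]:
        if local.overlaps(addr.network):
            findings.append(f"tunnel address {addr} overlaps local LAN {local}")
    return findings
```

Run with `check_profile(SAMPLE_CONF, "192.168.178.0/24", "192.168.1.0/24", ["192.168.178.3"])`; the posted profile produces no findings, which is consistent with the thread’s observation that routing and DNS resolve correctly and the fault lies elsewhere.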

Are your phones Android or Apple? Does your VPN service start without error? Are you sure your DNS is reachable for all clients?

1 Like

Android phones using the Wireguard App.
No errors on VPN startup.
Yes, the DNS is reachable for all clients. I checked if I can resolve dns (internal and external) using nslookup and that works reliably.

On another note, how can I enable proper logging for wireguard? The internet recommends sudo echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control, however sudo seems not allowed to access the directory?

$ sudo echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
bash: /sys/kernel/debug/dynamic_debug/control: Permission denied

sudo escalates user rights for the echo command, not for the pipe receiving part.

1 Like

your route to pontus seems to go via fritzbox, and it has obviously no routing path between those networks.

1 Like

Not sure about that, or if so, if it is a problem. I can still ping pontus.

$ traceroute pontus
traceroute to pontus (192.168.178.3), 30 hops max, 60 byte packets
1 10.186.15.1 (10.186.15.1) 14.058 ms 14.234 ms 14.242 ms
2 pontus.fritz.box (192.168.178.3) 14.911 ms !X 15.124 ms !X 15.089 ms !X

Ah and also ssh -v pontus shows that the handshake happens successfully, but afterwards, nothing happens anymore. But pontus seems to be able to kinda reach my PC. Just… very very slow? Is that a possible thing? So slow that everything times out?

!X shows that you have a firewall in the path to pontus that prohibits connection.

1 Like

Hm. But why? And where? Does it need to be a firewall or could it be something different too? I turned off every firewall I could find. And also, my phone connects from the same network using the same VPN correctly. Why? I don’t know how to continue anymore.

It could also be the application itself. For example, you may configure a web server to respond not to 0.0.0.0 but limit the response to a specific subnet. I am still not clear about your setup. Are you trying to run the VPN within your local LAN? What do you mean by reach my pc but slow? What is the metric here? If you ping your pc from pontus, does the ping show latency or packet loss?

1 Like

The webserver responds to everyone and I can’t ssh into it either, so that should not be the problem. In addition, my phone can access everything using the VPN, just my Linux machines cannot.
My setup:
A server sitting at my parents’. My family is happy having the server in the local network, but I moved out to study and would like to still have access, obviously. I decided on a VPN. The VPN runs on a Raspberry Pi (PiVpn) which also runs Pi-hole. Pi-hole DNS is correctly configured for the local network. Their network is connected to the internet via an AVM router. I’m sitting in my apartment with a TP-Link router.

Since my phone works fine I suspect a Linux configuration on my PC and Laptop to be the problem.

Thank you for your continued effort in helping me out!

I used iperf and had 40 kbit/s if I remember correctly. I can access pontus (the server) and the Pi using Tailscale but would like to have a VPN connection too.

That is puzzling. You say you run pivpn + pihole, but in which of your networks?
According to the resolv.conf you posted earlier, that Pi DNS is not used at all; you obviously use the AVM router DNS. In order to get your clients to utilize your separate DNS you need to configure your DHCP to distribute the DNS setting to the clients, or how does that work?
How exactly do you connect your phone, is that hooked to your remote LAN via the TP-Link router to the internet or via SIM card/G3,G4,G5?

1 Like

Sorry, I should have mentioned that: the Pihole is used by the AVM router as DNS server, as it allows dynamic IP addresses inside the network for all devices and using their hostname as DNS. It’s a handy solution I put into place two years ago. The Pihole is blocking reliably and the AVM router is only allowed to query the Pihole for DNS, so nothing circumvents the block.

I was with the family today and we decided to use Tailscale, which works flawlessly. Thank you a lot for your help, but in the end I gave up I guess :man_shrugging: Thank you, even though you were the only one, you tried helping me over many days and tried understanding me and my setup. I really appreciate it. Sorry that I couldn’t get it to work.

1 Like