[SOLVED] Wireguard is working differently on Linux compared to Android
from xavier666@lemmy.umucat.day to selfhosted@lemmy.world on 30 Apr 05:42
https://lemmy.umucat.day/post/1054239

Dear selfhosted community,

I have recently set up Wireguard (WG) and I am encountering some weird behaviour, which I assume is due to my lack of understanding. I'll describe my current network setup, the devices I'm using in this setup, the issues that I'm facing, and finally my requirements from the WG installation. This might be slightly wrong but I intend to give as much information as possible.

Network setup

I am attempting to use WG from multiple locations. I am using the wg-easy docker image with OOTB settings.

Devices & Services

For the sake of this example, I have two devices from which I use WG: an Android phone and a Linux laptop.

I have a couple of self-hosted services at L0 which I access using local DNS entries. So if my devices can connect to my DNS server, I can access my local services (jellyfin.server.lan).

All my WG profiles use full-tunneling, i.e., all traffic is sent to my WG server.

Interesting scenarios

Case 1

When I use WG via L1 (both the phone and my laptop), everything works fine. It always reports ISP A which is correct.

Case 2A

When I connect to WG from my phone, everything works fine.

Case 2B

When I go to L2 and use my laptop + WG, the result is mixed. I can use the internet via WG but I cannot access my local services. I observed that I cannot even ping my devices even though I can use the internet. I verified this by checking ifconfig.io and I could see ISP A.

Case 2C

I tried being a bit creative and manually added a route on my laptop:

sudo ip route add 192.168.30.0/24 dev laz-wg

Once I did this, I could ping my devices at L0. But the strange thing is I cannot use my local DNS entries; only direct IP connections were working which indicates my DNS queries were answered by someone else.

Case 3

Another funny observation; if I use my phone at L2 but I use the hotspot facility, i.e., I repeat the signal of my friend’s WiFi, and connect my laptop to it AND THEN turn on WG on my laptop, everything works fine (Internet and local DNS entries). I double checked using ifconfig.io and it’s reporting ISP A.

Note: I turned off mobile data on my phone before trying the repeater mode, so ISP B is not in the picture in this example.

Case 4 (Repeat of Case 1)

I used another WG profile on my friend's Amazon Firestick (at L2) and I could access my Jellyfin server from it.

In summary

  1. Case 1 => Laptop @ any location + WG + phone hotspot via ISP B = Working
  2. Case 3 => Laptop @ L2 + WG + phone hotspot via ISP C = Working
  3. Case 2A => Phone @ L2 + WG via ISP C = Working
  4. Case 2B => Laptop @ L2 + WG via ISP C = Only internet working, self-hosted services at L0 not reachable
  5. Case 4 => Amazon Firestick + WG via ISP C = Working

So what do I want?

First of all, why this discrepancy between Android and Linux?

I want a WG setup where, if I share a WG profile with anyone, I expect:

  1. The user does not have to tinker with the setup
  2. Local DNS entries should work OOTB
  3. Should work the same on Windows/Android/Linux

I am prepared to configure everything server side but with minimal change on the client-side. So what is wrong and what should I do to fix it?

Edit: I fixed the numbering with the Case numbers.

#selfhosted


kuroshido@ani.social on 30 Apr 06:18

I am by no means an advanced user when it comes to this kind of stuff but just mentioning Tailscale as an option if it fits your use case. It effectively gives you site to site tunneling with the option of zero trust controls, and is extremely simple to configure to work in what I believe is your intended use case.

I’d give it a read through and see if it works for you.

eksb@programming.dev on 30 Apr 06:37

Are you sure L2 is 192.168.1.0/24 and not something larger that includes 192.168.30.0, e.g.: 192.168.0.0/16?

What does ip route show before and after connecting to WG?

Are you testing DNS via dig @<nameserver>? or just with ping? Are you running systemd-resolved?

xavier666@lemmy.umucat.day on 30 Apr 07:10

Are you sure L2 is 192.168.1.0/24 and not something larger that includes 192.168.30.0, e.g.: 192.168.0.0/16?

Bro/Mam/Sir! Bravo!

You absolutely fixed it in one line. My friend stupidly set the netmask as /16 even though he doesn’t need such a large IP pool. I changed it and now WG is working.

There is only one issue remaining, which is that my local DNS queries are not being answered on my laptop (on phone + WG, it's working). But it's working when I direct my dig queries.

dig server.lan = not working

dig @dns.lan server.lan = working

But ping dns.lan is working. I suspect my DNS IP has not properly percolated to my laptop.

Thanks a lot!!
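The overlap eksb spotted and the /16 confirmed above can be reproduced with a small route-selection model. This is an added example, not code from the thread: it mimics wg-quick's full-tunnel policy routing (the main table is consulted first with `suppress_prefixlength 0`, so any LAN route more specific than /0 wins over the tunnel's 0.0.0.0/0) and shows why a /16 guest LAN captures the 192.168.30.0/24 services while a /24 does not. The host addresses and interface names are constructed for the example.

```python
"""Model of wg-quick full-tunnel route selection (added example, not from the thread).

wg-quick installs 0.0.0.0/0 in its own routing table and adds the rule
'from all lookup main suppress_prefixlength 0', so the client first checks
the main table and uses any match more specific than /0 (e.g. the local LAN)
before falling back to the tunnel.  This is why an over-wide guest LAN
silently swallows traffic for a remote /24 behind the tunnel.
"""
import ipaddress

TUNNEL_DEV = "wg0"              # assumed name; the OP's interface was laz-wg
REMOTE_LAN = "192.168.30.0/24"  # L0, where the self-hosted services live
JELLYFIN = "192.168.30.10"      # constructed address for jellyfin.server.lan
DNS_SERVER = "192.168.30.2"     # constructed address for dns.lan
INTERNET = "1.1.1.1"            # any public address


def route_lookup(dst, main_routes, tunnel_dev=TUNNEL_DEV):
    """Longest-prefix match over the main table; a bare 0.0.0.0/0 is
    suppressed, so only a more specific route beats the tunnel."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in main_routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > 0 and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else tunnel_dev


def overlapping(lan_prefix, remote_prefixes):
    """Remote subnets that the local LAN prefix would capture."""
    lan = ipaddress.ip_network(lan_prefix)
    return [p for p in remote_prefixes if ipaddress.ip_network(p).overlaps(lan)]


def laptop_at_l2(lan_prefix, extra_routes=()):
    """Egress interface per destination for a laptop on a guest LAN
    with the given prefix; extra_routes models manual 'ip route add'."""
    main = [(lan_prefix, "wlan0"), *extra_routes]
    return {h: route_lookup(h, main) for h in (JELLYFIN, DNS_SERVER, INTERNET)}


if __name__ == "__main__":
    print("/16 guest LAN :", laptop_at_l2("192.168.0.0/16"))
    print("/24 guest LAN :", laptop_at_l2("192.168.1.0/24"))
    print("/16 + manual  :", laptop_at_l2("192.168.0.0/16", [(REMOTE_LAN, TUNNEL_DEV)]))
    print("overlap check :", overlapping("192.168.0.0/16", [REMOTE_LAN]))
```

With the /16 LAN, internet traffic still leaves via the tunnel (hence ISP A on ifconfig.io) while the L0 hosts are sent to wlan0 and never arrive; the manual /24 route from Case 2C and the friend's netmask change both remove the overlap.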

spaghettiwestern@sh.itjust.works on 30 Apr 06:16

I’m not clear about your setups at all sites. In the details for case 4 there’s a Firestick (customized Android) connected to WG but in your summary there’s a laptop in case 4 and the Firestick isn’t mentioned.

I suspect at least part of the problem is that Android does not tunnel hotspot client traffic. It provides Internet but not WG connectivity. Only the phone’s apps will be able to connect through the WG tunnel.

xavier666@lemmy.umucat.day on 30 Apr 06:40

I’m terribly sorry. I have fixed the case numbers with the item numbers.

I suspect at least part of the problem is that Android does not tunnel hotspot client traffic.

On Android, it works fine in all scenarios. The Linux laptop is causing issues. I checked another case (Case 5). If the client is Windows, everything works fine. I'll try to replicate this on another Linux machine and check.

WG running on the Firestick:

I had to search a lot but I found a client which works on the first gen Firestick. Check airvpn.org. They still release a compatible WG client on the ancient android/Amazon device.

spaghettiwestern@sh.itjust.works on 30 Apr 06:57

What are the tunnel subnets? Are you using a reverse proxy to access local devices, or DNS rewrites?

I’d start by looking for subnet overlap somewhere.