I just finished setting up my Wireguard VPN “server”. In this post I want to spread some information, I could’ve found useful but which didn’t come up in most of the Wireguard tutorials.
If you aren’t interested in VPN or self hosting, this post is not for you. If you haven’t gotten around yet to try it out, I can only recommend doing it. Feels great being able to “phone home” from all over the world.
Alright, tricks and tips:
tcpdump
Wireguard will definitely not work first try. As Wireguard is a silent protocol, you won’t see too many error messages. Dropped packets are how you know that something’s off. tcpdump
is a great command line tool, that, despite it’s name, can also dump the precious UDP Wireguard packets. The tool will make you see how far your wireguard connection gets before the packets are dropped. Great for running on “server” and on clients.
ping
A classic tool. Helped me debugging some issues with DNS and Maximum Transfer Unit (MTU) size.
AllowedIPs
In a classic server-client situation, your clients should have AllowedIPs set to 0.0.0.0/0, ::/0
in their repecive configuration file. I found this pretty counterintuitive, but that seemingly is how it works.
IP Forwarding in sysctl
This one was by far the nastiest one to find out. Mainly because I’m not a linux or Debian expert. You need to tell sysctl to forward IP traffic, which ususally tutorials around the web will tell you to do like this: sysctl -w net.ipv4.ip_forward=1; sysctl -w net.ipv6.conf.all.forwarding=1
. What I foolishly assumed, that this write operation was permanent. It’s not. You need to edit /etc/sysctl.conf
for making it permanent. Else, after a reboot you won’t be able to connect to the internet. This took me a good amount of reconfigurations from scratch before I eventually found out these vars will reset on boot.
–
Maybe this helps some of you fellow Lemmings. If I stumble across further tips and tricks, I might update this post in the future. For now though, I think I’m done with my setup (philosophical question: are you ever done with setting up things?).
The “allowed host” on the client side is to put the networks in you would like to route to. If you want to use the VPN tunnel for your default route it’s when you use the 0.0.0.0/0
Yeah, if you’re just trying to reach your home devices and the other devices on the vpn you should specify both of those subnets.