[Solved] Wireguard blocks ssh/smb :(
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-22-04
This was manually solved, I didn't check any other comment till the issue was fixed.
Take a look at my comment.
Thank you all for helping!
Hello.
I have wireguard set but the second it runs, services like ssh (22) and smb (455/445?) stop working.
nmap thinks my system is down.
Here is my config, I followed debian's guide since my server is Deb12:
[Interface]
Address = 192.168.1.120/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp1s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp1s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = XXX
[Peer]
PublicKey = xxx
AllowedIPs = 192.168.1.230/32
Endpoint = 192.168.1.230:50104
No extra config was made.
Hey, you just shared your private key to the world. You should remove it from your example and immediately rotate it.
Second this
What the hell, and third
Solved:
IP table:
Server: 192.168.1.120 / wg0: 10.0.0.1
Client: 192.168.1.230 / wg0: 10.0.0.2
Server:
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o wlp1s0 -j MASQUERADE
PostUp = ip rule add table 200 from 192.168.1.230
PostUp = ip route add table 200 default via 192.168.1.1
PreDown = iptables -t nat -D POSTROUTING -o wlp1s0 -j MASQUERADE
PreDown = ip rule delete table 200 from 192.168.1.230
PreDown = ip route delete table 200 default via 192.168.1.1
ListenPort = 51820
PrivateKey = XXX
[Peer]
PublicKey = yyy
AllowedIPs = 0.0.0.0/0
Client:
[Interface]
Address = 10.0.0.2/24
PrivateKey = YYY
[Peer]
AllowedIPs = 10.0.0.0/24
Endpoint = 192.168.1.120:51820
PublicKey = xxx
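The difference between the broken and the solved configs above comes down to addressing: the original tunnel Address (192.168.1.120/24) and the peer's Endpoint (192.168.1.230) sat in the same subnet as the LAN, and AllowedIPs (192.168.1.230/32) even covered the Endpoint itself, so wg-quick installed routes that sent LAN and handshake traffic into wg0. The following Python checker is an added example, not code from the thread or from any poster: it parses a wg-quick file and flags exactly those two overlaps. The sample configs are constructed from the posted ones with the keys replaced by placeholders; the function names are my own.

```python
"""Lint a wg-quick config for address overlaps that break LAN access."""
import ipaddress
from collections import defaultdict

# Constructed sample: the original poster's server config, keys replaced
# by placeholders. Address and Endpoint share 192.168.1.0/24 with the LAN.
BROKEN_CONF = """
[Interface]
Address = 192.168.1.120/24
SaveConfig = true
ListenPort = 51820
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 192.168.1.230/32
Endpoint = 192.168.1.230:50104
"""

# Constructed sample: the client side of the solved configuration.
FIXED_CONF = """
[Interface]
Address = 10.0.0.2/24
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
AllowedIPs = 10.0.0.0/24
Endpoint = 192.168.1.120:51820
PublicKey = PLACEHOLDER_PUBLIC_KEY
"""


def parse_wg_conf(text):
    """Parse wg-quick INI text into (interface_dict, [peer_dict, ...]).

    Keys may repeat (several PostUp lines) and Address/AllowedIPs may be
    comma-separated, so every value is stored as a list of strings.
    """
    interface, peers, current = defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = defaultdict(list)
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key].extend(v.strip() for v in value.split(","))
    return interface, peers


def endpoint_host(endpoint):
    """Return the IP of an Endpoint value ('host:port'), or None for a hostname."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")  # handles [v6]:port too
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def check_wg_conf(text):
    """Return a list of findings; an empty list means no overlap was found."""
    interface, peers = parse_wg_conf(text)
    tunnel_nets = [ipaddress.ip_network(a, strict=False) for a in interface["Address"]]
    findings = []
    for idx, peer in enumerate(peers, 1):
        for ep in peer["Endpoint"]:
            host = endpoint_host(ep)
            if host is None:
                continue
            # 1. Tunnel address in the same subnet as the peer's real address:
            #    the wg0 route competes with the LAN route for that subnet.
            for net in tunnel_nets:
                if host in net:
                    findings.append(f"peer {idx}: Endpoint {host} lies inside tunnel "
                                    f"Address {net}; pick a tunnel subnet that does not overlap the LAN")
            # 2. AllowedIPs covering the Endpoint (other than a 0.0.0.0/0 default,
            #    which wg-quick handles with policy routing): handshake packets to
            #    the peer would themselves be routed into the tunnel.
            for allowed in peer["AllowedIPs"]:
                anet = ipaddress.ip_network(allowed, strict=False)
                if anet.prefixlen != 0 and host in anet:
                    findings.append(f"peer {idx}: Endpoint {host} is covered by AllowedIPs "
                                    f"{allowed}; traffic to the peer would loop into the tunnel")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_wg_conf(conf) or ["ok"])
```

Running the script reports two findings for the original config and none for the solved one; the same checker can be pointed at a real file with `check_wg_conf(open("/etc/wireguard/wg0.conf").read())`.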
Why is this needed? I have the minimal config for both server and client, and smb and ssh both work without issue.
Would you mind sharing the config (without keys)?
This is my first time using WG.
Could be your routing rules? Here's what I use and it routes to anything inside my home network:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Just be sure to replace eth0 with the name of your adapter before you try it.
Edit:
Almost forgot, I've also enabled routing on my server as well; here are the steps I took to enable that:
To configure forwarding, open the /etc/sysctl.conf file on your Wireguard Server using nano or your preferred editor:
sudo nano /etc/sysctl.conf
If you are using IPv4 with WireGuard, add the following line at the bottom of the file:
net.ipv4.ip_forward=1
If you are using IPv6 with WireGuard, add this line at the bottom of the file:
net.ipv6.conf.all.forwarding=1
If you are using both IPv4 and IPv6, ensure that you include both lines. Save and close the file when you are finished.
To read the file and load the new values for your current terminal session, run:
sudo sysctl -p
Output:
net.ipv6.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
Now your WireGuard Server will be able to forward incoming traffic from the virtual VPN ethernet device to others on the server and its LAN (if the LAN subnet is included in the AllowedIPs in the Wireguard config).
Unfortunately that didn't work.
The WG server is also servicing SSH and SMB.
Are your services accessible through the wg interface on the server? Try with nmap -Pn -A -T4 -p CHANGEME_TO_SSH_OR_SMB IPADDR_OF_WG_NIC
I am not sure, but your AllowedIPs and Endpoint should be in a separate subdomain, right?
Perhaps your samba system isn't listening on your Wireguard IP?