[Problem] freetz client wireguard

keny (new user, member since 24 Oct 2021, 9 posts)
Hello, can someone help me with this? Sorry for the English, but I can't speak German, and only German people can help me ;(

Now I have something like this when I use:
ip route add 165.22.xxx.xxx/32 dev dsl   # keep the VPS reachable via the DSL uplink
ip route del default dev dsl             # drop the provider default route
ip route add default dev wg0             # send everything else into the tunnel
[image: aktualne.jpg (current state)]

Without using ip route I still have the provider IP on my Fritz, and I don't have internet on my PC, only access to the LAN, 192.168.188.xxx.

I want to get a connection like this:
[image: oczekiwane.jpg (expected state)]
Can someone help me with the configuration? I want to have the VPS IP on all my devices in the network and access from the VPN to 192.168.188.xxx.
ip route without WireGuard:
[image: iproute without wireguard.jpg]

ip route when connected to the WireGuard server:
[image: iproute with wireguard.jpg]
ip route when connected to the WireGuard server + modified ip routes:
[image: iproute with wireguard + ip route.jpg]
freetz client WireGuard:
[image: freetz client conf.jpg]
WireGuard DigitalOcean VPS server:
[image: wireguard server.jpg]

Please help; you can write in German, I'll translate it.
 
Why is 192.168.188.0 part of the list of allowed networks in the freetz client? This should be on the VPS.
Why does the freetz [Interface] section have no Address entry?
Is there a reason for the 0.0.0.0/1 and 128.0.0.0/1 entries? You already have 0.0.0.0/0 included.
Why does the VPS config have the same Endpoint entry as freetz? So its own local one? This makes absolutely no sense.
Why is 0.0.0.0/0 in the list of allowed networks on the VPS? A default route on both sides of a tunnel is dangerous. I hope you have an alternative way of logging in to your VPS without network. It is possible you disconnect your VPS from the internet if the tunnel becomes active.

My feeling is that you have absolutely no clue about WireGuard and its working principles. Maybe we can tune the configs so that they work as you expect. But this is dangerous when you don't understand what you are doing. Slight modifications may destroy the setup or, even more serious, cause massive security leaks.
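The checklist in the reply above, turned into code as an added example (not from the thread, freetz or the WireGuard project): a small parser for wg-style configs, WireGuard's cryptokey-routing lookup (which peer a destination is encrypted to is decided purely by AllowedIPs), and a lint pass over a client/server pair. The sample configs are constructed to mirror the criticised first-round setup; 203.0.113.10 stands in for the masked VPS address, the keys are elided, and the LAN behind the freetz box is passed in as a parameter. It also flags one thing the reply does not list: when a peer's Endpoint falls inside its own AllowedIPs (as with 0.0.0.0/0), a host route to the endpoint via the uplink must exist before the default route moves into the tunnel, which is what the `ip route add …/32 dev dsl` in the first post does by hand.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Section = Dict[str, List[str]]

# Constructed sample pair mirroring the criticised first-round configs; 203.0.113.10 stands in
# for the masked VPS address and the keys are elided. Not copied from the thread verbatim.
ROUND1_CLIENT = """[Interface]
PrivateKey = <key>
[Peer]
PublicKey = <key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, 0.0.0.0/1, 128.0.0.0/1, 192.168.188.0/24
"""
ROUND1_SERVER = """[Interface]
PrivateKey = <key>
Address = 10.6.0.1/24
ListenPort = 51820
[Peer]
PublicKey = <key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.6.0.2/32, 0.0.0.0/0
"""

def parse_wg(text: str) -> Tuple[Section, List[Section]]:
    """Minimal wg(8)-style INI parser: one [Interface], any number of [Peer]s, keys may repeat."""
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            peers.append(current := {})
        elif current is None or "=" not in line:
            raise ValueError(f"Line unrecognized: `{line}'")
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return interface, peers

def allowed_networks(peer: Section) -> list:
    """AllowedIPs may repeat and is comma-separated; normalise to ip_network objects."""
    return [ipaddress.ip_network(i.strip(), strict=False)
            for v in peer.get("allowedips", []) for i in v.split(",") if i.strip()]

def endpoint_host(peer: Section):
    """IP of the peer's Endpoint, or None if absent or a hostname (not resolvable offline)."""
    ep = peer.get("endpoint", [""])[0]
    try:
        return ipaddress.ip_address(ep[1:ep.index("]")] if ep.startswith("[") else ep.rsplit(":", 1)[0])
    except ValueError:
        return None

def peer_for(peers: List[Section], dst: str) -> Optional[int]:
    """Cryptokey routing: index of the peer whose AllowedIPs hold dst with the longest prefix.
    None means no peer owns dst, so WireGuard has no key to encrypt to for that destination."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best, best_len = idx, net.prefixlen
    return best

def lint(client_text: str, server_text: str, lan: str = "192.168.188.0/24") -> List[Tuple[str, str, str]]:
    """The checklist from the reply above, as (side, code, message) findings; `lan` is the client's LAN."""
    lan_net = ipaddress.ip_network(lan)
    c_if, c_peers = parse_wg(client_text)
    s_peers = parse_wg(server_text)[1]
    out = []
    if "address" not in c_if:
        out.append(("client", "NO_ADDRESS", "[Interface] has no Address"))
    default = {"client": False, "server": False}
    for side, peers in (("client", c_peers), ("server", s_peers)):
        for peer in peers:
            nets = allowed_networks(peer)
            default[side] |= any(n.prefixlen == 0 for n in nets)
            for a in nets:  # an entry wholly inside another entry of the same peer adds nothing
                if any(a is not b and a.version == b.version and a.subnet_of(b) for b in nets):
                    out.append((side, "REDUNDANT_ALLOWED_IP", f"{a} is already covered by another entry"))
            ep = endpoint_host(peer)
            if ep is not None and peer_for([peer], str(ep)) is not None:
                out.append((side, "ENDPOINT_INSIDE_ALLOWED", f"Endpoint {ep} lies inside AllowedIPs; keep a host route to it via the uplink"))
    if any(n.version == lan_net.version and n.overlaps(lan_net) and n.prefixlen >= lan_net.prefixlen
           for p in c_peers for n in allowed_networks(p)):
        out.append(("client", "LAN_ON_CLIENT", f"{lan_net} belongs in the VPS peer's AllowedIPs, not the client's"))
    if peer_for(s_peers, str(lan_net.network_address + 1)) is None:
        out.append(("server", "LAN_MISSING_ON_SERVER", f"no server peer owns {lan_net}; replies to it have no key"))
    dialed = {endpoint_host(p) for p in c_peers} - {None}
    if any(endpoint_host(p) in dialed for p in s_peers):
        out.append(("server", "SERVER_ENDPOINT_IS_OWN", "server peer Endpoint is the address the client dials, i.e. the VPS itself"))
    if default["client"] and default["server"]:
        out.append(("both", "DEFAULT_BOTH_SIDES", "0.0.0.0/0 on both peers; the VPS may cut itself off once the tunnel is up"))
    return out

if __name__ == "__main__":
    for side, code, msg in lint(ROUND1_CLIENT, ROUND1_SERVER):
        print(f"{side:6} {code:24} {msg}")
```

Running the module prints the findings for the constructed first-round pair. `lint()` can be fed real configs with the keys left as placeholders, since only Address, Endpoint and AllowedIPs are inspected; `peer_for()` answers the question the VPS-side `ping` later raises, namely whether any peer owns a given destination at all.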
 
I tried everything to find the problem; because of this, more addresses are in the configuration. It's not possible to add an Address to [Interface] on freetz, I added it in the configuration on the site.
 
OK, and what's happening now? And please paste the configs again.
 
freetz conf:
settings -> IPv4 address: 10.6.0.2/24
Code:
[Interface]
PrivateKey = <key>
# Address is not in this file; freetz takes the tunnel address (10.6.0.2/24) from its settings page

[Peer]
PublicKey = <key>
PresharedKey = <key>
Endpoint = 165.22.xxx.xxx:51820
# everything (IPv4 and IPv6) goes into the tunnel
AllowedIPs = 0.0.0.0/0, ::0/0

WireGuard server:
Code:
[Interface]
PrivateKey = <key>
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820

[Peer]
PublicKey = <key>
PresharedKey = <key>
# tunnel address of the freetz client plus the LAN behind it
AllowedIPs = 10.6.0.2/32, 192.168.188.0/24

The Fritz has the internet provider IP, devices in the network have internet, the Fritz can ping 10.6.0.1, the VPS can ping 10.6.0.2, but it can't ping 192.168.188.1.
When I use
Code:
ip route add 165.22.xxx.xxx/32 dev dsl   # host route to the VPS via the DSL uplink
ip route del default dev dsl             # remove the provider default route
ip route add default dev wg0             # default route into the tunnel
only the Fritz has internet access + the VPS IP; I can still SSH to 165.22.xxx.xxx from my PC despite the lack of internet, but I can't even ping 8.8.8.8. I can restore it by writing
Code:
ip route del default dev wg0   # default route out of the tunnel again
ip route add default dev dsl   # back to the provider default route
 
VPS can ping 10.6.0.2, but can't ping 192.168.188.1
Can you find out which source address the VPS is using when it pings 192.168.188.1? Maybe it is not 10.6.0.1, and then the freetz client does not know where to route the answer. Maybe you can use tcpdump on the VPS.
And please check the routes on the VPS: is there a subnet route for 192.168.188.0/24 pointing to wg0?

only the Fritz has internet access + the VPS IP; I can still SSH to 165.22.xxx.xxx from my PC despite the lack of internet, but can't even ping 8.8.8.8
The VPS has to do NAT for the 192.168.188.0/24 net. But first of all, access to 192.168.188.0/24 from the VPS has to work flawlessly.
 
Thanks for the quick reply.
The VPS is not using the WireGuard net to ping 192.168.188.1:
Code:
root@debian-01:~# tcpdump -i any host 192.168.188.1
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
14:42:00.487375 eth0  Out IP 165.22.xxx.xxx > 192.168.188.1: ICMP echo request, id 28415, seq 18, length 64
14:42:01.511348 eth0  Out IP 165.22.xxx.xxx > 192.168.188.1: ICMP echo request, id 28415, seq 19, length 64
14:42:02.535373 eth0  Out IP 165.22.xxx.xxx > 192.168.188.1: ICMP echo request, id 28415, seq 20, length 64
...
I added a route:
Code:
root@debian-01:~# ip route add 192.168.188.0/24 dev wg0
root@debian-01:~# ip route
default via 165.22.xxx.1 dev eth0 onlink
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.5
10.114.0.0/20 dev eth1 proto kernel scope link src 10.114.0.2
165.22.xxx.0/20 dev eth0 proto kernel scope link src 165.22.xxx.xxx
192.168.188.0/24 dev wg0 scope link
Now:
Code:
root@debian-01:~# tcpdump -i any host 192.168.188.1
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
14:46:50.996830 IP 10.6.0.1 > 192.168.188.1: ICMP echo request, id 8752, seq 1, length 64
14:46:50.996830 wg0   Out IP 10.6.0.1 > 192.168.188.1: ICMP echo request, id 8752, seq 1, length 64
14:46:51.997987 wg0   Out IP 10.6.0.1 > 192.168.188.1: ICMP echo request, id 8752, seq 2, length 64
14:46:51.997987 IP 10.6.0.1 > 192.168.188.1: ICMP echo request, id 8752, seq 2, length 64
14:46:52.999387 IP 10.6.0.1 > 192.168.188.1: ICMP echo request, id 8752, seq 3, length 64
14:46:52.999387 wg0   Out IP 10.6.0.1 > 192.168.188.1: ICMP echo request, id 8752, seq 3, length 64
...
and:
Code:
root@debian-01:~# ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.
From 10.6.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
...
 
[image: 1635088723146.png]
When I try to add the line:
Code:
Address=10.6.0.2/24
Code:
Line unrecognized: `Address=10.6.0.2/24'
Configuration parsing error
 
Is the key setup correct in all cases? Private, public and pre-shared keys on both sides? Maybe skip the pre-shared keys in a first step.
 
Still the same, the keys are correct. Do you have an idea how to set up routes so that other devices in the network use the VPS IP, not only the Fritz?
 
Do you have an idea how to set up routes so that other devices in the network use the VPS IP, not only the Fritz?
Sorry, I didn't get the question. What is the idea behind it? Do you want to use 10.19.0.0/16 or 10.114.0.0/20 IPs in your Fritz network? Don't do that. Never.

Was the network restarted on both sides after changing the configuration? Please type "wg" on the VPS and check whether the tunnel is active.
 
Code:
interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  allowed ips: 10.6.0.2/32, 192.168.188.0/24
I changed 0.0.0.0/0 to 0.0.0.0/1 in the freetz client WireGuard settings and the transfer counter starts counting:
Code:
interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  endpoint: 78.88.xxx.xxx:58740
  allowed ips: 10.6.0.2/32, 192.168.188.0/24
  latest handshake: 9 seconds ago
  transfer: 4.21 KiB received, 92 B sent
Now I can ping 192.168.188.1 from my VPS, but I don't have internet on the devices connected to the Fritz. I want to hide the IP of my devices on the network, and I want to be able to ping other devices from the VPN, for example for a reverse proxy without port forwarding on my router. My provider IP is 78.88.xxx.xxx, but I want to have the DigitalOcean VPS IP on all devices connected to my FritzBox.
 
Maybe you should remove private information from the wg output, e.g. addresses and keys.

for example for a reverse proxy without port forwarding on my router. My provider IP is 78.88.xxx.xxx, but I want to have the DigitalOcean VPS IP on all devices connected to my FritzBox.
But in the end this makes no difference. Maybe you can create a setup that uses the VPS IP for the internet connection of your Fritz clients, but this does not solve the NAT problem. So in the end you have to set up NAT and port forwarding etc. for your client devices, either in your router or in your VPS.
 
Hidden. The most important thing for me is to set up the VPS IP on all home devices to hide my IP when I use the internet, but if possible to do this additionally without exposing ports on my local router. Isn't "client -> cloudflare -> nginx proxy on vps -> wireguard tunnel -> home server" more secure than "client -> cloudflare -> unlocked port on fritz -> home server"?
 
Isn't "client -> cloudflare -> nginx proxy on vps -> wireguard tunnel -> home server" more secure than "client -> cloudflare -> unlocked port on fritz -> home server"?
It depends on the proxy and on the server which one is more secure. It's hard to estimate from outside.
 
Can you please show the output of
1. tcpdump -i wg0 on the FritzBox
2. tcpdump -i wg0 on the VPS
while you execute ping <internal IP of VPS> on the FritzBox?
 