
WireGuard

User_1RRR1
User_1RRR1 Member Posts: 1 Green Ribbon

Hello friends!

Who has tried using Oracle Cloud as a WireGuard server?

I have some trouble with the settings. I tried using Ubuntu and Oracle Linux, configured manually and automatically with a script, but it doesn't work. I think the problem is in the network settings.

Who knows what to pay attention to?

Comments

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,785 Employee

    Your source port range needs to be All, with the destination port set to whatever WireGuard is listening to. The client can connect from any port.

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,785 Employee

    And you don't need ICMP echo support for this, but you may have it for something else.

  • User_1RRR1
    User_1RRR1 Member Posts: 1 Green Ribbon

    thank you!

    Now the connection works, but I don't have access to the internet...

    In the file wg0.conf I use the following configuration:

    PostUp = iptables -A FORWARD -i %i -j ACCEPT;
    PostDown = iptables -D FORWARD -i %i -j ACCEPT;
    

    In the file /etc/sysctl.conf I wrote:

    kernel.unknown_nmi_panic = 1
    net.ipv4.ip_forward = 1
    net.ipv6.conf.default.forwarding = 1
    net.ipv6.conf.all.forwarding = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.proxy_arp = 0
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.all.send_redirects = 0
    

    Could that be the problem?

    Did I make a mistake somewhere? Or do I need to change something in the VCN?

    PS: now I am trying it on Oracle Linux 8.

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,785 Employee

    You don't need to change the VCN, but you do need to change your wg0.conf to enable masquerading:

    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
    

    You'll need to double-check your NIC name and replace ens3 if necessary.

    For sysctl, I recommend creating /etc/sysctl.d/99-wireguard.conf with the following content:

    ## Turn on bbr ##
    net.core.default_qdisc = fq
    net.ipv4.tcp_congestion_control = bbr
    
    ## for IPv4 ##
    net.ipv4.ip_forward = 1
    
    ## Turn on basic protection/security ##
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.tcp_syncookies = 1
    
  • User_1RRR1
    User_1RRR1 Member Posts: 1 Green Ribbon

    No, it didn't help. And yes, I am sure about the NIC name:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
    2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
       link/ether 02:00:17:00:13:aa brd ff:ff:ff:ff:ff:ff
       inet 10.0.0.3/24 brd 10.0.0.255 scope global dynamic ens3
          valid_lft 57685sec preferred_lft 57685sec
       inet6 fe80::17ff:fe00:13aa/64 scope link noprefixroute
          valid_lft forever preferred_lft forever
    3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8920 qdisc noqueue state UNKNOWN group default qlen 1000
       link/none
       inet 172.0.0.3/24 scope global wg0
          valid_lft forever preferred_lft forever
       inet6 fd42:42:42::1/64 scope global
          valid_lft forever preferred_lft forever
    
  • User_1RRR1
    User_1RRR1 Member Posts: 1 Green Ribbon

    Avi, what do you think: is it a good idea if I create a file in /etc/sysconfig/network-scripts, for example ifcfg-wg0, with the parameters:

    NAME="wg0"
    DEVICE="wg0"
    ONBOOT=yes
    NETBOOT=yes
    IPADDR=172.0.0.3
    NETMASK=255.255.255.0
    NETWORK=172.0.0.0
    BOOTPROTO=dhcp
    TYPE=Ethernet
    


  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,785 Employee

    You do not need that file (and in fact, it's not correct). The wg0 interface is created when the [email protected] service starts.

    What is the output of systemctl status [email protected] on that machine?

  • User_1RRR1
    User_1RRR1 Member Posts: 1 Green Ribbon
    [email protected] - WireGuard via wg-quick(8) for wg0
      Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled; vendor preset: disabled)
      Active: active (exited) since Mon 2021-03-15 14:35:38 GMT; 3h 56min ago
        Docs: man:wg-quick(8)
              man:wg(8)
               https://www.wireguard.com/
               https://www.wireguard.com/quickstart/
               https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
               https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
     Main PID: 1938 (code=exited, status=0/SUCCESS)
       Tasks: 0 (limit: 3988)
      Memory: 0B
      CGroup: /system.slice/system-wg\x2dquick.slice/[email protected]
    
    Mar 15 14:35:31 instance-20210307-1750 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
    Mar 15 14:35:32 instance-20210307-1750 wg-quick[1938]: [#] ip link add wg0 type wireguard
    Mar 15 14:35:33 instance-20210307-1750 wg-quick[1938]: [#] wg setconf wg0 /dev/fd/63
    Mar 15 14:35:33 instance-20210307-1750 wg-quick[1938]: [#] ip -4 address add 172.0.0.3/24 dev wg0
    Mar 15 14:35:33 instance-20210307-1750 wg-quick[1938]: [#] ip -6 address add fd42:42:42::1/64 dev wg0
    Mar 15 14:35:34 instance-20210307-1750 wg-quick[1938]: [#] ip link set mtu 8920 up dev wg0
    Mar 15 14:35:35 instance-20210307-1750 wg-quick[1938]: [#] ip -4 route add 10.0.0.4/32 dev wg0
    Mar 15 14:35:35 instance-20210307-1750 wg-quick[1938]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
    Mar 15 14:35:38 instance-20210307-1750 systemd[1]: Started WireGuard via wg-quick(8) for wg0.
    


  • andreas.dijkman
    andreas.dijkman Member Posts: 62 Bronze Badge

    @User_1RRR1 Do you have firewalld running on your Oracle-Linux-box? You can check with systemctl status firewalld. I had trouble in the past where I mixed iptables and firewalld and those two don't mix.

  • User_1RRR1
    User_1RRR1 Member Posts: 1 Green Ribbon

    @andreas.dijkman

    [[email protected] opc]# systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
      Active: active (running) since Mon 2021-03-15 18:37:20 GMT; 38min ago
        Docs: man:firewalld(1)
     Main PID: 1311 (firewalld)
       Tasks: 2 (limit: 3988)
      Memory: 29.1M
      CGroup: /system.slice/firewalld.service
              └─1311 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
    
    Mar 15 18:37:13 instance-20210307-1750 systemd[1]: Starting firewalld - dynamic firewall daemon...
    Mar 15 18:37:20 instance-20210307-1750 systemd[1]: Started firewalld - dynamic firewall daemon.
    Mar 15 18:37:21 instance-20210307-1750 firewalld[1311]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a futur
    
  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,785 Employee

    Good catch, @andreas.dijkman. I added masquerading to my public zone too:

    $ firewall-cmd --permanent --zone=public --add-service=wireguard
    success
    $ firewall-cmd --permanent --zone=public --add-masquerade
    success
    $ firewall-cmd --reload
    success
    
  • andreas.dijkman
    andreas.dijkman Member Posts: 62 Bronze Badge

    They also suggest in this article to add the interface wg0 to the public zone:

    firewall-cmd --add-interface=wg0 --zone=internal
    firewall-cmd --zone=internal --add-masquerade
    

    It could be that you need to replace the current PostUp-iptables-command in wg0 with the above two or add --permanent to make it effective. But I don't know how firewalld is managing non-existing interfaces so adding --permanent might not be that permanent after all.

  • User_1RRR1
    User_1RRR1 Member Posts: 1 Green Ribbon

    Now it works!

    @Avi Miller-Oracle , @andreas.dijkman - thank you very much!!

  • andreas.dijkman
    andreas.dijkman Member Posts: 62 Bronze Badge
    edited March 16

    @User_1RRR1 Nice!!

    For reference, what did you change or add? I'm curious what exactly did the trick.

  • User_1RRR1
    User_1RRR1 Member Posts: 1 Green Ribbon

    @andreas.dijkman First I tried this; it didn't help ((

     122 firewall-cmd --permanent --zone=public --add-service=wireguard
     123 firewall-cmd --add-interface=wg0 --zone=internal
     124 firewall-cmd --zone=internal --add-masquerade
     125 firewall-cmd --reload
     126 reboot
    

    --add-service=wireguard: it's strange, but my system can't find service=wireguard.

    After the command from Avi:

     127 firewall-cmd --permanent --zone=public --add-masquerad
     128 firewall-cmd --reload
    

    That's all. I hope this helps you.
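The fix the thread converged on (masquerade out of the egress NIC, configured through firewalld when firewalld is the active firewall rather than through a competing iptables rule) as an added shell example; this is not code from any participant. It assumes the outputs of `ip -4 route show default`, `sysctl net.ipv4.ip_forward` and `systemctl is-active firewalld`; the sample strings are constructed to match the instance in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pick the egress NIC, check forwarding,
# and print the masquerade setup matching the firewall actually in use, so
# iptables and firewalld are not mixed on the same box.

# egress_nic: name of the interface carrying the default route.
#   egress_nic "$(ip -4 route show default)"
egress_nic() {
    printf '%s\n' "$1" |
        awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# forwarding_enabled: succeed when `sysctl net.ipv4.ip_forward` reports 1.
forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}

# masquerade_plan NIC STATE: print the commands that enable masquerading out
# of NIC. STATE is the output of `systemctl is-active firewalld`. When it is
# "active", the persistent firewall-cmd form (what resolved the thread) is
# printed; otherwise the iptables PostUp/PostDown lines for wg0.conf.
masquerade_plan() {
    nic=$1
    if [ "$2" = "active" ]; then
        printf '%s\n' \
            "firewall-cmd --permanent --zone=public --add-masquerade" \
            "firewall-cmd --reload"
    else
        printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$nic"
        printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$nic"
    fi
}

# Constructed samples standing in for live command output on the thread's box.
SAMPLE_ROUTE='default via 10.0.0.1 dev ens3 proto dhcp src 10.0.0.3 metric 100'
SAMPLE_FWD_ON='net.ipv4.ip_forward = 1'
SAMPLE_FWD_OFF='net.ipv4.ip_forward = 0'

# Live usage (root is needed only to run the commands the plan prints):
#   nic=$(egress_nic "$(ip -4 route show default)")
#   forwarding_enabled "$(sysctl net.ipv4.ip_forward)" || echo "set net.ipv4.ip_forward = 1"
#   masquerade_plan "$nic" "$(systemctl is-active firewalld)"
```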

  • andreas.dijkman
    andreas.dijkman Member Posts: 62 Bronze Badge