Wireguard VPN not working between Android and PiHole

Background

I am trying to connect devices to my home LAN via Wireguard, but am having trouble.

I have Pi-Hole set up and working fine on a Raspberry Pi with the latest OS and updates. The Pi also has Wireguard server installed on it.
I have an Android phone with wireguard installed, with the QR code config loaded in.
I appear to manage to do a handshake between phone and server, but nothing else will connect.

My setup:

  1. Vodafone HomeHub Router at 192.168.1.1 with a static public ip address (let's say 111.222.333.444)
  2. Pi-Hole running on a Raspberry Pi at 192.168.1.2
  3. Wireguard server installed on the same Raspberry Pi

This is the Router config:

  1. IPv4 Static Port Mapping with the following settings:
     Service   | Local IPv4 Address | Protocol | Local Port | Public Port
     wireguard | 192.168.1.2        | UDP      | 47111      | 47111
    
  2. DNS Server set to 192.168.1.2 (the address of the Pi)
  3. DHCPv4 Server turned off

This is the Pi-Hole config:

  1. DHCP server turned on with the following config:
    Range of IP addresses to hand out:
     From 192.168.1.100
     To 192.168.1.199
    
  2. DNS Settings:
     Allow only local requests turned on
     All other Advanced DNS settings turned off
    
  3. sysctl net.ipv4.ip_forward:
    net.ipv4.ip_forward = 1
    

This is the Wireguard Config:

  1. root@raspberrypi:~# cat /etc/wireguard/wg0.conf
     [Interface]
     Address = 10.100.0.1/24, fd08:4711::1/128
     ListenPort = 47111
     PrivateKey = [key]=

     # phone
     [Peer]
     PublicKey = [key]=
     PresharedKey = [key]=
     AllowedIPs = 10.100.0.2/32, fd08:4711::201/128

  2. root@raspberrypi:~# cat /etc/wireguard/phone.conf
     [Interface]
     Address = 10.100.0.2/32, fd08:4711::2/128
     DNS = 192.168.1.2
     PrivateKey = [key]=

     [Peer]
     PublicKey = [key]=
     PresharedKey = [key]=
     Endpoint = [public IP]:47111
     AllowedIPs = 0.0.0.0/0, ::/0
     PersistentKeepalive = 25

Expected Behaviour:

On Phone with and without wifi:

  • Navigating to 192.168.1.1 should connect
  • Navigating to bbc.co.uk should connect

Actual Behaviour:

On Phone with and without wifi:

  • Navigating to 192.168.1.1 does not connect
  • Navigating to bbc.co.uk does not connect

Logs:

Wireguard application logs on phone:

Show no errors

Raspberry Pi

wg:

 interface: wg0
 public key: [key]
 private key: (hidden)
 listening port: 47111
 
 peer: [key]=
 preshared key: (hidden)
 endpoint: [router_IP_address]:36233
 allowed ips: 10.100.0.2/32, fd08:4711::201/128
 latest handshake: 31 seconds ago
 transfer: 77.93 KiB received, 23.10 KiB sent

ip route:

default via 192.168.1.1 dev eth0 src 192.168.1.2 metric 202
10.100.0.0/24 dev wg0 proto kernel scope link src 10.100.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 202

ip rule:

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

iptables -t nat -L -v:

Chain PREROUTING (policy ACCEPT 31438 packets, 2456K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 30438 packets, 2342K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19497 packets, 1401K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 20459 packets, 1513K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    10.6.0.0/24          anywhere             /* wireguard-nat-rule */

Final thoughts

If you got this far, thank you so much! I have been trying to do this by myself for so long now it seems. Please let me know if you need more information.

Solution

Accepted solution from Bucking_Horn worked. See my post here for extra detail for anyone else facing this issue.

try changing your phone.conf DNS from 192.168.1.2 to 10.100.0.1 and see if that works


Hi smurf thanks for the reply.

I changed the phone.conf to:

[Interface]
Address = 10.100.0.2/32, fd08:4711::2/128
DNS = 10.100.0.1 # <- change here
PrivateKey = [key]=

[Peer]
PublicKey = [key]=
PresharedKey = [key]=
Endpoint = [router_public_ip]:47111
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Then created a new qr code for the phone, and ran systemctl restart wg-quick@wg0.

This is the output of wg:

interface: wg0
  public key: [key]=
  private key: (hidden)
  listening port: 47111

peer: [key]=
  preshared key: (hidden)
  endpoint: 192.168.1.1:38284 # <- This seems to have changed
  allowed ips: 10.100.0.2/32, fd08:4711::201/128
  latest handshake: 1 minute, 21 seconds ago
  transfer: 241.89 KiB received, 23.30 KiB sent

I still don't have a connection to either my router IP address 192.168.1.1 or bbc.co.uk, either on mobile data or on wifi from my phone.

My previous attempt of installing and configuring WG manually was a frustrating experience until I found PiVPN. Give it a try.

Thanks, if I can't solve this I will give it a try.

In the meantime I would really love to get to the bottom of this, I hate not understanding what I'm doing wrong, and who knows - a solution may help someone in the future too :slight_smile:

This looks like a Wireguard issue, rather than a Pi-hole one.
You should probably consider also consulting forums specialising in Wireguard.

That said:
From what I can glean from your configs, it seems you tell your phone peer to route all traffic via Wireguard:

However, on your Pi, you did not configure Wireguard to set up any rules that would route traffic from the Wireguard network to an interface with the required connectivity, as you are missing the appropriate PostUp/PostDown rules.

This would match a disclaimer from our Wireguard VPN guide:

The following assumes you have already prepared your Pi-hole for IP forwarding and enabled NAT. If this is not the case, follow the steps over there before continuing here.

If you haven't done this, your clients will apparently have no Internet connection whilst local connections may still work.

I'd recommend having a read of the aforementioned guide, or at least following the links above from the quote.

Please note that for Pi-hole to provide DNS via VPN, it would suffice to use your Pi-hole's Wireguard IP for DNS (in your phone.conf, DNS = 10.100.0.1), while only routing traffic to that DNS server via Wireguard (in your phone.conf, AllowedIPs = 10.100.0.1/32, fd08:4711::1/128).
In that config, only your phone's DNS request to 10.100.0.1 (or fd08:4711::1) would be sent into the VPN tunnel.
All other traffic would be routed through your phone's normal current connection (wifi or mobile).

This would allow your phone to benefit from Pi-hole's filtering while still enjoying the download speeds of your phone's connection (e.g. 150 Mbit/s of mobile download speed).

You'd only need those additional PostUp/PostDown rules if you'd wanted to be able to access devices within your home network via VPN (like accessing your router at 192.168.1.1) or route all traffic via your home network.

Note that any traffic that has to be sourced via your VPN would have to be sent via your router's upstream link - and for most consumer plans, upstream speed is considerably lower than download.

Consequently, routing all traffic through a Wireguard tunnel may noticeably slow down your phone (e.g. assuming 150 Mbit/s download for the phone's 4G mobile data vs. 10 Mbit/s for your home router's upload speed).
Routing DNS traffic only would be much less likely to be noticeable, as DNS packets are usually quite tiny and make up only a small fraction of overall traffic volume.

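As an added example (my own, not code from the thread or from Pi-hole's guide): a small Python check that parses a wg-quick client config, reports which destinations would enter the tunnel under its AllowedIPs (the full-tunnel phone.conf versus the DNS-only split described in the reply above), whether the configured DNS server is itself reachable through the tunnel, and whether a server-side masquerade source range actually covers the wg0 subnet. The sample configs are constructed and leave the keys out.

```python
import ipaddress
# Constructed sample client configs (keys omitted), modelled on the thread's phone.conf:
# FULL_TUNNEL sends everything via the Pi, DNS_ONLY only the queries to the Pi's wg0 address.
FULL_TUNNEL = """
[Interface]
Address = 10.100.0.2/32, fd08:4711::2/128
DNS = 10.100.0.1
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
"""
DNS_ONLY = FULL_TUNNEL.replace("0.0.0.0/0, ::/0", "10.100.0.1/32, fd08:4711::1/128")

def parse_wg(text):
    """Minimal wg-quick parser: list of (section, {key: [values]}), values split on ','."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments such as '# phone'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, _, value = line.partition("=")  # only the first '=' separates key and value
        sections[-1][1].setdefault(key.strip(), []).extend(v.strip() for v in value.split(","))
    return sections

def allowed_networks(conf_text):
    """AllowedIPs of every [Peer]; wg-quick installs these as routes into the tunnel."""
    return [ipaddress.ip_network(v, strict=False)
            for name, kv in parse_wg(conf_text) if name == "Peer"
            for v in kv.get("AllowedIPs", [])]

def goes_via_tunnel(conf_text, dst):
    """True if the client would send packets for dst into the WireGuard tunnel."""
    ip = ipaddress.ip_address(dst)  # 'in' is False across IPv4/IPv6, so mixing is safe
    return any(ip in net for net in allowed_networks(conf_text))

def dns_reachable(conf_text):
    """The DNS server in [Interface] must itself fall inside AllowedIPs, or queries never
    enter the tunnel (the thread's first suggestion: DNS = 10.100.0.1 instead of 192.168.1.2)."""
    dns = [v for name, kv in parse_wg(conf_text) if name == "Interface" for v in kv.get("DNS", [])]
    return all(goes_via_tunnel(conf_text, d) for d in dns)

def nat_covers_tunnel(wg_address, nat_source):
    """Server side: a masquerade rule only helps if its source range contains the wg0 subnet.
    The thread's iptables rule matched 10.6.0.0/24 against a 10.100.0.0/24 tunnel (0 packets)."""
    tunnel = ipaddress.ip_network(wg_address, strict=False)
    nat = ipaddress.ip_network(nat_source, strict=False)
    return tunnel.version == nat.version and tunnel.subnet_of(nat)
```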

Thank you for taking the time to reply, I really appreciate it.

Please note that for Pi-hole to provide DNS via VPN, it would suffice to use your Pi-hole's Wireguard IP for DNS (in your phone.conf, DNS = 10.100.0.1), while only routing traffic to that DNS server via Wireguard (in your phone.conf, AllowedIPs = 10.100.0.1/32, fd08:4711::1/128).
In that config, only your phone's DNS request to 10.100.0.1 (or fd08:4711::1) would be sent into the VPN tunnel.
All other traffic would be routed through your phone's normal current connection (wifi or mobile).
This would allow your phone to benefit from Pi-hole's filtering while still enjoying the download speeds of your phone's connection (e.g. 150 Mbit/s of mobile download speed).

Thank you for this, I have created two configs so I can switch between if I need.

I'd recommend having a read of the aforementioned guide, or at least following the links above from the quote.

You're absolutely right - I did the IP forwarding, but somehow missed the section on enabling NAT. I followed that article and added the nftables config. The VPN tunnel is now behaving as expected!

Thank you so much for your help, the extra detail you included has cleared up a whole bunch of things for me.


If anyone else reading this is having issues with the PostUp/PostDown rules, the given example didn't work for me, due to the word srncat not being recognised. As per the docs this can be substituted with 100, and it now works. Snippet below:

PostUp = nft add table ip wireguard; nft add chain ip wireguard wireguard_chain {type nat hook postrouting priority 100\; policy accept\;}; nft add rule ip wireguard wireguard_chain counter packets 0 bytes 0 masquerade; nft add table ip6 wireguard; nft add chain ip6 wireguard wireguard_chain {type nat hook postrouting priority 100\; policy accept\;}; nft add rule ip6 wireguard wireguard_chain counter packets 0 bytes 0 masquerade
PostDown = nft delete table ip wireguard; nft delete table ip6 wireguard

Additionally, in my phone.conf I changed DNS from 192.168.1.2 to 10.100.0.1
