
WireGuard VPN on Raspberry Pi 4 connects but iPhone has no internet access

0 votes
0 answers
44 views
**Issue Summary**

**WireGuard VPN on Raspberry Pi 4 connects from client (iPhone), shows handshake and Rx/Tx, but VPN clients have no internet access.**

## ✅ **Setup**

### Network & Hardware

* **Virgin Media Hub 3 in modem mode**
* **TP-Link AX55 router** as main router
* **Raspberry Pi 4 (4GB)** running Raspberry Pi OS (64-bit) via Wi-Fi
* Static IP: 192.168.0.207 reserved via router (DHCP reservation)
* DuckDNS domain in use: MYCUSTOMDNS.duckdns.org
* Port forwarding: UDP 51820 → 192.168.0.207

### WireGuard Server (on Raspberry Pi)

Installed via PiVPN:

* Interface: wg0
* Address: 10.100.0.1/24
* ListenPort: 51820
* NAT: via iptables (see below)
* IP forwarding: enabled in /etc/sysctl.conf

## **iptables Rules (final tested)**

```bash
sudo iptables -t nat -F
sudo iptables -F
sudo iptables -X

sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wlan0 -j ACCEPT

sudo netfilter-persistent save
```

Also tested with subnet-specific NAT:

```bash
sudo iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
```

## **Client (iPhone WireGuard App)**

```ini
[Interface]
PrivateKey = ...
Address = 10.100.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = ...
PresharedKey = ...
Endpoint = MYCUSTOMDNS.duckdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

## ✅ **What Works**

* iPhone connects to VPN, tunnel turns green
* Handshake confirmed via `sudo wg show`
* Rx/Tx values increase
* DuckDNS resolves
* Port forwarding works

## ❌ **What Fails**

* No internet access on the device
* Pages like https://1.1.1.1, bbc.co.uk, etc. never load
* tcpdump on wlan0 shows:
  * Local Pi traffic (DNS, PTR queries)
  * **No traffic from 10.100.0.2 (VPN client) exiting via wlan0**

## **Verified**

* `cat /proc/sys/net/ipv4/ip_forward` returns 1
* `ip route get 1.1.1.1 from 10.100.0.2 iif wg0` returns:

  ```
  1.1.1.1 from 10.100.0.2 via 192.168.0.1 dev wlan0
  ```

* `ip link show wg0`: UP, LOWER_UP, POINTOPOINT
* `sudo wg show`: valid handshake + active transfer

*WireGuard config looks like this:*

```ini
[Interface]
PrivateKey = ##################
Address = 10.100.0.1/24
ListenPort = 51820
MTU = 1420
Table = off

# NAT + Forwarding rules
PostUp = iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -o wlan0 -j ACCEPT
PostUp = iptables -A FORWARD -i wlan0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o wlan0 -j ACCEPT
PostDown = iptables -D FORWARD -i wlan0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT
```

I have tested many things, rebooted, used the phone on 5G and a different Wi-Fi (not my home one) to test the VPN. Everything seems to be working except for the internet on my phone.

Has anyone seen anything like this? AI did not give me other solutions.

*UPD*

`iptables-save` returns:

```
# Generated by iptables-save v1.8.9 (nf_tables) on Thu May 15 22:22:41 2025
*filter
:INPUT ACCEPT [7800:5661901]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4771:393678]
-A FORWARD -i wg0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Thu May 15 22:22:41 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Thu May 15 22:22:41 2025
*nat
:PREROUTING ACCEPT [2662:224849]
:INPUT ACCEPT [2647:223463]
:OUTPUT ACCEPT [60:4394]
:POSTROUTING ACCEPT [60:4394]
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
# Completed on Thu May 15 22:22:41 2025
```

and `sudo iptables-save` returns:

```
# Generated by iptables-save v1.8.9 (nf_tables) on Thu May 15 22:22:41 2025
*filter
:INPUT ACCEPT [7800:5661901]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4771:393678]
-A FORWARD -i wg0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Thu May 15 22:22:41 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Thu May 15 22:22:41 2025
*nat
:PREROUTING ACCEPT [2662:224849]
:INPUT ACCEPT [2647:223463]
:OUTPUT ACCEPT [60:4394]
:POSTROUTING ACCEPT [60:4394]
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
```

Asked by Datacrawler (101 rep)
May 13, 2025, 04:48 PM
Last activity: May 15, 2025, 09:31 PM
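
An added example, not part of the original post: a shell check over `iptables-save` output like the dump above that flags rules installed twice and confirms the masquerade and forward rules a WireGuard gateway needs. The function names `audit_wg_rules` and `sample_rules` are hypothetical, and the sample ruleset is constructed from the post's dump with counters zeroed; the subnet and interface names are the post's.

```shell
# audit_wg_rules SUBNET WG_IF WAN_IF: reads iptables-save output on stdin.
# Prints one finding per line; returns 0 if clean, 1 otherwise. (Hypothetical helper.)
audit_wg_rules() {
    awk -v subnet="$1" -v wg="$2" -v wan="$3" '
        /^\*/  { table = substr($0, 2); next }          # "*nat", "*filter": current table
        /^:/   { split(substr($0, 2), p, " ")           # ":FORWARD ACCEPT [0:0]": chain policy
                 policy[table "/" p[1]] = p[2]; next }
        /^-A / {
            key = table ": " $0
            if (++seen[key] == 2) { print "DUPLICATE " key; bad = 1 }
            if (table == "nat" && $2 == "POSTROUTING" && /-j MASQUERADE/ && index($0, "-o " wan " ") &&
                (index($0, "-s " subnet " ") || !/ -s /)) masq = 1
            if (table == "filter" && $2 == "FORWARD" && /-j ACCEPT/) {
                if (index($0, "-i " wg " ")) out = 1
                if (index($0, "-o " wg " ") && /RELATED,ESTABLISHED/) back = 1
            }
        }
        END {
            # An ACCEPT policy on FORWARD passes traffic even without explicit rules.
            permissive = (policy["filter/FORWARD"] == "ACCEPT")
            if (!masq)                { print "MISSING masquerade for " subnet " out " wan; bad = 1 }
            if (!out && !permissive)  { print "MISSING forward accept from " wg; bad = 1 }
            if (!back && !permissive) { print "MISSING return-path accept to " wg; bad = 1 }
            if (!bad) print "OK"
            exit bad + 0
        }'
}

# Constructed sample, modelled on the dump in the post (counters zeroed).
sample_rules() {
    cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i wg0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
EOF
}

sample_rules | audit_wg_rules 10.100.0.0/24 wg0 wlan0 || true
```

A duplicate usually means the same rule is being installed twice, for example by a saved netfilter-persistent ruleset and by the `PostUp` lines. Masqueraded packets leave `wlan0` with the Pi's own address as source, so a capture there will not show 10.100.0.2 even when forwarding works; capturing on `wg0` shows the client's packets.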