Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
5 votes, 1 answer, 2245 views
Wireguard Multiline Config Value
Is it possible to split a config command over multiple lines instead of one long string?
E.g.
```
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
When using more commands the line gets very long and unreadable. I would like to split it so that I can use one line per command. Something like:
```
PostUp = iptables -A FORWARD -i %i -j ACCEPT; \
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
The man page says it's based on the ini format but has no help on this topic.
laktak
(6313 rep)
May 30, 2021, 09:09 PM
• Last activity: Aug 2, 2025, 07:47 AM
3 votes, 1 answer, 6217 views
Wireguard "wg0: Packet has unallowed src IP"
Using the https://github.com/angristan/wireguard-install project I configured a server, which produced the following server config file at `/etc/wireguard/wg0.conf`:
```
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 51202
PrivateKey = ***************
PostUp = iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
### Client chris
[Peer]
PublicKey = ***************
PresharedKey = ****************
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128,209.250.230.114/32
```
And the following client file:
```
[Interface]
PrivateKey = ******************
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 94.140.14.14,94.140.15.15
[Peer]
PublicKey = 8ZF6U0mHKvMtVw2A4jha4mZR+a0GP5W85unV05zJIyw=
PresharedKey = **************************
Endpoint = 192.248.162.216:51202
AllowedIPs = 0.0.0.0/0,::/0
```
This is the file I have in the client. Running `wg-quick up server` on the client results in:
```
root@vultr:~# wg-quick up server
[#] ip link add server type wireguard
[#] wg setconf server /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev server
[#] ip -6 address add fd42:42:42::2/128 dev server
[#] ip link set mtu 1420 up dev server
[#] resolvconf -a tun.server -m 0 -x
[#] wg set server fwmark 51820
[#] ip -6 route add ::/0 dev server table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev server table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
```
After which I lose network connectivity with the client (I mean my prior SSH connection).
On the server I see the following debug logs:
```
Feb 14 18:14:21 car kernel: wireguard: wg0: Packet has unallowed src IP (209.250.230.114) from peer 1 (209.250.230.114:56584)
Feb 14 18:14:22 car kernel: wireguard: wg0: Sending keepalive packet to peer 1 (209.250.230.114:56584)
Feb 14 18:14:23 car kernel: wireguard: wg0: Packet has unallowed src IP (209.250.230.114) from peer 1 (209.250.230.114:56584)
Feb 14 18:14:26 car kernel: wireguard: wg0: Packet has unallowed src IP (209.250.230.114) from peer 1 (209.250.230.114:56584)
Feb 14 18:14:33 car kernel: wireguard: wg0: Sending keepalive packet to peer 1 (209.250.230.114:56584)
```
Surely `AllowedIPs = 0.0.0.0/0,::/0` allows any ip? Why am I getting the error about the IP not being allowed?
---
I tried adding the client ip (209.250.230.114) to the `AllowedIps` under `[Peer]` in the server config at `/etc/wireguard/wg0.conf` + restarting the wireguard systemd service - slight change in behavior now - seems to keep recreating the keypair + sending the handshake:
```
Feb 14 18:27:15 car kernel: wireguard: wg0: Sending handshake response to peer 2 (209.250.230.114:46777)
Feb 14 18:27:15 car kernel: wireguard: wg0: Keypair 40 destroyed for peer 2
Feb 14 18:27:15 car kernel: wireguard: wg0: Keypair 41 created for peer 2
Feb 14 18:27:20 car kernel: wireguard: wg0: Receiving handshake initiation from peer 2 (209.250.230.114:46777)
Feb 14 18:27:20 car kernel: wireguard: wg0: Sending handshake response to peer 2 (209.250.230.114:46777)
Feb 14 18:27:20 car kernel: wireguard: wg0: Keypair 41 destroyed for peer 2
Feb 14 18:27:20 car kernel: wireguard: wg0: Keypair 42 created for peer 2
Feb 14 18:27:25 car kernel: wireguard: wg0: Receiving handshake initiation from peer 2 (209.250.230.114:46777)
Feb 14 18:27:25 car kernel: wireguard: wg0: Sending handshake response to peer 2 (209.250.230.114:46777)
Feb 14 18:27:25 car kernel: wireguard: wg0: Keypair 42 destroyed for peer 2
Feb 14 18:27:25 car kernel: wireguard: wg0: Keypair 43 created for peer 2
```
----
Here is some packet logs output from `tshark -i any` on the client after running `wg-quick up...`. Please note the IPs are now different from earlier in my question (tried to set this up from scratch again - hence new ips).
Chris Stryczynski
(6603 rep)
Feb 14, 2021, 06:17 PM
• Last activity: Aug 2, 2025, 07:09 AM
0 votes, 0 answers, 18 views
How do I start a process which by-passes a wireguard VPN?
I have a very basic wireguard connection that routes all traffic through a VPN.
```
[Interface]
PrivateKey =
Address =
DNS =
[Peer]
PublicKey =
AllowedIPs = 0.0.0.0,::0/0
Endpoint =
```
I've imported and enabled it with NetworkManager using `nmcli connection import type wireguard file $conf`.
My problem is I have a scheduled process that I would like to _not_ go through the wireguard tunnel, _(ie come from my home IP address)_. And I'd rather not carve out an exception in the wireguard config.
The solution I've tried is to set up a network namespace which is linked to `eth0`. That way I could bypass the wireguard connection with `sudo ip netns exec clearnet`. But I can't link the namespace directly to eth0 or else everything else loses access to eth0 and the internet in general. This is turning out very convoluted though because I've got to do something like eth0 -> br0 -> veth0 -> veth1 -> ns1
```
sudo ip netns add clearnet # create namespace
sudo ip link add veth0 type veth peer name veth1 # create veth pair
sudo ip link set veth1 netns clearnet # move veth1 into the clearnet namespace
sudo ip link add br0 type bridge # create bridge
sudo ip link set eth0 master br0 # connect eth0 to the bridge (lose internet here)
sudo ip link set veth0 master br0 # connect veth0 to the bridge
# turn everything on
sudo ip link set br0 up
sudo ip link set veth0 up
sudo ip netns exec clearnet ip link set veth1 up
nmcli connection up br0 # restore internet
# give the bridge an IP address
sudo ip addr add 192.168.100.1/24 dev br0
sudo ip addr add 192.168.100.1/24 dev veth0
# give the namespace an IP address (ip netns exec needs the namespace name)
sudo ip netns exec clearnet ip addr add 192.168.100.2/24 dev veth1
# tell the namespace to route via the bridge's IP
sudo ip netns exec clearnet ip route add default via 192.168.100.1
```
At this point I still don't have internet access via `clearnet`, much less DNS, and I'm convinced I'm doing this the _hard way_. Something like NetworkManager, systemd (which schedules the process), or docker (which executes the process) should have a short cut. Or is what I'm seeking really this complicated?
cheezsteak
(566 rep)
Jul 29, 2025, 08:02 PM
0 votes, 1 answer, 3277 views
WireGuard Lan access does not work on Linux but on Mobile phone
I'm trying to connect my Laptop (which is running fedora or manjaro) to connect all the time to my raspberry Pi with PiVPN.
I have set up the IP tables and also port forwarding.
I can access my Pi under 10.6.0.1 but not my normal subnet 192.168.0.0/24. On my mobile phone I can access my Local Lan from other networks, but not from my laptop.
I've generated the wg0.conf wireguard file from PiVPN and put it under /etc/wireguard. And it is working. But I can't access the Lan. It should route all traffic through the Pi.
I've tried adding more to the Allowed IPs but this didn't help either. I also added IP Tables in the conf file. Is it a problem with the OS or Wireguard?
I also can ping 10.6.0.1 (PI) from another network while being connected over WireGuard, but when I try to ping 196.168.178.35 (LAN PI) it says couldn't reach host.
Conf files:
Pi Server:
```
[Interface]
PrivateKey =
Address = 10.6.0.1/24
MTU = 1420
ListenPort =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.6.0.4/32
```
Client:
```
[Interface]
PrivateKey =
Address = 10.6.0.4/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
DNS = 10.6.0.1
[Peer]
PublicKey =
PresharedKey =
Endpoint = :
AllowedIPs = 0.0.0.0/0
PersistentKeepalive=30
```
iawegfib
(1 rep)
Jun 11, 2022, 07:47 PM
• Last activity: Jul 25, 2025, 03:03 AM
0 votes, 1 answer, 7340 views
"Job for wg-quick@wg0.service failed because the control process exited with error code"
I am trying to install wireguard on Ubuntu 18.04 64 bit, following one of the video tutorials.
Step `systemctl start wg-quick@wg0.service` finishes with
```
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
```
Running `systemctl status wg-quick@wg0.service` gives:
```
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; indirect; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2023-03-11 00:02:48 UTC; 7min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 18984 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
 Main PID: 18984 (code=exited, status=1/FAILURE)

Mar 11 00:02:48 my-vps.name systemd: Starting WireGuard via wg-quick(8) for wg0...
Mar 11 00:02:48 my-vps.name wg-quick: [#] ip link add wg0 type wireguard
Mar 11 00:02:48 my-vps.name wg-quick: RTNETLINK answers: Operation not supported
Mar 11 00:02:48 my-vps.name wg-quick: Unable to access interface: Protocol not supported
Mar 11 00:02:48 my-vps.name wg-quick: [#] ip link delete dev wg0
Mar 11 00:02:48 my-vps.name wg-quick: Cannot find device "wg0"
Mar 11 00:02:48 my-vps.name systemd: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Mar 11 00:02:48 my-vps.name systemd: wg-quick@wg0.service: Failed with result 'exit-code'.
Mar 11 00:02:48 my-vps.name systemd: Failed to start WireGuard via wg-quick(8) for wg0.
```
Running `journalctl -xe` shows:
```
Mar 10 23:46:27 my-vps.name wg-quick: [#] ip link add wg0 type wireguard
Mar 10 23:46:27 my-vps.name wg-quick: RTNETLINK answers: Operation not supported
Mar 10 23:46:27 my-vps.name wg-quick: Unable to access interface: Protocol not supported
Mar 10 23:46:27 my-vps.name wg-quick: [#] ip link delete dev wg0
Mar 10 23:46:27 my-vps.name wg-quick: Cannot find device "wg0"
```
My `wg0.conf` looks like:
```
[Interface]
PrivateKey = myprivatekeyhere
Address = 10.0.0.1/24
ListenPort = 51830
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
```
`modprobe wireguard` says:
```
modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.15.0
```
`ls /lib/modules` returns:
```
4.15.0 4.15.0-206-generic
```
`uname -r` shows:
```
4.15.0
```
Rebooting did not help. Searching did not help.
Ildar Meyker
(1 rep)
Mar 11, 2023, 02:40 AM
• Last activity: Jul 21, 2025, 11:03 AM
0 votes, 1 answer, 2047 views
Wireguard client does not complete handshake on nixos
```
Mar 07 12:10:16 nixos kernel: wireguard: wg0: Handshake for peer 1 (192.248.152.91:58338) did not complete after 5 seconds, retrying (try 3)
Mar 07 12:10:16 nixos kernel: wireguard: wg0: Sending handshake initiation to peer 1 (192.248.152.91:58338)
```
This seems to work correctly if I set allowed IPs to something other than `0.0.0.0` - my understanding is it will only send connections to these ips via the wireguard VPN.
```
networking.firewall = {
  enable = false;
};
# Enable Wireguard
networking.wireguard.interfaces = {
  wg0 = {
    ips = [ "10.66.66.2/32" ];
    listenPort = 58338; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
    privateKey= "************************";
    peers = [
      {
        publicKey = "***************";
        presharedKey = "*****************";
        allowedIPs = [ "0.0.0.0/0" ];
        #allowedIPs = [ "10.66.66.1" "94.130.178.87" ];
        endpoint = "192.248.152.91:58338"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
        # Send keepalives every 25 seconds. Important to keep NAT tables alive.
        persistentKeepalive = 25;
      }
    ];
  };
};
```
I've read through https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577/4 however even after adding an ip route with `ip route add 192.248.152.91 via 10.66.66.1 dev wg0` it does not seem to have any change in behaviour.
```
root@nixos> ip route ~
default dev wg0 scope link
default via 10.0.2.2 dev eth0 proto dhcp src 10.0.2.15 metric 202
10.0.2.0/24 dev eth0 proto dhcp scope link src 10.0.2.15 metric 202
192.248.152.91 via 10.66.66.1 dev wg0
```
Chris Stryczynski
(6603 rep)
Mar 7, 2021, 12:14 PM
• Last activity: Jul 15, 2025, 01:00 PM
1 vote, 0 answers, 23 views
PS4 Not Fully Connecting Through WireGuard VPN via macOS Internet Sharing
I’m trying to route all my PS4 traffic through a VPS-hosted VPN (using WireGuard), with the MacBook acting as the gateway.
✅ The Setup So Far
* VPS (Ubuntu): Set up successfully using Algo VPN. WireGuard server running without issue.
* Client (macOS, M1): Using laptop.conf from Algo. WireGuard connects and works fine on the MacBook.
* Internet Sharing: macOS is set to share internet from Wi-Fi (en0) to Ethernet (en8). This is how I physically connect the Mac to the PS4.
* PS4 gets an IP like 192.168.137.x (automatically via DHCP from the Mac).
📡 Interface Overview
* utun4 is the WireGuard tunnel.
* en0 is Wi-Fi (internet source).
* en8 is the Ethernet adapter (PS4 is physically connected here).
* macOS Internet Sharing assigns 192.168.137.1 to en8.
🔧 pf.conf (macOS NAT)
I’ve enabled IP forwarding and configured NAT using /etc/pf.conf:
```
set skip on lo0
nat on utun4 from 192.168.137.0/24 to any -> (utun4)
pass in all
pass out all
```
Applied and loaded with `sudo pfctl -ef /etc/pf.conf` – no errors.
Verified that `pfctl -sr` shows the rules correctly.
🔍 What Works
* MacBook itself has full internet access via WireGuard ✅
* PS4 receives an IP from the Mac ✅
* PS4 test shows:
* ✅ IP address assigned
* ❌ Internet connection fails
* ❌ PSN sign-in fails
* ❌ NAT Type cannot be determined
If I set DNS manually (like 8.8.8.8 or 192.168.137.1) on the PS4, it does resolve domains correctly (dig shows valid results when tested).
🚫 What I’ve Tried So Far
* DNSMasq forwarding to 8.8.8.8 → no success
* Tried different NAT statements: utun4, en0, etc.
* Confirmed IP routing is enabled on macOS
* Used tcpdump to check traffic – some packets go out, unsure if responses return
* Reinstalled and reconfigured Algo/WireGuard multiple times
* Flushed pf rules and re-applied minimal config
* Disabled macOS firewall completely
🤯 Suspected Issue
The PS4 gets an IP via DHCP but seems unable to properly route traffic back through the VPN tunnel, or maybe responses don’t get NAT’d correctly. Might also be a return path problem or DNS issue, but unclear why it’s isolated to the PS4.
❓Looking for Help With
* Debugging pf/NAT config (especially macOS-specific issues)
* Ideas for improving NAT/routing behavior on macOS
* Alternative methods for routing all traffic from en8 through utun4
* Any known issues with macOS Internet Sharing + WireGuard + game consoles?
🙏 Thanks in Advance
Any help or ideas would be appreciated! I’ve been deep in this for days and hit a wall. If someone has successfully routed console traffic via WireGuard on macOS, I’d love to hear how you did it.
Let me know if I should post configs, logs, or test outputs.
T R
(11 rep)
Jul 7, 2025, 12:43 AM
• Last activity: Jul 7, 2025, 08:59 AM
1 vote, 1 answer, 2550 views
How to fix routing for Wireguard VPN Gateway
I am desperately trying to get my Wireguard-VPN-Setup up and running as my Internet Connection has been switched to IPV6 (DS-lite).
**My Setup(raw):**
- NetCup VPS (acting as IPv4 contact point for my mobile devices out of the Internet)
- Internal Wireguard Server (acting as the Gateway between internal and external network)
- Iphone with Wireguard Client installed connected via mobile network only
**Current Status:**
- VPN Tunnel up and running between VPS and internal Wireguard Server as well as VPS and Mobile Client
- VPS (VPN Address 192.168.1.10) able to ping both peers (192.168.1.1 and 192.168.1.15)
- Internal Wireguard Server(192.168.1.1) able to ping VPS (192.168.1.10) but not able to reach Mobile Client (192.168.1.15) --> ICMP: Destination Host unreachable.
- tcpdump on VPS Server does not show any ICMP-Request coming in from my internal Wireguard Server when trying to ping 192.168.1.15
- Mobile Client (192.168.1.15) able to ping VPS (192.168.1.10) via VPN-Tunnel but not able to reach Internal Wireguard Server (192.168.1.1)
For me it seems to be a routing issue on the internal Gateway Server. Routes are set by wg-quick as follows:
```
default via 192.168.2.1 dev enp0s10 proto static metric 100
169.254.0.0/16 dev enp0s10 scope link metric 1000
192.168.1.0/24 dev wg0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev enp0s10 proto kernel scope link src 192.168.2.2 metric 100
```
IP-Forwarding is active.
Any Ideas on what I could have missed?
Any assistance is well appreciated!
Andi
(11 rep)
Aug 31, 2021, 08:29 AM
• Last activity: Jul 1, 2025, 01:06 AM
0 votes, 1 answer, 2292 views
Wireguard routing issues IPv4+IPv6
I'm trying to get a "simple" VPN working between two Linux boxes using Wireguard. Unfortunately, existing tutorials I've found weren't that helpful, because they usually A) only set up IPv4 and B) usually use IP masquerading ...
Config of machine A:
```
[Interface]
Address = 192.168.10.2/24
ListenPort = 51820
[Peer]
AllowedIPs = 192.168.10.0/24, 172.16.0.0/24, fdbb:bbbb:bbbb::/48, 2001:db8:bbbb:0000::/64
Endpoint = [2001:db8:bbbb:0000:1234:56ff:fe78:90ab]:51820
PersistentKeepalive = 20
```
Config of machine B:
```
[Interface]
Address = 192.168.10.1/24
ListenPort = 51820
[Peer]
AllowedIPs = 192.168.10.2/32, 10.0.0.0/16, fdaa:aaaa:aaaa::/48, 2001:db8:aaaa:0000::/64
Endpoint = [2001:db8:aaaa:0000:ba09:87ff:fe65:4321]:51820
PersistentKeepalive = 20
```
(Leaving out the keys because the tunnel itself is passing traffic so I know these are correct).
So, simple config, in theory. Machine A has no local firewall (only a typical consumer router with its built-in firewall, with UDP/51820 opened), machine B has ip(6)tables but only for all the Docker rules, and the default policies are set to Accept.
Both machines have `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=2`.
That config didn't work, because Wireguard apparently tries to route **its own wireguard traffic** through the tunnel itself because the Endpoint IPv6 is included in the AllowedIPs network. Why would that not be excluded by default...
I tried to get around that by adding a fixed route to send traffic for that endpoint through the normal interface, not wg0:
```
PostUp = /usr/sbin/ip -6 route add 2001:db8:aaaa:0000:ba09:87ff:fe65:4321/128 via fe80::1 dev enp1s0
PreDown = /usr/sbin/ip -6 route del 2001:db8:aaaa:0000:ba09:87ff:fe65:4321/128 via fe80::1 dev enp1s0
```
With that setup (on both sides), the peers can ping each other A) through the WG peer addresses (192.168.10.X), B) through their local IPv4 (10.0.X.X or 172.16.X.X), and C) through their ULA addresses.
However, I still have two issues with my tunnel:
A) Because I had to add that IPv6 route to the endpoint, that means traffic to the other peer's public IPv6 address does not go through the WG tunnel but travels directly over the internet. The peers cannot ping each other using their public GUA IPv6 addresses. I would need something like that IP route I added using the PostUp parameter, but for that to only apply to the tunnel itself, not for traffic going through the tunnel. Like an IPv6 route where I can say "route UDP/51820 over this route (directly to the internet), but other traffic to that same IP over that route (wg0)".
B) I can't get everything to work from other machines in my network (over IPv4). On another machine on network A, I added a static route to the other network's IPv4: `172.16.0.0/24 via 10.0.1.25 dev enp7s0 metric 100`.
When I now do a traceroute, the 1st hop is the wireguard machine (10.0.1.25), and the 2nd hop is the WG peer's address of the remote machine (192.168.10.1) (so it does go through the tunnel!), but after that, boom, that's it. No third hop with the actual destination (even though the other side's default gateway does have a static route to route 10.0.0.0/8 to that side's wireguard machine). I do not want to do IP masquerading which is the "solution" I found multiple times using Google. I want the other machines on the other network to see exactly where the requests are coming from - a machine on the other side of the tunnel.
Over IPv6, using the ULAs, everything is fine. Added an IPv6 route on the gateway to route the other side's ULAs to the wireguard machine, and done. I just need to find a solution for the GUAs, probably with radvd on the wireguard machine announcing a route to that network.
TL;DR: Wireguard connection between two peers works, but A) how do I send non-Wireguard traffic to the wireguard endpoint IP over the tunnel as well, and B) why does IPv6 ULA routing work and IPv4 routing doesn't even though they're set up the same.
Florian Bach
(263 rep)
May 1, 2023, 08:14 AM
• Last activity: Jun 27, 2025, 03:08 AM
0 votes, 0 answers, 67 views
Cannot redirect host port 53 to allow VPN client connections to host port 53
I have pihole in rootless podman on port 1053 and wireguard, openvpn servers (not in podman) on the same host (Debian bookworm).
Trying to redirect port 53 to 1053. It works for other hosts in the LAN, but doesn't work for wg and openvpn clients.
Tried:
1)
```
sudo iptables -w -t nat -A PREROUTING -d 192.168.1.100 -p udp --dport 53 -j REDIRECT --to-ports 1053
```
From another host in the LAN:
```
dig @192.168.1.100 google.com # ok.
```
From wg client (ip 10.10.0.2):
```
dig @192.168.1.100 -p 1053 google.com # ok;
dig @192.168.1.100 google.com # connection time out;
nc -v -n -u 192.168.1.100 53 # nothing.
```
2)
```
sudo socat UDP4-LISTEN:53,reuseaddr,fork,su=nobody UDP4:192.168.1.100:1053,reuseaddr
```
From another host in the LAN - all ok.
From wg client:
```
dig # the same results as above.
nc -v -n -u 192.168.1.100 53 # Connection succeeded.
```
Kamrad2011
(1 rep)
Nov 8, 2024, 01:07 PM
• Last activity: Jun 17, 2025, 05:30 AM
0 votes, 0 answers, 45 views
How to let Networkmanager disregard wireguard connections?
I recently upgraded from linux mint 21.0 to 21.3. After upgrading, Networkmanager seems to have imported my existing wireguard connections (*/etc/wireguard/wg0.conf*), which results in it being displayed in the tray icon. This results in not seeing if I am connected to a wifi or, previously, if I am connected to a vpn.
I tried the following:
1. Removing the connection:
```
nmcli connection delete wg0
```
2. Add the following to */etc/NetworkManager/NetworkManager.conf*:
```
[keyfile]
unmanaged-devices=interface-name:wg0
```
After a restart the wg0 connection reappears in the tray icon.
I bring up my wg0.conf via a systemd unit file and I don't want Networkmanager to manage or display my wireguard connections.
How to accomplish this?
devunder
(101 rep)
Jun 13, 2025, 06:50 AM
0 votes, 2 answers, 473 views
Problem with uname -r on VPS server
I'm trying to install amneziawg (wireguard) on a VPS server with debian 11.
When it starts I get this error:
```
Starting WireGuard via wg-quick(8) for awg0...
[#] ip link add awg0 type amneziawg
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev awg0
Cannot find device "awg0"
awg-quick@awg0.service: Main process exited, code=exited, status=1/FAILURE
```
During installation there was one command I couldn't do,
**sudo apt-get install linux-headers-$(uname -r)**:
```
E: Unable to locate package linux-headers-4.19.0
E: Couldn't find any package by glob 'linux-headers-4.19.0'
E: Couldn't find any package by regex 'linux-headers-4.19.0'
```
(I did reboot)
Some commands I've tried:
**sudo modprobe amneziawg**:
```
modprobe: FATAL: Module amneziawg not found in directory /lib/modules/4.19.0
```
**uname -a**:
```
Linux example.com 4.19.0 #1 SMP Wed Jul 12 12:00:44 MSK 2023 x86_64 GNU/Linux
```
**dir /lib/modules/**:
```
4.19.0 5.10.0-33-amd64 5.10.0-33-rt-amd64
```
**sudo apt-get install linux-headers-5.10.0-33-amd64**:
```
linux-headers-5.10.0-33-amd64 is already the newest version (5.10.226-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```
As you might have guessed, I have no idea what I'm doing or how to resolve this issue.
It seems to me that the problem is with the 4.19.0 modules folder.
Can I somehow switch it to the 5.10.0 version if it's a NAT VPS service?
It probably has one kernel for every virtual server or something like that...
```
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
reboot
```
Doesn't do anything.
**What do I do? Any suggestions are welcome.**
Nickers
(3 rep)
Nov 4, 2024, 07:47 AM
• Last activity: Jun 10, 2025, 02:33 PM
1 vote, 1 answer, 28 views
Routing through a non-adjacent host in a virtual network
I have a WireGuard virtual network. There are three hosts on the network: A, B and R.
Only the host R has a static public IP, so both hosts A and B connect to the host R to connect to the virtual network.
Hosts A and R are directly connected, but hosts A and B are not — the packets have to be routed through the host R.
### Problem
I want to route packets from host A through the host B, without configuring the routing table of the host R.
Example: to send a packet from host A to a public host with IP 1.1.1.1:
Host A -> Host R -> Host B -> (through B's public interface) -> 1.1.1.1
One possible solution is to create another WireGuard network between the hosts A and B, inside the original virtual network, and then route the same way I would route from host A through R, but that looks redundant. Are there other solutions? Thank you.
### What I have tried
Assume VPN subnet: 10.78.1.0/24
Host R: 10.78.1.1
Host A: 10.78.1.2
Host B: 10.78.1.3
VPN interface on host A: wg
I tried adding a route on host A (also adding AllowedIPs in the WireGuard config):
ip route add 1.1.1.1 via 10.78.1.3 dev wg
But the packets never reach host B: the packets are routed according to the routing table of host R, and that is to route immediately through the host R's public interface.
I presume that is because host R does not receive any information about the preferred next route. Is there any way to give host R such information?
g00dds
(173 rep)
Jun 3, 2025, 02:39 PM
• Last activity: Jun 3, 2025, 09:45 PM
0 votes, 1 answer, 58 views
Wireguard: iPhone has no internet when outside of "home" wifi
I'd like to move away from tailscale (which works fine but drains my iPhone battery) and use a regular Wireguard tunnel to benefit from my home Pihole when "on the go". Raspberry Pi running Pihole LAN IP: 192.168.0.190 iPhone LAN IP (home Wifi): 192.168.0.81 My external IP is dynamic, so I use a Syn...
I'd like to move away from Tailscale (which works fine but drains my iPhone battery) and use a regular WireGuard tunnel to benefit from my home Pi-hole when "on the go".
Raspberry Pi running Pihole LAN IP: 192.168.0.190
iPhone LAN IP (home Wifi): 192.168.0.81
My external IP is dynamic, so I use a Synology QuickConnect DDNS.
Pihole wg "server" config:
[Interface]
Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 47111
PrivateKey = yKk0wyqxxxxxxxxxxx #obfuscated
[Peer]
PublicKey = TlZXuFuTJmPGEye0+i3cxvQxrKrNiJxQRqb9T3rwaC8=
PresharedKey = 1wS3KE3xxxxxxxxxxxxx #obfuscated
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128
And wg config pushed to my iPhone:
[Interface]
Address = 10.100.0.2/32, fd08:4711::2/128
DNS = 10.100.0.1
PrivateKey = uHTYEVLFEQHxxxxxxxxxxx #obfuscated
[Peer]
AllowedIPs = 10.100.0.1/32, fd08:4711::1/128
Endpoint = xxxxxxx.direct.quickconnect.to:47111
PersistentKeepalive = 25
PublicKey = w7wzMDYNDoUPUSptexhIG4a7c9eT9Sqlk4o2mqv9cH8=
PresharedKey = 1wS3KE3QCpOYbQxxxxxxxxxxx #obfuscated
On my home router, I have set up port forwarding as follows:
External port: 47111
Internal port: 47111
Internal IP: 192.168.0.190 (also tried 10.100.0.1)
Protocol: UDP (also tried BOTH)
When at home, DNS goes through my Pi-hole: blocked sites are indeed blocked, and 10.100.0.2 shows traffic.
Can you please help me troubleshoot my Wireguard config?
Thank you!
Gauffke
(11 rep)
May 28, 2025, 02:38 PM
• Last activity: May 28, 2025, 05:48 PM
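A lint pass over a client-side WireGuard config for the settings that decide whether a client's traffic and DNS actually enter the tunnel (a default route in AllowedIPs, an IPv6 default alongside the IPv4 one, a resolver that is covered by AllowedIPs, and an Endpoint). This is an added example, not code from the question above or from WireGuard; it assumes the INI-style wg-quick format of the configs posted above, and the sample config it checks is constructed here after the iPhone one with placeholder keys.

```shell
#!/bin/sh
# Added example (not from the question): lint a WireGuard client config for the
# settings that decide whether traffic and DNS actually go through the tunnel.
# Assumes the INI-style wg-quick format of the configs posted above.

# Print key=value pairs from one section ([Interface] or [Peer]) of a config.
wg_section() {  # $1 = config file, $2 = section name without brackets
  awk -v want="[$2]" '
    /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line); insec = (line == want); next }
    insec && /=/ {
      sub(/#.*/, "")                          # drop trailing comments such as "#obfuscated"
      eq = index($0, "=")                     # split at the first "=": base64 keys may end in "="
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (key != "") print key "=" val
    }' "$1"
}

# Succeed if IPv4 address $1 lies inside the CIDR prefix $2 (e.g. 10.100.0.0/24).
ip4_in_cidr() {
  awk -v ip="$1" -v cidr="$2" '
    function toint(a,   p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    BEGIN {
      split(cidr, c, "/"); len = (c[2] == "") ? 32 : c[2] + 0
      host = 2 ^ (32 - len)                   # size of the host part; compare the network parts
      if (int(toint(ip) / host) == int(toint(c[1]) / host)) exit 0
      exit 1
    }'
}

# Lint a client config; prints one finding per line, exit status = number of findings.
wg_lint() {
  cfg=$1 n=0 v4_default=no v6_default=no
  allowed=$(wg_section "$cfg" Peer | awk -F= '$1 == "AllowedIPs" { print $2 }' | tr ',' ' ' | tr -s ' ')
  dns=$(wg_section "$cfg" Interface | awk -F= '$1 == "DNS" { print $2 }' | tr ',' ' ' | awk '{ print $1 }')
  endpoint=$(wg_section "$cfg" Peer | awk -F= '$1 == "Endpoint" { print $2 }')
  [ -n "$endpoint" ] || { echo "no Endpoint: this side cannot initiate the connection"; n=$((n + 1)); }
  for a in $allowed; do
    [ "$a" = "0.0.0.0/0" ] && v4_default=yes
    [ "$a" = "::/0" ] && v6_default=yes
  done
  if [ "$v4_default" = no ]; then
    echo "AllowedIPs lacks 0.0.0.0/0: only ($allowed) enter the tunnel, other IPv4 traffic uses the local network"; n=$((n + 1))
  elif [ "$v6_default" = no ]; then
    echo "AllowedIPs has 0.0.0.0/0 but no ::/0: on an IPv6-capable network IPv6 traffic bypasses the tunnel"; n=$((n + 1))
  fi
  case $dns in
    *.*)  # IPv4 resolver: it must be reachable through the tunnel
      covered=no
      for a in $allowed; do
        case $a in *.*) ip4_in_cidr "$dns" "$a" && covered=yes ;; esac
      done
      [ "$covered" = yes ] || { echo "DNS $dns is outside every AllowedIPs entry: queries will not enter the tunnel"; n=$((n + 1)); }
      ;;
  esac
  return $n
}

# Constructed sample, modelled on the iPhone config posted above (keys are placeholders).
sample_client_config() {
  cat <<'EOF'
[Interface]
Address = 10.100.0.2/32, fd08:4711::2/128
DNS = 10.100.0.1
PrivateKey = PLACEHOLDER_PRIVATE_KEY= #obfuscated
[Peer]
AllowedIPs = 10.100.0.1/32, fd08:4711::1/128
Endpoint = vpn.example.invalid:47111
PersistentKeepalive = 25
PublicKey = PLACEHOLDER_PUBLIC_KEY=
EOF
}

cfg=$(mktemp)
sample_client_config > "$cfg"
wg_lint "$cfg" || echo "$? finding(s)"
rm -f "$cfg"
```

On the sample (and on the posted iPhone config it is modelled on) the lint reports one finding: AllowedIPs lists only the server's addresses, so only packets to those destinations are routed into the tunnel. The DNS check passes because 10.100.0.1 is covered by 10.100.0.1/32. The IPv6 check applies to configs like the GL.iNet or Raspberry Pi ones further down: 0.0.0.0/0 alone does not capture IPv6 traffic.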
0 votes, 0 answers, 205 views
GL.iNet Router Connects to WireGuard VPN but Has No Internet Access (Debian Server with Pi-hole DNS)
I’ve set up a WireGuard VPN server on a rented virtual server running Debian. The configuration is as follows:
- Server OS: Debian (12)
- VPN: WireGuard
- DNS: Pi-hole running on the same server, configured as the DNS for VPN clients
- Domain: I’ve registered vpn.myname.com and pointed it to my server’s IP
Clients:
- iPhone
- Windows PC
- GL.iNet travel router (e.g., Slate, Mango, etc.)
When I connect from my phone or Windows PC using the WireGuard configuration, everything works as expected:
- VPN connection is successful
- All traffic is routed through the VPN
- whatismyip.com shows the server’s IP
- DNS resolution works (via Pi-hole)
However, when I import the same .conf into my GL.iNet router (which uses the WireGuard client), the VPN tunnel shows as connected, but there’s no internet access on devices connected to the router. The router itself doesn’t appear to be routing traffic through the VPN correctly.
Things I’ve checked:
- The same config works perfectly on other devices
- The router shows "Connected" in the WireGuard status
- DNS seems to be set correctly to Pi-hole (same as other clients)
- AllowedIPs is set to 0.0.0.0/0, ::/0
- IP forwarding and masquerading are enabled on the server
What I’m looking for:
Any ideas why the GL.iNet router establishes a WireGuard connection but cannot access the internet, even though other devices work fine with the same config? Are there special considerations for WireGuard on GL.iNet routers?
Any help is appreciated!
xmaze
(31 rep)
Apr 11, 2025, 09:53 AM
• Last activity: May 16, 2025, 11:46 AM
0 votes, 0 answers, 44 views
WireGuard VPN on Raspberry Pi 4 connects but iPhone has no internet access
**Issue Summary**
**WireGuard VPN on Raspberry Pi 4 connects from client (iPhone), shows handshake and Rx/Tx, but VPN clients have no internet access.**
## ✅ **Setup**
### Network & Hardware
* **Virgin Media Hub 3 in modem mode**
* **TP-Link AX55 router** as main router
* **Raspberry Pi 4 (4GB)** running Raspberry Pi OS (64-bit) via Wi-Fi
* Static IP: 192.168.0.207 reserved via router (DHCP reservation)
* DuckDNS domain in use: MYCUSTOMDNS.duckdns.org
* Port forwarding: UDP 51820 → 192.168.0.207
### WireGuard Server (on Raspberry Pi)
Installed via PiVPN:
* Interface: wg0
* Address: 10.100.0.1/24
* ListenPort: 51820
* NAT: via iptables (see below)
* IP forwarding: enabled in /etc/sysctl.conf
## **iptables Rules (final tested)**
sudo iptables -t nat -F
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wlan0 -j ACCEPT
sudo netfilter-persistent save
Also tested with subnet-specific NAT:
sudo iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
## **Client (iPhone WireGuard App)**
[Interface]
PrivateKey = ...
Address = 10.100.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = ...
PresharedKey = ...
Endpoint = MYCUSTOMDNS.duckdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
## ✅ **What Works**
* iPhone connects to VPN, tunnel turns green
* Handshake confirmed via sudo wg show
* Rx/Tx values increase
* DuckDNS resolves
* Port forwarding works
## ❌ **What Fails**
* No internet access on the device
* Pages like https://1.1.1.1, bbc.co.uk, etc. never load
* tcpdump on wlan0 shows:
  * Local Pi traffic (DNS, PTR queries)
  * **No traffic from 10.100.0.2 (VPN client) exiting via wlan0**
## **Verified**
* cat /proc/sys/net/ipv4/ip_forward returns 1
* ip route get 1.1.1.1 from 10.100.0.2 iif wg0 returns:
1.1.1.1 from 10.100.0.2 via 192.168.0.1 dev wlan0
* ip link show wg0: UP, LOWER_UP, POINTOPOINT
* sudo wg show: valid handshake + active transfer
*Wireguard config looks like this:*
[Interface]
PrivateKey = ##################
Address = 10.100.0.1/24
ListenPort = 51820
MTU = 1420
Table = off
# NAT + Forwarding rules
PostUp = iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -o wlan0 -j ACCEPT
PostUp = iptables -A FORWARD -i wlan0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o wlan0 -j ACCEPT
PostDown = iptables -D FORWARD -i wlan0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT
I have tested many things, rebooted, and used the phone on 5G and a different Wi-Fi (not my home one) to test the VPN. Everything seems to be working except for the internet on my phone. Has anyone seen anything like this? AI did not give me other solutions.
*UPD*
iptables-save returns:
# Generated by iptables-save v1.8.9 (nf_tables) on Thu May 15 22:22:41 2025
*filter
:INPUT ACCEPT [7800:5661901]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4771:393678]
-A FORWARD -i wg0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Thu May 15 22:22:41 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Thu May 15 22:22:41 2025
*nat
:PREROUTING ACCEPT [2662:224849]
:INPUT ACCEPT [2647:223463]
:OUTPUT ACCEPT [60:4394]
:POSTROUTING ACCEPT [60:4394]
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
# Completed on Thu May 15 22:22:41 2025
and
sudo iptables-save returns:
# Generated by iptables-save v1.8.9 (nf_tables) on Thu May 15 22:22:41 2025
*filter
:INPUT ACCEPT [7800:5661901]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4771:393678]
-A FORWARD -i wg0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
# Completed on Thu May 15 22:22:41 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Thu May 15 22:22:41 2025
*nat
:PREROUTING ACCEPT [2662:224849]
:INPUT ACCEPT [2647:223463]
:OUTPUT ACCEPT [60:4394]
:POSTROUTING ACCEPT [60:4394]
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
Datacrawler
(101 rep)
May 13, 2025, 04:48 PM
• Last activity: May 15, 2025, 09:31 PM
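An audit of an iptables-save dump for the three things a WireGuard gateway needs (a MASQUERADE for the VPN subnet on the WAN interface, a FORWARD accept for packets arriving on the VPN interface, and either a return-path rule or a permissive FORWARD policy), plus a report of rules that appear twice in one table, like the doubled POSTROUTING line in the dump above. This is an added example, not code from the question or from PiVPN; the dump it checks is constructed here after the one posted above, and the subnet and interface names are parameters.

```shell
#!/bin/sh
# Added example (not from the question or PiVPN): audit an iptables-save dump
# for the rules a WireGuard gateway needs, and report exact duplicate rules.
# Usage: iptables_audit DUMP_FILE VPN_SUBNET VPN_IFACE WAN_IFACE
# Prints one finding per line; the exit status is the number of findings.
iptables_audit() {
  awk -v subnet="$2" -v vpn="$3" -v wan="$4" '
    /^[*]/       { table = substr($0, 2); next }           # "*filter" / "*nat"
    /^:FORWARD / { fwd_policy = $2; next }                 # ":FORWARD ACCEPT [0:0]"
    /^-A /       { if (seen[table ":" $0]++) dup[$0] = 1 } # same rule twice in one table
    table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
      # NAT out of the WAN interface, either unrestricted or for the VPN subnet
      if (index($0, "-o " wan " ") && (!/-s / || index($0, "-s " subnet " "))) nat = 1
    }
    table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
      if (index($0, "-i " vpn " ")) out_ok = 1                               # VPN -> anywhere
      if (index($0, "-i " wan " ") && index($0, "-o " vpn " ")) back_ok = 1  # replies back in
    }
    END {
      n = 0
      for (r in dup) { print "duplicate rule: " r; n++ }
      if (!nat)    { print "no MASQUERADE for " subnet " leaving " wan; n++ }
      if (!out_ok) { print "no FORWARD ACCEPT for packets arriving on " vpn; n++ }
      if (!back_ok && fwd_policy != "ACCEPT") {
        print "no FORWARD rule for replies " wan " -> " vpn " and the policy is " fwd_policy; n++
      }
      exit n
    }' "$1"
}

# Constructed sample dump, modelled on the iptables-save output posted above.
sample_dump() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o wlan0 -j MASQUERADE
COMMIT
EOF
}

dump=$(mktemp)
sample_dump > "$dump"
iptables_audit "$dump" 10.100.0.0/24 wg0 wlan0 || echo "$? finding(s)"
rm -f "$dump"
```

On the sample the only finding is the duplicated MASQUERADE rule (harmless, but a sign that PostUp ran twice without the matching PostDown); forwarding and NAT for 10.100.0.0/24 are present, so the rule set itself is not what blocks the client. One caveat for the tcpdump observation in the post: after MASQUERADE the packets leaving wlan0 carry the Pi's own 192.168.0.207 as source, so a capture on wlan0 filtered on 10.100.0.2 is expected to be empty even when forwarding works.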
0 votes, 2 answers, 88 views
Wireguard(tuntap) systemd oneshot timeout
### Environment
This is a VPS running Ubuntu Server 22.04.5. WireGuard uses tuntap instead of the kernel module.
### Script
/etc/wireguard/gw0.sh can start WireGuard correctly if run from the command line:
# cleanup
echo "$(date) - cleanup"
/usr/sbin/ip link del gw0 2>&1
/usr/sbin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE 2>&1
# setup
echo "$(date) - setup"
#/usr/sbin/ip tuntap add dev gw0 mode tun
/usr/bin/wireguard gw0 2>&1
/usr/sbin/ip a add 10.0.0.1/24 dev gw0
/usr/bin/wg set gw0 listen-port 12345
/usr/bin/wg set gw0 private-key /etc/wireguard/gw0.key
# wg0
/usr/bin/wg set gw0 peer allowed-ips 10.0.0.2/32
# wg1
/usr/bin/wg set gw0 peer allowed-ips 10.0.0.3/32
# start
echo "$(date) - start"
/usr/sbin/ip link set gw0 up 2>&1
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE 2>&1
# end
echo "$(date) - end"
exit 0
Output:
# /etc/wireguard/gw0.sh
Thu Dec 5 10:03:32 EST 2024 - cleanup
Cannot find device "gw0"
Thu Dec 5 10:03:32 EST 2024 - setup
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
Thu Dec 5 10:03:32 EST 2024 - start
Thu Dec 5 10:03:33 EST 2024 - end
### Systemd Service
/etc/systemd/system/gw0.service:
[Unit]
Description = Start Wireguard gw0
After = network-online.target
Wants = network-online.target
[Service]
Type = oneshot
ExecStart = /usr/bin/bash -c "/etc/wireguard/gw0.sh >> /tmp/gw0.log"
[Install]
WantedBy=multi-user.target
Starting the service always results in a timeout error, and there is no WireGuard process:
# systemctl start gw0.service
Job for gw0.service failed because a timeout was exceeded.
See "systemctl status gw0.service" and "journalctl -xeu gw0.service" for details.
# systemctl status gw0.service
× gw0.service - Start Wireguard gw0
Loaded: loaded (/etc/systemd/system/gw0.service; disabled; vendor preset: enabled)
Active: failed (Result: timeout) since Thu 2024-12-05 10:12:07 EST; 34s ago
Process: 95515 ExecStart=/usr/bin/bash -c /etc/wireguard/gw0.sh >> /tmp/gw0.log (code=exited, status=0/SUCCESS)
Main PID: 95515 (code=exited, status=0/SUCCESS)
Dec 05 10:10:37 mybox systemd: Starting Start Wireguard gw0...
Dec 05 10:12:07 mybox systemd: gw0.service: State 'stop-sigterm' timed out. Killing.
Dec 05 10:12:07 mybox systemd: gw0.service: Failed with result 'timeout'.
Dec 05 10:12:07 mybox systemd: Failed to start Start Wireguard gw0.
# journalctl -xeu gw0.service
Dec 05 10:10:37 mybox systemd: Starting Start Wireguard gw0...
░░ Subject: A start job for unit gw0.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit gw0.service has begun execution.
░░
░░ The job identifier is 2611.
Dec 05 10:12:07 mybox systemd: gw0.service: State 'stop-sigterm' timed out. Killing.
Dec 05 10:12:07 mybox systemd: gw0.service: Failed with result 'timeout'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit gw0.service has entered the 'failed' state with result 'timeout'.
Dec 05 10:12:07 mybox systemd: Failed to start Start Wireguard gw0.
░░ Subject: A start job for unit gw0.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit gw0.service has finished with a failure.
░░
░░ The job identifier is 2611 and the job result is failed.
However, /tmp/gw0.log shows the script completed:
Thu Dec 5 10:10:37 EST 2024 - cleanup
Thu Dec 5 10:10:37 EST 2024 - setup
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
Thu Dec 5 10:10:37 EST 2024 - start
Thu Dec 5 10:10:37 EST 2024 - end
### Question
Does anyone have a clue how to make gw0.service work?
John Siu
(4832 rep)
Dec 5, 2024, 03:24 PM
• Last activity: May 7, 2025, 05:03 PM
1 vote, 0 answers, 23 views
How to simplify multi-VPN management (WireGuard/OpenVPN) and secure password handling?
I frequently switch between different VPN configurations on Linux:
- WireGuard (wg-quick up/down)
- A corporate OpenVPN profile (sudo openvpn corp.ovpn, which prompts for a private key password)
Right now I manually run all commands in the terminal: bringing interfaces up/down, entering passwords, setting DNS routes with resolvectl, etc. It works, but it's slow and clunky for daily workflow.
I'm looking to:
- Handle OpenVPN passwords securely (without storing them in plaintext on disk).
- Quickly see VPN connection status (e.g., connected/disconnected) and minimize manual steps.
**Question:**
What are good practices or tools for this kind of VPN management on Linux?
Would you recommend using systemd units, wrapper scripts, secret-tool (libsecret), or something else to make password input safer?
I'd appreciate any examples, references, or your personal setups if you built something similar.
Thanks!
S1mY
(21 rep)
Apr 26, 2025, 10:35 AM
2 votes, 1 answer, 202 views
`ip route get` and `traceroute` display conflicting information
I have a host machine and a guest VM. I am running a WireGuard VPN tunnel on the VM and would like to forward all traffic from the host to the VM and eventually through the VPN tunnel.
The production setup will be more complex, but for now, I just want to make sure I am configuring the routes correctly on the host.
On the host:
# ip route show table all
default via 10.0.0.1 dev enp1s0 table lan
default via 10.1.0.20 dev virbr0 metric 128
default via 10.0.0.1 dev enp1s0 proto dhcp src 10.0.0.100 metric 1024
10.0.0.0/24 dev enp1s0 proto kernel scope link src 10.0.0.100 metric 1024
10.0.0.1 dev enp1s0 proto kernel scope link src 10.0.0.100 metric 1024
# ip rule
0: from all lookup local
32764: from 10.1.0.0/24 lookup lan
32766: from all lookup main
32767: from all lookup default
# ip route get 1.1.1.1
1.1.1.1 via 10.1.0.20 dev virbr0 src 10.1.0.1 uid 0
cache
# traceroute 1.1.1.1
1 _gateway (10.0.0.1) ...
...
So it appears that the result of ip route get 1.1.1.1 does not agree with the actual route chosen when I use traceroute 1.1.1.1.
What might be the cause of this?
---
**EDIT**
It turns out ping 1.1.1.1 was quite helpful because I noticed the message "Redirect Host(New nexthop: 10.1.0.1)". This is part of IP that I was not familiar with, but apparently gateways will try to be efficient and send ICMP messages if there is a more direct route.
The working configuration:
# ip route show table all
default via 10.0.0.1 dev enp1s0 table lan
10.0.0.1 dev enp1s0 table lan scope link
default via 10.1.0.20 dev virbr0 metric 128
default via 10.0.0.1 dev enp1s0 proto dhcp src 10.0.0.100 metric 1024
10.0.0.0/24 dev enp1s0 proto kernel scope link src 10.0.0.100 metric 1024
10.0.0.1 dev enp1s0 proto dhcp scope link src 10.0.0.100 metric 1024
10.1.0.0/24 dev virbr0 proto kernel scope link src 10.1.0.1
So it looks like the missing components were:
10.0.0.1 dev enp1s0 table lan scope link
10.1.0.0/24 dev virbr0 proto kernel scope link src 10.1.0.1
Although I'm still not sure why packets were routed to the wrong gateway instead of being returned as unroutable.
---
**EDIT 2**
The configuration mistake was having ip rule add from 10.1.0.0/24 table lan instead of ip rule from 10.1.0.20 table lan. Because the host has the IP address 10.1.0.1, which is in 10.1.0.0/24, packets sent from the host were hitting that table.
Still unsure of why 10.0.0.1 was not reported by ip route get. Maybe I needed to use ip route get from 10.0.0.100 to 1.1.1.1?
Ben Little
(21 rep)
Sep 23, 2024, 06:30 PM
• Last activity: Mar 28, 2025, 07:55 AM
0 votes, 0 answers, 95 views
bash nmcli cmd reporting Error: invalid extra argument '--autoconnect=false'
I want to import my vpn.conf file using nmcli and set **autoconnect to 0**, otherwise it defaults to 1.
Apparently the correct way is by specifying the **--autoconnect=false** flag, but this results in an error.
nmcli connection import file vpn.conf type wireguard --autoconnect=false
Error: invalid extra argument '--autoconnect=false'
I am aware I can run a second command afterwards, but this is extraneous; it should be settable upon import, which saves running multiple commands:
nmcli con mod connection.autoconnect no
Rachel1983
(23 rep)
Feb 8, 2025, 12:52 AM
Showing page 1 of 20 total questions