This was manually solved, I didn’t check any other comment till the issue was fixed.
Take a look at my comment.
Thank you all for helping!
Hello.
I have wireguard set but the second it runs, services like ssh (22) and smb (455/445?) stop working.
nmap thinks my system is down.
Here is my config, I followed debian’s guide since my server is Deb12:
[Interface]
Address = 192.168.1.120/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp1s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp1s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = XXX
[Peer]
PublicKey = xxx
AllowedIPs = 192.168.1.230/32
Endpoint = 192.168.1.230:50104
No extra config was made.
Could be your routing rules? Here’s what I use and it routes to anything inside my home network:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Just be sure to replace eth0 with the name of your adapter before you try it.
Edit:
Almost forgot, I’ve also enabled routing on my server as well; here are the steps I took to enable that:
To configure forwarding, open the /etc/sysctl.conf file on your Wireguard Server using nano or your preferred editor:
sudo nano /etc/sysctl.conf
If you are using IPv4 with WireGuard, add the following line at the bottom of the file:
net.ipv4.ip_forward=1
If you are using IPv6 with WireGuard, add this line at the bottom of the file:
net.ipv6.conf.all.forwarding=1
If you are using both IPv4 and IPv6, ensure that you include both lines. Save and close the file when you are finished.
To read the file and load the new values for your current terminal session, run:
sudo sysctl -p
Output:
net.ipv6.conf.all.forwarding = 1 net.ipv4.ip_forward = 1
Now your WireGuard Server will be able to forward incoming traffic from the virtual VPN ethernet device to others on the server and its LAN (if the LAN subnet is included in the AllowedIPs in the Wireguard config)
Unfortunely that didn’t work.
The WG server is also servicing SSH and SMB.
Perhaps your samba system isn’t listening on your Wireguard IP?
Hey, you just shared your private key to the world. You should remove it from your example and immediately rotate it.
And fourth, because you may think of I’m so obscure noone will ever find me, but https://www.google.com/search?q=ipv4+scan+time
I am not sure but your AllowedIPs and Endpoint should be in separate subdomain right?
Solved:
IP Table: Server : 192.168.1.120 / wg0 : 10.0.0.1 Client : 192.168.1.230 / wg0 :10.0.0.2
Server:
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o wlp1s0 -j MASQUERADE
PostUp = ip rule add table 200 from 192.168.1.230
PostUp = ip route add table 200 default via 192.168.1.1
PreDown = iptables -t nat -D POSTROUTING -o wlp1s0 -j MASQUERADE
PreDown = ip rule delete table 200 from 192.168.1.230
PreDown = ip route delete table 200 default via 192.168.1.1
ListenPort = 51820
PrivateKey = XXX
[Peer]
PublicKey = yyy
AllowedIPs = 0.0.0.0/0
Client:
[Interface]
Address = 10.0.0.2/24
PrivateKey = YYY
[Peer]
AllowedIPs = 10.0.0.0/24
Endpoint = 192.168.1.120:51820
PublicKey = xxx
Why is this needed? I have the minimal config for both server and client and smb and ssh bith work without issue.
Would you mind sharing the config (without keys)?
This is my first time using WG.
There is nothing special about the config, it’s the most basic config you can have as shown in the example at the bottom of this page.
https://docs.opnsense.org/manual/how-tos/wireguard-client.html
The part that was a bit complex is the ‘server’ setting. My server is on my router (opnsense) so you need to opnsense specific settings.
I suspect the reason you need the extra stuff is because of how the Debian server is setup so that stuff will vary if you ever try to run another ‘server’ node. (I put server in quotes because wireguard doesn’t actually have server and client as a concept)
