100% connection
Just curious, how many of you run WireGuard all the time on particular devices that are mobile? iPhone, Android, macOS or Windows. Or do you use it only when you need it?
https://redd.it/1q1qkww
@r_wireguard
wg-easy works on my TrueNAS machine but not my Alpine machine
As far as I can tell, I have the exact same setup for wg-easy on both of these devices: Nginx Proxy Manager has a proxy host called `wireguard.[machine].mydomain.com` pointing at port 51821, and within the wg-easy admin panel the connection host is set to that URL and the port to 51820.
But when I set my router to port forward to the TrueNAS host and try the client on that, it works, but not if I do the same for the Alpine host. What could I be missing here?
I've pasted my docker-compose files in this Pastebin. I'm unable to see a docker-compose file for the instance of Nginx Proxy Manager running on my TrueNAS system, since it's the one from the app catalogue.
https://redd.it/1q2bwyv
@r_wireguard
I would like to communicate with a device in another site connected to a hosted network using WireGuard, but it does not work
https://redd.it/1q2b5w4
@r_wireguard
WireGuard clients cannot connect to outside resources when using Technitium DNS
Hi there, I am currently running two containers that are of concern right now. I have Technitium DNS, which is running in host network mode and acting as a recursive DNS resolver. This works wonderfully, and it is the DNS for my entire network.
My second container is what has been stumping me, though. I have tried wg-easy, wireguard from linuxserver, and even Tailscale. However, the result is the same. While initiating a WireGuard connection to my server, if I use Technitium DNS as the DNS server for clients (using 192.168.1.x) I can only connect to local services. However, using 1.1.1.1 works just fine. How have you guys been able to WireGuard into your devices and use your own DNS server for it?
https://redd.it/1q2inhr
@r_wireguard
Wireguard config Japan
Does anyone have or can help me fix a config for Japan?
Regards, J
https://redd.it/1q2qlnr
@r_wireguard
Windows client connected once and dropped connection shortly after
The issue in short: one Linux host (Deb 13) running WireGuard, one Windows 11 client (GUI WireGuard). Keys are fine, endpoints resolve and are fine, addresses look fine (at least to me, I'll paste all the config stuff below), yet for some reason it was only able to handshake once for about 30 seconds before it dropped the connection, and has since been unable to handshake, even when using a new client priv/pub key and a new address.
To preface, I am very, very, very new to networking. Beyond knowing the basics like how some protocols work, subnets, etc., I've had no real deep-dive exposure to this kind of thing. To fix this, I am building a home server which I would like to be reasonably accessible from outside my LAN, supporting SSH, upload/download (obviously), HTTP etc., with a stack that could at some point support an Android app and website (way off into the future from now). My "server" right now is just an old revived HP Z420 with a headless Debian 13 install. My home IPv4 is unfortunately behind a CGNAT, so my plan so far has been to use the server's global IPv6 (through a DDNS which is updated by the server every 5 minutes) over WireGuard. It may be worth mentioning that the server is too far to be connected by Ethernet to the router, so I'm using a USB network adapter. I don't think this is the root cause because I feel like I would get at least more than one handshake every now and then. idk.
I guess to recap what exactly I've done and tried so far: my router's IPv6 firewall has been updated to allow UDP traffic on 51820 to the entire 2001... /64 subnet (I know this is probably really suboptimal, but it seems to be okay at least until my ISP rotates). My configs look like this. Again, I promise you the keys are fine:
```
# For the SERVER
[Interface]
Address = 10.0.0.1/8
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = #

[Peer]
PublicKey = #
AllowedIPs = 10.0.0.2/32
# the port below changes with the laptop reactivation btw
Endpoint = [my laptop temp ipv6]:58281

# For the CLIENT
[Interface]
PrivateKey = #
Address = 10.0.0.2/8

[Peer]
PublicKey = #
AllowedIPs = 10.0.0.1/32
Endpoint = [my ddns]:51820
PersistentKeepalive = 25
```
For what it's worth, I'll also paste in my shoddy Windows 11 firewall rules that I tried. I previously had the host on an IPv6 address internally too before I changed them to IPv4 in the tunnel. These are from when it was IPv6 so it's probably not this. Also, this same issue happened on IPv6, then when I switched and re-added the client, it did the same problem I described.
```
Name : {idk if this has to be redacted lol (probably not)}
DisplayName : Allow WireGuard IPv6
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId :
PackageFamilyName :
Name : {idk if this has to be redacted lol (probably not 2)}
DisplayName : Allow WireGuard SSH
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId :
PackageFamilyName :
Name : {this one had a different hash (its a hash right?)}
DisplayName : Allow WireGuard SSH
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId :
PackageFamilyName :
Name : {}
DisplayName : WG Allow ICMPv6 In
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId :
PackageFamilyName :
Name : {}
DisplayName : WG Allow ICMPv6 Out
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Outbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId :
PackageFamilyName :
```
I was trying to get pings to work; I guess I thought that ICMPv6 was blocked. Not sure if it matters, but I'm forcing Debian to use the legacy iptables instead of nft-iptables.
I notice some people have DNS in their configs, but I'm not sure if that's causing it. I had a DNS attribute during the IPv6 "era", then omitted it when the guide I watched more recently omitted it. It seems obvious to me that the server and client see each other, because when I reactivate the client, the server catches it immediately. I have `watch wg show wg0` on another monitor (while I'm SSH-ed on the server via LAN on my laptop).
I genuinely don't know if I left out any more appropriate information or if this is even the most appropriate place to ask for help. It's super late at night right now so I'll be going to bed, but please, please, please, any help is appreciated. I can answer any questions if more context is needed. I would post the logs too but my dumbass left the tunnel open so it's just been failing handshakes for the last 4 hours, causing me to lose the handshake log.
https://redd.it/1q2snx4
@r_wireguard
WireGuard (wg-easy) not working in Docker with Pi-hole
Hi, I'm trying to set up WireGuard with wg-easy and make it use my Pi-hole container. Pi-hole works fine, but WireGuard on the clients is dead, although the web UI works fine. The logs on the clients read
`Handshake timeout after 5 seconds`
all the time. I've tried to set up both of them in the same Docker network but idk anymore. It works perfectly without Docker, using pivpn instead of wg-easy.
Here's the full docker-compose.yml file: https://pastebin.com/RShqmDxW
If anyone knows how to fix this, thanks a lot! I'm kinda new to Docker so maybe I'm screwing it up without noticing.
https://redd.it/1q2vqzi
@r_wireguard
mDNS through WireGuard
Hey everyone,
I’ve been trying to get mDNS name resolution working through WireGuard for a while, and I finally found a solution that works for me. It is probably not the most elegant setup, but since I couldn’t find a satisfying solution online, I wanted to share my approach.
**TL;DR:**
WireGuard clients send `.local` lookups as DNS queries when a DNS server is configured. I run [avahi2dns](https://github.com/LouisBrunner/avahi2dns) and [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) on the WireGuard server:
* dnsmasq handles all DNS requests
* only `.local` queries are forwarded to avahi2dns
* avahi2dns translates them to mDNS and back - mDNS hostnames are now resolved over WireGuard.
————
My use case: I wanted my phone to access my home network through WireGuard and be able to resolve devices via mDNS.
As expected, mDNS does not get routed (TTL = 1), so the usual advice is to avoid mDNS and switch to DNS instead. The two obvious approaches didn’t work for me:
* Run a dedicated DNS server in the network:
* I did not want my local DNS requests to fail whenever the dedicated DNS server goes offline.
* Forward DNS requests to my router, which acts as DNS for the LAN:
* My router doesn’t have a DNS server. It only forwards queries to my ISP’s DNS.
I also tried [mdns-repeater](https://github.com/geekman/mdns-repeater) and the [avahi reflector](https://manpages.debian.org/unstable/avahi-daemon/avahi-daemon.conf.5.en.html#SECTION_%5BREFLECTOR%5D), but had no luck with them.
Then I noticed something interesting: when a DNS server is configured in the WireGuard client, it transforms mDNS lookups into DNS lookups. For example when running `ping host.local`, a standard DNS A-record is sent to the WireGuard server.
I am not sure if this is intended behaviour or a side effect, so if anyone knows more, I would love to hear an explanation.
Once I realized this, the rest was simple: convert incoming DNS `.local` queries to mDNS and send the result back as a DNS response. I found this repository [avahi2dns](https://github.com/LouisBrunner/avahi2dns) which converts DNS to mDNS.
Running it like this:
./avahi2dns -p 53 -a '0.0.0.0' -d 'local'
lets the WireGuard server resolve `.local` hostnames via mDNS.
To avoid having to start it manually after every reboot, I run avahi2dns as a systemd service on the WireGuard server.
But obviously, I don’t want *all* DNS queries to go to avahi2dns.
So I added [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) between WireGuard and avahi2dns.
I added `server=/local/127.0.0.1#5454` to the dnsmasq config and let avahi2dns run on port 5454 instead of 53.
This setup means:
* dnsmasq resolves normal DNS queries
* only `.local` queries get forwarded to avahi2dns
* WireGuard clients use dnsmasq as their DNS server
* mDNS names now resolve properly over the VPN
Bonus: dnsmasq also lets me add an adblocking list for my WireGuard clients.
If anyone has a cleaner approach or knows why WireGuard translates mDNS queries to normal DNS queries when a DNS server is set, I would be really interested.
Hope this helps someone!
Environment (for reference):
WireGuard client: WireGuard for Android v1.0.20260102
WireGuard server: Debian GNU/Linux 12 (bookworm) / WireGuard 1.0.0
avahi2dns: version 0.1.0
dnsmasq: version 2.90
https://redd.it/1q2yhw8
@r_wireguard
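The dnsmasq drop-in and the avahi2dns service unit for the split-forwarding setup the post describes, as an added example that is not the poster's own configuration. It assumes (all constructed) that the tunnel interface is `wg0`, that avahi2dns is installed at `/usr/local/bin/avahi2dns`, and that 9.9.9.9 is the upstream resolver; it also adds two details the post does not mention: dnsmasq listens only on the tunnel interface and avahi2dns only on loopback, and dnsmasq's rebind protection is enabled with `.local` exempted, since avahi2dns legitimately answers with private LAN addresses.

```shell
#!/bin/sh
# Added example, not the poster's files: renders the dnsmasq drop-in and the
# avahi2dns unit for the split-forwarding setup above. Constructed assumptions:
# tunnel interface wg0, avahi2dns at /usr/local/bin, 9.9.9.9 as upstream resolver,
# DESTDIR to render the files under a scratch directory instead of /.
set -eu
WG_IF="${WG_IF:-wg0}"
A2D_PORT="${A2D_PORT:-5454}"
UPSTREAM="${UPSTREAM:-9.9.9.9}"
DESTDIR="${DESTDIR:-}"

write_dnsmasq_conf() {
  mkdir -p "$DESTDIR/etc/dnsmasq.d"
  cat > "$DESTDIR/etc/dnsmasq.d/wg-mdns.conf" <<EOF
# Listen only on the tunnel (dnsmasq adds loopback itself), so the resolver
# is never reachable from the public interface; bind-dynamic survives wg0 restarts.
interface=$WG_IF
bind-dynamic
# Ignore /etc/resolv.conf; one explicit upstream for everything ...
no-resolv
server=$UPSTREAM
# ... except *.local, which avahi2dns answers via mDNS.
server=/local/127.0.0.1#$A2D_PORT
# Drop upstream answers that point at private ranges (rebind protection),
# but allow them for .local, where private LAN addresses are the point.
stop-dns-rebind
rebind-domain-ok=/local/
EOF
}

write_avahi2dns_unit() {
  mkdir -p "$DESTDIR/etc/systemd/system"
  cat > "$DESTDIR/etc/systemd/system/avahi2dns.service" <<EOF
[Unit]
Description=DNS to mDNS bridge for WireGuard clients (avahi2dns)
After=network-online.target avahi-daemon.service
Wants=avahi-daemon.service
[Service]
# Loopback only: dnsmasq is the sole client, so nothing else needs to reach it.
ExecStart=/usr/local/bin/avahi2dns -p $A2D_PORT -a 127.0.0.1 -d local
Restart=on-failure
NoNewPrivileges=yes
ProtectSystem=strict
[Install]
WantedBy=multi-user.target
EOF
}

# Only touch the live system when explicitly asked: sh wg-mdns.sh install
case "${1:-}" in install) write_dnsmasq_conf; write_avahi2dns_unit ;; esac
```

After `systemctl enable --now avahi2dns` and a dnsmasq restart, point the WireGuard clients' `DNS =` at the server's tunnel address; `.local` names resolve via avahi2dns and everything else via the upstream.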
Linux Routing Table Trouble
I have a wireguard server configured so that connected peers have 192.168.2.x tunnel interface addresses and can access the server's "home" 192.168.0.0/24 network. With my phone, this works great - I have access to my local network while still having direct internet access. The only detail being that when connected to wifi and wireguard connected, 192.168.0.1 would be my server's gateway rather than the local wifi router.
When I tried to do the same with my Arch Linux machine, however, the connection works for maybe 30 seconds, then no connection on 192.168.0.0/24 OR 192.168.2.0/24. Ping hangs, as does the `route` command (though not `ip r` or `netstat -nr`). I have to `ip route del 192.168.0.0/24 dev wg0` for both the .0 and .2 networks to start working again. What could be going on?
Here's the routing table (`ip r`):
>default via 192.168.0.1 dev eth0
>127.0.0.0/8 via 127.0.0.1 dev lo
>192.168.0.0/24 dev wg0 scope link
>192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.
https://redd.it/1q317dy
@r_wireguard
Wireguard clients cannot connect to outside resources when using Technitium DNS
Hi there, I am currently running two containers that are of concern right now. I have Technitium DNS, which is running in host network mode and acting as a recursive DNS resolver. This works wonderfully, and is the DNS for my entire network.
My second container is what has been stumping me, though. I have tried wg-easy, wireguard from linuxserver, and even tailscale. However, the result is the same. While initiating a wireguard connection to my server, if I use technitium DNS as the DNS server for clients (using 192.168.1.x) I can only connect to local services. However, using [1.1.1.1](http://1.1.1.1) works just fine. How have you guys been able to wireguard into your devices and use your own DNS server for it?
https://redd.it/1q2inhr
@r_wireguard
I would like to communicate with device in another site connected to hosted network using wireguard, but it does not work
https://redd.it/1q2b5w4
@r_wireguard
Wireguard config Japan
Does anyone have, or can anyone help me fix, a config for Japan?
Regards, J
https://redd.it/1q2qlnr
@r_wireguard
Looking for some assistance on how to install WIREGUARD on my TP-LINK AX3000 router.
The description pretty much sums it up. Was able to locate the area where to install the starts, just not sure how to get started. Thanks!
https://redd.it/1q38dcs
@r_wireguard
WireGuard tunnel in OPNsense
Hello,
I'm fairly new to OPNsense and VPN in general.
I have a WireGuard tunnel that I am using as part of a seedbox on my PC.
I now want to extend this to the whole household, so I got a mini PC and put OPNsense on it, as WireGuard is a plugin that works there.
Once I activate the tunnel, though, I am not getting access to the internet nor a handshake back.
I tried everything I found across Reddit/Google and ChatGPT to no avail.
Created the instance
Created the peer
Added the interface
Nothing.
Can someone who is smarter than me help?
Thank you
https://redd.it/1q3page
@r_wireguard
Why no iOS/macOS updates for Wireguard? Android does get updates all the time...
Can you tell me why iOS/macOS see no updates for their systems (for nearly 3 years now)? On Android you get updates all the time. See here: https://play.google.com/store/apps/details?id=com.wireguard.android
vs.
https://apps.apple.com/us/app/wireguard/id1451685025
https://redd.it/1q3tahy
@r_wireguard