WireGuard - Reddit – Telegram
367 subscribers
282 photos
5 videos
9.06K links
News and discussion for the Wireguard VPN

Subreddit: https://www.reddit.com/r/wireguard
Powered by : @r_channels & @reddit2telegram
Need help finding the issue.

Hey people,

I'm running multiple (60+) mobile CCTV towers (running on LTE) connected through WireGuard on a rented server to my central monitoring software, which gets sent any alarm streams from these towers.
Connection works fine 98% of the time, but then all of a sudden I only receive the empty alarm stream without any video material (only lasts for a couple of seconds to maybe 2-3 minutes), as if the VPN connection completely drops. This is not the case, as at least the data "hey, there's something going on here" is being sent.

WireGuard log shows keys being destroyed, sometimes (rarely) keepalive being sent and received.

MTU was tested on 1200/1384/1450.

Keepalive was tested on 10/15/25

UDP Port is forwarded on both sides, incoming and outgoing.

allocated ip xx/32 - allowed ip xx/24

Allowed IPs on the towers is set to the central monitoring host only, so they don't try to communicate with each other at all.

This happens every 2-3 hours and I'm going nuts. I've been trying to figure something out for the past 2 weeks.

Any ideas? Anything I could test?

```sh
iptables -t nat -A POSTROUTING -s xx.xx.xx.xx/24 -o eth0 -j MASQUERADE
iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT
```

This is the post-up script I'm running.

Any help is welcome, thanks!

https://redd.it/1r8hbp4
@r_wireguard
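An added example, not from the post, to go with the "keys being destroyed" and keepalive log lines above: a small Python monitor over `wg show wg0 dump` output that buckets every peer by handshake age against WireGuard's own protocol timers, so a fleet of towers can be checked for peers whose session actually stalled instead of reading the log by eye. The dump text, tower keys, endpoints and timestamps are constructed placeholders.

```python
# WireGuard protocol timers, in seconds (from the protocol specification).
REKEY_AFTER_TIME = 120   # an active initiator starts a fresh handshake once the current one is this old
REJECT_AFTER_TIME = 180  # session keys older than this are refused; traffic waits on a new handshake
ZERO_KEYS_AFTER = 3 * REJECT_AFTER_TIME  # no handshake for this long: keys are wiped ("destroyed" in the log)

NOW = 1_700_000_000  # constructed "current time" so the sample is deterministic

# Constructed sample of `wg show wg0 dump` (tab-separated; keys are placeholders, not real keys).
# Line 1: private-key  public-key  listen-port  fwmark
# Peers:  public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  persistent-keepalive
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY_PLACEHOLDER=", "SERVER_PUBKEY_PLACEHOLDER=", "51820", "off"]),
    "\t".join(["TOWER01_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.11:41222", "10.8.0.11/32", str(NOW - 30), "912345", "48210", "25"]),
    "\t".join(["TOWER02_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.12:52011", "10.8.0.12/32", str(NOW - 150), "77201", "40110", "25"]),
    "\t".join(["TOWER03_PUBKEY_PLACEHOLDER=", "(none)", "203.0.113.13:60301", "10.8.0.13/32", str(NOW - 900), "10002", "3990", "25"]),
    "\t".join(["TOWER04_PUBKEY_PLACEHOLDER=", "(none)", "(none)", "10.8.0.14/32", "0", "0", "0", "25"]),
])


def parse_wg_dump(dump_text):
    """Parse the dump format into (listen_port, [peer dicts])."""
    lines = [ln for ln in dump_text.splitlines() if ln.strip()]
    _priv, _pub, listen_port, _fwmark = lines[0].split("\t")
    peers = []
    for ln in lines[1:]:
        pub, _psk, endpoint, allowed, hs, rx, tx, keepalive = ln.split("\t")
        peers.append({
            "public_key": pub,
            "endpoint": endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(hs),  # Unix time; 0 = never handshaked
            "rx": int(rx),
            "tx": int(tx),
            "keepalive": keepalive,       # "off" or the interval in seconds
        })
    return int(listen_port), peers


def handshake_state(latest_handshake, now):
    """Bucket one peer's handshake age against the protocol timers."""
    if latest_handshake == 0:
        return "never"
    age = now - latest_handshake
    if age <= REKEY_AFTER_TIME:
        return "ok"
    if age <= REJECT_AFTER_TIME:
        return "rekey-due"  # normal on a quiet link, but worth watching
    if age <= ZERO_KEYS_AFTER:
        return "stale"      # session keys expired; nothing passes until a new handshake completes
    return "zeroed"         # keys wiped; the next packet needs a full handshake


def classify_peers(dump_text, now):
    """Return {public_key: state} for every peer in the dump."""
    _port, peers = parse_wg_dump(dump_text)
    return {p["public_key"]: handshake_state(p["latest_handshake"], now) for p in peers}


def peers_needing_attention(dump_text, now):
    """Public keys of peers whose session is stale, zeroed or never established."""
    states = classify_peers(dump_text, now)
    return sorted(k for k, s in states.items() if s in ("stale", "zeroed", "never"))


if __name__ == "__main__":
    for key, state in classify_peers(SAMPLE_DUMP, NOW).items():
        print(f"{key:32} {state}")
    print("needs attention:", peers_needing_attention(SAMPLE_DUMP, NOW))
```

On a live box, feed it the output of `wg show wg0 dump` and the current Unix time; a tower that keeps landing in "stale" or "zeroed" while its LTE link is up is the one to correlate with the video gaps.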
Gold standard for homelab app-only access + max security + seamless transition?

I'm trying to nail down the absolute best way to expose only specific apps like nextcloud, jellyfin and immich to the outside world. My setup is a bare metal pfsense, bare metal proxmox (Apps are running here) and bare metal truenas. I have a dynamic public ipv4 from my ISP.

Strict rule: I need absolutely zero admin access from outside. This is only for apps access from "outside". If I need to admin, I'll do it from home.

The goal is maximum security combined with seamless comfort. If I am coming home from work, switching 5G to our wifi, the nextcloud auto-upload and jellyfin streams should just keep working without anyone having to manually toggle a vpn on or off.

I am totally fine with renting a cheap vps for a few bucks a year if it's the best way. I've looked at all the options and am stuck:

1. Opening port 443 on pfsense to a local reverse proxy like haproxy or npm with strict geoblocking.
2. Renting a vps, putting the reverse proxy on the vps, and routing traffic through a wireguard tunnel back to my pfsense so my home ip stays completely hidden and no ports are open at home.
3. Cloudflare tunnels, though I hate the tls decryption part and the media upload limits for nextcloud/jellyfin.
4. Tailscale or plain wireguard, but that breaks the seamless comfort for non tech family members and makes sharing links a pain.

What is the actual gold standard right now for this exact scenario? Is a vps with a tunnel back home significantly safer than just opening 443 on a locked down pfsense? And how do you guys handle the seamless transition between 5G and home wifi elegantly without hairpin nat issues?

Thanks!

https://redd.it/1r7z3bi
@r_wireguard
Wireguard blocked

I have a family member who is living in a country where a lot of western social media websites are restricted. They have to use many different VPNs to bypass this. I gave them access to my home network through WireGuard VPN running on PiVPN. I was expecting that because this is not a widely used VPN, they would not block it. To my surprise, within a day, they can no longer use it. I now understand ISPs can see when clients are using a VPN. Is there a way to bypass this? Day by day more VPNs are getting blocked and I want to make their life easy.

https://redd.it/1r7je8g
@r_wireguard
Ping works between host and client, but no websites can be accessed. Very little data received

I have wg-easy running in a docker container on an Ubuntu host machine. When I activate a client, they can't reach any websites, either remote or local. When I look in the admin dashboard, the client can easily send data, but hardly anything is received. However, I can ping the client from the host machine and the host machine from the client. This is the only way I can get the data received to increase.
I have:
- Opened port 51820
- Checked that I can ping external and local websites from the wg-easy container

I simply can't figure out why I can't get WireGuard working.

https://redd.it/1r7ijh8
@r_wireguard
Recent issue with iOS

Hi, all! After the recent upgrade to iOS 26.3, my on-demand connection is acting funny.

My set up is using the WireGuard iOS app and set for on-demand for both cellular and wifi networks with excluded networks.

Whenever I move from cellular to a wifi network, the device won’t switch to wifi unless I toggle the VPN off/on in the WireGuard iOS app. When I go to my wifi connections before toggling the VPN off, the network shows connected but displays a “No Internet Connection” warning. As soon as I toggle the VPN off, the wifi connects immediately. I can then turn the toggle back on and everything works fine until the next transition from cellular to wifi.

Is anyone else running into this issue? Any ideas?

Update: it turns out something on my config was messed up. Moved it to split tunnel and that fixed my issue

https://redd.it/1r7ag3c
@r_wireguard
Cannot RDP into Pi from local Windows machine after installing Wireguard.

Hi everyone, apologies if this is not the correct place to post this. However, as the issue occurred after installing WireGuard, I figured WG was the culprit.

Setup and problem:

I have a headless RP4 running Pi OS and pretty much nothing else. I installed WG so I could access my local network remotely, mostly just for streaming. That aspect of it works perfectly. No issues there. However, since the install I am unable to access the Pi from my local Windows machine. In the past I would just type in the IP of the Pi, connect, and a moment later see the Pi desktop. After installing WG I am no longer able to do that. It times out and throws a generic error (check IP, make sure machine is available etc).

What I have tried so far:

Pinging the Pi from my desktop - ping is fine, replies normally, with or without WG running.

Following various guides online for adjusting MTU, images will show 1420, however I've tried 1380 and 1320, neither makes a difference.

Adding my desktop local IP address under the 'allowed IPs' section - doesn't allow my connection, but does occasionally break the whole setup depending on the formatting I use to add the IP. My local is 192.168.1.2, which I've tried adding as 192.168.1.2/24 (or 32) although my local network is a /24 subnet. I've tried allowing all IPs with 0.0.0.0/32, which broke everything.

Reinstalling WG and following the setup again to ensure I did not make any silly mistakes (this is still quite possible as I'm somewhat new to Linux based systems).

Adding the POST UP and POST DOWN lines - this was in one of the many troubleshooting guides I followed, it hasn't fixed it but hasn't broken anything (obvious at least), I've left it there purely for troubleshooting images.

Disabling WG service to connect to Pi without it - does not seem to actually disable WG, even after manually stopping the service. Still prevents RDP, the only way I've managed to RDP is removing WG completely.

The usual update, upgrade, reboot, clean process.

 

Other notes:

I don't *think* my desktop is causing the problem, although M$ does love to break things with updates so I'm not ruling it out completely. But it connects to other devices and has had no changes since RDP worked. (Windows 10 latest updates).

If you need any other configs or info, please ask. As I said, I'm new to Linux so there may be debug info I am not aware of.

It's likely that the problem is quite obvious and I'm having a 'can't see the forest for the trees' moment. You know how it is after several hours of troubleshooting. Everything is IPs and .conf files.

Thank you in advance, if you think I should cross post this on /r/raspberry_pi I will do.

[Configs here.](https://imgur.com/a/eVSzby0)

 

*UPDATE - Thank you all for the advice and time you've given me.*

I have finally got it working. As it annoys me when people resolve something and don't update their post, here is what I ended up doing. I am not exactly sure which step resolved it, as I only tested once I'd done all of them but perhaps someone with more knowledge than me can confirm.

Step 1. Completely removed WG, cleaned temp files / cache.

Step 2. Reset / restored routing tables.

Step 3. Reinstalled WG. As WG states in the manual, it pulls info it needs from Pihole, so I thought I'd check those config files.

Step 4. Noticed in the configs that pivpnDNS1 was still set to WG, not to Pihole as it should have automatically done. Updated the IP. (I *think* this might be what fixed it).

Step 5. WG didn't seem to like the POSTUP / DOWN code that I added manually. It's entirely possible I made an error, but after running debug on various things it added it back in automatically and seemed exactly the same.

Step 6. Ran PiVPN -d to confirm any issues. Once this reported everything was good, I tested and I could access the Pi from my local Windows machine with RDP. I did reinstall xrdp but no changes were made.

*Second unrelated issue I encountered with RDP and PiConnect that I resolved for anyone that runs into this in the future.*

Because I got sick of switching my monitor from the Pi to my desktop, I started using PiConnect so I could use both simultaneously. However, once I got RDP working, PiConnect would not work. This is an issue with the Pi needing Wayland software (X11 protocols?) for RDP to work and labwc for PiConnect to work.

I don't really need PiConnect as my goal was just to access it locally, but it got the better of me that both weren't working. Here is what I did to fix it.

Step 1. Added line "wayland=on" to /boot/firmware/cmdline.txt. Add it at the end with a space. Found [here.](https://www.raspberrypi.com/documentation/computers/configuration.html) I am running the latest OS so whether this makes a difference I cannot confirm, but thought it couldn't hurt.

Step 2. I also followed the steps found [here.](https://forums.raspberrypi.com/viewtopic.php?t=378592) In the last post by 'chris'. I have no idea if that works or not, but I decided to do it anyway. I could always remove it if something broke.

Step 3. Test and see if that works. Some people report (various forums I browsed) selecting X11 will allow both to work, but for me it didn't. I had to select W2 Wayfire. There is a slight delay in loading RDP or PiConnect but only a matter of a second or two extra than having it running off one type.

 

So once again, thank you to everyone who provided help. While I'm not exactly sure which action resolved each problem (yes I know, I should have done one, tested, done the next etc, but who's got time for that) I learnt a lot along the way. I am still very much a Linux amateur but it's resolving issues like this that help me improve. I am also aware that some of what I did may be entirely unnecessary, so feel free to point that out. Cheers everyone.

https://redd.it/1r6x24k
@r_wireguard
NetBird – Open-Source Mesh VPN (Self-Hostable WireGuard Alternative to Tailscale)

https://redd.it/1raryul
@r_wireguard
Facebook messenger blocked on WireGuard connection

I searched and see others have the same issue but could not find any resolution.

I run all mobile device traffic through a WireGuard VPN tunnel back home to my router and pi-hole on a raspberry pi before exiting to the internet.

Every so often, Facebook messenger doesn’t like that. Outgoing messages are stuck pending sending, incoming ones load only partially.

This seems to clearly be a WireGuard issue as turning off the tunnel and using cellular data straight to the internet resolves the problem. Turning off the pi-hole filtering makes no difference.

Any suggestions? Thanks.

https://redd.it/1rberso
@r_wireguard
Qrvpn: run WireGuard server on any device including smartphones and behind NAT/FW

Hi, I am a developer of a free tool called qrvpn (currently in beta). It is a WireGuard-based VPN app.

It allows you to run a WireGuard server on any device and environment with just a few clicks and connect with a native WireGuard client. It’s available on Windows, iPhone/Mac, Android and Linux! No public IP or open ports needed.

Here is a super easy illustrated instruction: https://qrvpn.com/wireguard/

And this video https://www.youtube.com/watch?v=eLC3dIUL2ME demonstrates how to run a WireGuard server on Android and connect from Windows with a native client. The app shares the same UI across all platforms.

I believe the app could be useful for users who do not want to deal with WG settings or who would like to run it on a restricted device. Also, it is very convenient for ad hoc scenarios.

Under the hood, to bypass NAT/FW, we use a relay server that accepts opaque WG packets from the client and server and forwards them between the peers.

Any feedback is highly appreciated!

https://redd.it/1rg9nly
@r_wireguard
WireGuard on portable router questions

Disclaimer: I am very new to WireGuard; I normally just use my provider's app.


Hi all, I've recently picked up a Cudy TR3000 to use on public WiFi and my office WiFi to keep all my devices logged in without needing to redo the captive portal per device.

The only issue I'm having is when I turn on the VPN it just says disconnected.

I set this up and used the config file provided by surfshark and confirmed this worked on my home WiFi but in the office it just won't connect.

I've left it alone for 10 mins to see if it eventually connects with no luck.

Do I need a new WireGuard profile per WiFi connection, or am I missing something?

https://redd.it/1rg320r
@r_wireguard
Nested/chain VPN question

I have a Windows Server machine running a Wireguard server. Now I need this Wireguard server to subsequently VPN to a router. The router supports PPTP, OpenVPN and IPSec protocols. What would be the best way to accomplish this?

https://redd.it/1rfwtgt
@r_wireguard
What could be a reason one client can connect but another can't?

I have a WireGuard server running on an old OpenWrt router. My Windows PC can connect just fine. Another router cannot, even if I copy the same config to both clients. No, I did not try to connect at the same time. Is there a setting in WireGuard or in the firewall that would explain such behavior? Do certain types of clients use a specific set of ports or other connection-specific things?

https://redd.it/1rfejrb
@r_wireguard
Setting up WireGuard on a Windows PC that is also running an Ubuntu Server VM

I don't think this is too difficult a question, but I'm not getting a clear answer when I google around. I want to set up WireGuard so that I can VPN into my home network from work/my phone. I have a Windows PC at my house that is running an Ubuntu Server VM. I'm new to Linux so it's been a learning experience getting things set up. I have a photo sharing service called Immich working on my server. I tried setting up WireGuard once and it broke everything. I'm sure I did something wrong. My question: Given my use case, should I be setting up Windows as the WireGuard Host and then make the Ubuntu VM a client? I started to get very confused during the WG installation on my VM and it broke even my LAN access to the VM. I don't need a complete breakdown, just need someone to point me in the right direction so I know what I should actually be searching for. Thanks!

https://redd.it/1rer0eh
@r_wireguard
WireGuard Peer Isolation: Laptop works fine, iPhone Handshakes but no LAN access (Pi 5 OpenWrt)

Hi everyone,

I’m running into a specific routing/peer issue on a Raspberry Pi 5 running the latest version of OpenWrt. I have a WireGuard server set up that is 100% functional for my laptop, but my iPhone is behaving inconsistently.

The Setup:

Server: Pi 5 (OpenWrt) acting as my Router

WG Subnet: 10.6.0.1/24

Peer A (Laptop): 10.6.0.2 — Works perfectly. Can ping and access the internet and all LAN devices

Peer B (iPhone 14 Pro Max): 10.6.0.3 — Partial success. Completes handshake, can ping 8.8.8.8, and can browse the internet, but cannot ping or access any LAN/VLAN resources (e.g., 192.168.x.1 fails to load).

What I’ve already verified/tried:

Firewall: Both peers are in the same WireGuard interface and firewall zone. Masquerading is enabled on the VPN zone. Forwarding is allowed from VPN to LAN.

Keys: Unique private/public key pairs for each device.

MTU: Tried auto and manually set to 1280 on the iPhone (no change).

Allowed IPs (Client): Tried both 0.0.0.0/0 and explicitly listing the LAN subnet (192.168.1.0/24, etc.).

Allowed IPs (Server): Verified 10.6.0.3/32 is correctly assigned to the iPhone peer on the Pi.

Keepalive: Set to 25 on the iPhone.

Handshake: wg show on the Pi shows a healthy handshake and data transfer, but the iPhone seems unable to receive replies from internal LAN addresses.

The Symptom:

The iPhone can route through the Pi to the internet, but packets destined for the Pi's own LAN interfaces or the internal VLANs seem to hit a "black hole." Since the laptop works with the exact same zone settings, I suspect an iOS-specific routing quirk or a subtle issue in how OpenWrt handles multiple peers on the same virtual interface.

Has anyone seen a case where one peer is correctly NATed/routed to the LAN but a second peer on the same interface is restricted to WAN-only? Thank you in advance!

https://redd.it/1re4zpz
@r_wireguard
confused about wg routing with AllowedIPs versus manual addition

Hello

I have a simple wireguard setup. router behind CGNAT <-> Internet host has a single wireguard tunnel set up on it.

If I include AllowedIPs=192.168.1.0/24 then the output of 'ip route' shows '192.168.1.0/24 dev wg0' and that network is reachable across the tunnel.

If I instead do not specify that network in AllowedIPs but instead bring up the tunnel and then manually enter 'ip route add 192.168.1.0/24 dev wg0' and verify the output of 'ip route' is the same as the above config, the connection doesn't work. The error is 'ping: sendmsg: Required key not available'.

So this leads me to think there is some extra detail happening when the wg interface is brought up.

I thought the ip routing was completely separate from the establishing of a tunnel using the key pairs to/from the endpoint. Is that correct?

That is, I must use the wireguard config to add routes. Or at least add the routes in a different way to ensure the tunnel can see them.

If not, I've just made some simple mistake.

Many thanks.

https://redd.it/1re3jtq
@r_wireguard
WG intermittently fails when using the same tunnel config on a dual-boot computer

I have what I think is an odd problem, and just wanted to hear if anyone else has seen it.

I have a pfSense firewall at home, with a WG interface configuration. There are ~14 different peers defined. About a dozen or so are always connected.

At my office, I'm dual-booting between Windows 11 and Fedora 43 on the same computer. I exported the WG tunnel config from Windows, and imported it in Fedora (so, same private key and peer config on both). There will never be a case where these "two different computers" will be connecting at the same time, and I don't use hibernation or anything like that.

Intermittently, the WG tunnel will randomly stop passing traffic (this has all been on the Windows side iirc). Deactivating and then activating the tunnel from the WG client on the Windows computer does nothing; but restarting the WG service on the pfSense, causes the tunnel to come back straight away. And by "intermittent," days pass before it happens again. The tunnel is "automatic" in each OS, and always connected as long as the OS is running.

I also have a separate tunnel config which I call "floater," which I use when testing Linux VMs on Proxmox. I have the same tunnel on all of the VMs (around 14 different ones), and there is never a case where two will be on at the same time. I'm using PCIe passthrough for an eGPU enclosure connected via Oculink to the Proxmox node for all of the VMs, so this would also prevent two of them from being inadvertently powered on at the same time. I haven't had the "no passing traffic" issue with any of these VMs. Each VM is never powered on for very long though, max an hour or two. I didn't feel the need to create a distinct tunnel config for each VM.

Does anyone have any theories on what's happening between the firewall and dual-boot computer to cause this?

https://redd.it/1re5rtu
@r_wireguard
Remote client help

I setup two remote clients for my kids places so they can get back to the NAS I have at home. I knew their IPs might change so only configured the tunnel peer in the config file and then pointed them to a hopto name that I setup for my home.

One of the kids recently moved to a new apartment and switched from Comcast to Verizon. I thought everything was working fine but recently discovered the tunnel from his place isn’t connecting. As I said, I thought I made everything pretty foolproof so can’t figure out why it’s not working now. Any suggestions of what to check?

https://redd.it/1rdihjd
@r_wireguard
Wireguard for proxmox

Hey guys, so I basically have a server running Proxmox for my homelab right now and I want to be able to access it from outside my home network. I've used Tailscale for other things before but I wanted to try WireGuard this time for my Proxmox server. My question is: do you guys think I should run it in a container or run it directly on my node? I can't really find any good tutorials and was just wondering what you guys recommend in general for WireGuard on Proxmox. Thanks

https://redd.it/1rhmq9w
@r_wireguard
Need help troubleshooting what's wrong with my VPS WireGuard setup

Hi,

I followed this guide: https://www.laroberto.com/remote-lan-access-with-wireguard/ (completely step-by-step, not changing much or anything really) and also followed the follow-up post.

The "server" for me is a VPS, the "router" for me is a raspberry pi, the "client" (for now, just testing purposes) is an android phone.

I can start WireGuard on my phone, it shows up as an active VPN. The internet works, but I cannot access the homepage of my home router from it (for me it's 10.0.1.X) - don't need to access this page often, just using it to test the connection to my home network for now.

Here are my configs for all the devices:

"Router config":

```ini
[Interface]
Address = 192.168.10.3/32
PrivateKey = (censored)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

# Server
[Peer]
PublicKey = (censored)
Endpoint = (censored VPS public IP):51820
AllowedIPs = 192.168.10.0/24
PersistentKeepalive = 25
```

"Server config":

```ini
[Interface]
Address = 192.168.10.1/32
ListenPort = 51820
PrivateKey = (censored)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enx5 ! -d 10.0.20.0/24 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enx5 ! -d 10.0.20.0/24 -j MASQUERADE

# Router Peer
[Peer]
PublicKey = (censored)
AllowedIPs = 192.168.10.0/24, 10.0.20.0/24

# Client
[Peer]
PublicKey = (censored)
AllowedIPs = 192.168.10.2/32
```


"Android config":

https://preview.redd.it/2xq9m7in6hmg1.png?width=371&format=png&auto=webp&s=055fa83236d84e9f6b4ce6e1294fd31fd5a20d0c

When it comes to network stuff, I am a complete beginner, so pardon me if something is extremely obvious and I am not seeing it.

As stated before, my home doesn't have 192.168.x.x, it uses 10.0.1.x for all devices, could that be a problem? I understand it's supposed to be somehow routed with how it's setup, but it doesn't seem to work.

I also don't understand why they set up "10.0.20.0" in the guide; that also escapes me.

Any help would be appreciated, I am slowly losing my sanity.



https://redd.it/1ri4pvo
@r_wireguard
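Three of the posts above turn on the same rule: the Pi RDP post's 192.168.1.2/24 and 0.0.0.0/32 AllowedIPs entries, the 'ping: sendmsg: Required key not available' error in the wg routing post, and this VPS server config with its 192.168.10.0/24, 10.0.20.0/24 and 192.168.10.2/32 peers. The added Python sketch below models WireGuard's cryptokey routing (AllowedIPs) lookup; it is not code from any of the posts, and the peer names "router", "client" and "phone" are assumptions.

```python
import errno
import ipaddress

ENOKEY_MSG = "Required key not available"  # what ping prints when the kernel returns ENOKEY


class CryptokeyRouter:
    """Toy model of WireGuard's AllowedIPs (cryptokey routing) table.

    Outbound: a packet is encrypted to the peer whose AllowedIPs prefix matches the
    destination most specifically; no match means ENOKEY, whatever the kernel
    routing table says about the interface. Inbound: a decrypted packet is accepted
    only if its source lies within the AllowedIPs of the peer it arrived from.
    """

    def __init__(self):
        self._table = {}  # ipaddress.ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            # Host bits are masked off, so "192.168.1.2/24" is stored as 192.168.1.0/24
            # (the form `wg show` prints back); a prefix belongs to exactly one peer,
            # so adding the same prefix again moves it to the newer peer.
            self._table[ipaddress.ip_network(cidr, strict=False)] = name

    def lookup(self, ip):
        """Longest-prefix match; returns the peer name or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, peer in self._table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def send(self, dst):
        peer = self.lookup(dst)
        if peer is None:
            raise OSError(getattr(errno, "ENOKEY", 126), ENOKEY_MSG)
        return peer

    def accept_inbound(self, src, from_peer):
        return self.lookup(src) == from_peer


def try_send(router, dst):
    """Peer name on success, else the error text a user would see."""
    try:
        return router.send(dst)
    except OSError as exc:
        return f"error: {exc.strerror}"


def vps_server_from_post():
    """The VPS 'Server config' above: the router peer owns 192.168.10.0/24 and
    10.0.20.0/24, the client peer owns 192.168.10.2/32 (peer names assumed)."""
    r = CryptokeyRouter()
    r.add_peer("router", ["192.168.10.0/24", "10.0.20.0/24"])
    r.add_peer("client", ["192.168.10.2/32"])
    return r


if __name__ == "__main__":
    vps = vps_server_from_post()
    for dst in ("192.168.10.2", "10.0.20.1", "10.0.1.1"):
        print(dst, "->", try_send(vps, dst))
    pi = CryptokeyRouter()
    pi.add_peer("phone", ["192.168.1.2/24"])  # /24 covers the whole LAN, not just .2
    print("192.168.1.50 ->", pi.lookup("192.168.1.50"))
    pi.add_peer("phone", ["0.0.0.0/32"])      # matches only the address 0.0.0.0
    print("8.8.8.8 ->", try_send(pi, "8.8.8.8"))
```

Run against the server config above, a destination in 10.0.1.0/24 matches neither peer, which is the same ENOKEY outcome the routing post describes for a route with no AllowedIPs behind it.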