I have tried to use WireGuard following two guides:
- From this forum thread, without success: Guide: Install Wireguard On Raspberry latest releases
- From this blog article, without success as well: Installing and Configuring WireGuard on Raspberry Pi OS (August 2020)
Updated (last with iptables): Installing and Configuring WireGuard on Raspberry Pi OS (September 2021)
This can be used as well to generate WireGuard peer configurations + QR codes: Wireguard Tools
=> no successful handshake between server (Raspberry) and peers (Android and Windows 10).
Configuration
Server:
$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.99.1/24
ListenPort = 58280
PrivateKey = gNVxJe7Se842IiOR5GsXeM4sHcacGhPATIdQCgqP8Wa=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = OQmmvh9/8PDWFIpOEzVWzOZ1HXQ48+10vONFlUNb0ia=
AllowedIPs = 192.168.99.2/32
[Peer]
PublicKey = N9VPXnH8hip4sJGGWm4ziLFWD5ZAveoj7H5oH8OgsHa=
AllowedIPs = 192.168.99.3/32
Peer 1:
$ cat ~/wg_config/users/client1/client.conf
[Interface]
Address = 192.168.99.2/24
PrivateKey = 6OfJPX1ZQCFu08fTy2uU6JdgUf/qXgzBoTtX/tCYX3a=
[Peer]
PublicKey = b6kqDH4pjAdK0LqPrEF4Fc9d4XxR0Eb3kSk9rzdEKma=
AllowedIPs = 192.168.99.1/32, 192.168.1.0/24
Endpoint = adress.ddns.net:58280
Peer 2:
$ cat ~/wg_config/users/client2/client.conf
[Interface]
Address = 192.168.99.3/24
PrivateKey = uB+g5H0kbyI07kHdAajcQUE8VqMTaNqqiu0yj6BrH1a=
[Peer]
PublicKey = b6kqDH4pjAdK0LqPrEF4Fc9d4XxR0Eb3kSk9rzdEKma=
AllowedIPs = 192.168.99.1/32, 192.168.1.0/24
Endpoint = adress.ddns.net:58280
Troubleshooting
12/10/2020
UDP correctly forwarded
I verified that the UDP port was correctly forwarded by my ISP modem/router, following Test whether UDP port is open: simple UDP server and client
Server side:
$ nc -l -u -p 58280
Client side:
$ nc -u servname_or_ip 58280
Checking if packets arrive to server
Listening on a specific interface and on a precise port of the server:
$ sudo tcpdump -i eth0 'port 58280'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:56:36.474701 IP 92.88.90.88.56188 > 192.168.1.201.58280: UDP, length 148
20:56:36.476725 IP 192.168.1.201.58280 > 92.88.90.88.56188: UDP, length 92
20:57:34.066017 IP 92.88.90.88.51673 > 192.168.1.201.58280: UDP, length 148
20:57:34.070037 IP 192.168.1.201.58280 > 92.88.90.88.51673: UDP, length 92
Here I tried twice to connect a peer to the server while pinging the WireGuard server IP (192.168.99.1) from the peer.
17/10/2020
Recording packets using tcpdump on both client and server sides
CLIENT: in a country potentially blocking VPN stuff
SERVER: in France, probably not blocking anything
I have generated another peer configuration. This time it is not a Windows or an Android device but an OpenWrt router using the same .
I have fixed the port used by the WireGuard client on OpenWrt so that it listens on the WAN interface on 51820.
What is observed on CLIENT openwrt side:
root@OpenWrt:~# tcpdump -i eth1 'port 51820'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:37:45.906247 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:37:46.025023 IP raspberry.abo.wanadoo.fr.58280 > 192.168.1.102.51820: UDP, length 92
14:37:46.038821 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 32
14:38:11.087567 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 32
14:38:36.687153 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 32
14:39:02.286884 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 32
14:39:27.887315 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 32
14:39:53.487145 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 32
14:39:53.498819 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:39:59.257666 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:04.377588 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:10.138437 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:15.257703 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:21.017550 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:26.782109 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:31.897640 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:37.659644 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:42.777571 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:48.537585 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:40:54.298502 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:41:00.057651 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:41:05.177582 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:41:10.937544 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:41:16.697736 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:41:22.457569 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:41:28.220105 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:41:33.977597 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:41:39.097547 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
14:42:04.697538 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 148
^C
29 packets captured
29 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~# wg
interface: WG0
public key: OQmmvh9/8PDWFIpOEzVWzOZ1HXQ48+10vONFlUNb0ia=
private key: (hidden)
listening port: 51820
peer: b6kqDH4pjAdK0LqPrEF4Fc9d4XxR0Eb3kSk9rzdEKma=
endpoint: raspberry.abo.wanadoo.fr:58280
allowed ips: 192.168.99.1/32
latest handshake: 32 minutes, 12 seconds ago
transfer: 92 B received, 40.80 KiB sent
persistent keepalive: every 25 seconds
root@OpenWrt:~#
- Only the first two captured packets were seen on the SERVER side.
- These two captured packets are enough to declare a successful handshake on the CLIENT side.
What is observed on SERVER raspberry pi side:
pi@raspberrypi:~ $ sudo tcpdump -i eth0 'port 58280'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:37:45.924082 IP 93.88.83.27.51820 > 192.168.1.201.58280: UDP, length 148
16:37:45.928019 IP 192.168.1.201.58280 > 93.88.83.27.51820: UDP, length 92
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
pi@raspberrypi:~ $ sudo wg
interface: wg0
public key: b6kqDH4pjAdK0LqPrEF4Fc9d4XxR0Eb3kSk9rzdEKma=
private key: (hidden)
listening port: 58280
peer: OQmmvh9/8PDWFIpOEzVWzOZ1HXQ48+10vONFlUNb0ia=
endpoint: 93.88.83.27:51820
allowed ips: 192.168.99.2/32
transfer: 888 B received, 552 B sent
pi@raspberrypi:~ $
- Only the first two packets captured by the CLIENT are seen on the SERVER side as well.
- The handshake is not declared successful on the SERVER side.
- Why is the SERVER not seeing the following packets??? If I restart the CLIENT, the SERVER does not see packets for the new handshake unless the port used by the CLIENT changes.
- Why is the SERVER not seeing anything of this CLIENT packet: " 14:37:46.038821 IP 192.168.1.102.51820 > raspberry.abo.wanadoo.fr.58280: UDP, length 32 "
Trying to connect from local country
CLIENT: Computer using Windows in France, probably not blocking anything
SERVER: in France, probably not blocking anything
pi@raspberrypi:~ $ ip route show table 42
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.201 metric 202
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.201 metric 202
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.1
pi@raspberrypi:~ $ sudo tcpdump -i eth0 'port 58280'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:58:01.734652 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 148 # handshake
19:58:01.741670 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 92 # handshake
19:58:01.781909 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 96 # ping from client
19:58:01.782398 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 96 # server answers
19:58:02.893737 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 96 # ping from client
19:58:02.894315 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 96 # server answers
19:58:03.822017 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 96 # ping from client
19:58:03.822643 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 96 # server answers
19:58:05.793794 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 96 # ping from client
19:58:05.794394 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 96 # server answers
19:58:15.839250 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 32 # ???
19:58:51.032841 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 128 # server pings client
19:58:51.123963 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 128 # client answers
19:58:52.033771 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 128 # server pings client
19:58:52.090988 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 128 # client answers
19:58:53.035792 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 128 # server pings client
19:58:53.135887 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 128 # client answers
19:58:54.037607 IP 192.168.1.201.58280 > device.mobile.abo.orange.fr.51706: UDP, length 128 # server pings client
19:58:54.076616 IP device.mobile.abo.orange.fr.51706 > 192.168.1.201.58280: UDP, length 128 # client answers
[...]
pi@raspberrypi:~ $ sudo wg
interface: wg0
public key: b6kqDH4pjAdK0LqPrEF4Fc9d4XxR0Eb3kSk9rzdEKma=
private key: (hidden)
listening port: 58280
peer: xxMWH9tZDwCNXPbErQxBuDejgkxNU1QOm9vFezUBeSa=
endpoint: device.mobile.abo.orange.fr:51706
allowed ips: 192.168.99.6/32
latest handshake: 19 seconds ago
transfer: 564 B received, 476 B sent
=> It worked! I conclude that WireGuard is blocked in the country where the client is.
Interesting to read about how easy it is to block WireGuard: Let's talk about obfuscation again
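As an added example (not part of the original notes), the following Python script classifies the UDP packets of captures like the ones above by WireGuard message size (148-byte initiation, 92-byte response, 32-byte keepalive, larger multiples of 16 as encrypted data) and flags the two failure signs they show: initiations with no response, and a response never followed by the initiator's first transport packet, which is what the server needs before it records a "latest handshake". The capture string and the IP addresses in it are constructed for the example.

```python
import re
from collections import Counter

# Constructed server-side capture in tcpdump's UDP one-liner format (not the page's own
# capture): the client's initiation is answered, then nothing further arrives from it.
SERVER_CAPTURE = """\
16:37:45.924082 IP 198.51.100.7.51820 > 192.168.1.201.58280: UDP, length 148
16:37:45.928019 IP 192.168.1.201.58280 > 198.51.100.7.51820: UDP, length 92
"""

LINE = re.compile(r"^\S+ IP (\S+)\.\d+ > (\S+)\.\d+: UDP, length (\d+)")
# Fixed handshake sizes; transport messages are 16-byte header + ciphertext + 16-byte tag
# with the plaintext padded to a multiple of 16, so an empty one (32 bytes) is a keepalive.
FIXED = {148: "initiation", 92: "response", 64: "cookie", 32: "keepalive"}

def classify(length):
    """Map a WireGuard UDP payload length to its message type."""
    if length in FIXED:
        return FIXED[length]
    return "data" if length > 32 and length % 16 == 0 else "unknown"

def parse(capture, server_ip):
    """Yield (direction, kind) per UDP line; direction is relative to the server."""
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            _src, dst, length = m.groups()
            yield ("in" if dst == server_ip else "out"), classify(int(length))

def handshake_report(capture, server_ip):
    """Count messages per direction and flag two failure signs: initiations the server
    never answered, and responses never followed by the initiator's first transport
    packet (the responder only records 'latest handshake' once that packet arrives)."""
    counts = Counter()
    awaiting_response = pending_confirm = False
    unanswered = unconfirmed = 0
    for direction, kind in parse(capture, server_ip):
        counts[(direction, kind)] += 1
        if direction == "in" and kind == "initiation":
            unanswered += awaiting_response   # previous initiation got no reply
            unconfirmed += pending_confirm    # previous response never confirmed
            awaiting_response, pending_confirm = True, False
        elif direction == "out" and kind == "response":
            awaiting_response, pending_confirm = False, True
        elif direction == "in" and kind in ("keepalive", "data"):
            pending_confirm = False           # first transport packet confirms it
    return {"counts": dict(counts),
            "unanswered_initiations": unanswered + awaiting_response,
            "unconfirmed_responses": unconfirmed + pending_confirm}
```

Run over the server-side capture of a blocked client, the report shows the answered initiation and one unconfirmed response; over a client-side capture it instead counts the unanswered retried initiations.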