WireGuard not working

Hello, I want to create my own VPN using the repository GitHub - wg-easy/wg-easy: The easiest way to run WireGuard VPN + Web-based Admin UI.

After deploying, I can log in to the web UI and create configs for clients, but after connecting via the WireGuard iOS app with a newly created config I can’t access the internet (no connection).

Can you please help me? Maybe I made a mistake in fly.toml or somewhere else.

My Dockerfile:

# There's an issue with node:20-alpine.
# Docker deployment is canceled after 25< minutes.

FROM docker.io/library/node:18-alpine AS build_node_modules

# Copy Web UI
COPY src/ /app/
WORKDIR /app
RUN npm ci --omit=dev

# Copy build result to a new image.
# This saves a lot of disk space.
FROM docker.io/library/node:18-alpine
COPY --from=build_node_modules /app /app

# Move node_modules one directory up, so during development
# we don't have to mount it in a volume.
# This results in much faster reloading!
#
# Also, some node_modules might be native, and
# the architecture & OS of your development machine might differ
# than what runs inside of docker.
RUN mv /app/node_modules /node_modules

# Enable this to run `npm run serve`
RUN npm i -g nodemon

# Install Linux packages
RUN apk add --no-cache \
    dpkg \
    dumb-init \
    iptables \
    iptables-legacy \
    wireguard-tools

# Use iptables-legacy
RUN update-alternatives --install /sbin/iptables iptables /sbin/iptables-legacy 10 --slave /sbin/iptables-restore iptables-restore /sbin/iptables-legacy-restore --slave /sbin/iptables-save iptables-save /sbin/iptables-legacy-save

# Expose Ports
EXPOSE 51820/udp
EXPOSE 51821/tcp

# Set Environment
ENV DEBUG=Server,WireGuard

# Run Web UI
WORKDIR /app
CMD ["/usr/bin/dumb-init", "node", "server.js"]

fly.toml:

app = 'app-name'
primary_region = 'ams'

[build]

[env]
  PASSWORD = 'password_for_web_ui'
  WG_HOST = 'app-name.fly.dev'
  WG_MTU = '1420'

[http_service]
  internal_port = 51821
  force_https = true
  auto_stop_machines = false
  auto_start_machines = true
  min_machines_running = 1
  processes = ['app']

[[vm]]
  cpu_kind = 'shared'
  cpus = 1
  memory_mb = 256

Via the desktop WireGuard app I also can’t access the internet with the VPN switched on.

I have tried

echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
echo net.ipv4.conf.all.src_valid_mark=1 >> /etc/sysctl.conf

and

sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.all.src_valid_mark=1

But it did not help.

Hi… You will need a [[services]] block in your fly.toml and a dedicated IPv4 address to expose the UDP port to the public Internet.

(Right now, only your TCP traffic is being passed along.)

Be sure to also read the caveats about UDP on Fly, because there are some, :dragon:.

Hope this helps a little!

Hello, thanks for your help!

Do I understand correctly that my fly.toml should look like this? Do I have to attach a dedicated IPv4 instead of the shared IPv4? Should WG_HOST be exactly the same as I wrote in the new fly.toml?

new fly.toml:

app = 'app-name'
primary_region = 'ams'

[build]

[env]
  PASSWORD = 'password_for_web_ui'
  WG_HOST = 'app-name.fly.dev'
  WG_MTU = '1420'

[http_service]
  internal_port = 51821
  force_https = true
  auto_stop_machines = false
  auto_start_machines = false
  min_machines_running = 1
  processes = ['app']

[[services]]
  internal_port = 51820
  protocol = "udp"

  [[services.ports]]
    port = "51820"

[[vm]]
  cpu_kind = 'shared'
  cpus = 1
  memory_mb = 256

That does look pretty good… Typically the secrets vault would instead be the place entrusted with the PASSWORD, to prevent leaks. (This is sort of like a huge, super-convenient password manager that Fly maintains for you[r Machines].)

Right. Dedicated IPv4 is needed for UDP (on Fly).

IPv6 is unfortunately not supported, and with shared IPv4 they wouldn’t have any idea who incoming packets were intended for.

That looks consistent with the examples in the wg-easy project’s README. With your new settings, port 51820 will be passed along when the general public transmits to app-name.fly.dev.

I don’t see an environment variable that will get UDP bound to fly-global-services inside your Machine, though. If you’re still having trouble connecting, that might be it…

Ok, how can I bind UDP to fly-global-services?

I did give the impression that I knew how to do that above, but I don’t in reality…

(Sorry!)

What I meant was more of a debugging heuristic: I didn’t see thing X that would prevent bad thing Y from happening.

Doing a quick search now, it appears that the fly-global-services aspect is not particularly obvious with WireGuard:

https://community.fly.io/t/binding-udp-with-wireguard-running-on-fly/5697

I don’t use this style of WG myself, so I can’t offer anything that I know will definitely succeed. However, I suspect that some combination of the following could eventually be made to work:

  1. A userland repeater that binds to fly-global-services in the normal way and then just forwards packets.

  2. A network namespace that contains a veth carrying only the intended address.

  3. Static network address translation.

None of these particularly comport with the “easy” in wg-easy; maybe one of the WireGuard experts here knows better…
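One way to sketch option 1 above, added here as an illustration and not code from the thread, from Fly or from wg-easy: a minimal userland UDP repeater that binds one public socket (on Fly, assumed to be the address resolved from the hostname fly-global-services on port 51820) and forwards each peer's datagrams to the WireGuard listener through a per-peer socket, so replies can be mapped back to the right peer and sent from the public endpoint the peer expects. The hostnames, ports and the single-threaded pump loop are assumptions for the example.

```python
import selectors
import socket
import sys

class UdpRelay:
    """Userland UDP repeater (illustrative design, not wg-easy code).
    One public socket (on Fly: the address resolved from hostname
    fly-global-services, port 51820; an assumption here) takes peers'
    datagrams and forwards each via a per-peer socket to the WireGuard
    listener, so upstream replies can be mapped back to the right peer and
    sent from the public socket, the endpoint the peer expects them from."""

    def __init__(self, listen, upstream):
        self.upstream = upstream
        self.public = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.public.bind(listen)
        self.public.setblocking(False)
        self.sel = selectors.DefaultSelector()
        self.sel.register(self.public, selectors.EVENT_READ, None)
        self.clients = {}  # peer (ip, port) -> socket connected to upstream

    def bound_addr(self):
        return self.public.getsockname()

    def _sock_for(self, peer):
        s = self.clients.get(peer)
        if s is None:  # first datagram from this peer: open its upstream leg
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.connect(self.upstream)
            s.setblocking(False)
            self.sel.register(s, selectors.EVENT_READ, peer)
            self.clients[peer] = s
        return s

    def pump(self, timeout=0.1):
        """Move every datagram that is ready; returns how many were moved."""
        moved = 0
        for key, _ in self.sel.select(timeout):
            if key.data is None:  # inbound from a peer on the public socket
                data, peer = self.public.recvfrom(65535)
                self._sock_for(peer).send(data)
            else:  # reply from upstream on the leg opened for peer key.data
                self.public.sendto(key.fileobj.recv(65535), key.data)
            moved += 1
        return moved

if __name__ == "__main__":  # python3 relay.py fly-global-services 51820 127.0.0.1 51821
    host, port, uhost, uport = sys.argv[1:5]
    relay = UdpRelay((socket.gethostbyname(host), int(port)), (uhost, int(uport)))
    while True:
        relay.pump()
```

Because the kernel WireGuard socket binds the wildcard address on its ListenPort, the relay and WireGuard need different ports (relay on 51820, WireGuard's ListenPort moved elsewhere). The per-peer sockets here are never reaped, which a production relay would have to handle.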
