Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

 

I don't think 50.26.116.1 is your WAN public ip addr. That is your gateway addr which is not the same thing.

Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

 

In some earlier post I told you to create a masq rule for wg, your rule 5001. I now realize that was wrong. Delete it.

 

udp does not require the masq rule whereas tcp does. This is because tcp requires reply packets to have the same source ip addr as was the dest on the original packet, namely the wan ip addr that gets dnat'd. This is to protect the integrity of the tcp bidirectional stream. But udp is unidirectional and makes no such checks.

 

I don't think it should cause a problem; however, it is unnecessary and causes additional processing.

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

Thanks for the follow-up. Are you saying to just remove the masquerade from rule 5001, or completely delete rule 5001 as my hairpin altogether?

 

I haven't had a chance to correct the WAN public IP on my phone's config yet. I wish I could find out that address without having to be home, but I'll have to wait until late tonight and do it after work. Just for clarification, the address I am looking for is the one I would get if I turned off PIA and went to a site such as whatsmyip.com, correct?

 

I know this may be a slow process, but I am finally starting to make some sense of how packets flow and the source and destination rules that they must abide by. The whole inner workings of a VPN are pretty awesome when you really look up close and realize that there are just highways of packets flowing through the internet and it's just a matter of telling them what exit to take. A month or so ago I would have taken much of this process for granted and wouldn't have a clue, so thank you for that.

Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

 

masquerade is the type of rule 5001 (a subset of source NAT rules) and you cannot just delete a rule's type. Yes, delete the entire rule. Sometime you should read up on hairpin. Ubiquiti has a document on it, which is where I figured it out. You always need a DNAT rule on whichever interfaces have the subnets for the clients. You need the masquerade rule in addition whenever the client is on the same subnet as the target and the protocol is TCP, or if there is some special bidirectional UDP service that matches packet IPs, but that UDP case is few and far between.

 

You can get the wan public ip address from the GUI dashboard line WAN (don't include the CIDR tail) or via ifconfig eth0 (or whatever interface is your WAN) and look for the line beginning inet addr:

 

Yes, thinking about packet flows is the bedrock of routing.

 

I upgraded my ERL firmware today to 1.10.8 and my wg stopped working when I was on my home WiFi but continued to work on LTE. I have diagnosed it to the fact that my phone is now failing to resolve my endpoint domain name when I am on WiFi, which makes no sense because that domain resolves just fine on other machines on the same subnet. If I change to the IP addr it works. Then my phone started updating about 15 apps and I didn't want to break that by fooling with wg. That finally finished, so now back to figuring out the domain resolution problem.
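To make the hairpin argument in the post above concrete (DNAT alone is enough for UDP, but a same-subnet TCP client also needs the masquerade rule), here is a small packet-flow model. It is an added example written for this thread, not code from the thread, from EdgeOS or from WireGuard. It reuses the addresses the thread mentions (50.26.119.9 as the WAN address, 10.86.1.1 as eth1, 10.86.1.111 as the server); the LAN client 10.86.1.50 and the source port 51000 are constructed, and the router is reduced to one DNAT rule, an optional masquerade, and a conntrack entry.

```python
"""Hairpin NAT: why TCP needs DNAT + masquerade and UDP only needs DNAT.

Added example (not from the thread or from EdgeOS). The router is modelled
as a DNAT rule for WAN_IP:443 -> SERVER_IP:443, an optional masquerade on
the LAN side, and a conntrack entry that lets replies be un-translated.
"""
from dataclasses import dataclass, replace

WAN_IP = "50.26.119.9"        # public WAN address from the thread
ROUTER_LAN_IP = "10.86.1.1"   # eth1 address from the posted config
SERVER_IP = "10.86.1.111"     # WireGuard server from the posted config
CLIENT_IP = "10.86.1.50"      # constructed LAN client on the same subnet
PORT = 443


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def router_forward(pkt, masquerade):
    """Hairpin DNAT (and optional SNAT) applied to a LAN client's packet.

    Returns the packet as the server sees it plus the conntrack entry the
    router keeps so it can reverse the translation on the reply.
    """
    if pkt.dst != WAN_IP or pkt.dport != PORT:
        return pkt, None
    translated = replace(pkt, dst=SERVER_IP)
    if masquerade:
        # masquerade rule: source becomes the router's own LAN address
        translated = replace(translated, src=ROUTER_LAN_IP)
    return translated, {"orig": pkt, "translated": translated}


def server_reply(pkt):
    """The server simply swaps the addresses and ports it received."""
    return Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def deliver_reply(reply, entry):
    """Reply path back to the client.

    With masquerade the reply is addressed to the router, which restores
    the original tuple from conntrack. Without it the server talks to the
    client directly on the shared LAN and the router never sees the reply.
    """
    if entry and reply.dst == ROUTER_LAN_IP:
        orig = entry["orig"]
        return Packet(reply.proto, orig.dst, orig.dport, orig.src, orig.sport)
    return reply


def client_accepts(request, reply):
    """TCP only accepts a reply whose source matches the original
    destination (same 4-tuple); a plain UDP socket just checks the port."""
    if request.proto == "tcp":
        return (reply.src, reply.sport) == (request.dst, request.dport)
    return reply.dport == request.sport


def hairpin(proto, masquerade):
    """True if a same-subnet client gets a usable reply via the WAN address."""
    request = Packet(proto, CLIENT_IP, 51000, WAN_IP, PORT)
    to_server, entry = router_forward(request, masquerade)
    reply = deliver_reply(server_reply(to_server), entry)
    return client_accepts(request, reply)


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        for masq in (False, True):
            print(f"{proto} masquerade={masq}: works={hairpin(proto, masq)}")
```

Running it shows TCP failing without the masquerade (the reply comes from 10.86.1.111 instead of the WAN address, so the client's TCP stack discards it) and working with it, while UDP works either way. The model deliberately leaves out a client on a different subnet: for that client the reply passes back through the router regardless, which is why only the same-subnet case needs the extra rule.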

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

So last night I tried another attempt to get wg working on my phone, but for some reason once again when I enable the vpn on my app I lose internet access. First I checked what my public IP was and entered that as my endpoint on the wg app. Restarted the service on my phone and on the server but I couldn’t get a handshake or ping my phone from the server. I then deleted the rule 5001 from my ERL, restarted everything again, and again got the same results. I was starting to wonder if it was just an issue with the phone app so I downloaded wg on my Mac and created and made that as a new peer on my server Config. Although I still wasn’t getting a handshake, when I pinged 10.86.5.111 (my server) I did get a response, but there was 50% packet loss. 

 

I’m not really too sure what else could be the problem here. Did you ever figure out what went wrong on your end after updating your firmware?

 

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

I did a little bit of tinkering on some of my config settings and found that when I changed my AllowedIPs on my iPhone from 0.0.0.0/0 to 10.86.0.0/24, I was able to get an internet connection while the VPN was enabled. It appears that I have internet on both LTE and home WiFi, but for some reason I still don't see a handshake on my server with that peer. Also, when I ping 10.86.5.112 (iPhone) I get stats saying 0 packets transmitted and +292768 errors.

Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

Not sure what was happening with my phone. I don't think it had anything to do with my ERL firmware upgrade but rather a coincidence in timing.

 

When trying to solve problems, simplify. I changed the endpoint on my phone to the local server IP so that when on WiFi it would connect directly without any need for DNAT or hairpin. That worked (of course, it would not on LTE). So then I changed the endpoint to my WAN IP addr rather than the domain name I normally use. And that worked. So then I changed back to the domain name and that worked. Beats me why it kept failing before despite server wg restart and phone reboot. I did change the port from 500 to 443. That alone did not fix the problem but maybe it played a role. You might try that port instead of 500.

 

I would advise you to try the server ip while on WiFi and see how that works. If it does not, then it is likely a wg config problem. If it does, then try WAN public ip. If that fails, then it is some routing or DNAT problem.

 

I use android so I can't speak to the robustness of the iPhone app.

 

Changing the AllowedIPs to 10.85.0.0/24 gave you internet because any ip addr not in that subnet (eg all the internet) would not even try the wg tunnel so just went out normally. When on WiFi I'd bet it went to PIA and on LTE thru your wireless carrier.
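The AllowedIPs point above is really a routing decision, and it is easy to see by implementing it. The block below is an added example, not code from the thread or from WireGuard: it does the same longest-prefix match WireGuard applies to outgoing packets (cryptokey routing) and returns which peer, if any, a destination would be sent to. Peer names are constructed; the prefixes are the ones quoted in the thread (0.0.0.0/0, 10.86.0.0/24, and the server's 10.100.100.3/32 and 10.100.100.4/32 peers).

```python
"""WireGuard AllowedIPs as a routing table: longest-prefix match.

Added example (not from the thread or from WireGuard). A packet leaving the
host is sent through the tunnel only if its destination falls inside some
peer's AllowedIPs; otherwise it takes the normal route, exactly as described
in the post above.
"""
import ipaddress


def build_peer_table(peers):
    """peers: {peer_name: [cidr, ...]} -> list of (network, peer_name),
    most specific prefix first so the first hit is the longest match."""
    table = []
    for name, cidrs in peers.items():
        for cidr in cidrs:
            table.append((ipaddress.ip_network(cidr, strict=False), name))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def select_peer(dest, table):
    """Return the peer whose AllowedIPs best covers dest, or None when the
    packet does not enter the tunnel at all."""
    addr = ipaddress.ip_address(dest)
    for network, name in table:
        if addr in network:
            return name
    return None


def route_decision(dest, table):
    """Human-readable version of the decision for a single destination."""
    peer = select_peer(dest, table)
    return f"tunnel via peer '{peer}'" if peer else "outside the tunnel (normal route)"


# Client side: the phone's single peer is the home server (name constructed).
FULL_TUNNEL = build_peer_table({"home-server": ["0.0.0.0/0"]})
SPLIT_TUNNEL = build_peer_table({"home-server": ["10.86.0.0/24"]})

# Server side: each peer is listed only with its own /32 tunnel address.
SERVER_TABLE = build_peer_table({
    "iphone": ["10.100.100.4/32"],
    "macbook": ["10.100.100.3/32"],
})


if __name__ == "__main__":
    for dest in ("8.8.8.8", "10.86.0.7", "10.86.5.111"):
        print(f"AllowedIPs 0.0.0.0/0     {dest:>12}: {route_decision(dest, FULL_TUNNEL)}")
        print(f"AllowedIPs 10.86.0.0/24  {dest:>12}: {route_decision(dest, SPLIT_TUNNEL)}")
    for dest in ("10.100.100.4", "10.100.100.3", "10.100.100.9"):
        print(f"server                   {dest:>12}: {route_decision(dest, SERVER_TABLE)}")
```

Two things the output makes visible. With 0.0.0.0/0 every destination, the public internet included, is handed to the tunnel, so if the handshake never completes nothing gets out. With 10.86.0.0/24 the internet bypasses the tunnel, but so does 10.86.5.111 (the server tunnel address quoted earlier in the thread), because that address is not inside 10.86.0.0/24. On the server side a /32 per peer means the server will only ever send each peer traffic addressed to that one tunnel address.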

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

I am really getting stumped on this whole WG situation. I have read countless tutorials and it is such a simple process to configure, but I don't understand why it is not working. I tried to completely reconfigure my WG server with a new IP of 10.100.100.1/24, and my iPhone as 10.100.100.4/32, MacBook as 10.100.100.3/32. With my phone on WiFi I set my endpoint to 50.26.119.9:443 and AllowedIPs to 0.0.0.0/0. No internet connection, cannot ping my phone or MacBook from the server. I have tried to change my AllowedIPs on my phone to the WG server IP address and tried changing the endpoint to the server address, and still I get no handshake and cannot ping my device from the server. This is what I see when I try to ping my phone:

kevin@home-server:~$ ping -c1 10.100.100.4
PING 10.100.100.4 (10.100.100.4) 56(84) bytes of data.
From 10.100.100.1 icmp_seq=1 Destination Host Unreachable

--- 10.100.100.4 ping statistics ---
0 packets transmitted, 0 received, +1 errors

I'll post a copy of my /etc/wireguard/wg0.conf again in case I am missing something.

[Interface]
Address = 10.100.100.1/24
SaveConfig = false
ListenPort = 443
PrivateKey = [hidden]

[Peer]
PublicKey = [hidden]
AllowedIPs = 10.100.100.4/32
PersistentKeepalive = 25

[Peer]
PublicKey = [hidden]
AllowedIPs = 10.100.100.3/32
PersistentKeepalive = 25

In many tutorials I have seen people including the PostUp and PostDown iptables rules in their WireGuard config, but any time that I have tried to include them in mine I get an error. Maybe because I already have these set up in iptables for PIA? I will also post another config from my ERL; maybe I missed something when I was doing the changes that you suggested in previous posts.

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify OPENVPN_ROUTE {
        rule 10 {
            action modify
            description PIA
            destination {
                port 1198
            }
            modify {
                table 1
            }
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 22 {
            action accept
            description Wireguard
            destination {
                address 10.86.1.111
            }
            log disable
            protocol udp
            source {
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            description PIA
            destination {
                port 1198
            }
            log enable
            protocol udp
        }
        rule 51 {
            action accept
            description Wireguard
            destination {
                port 443
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.86.1.1/24
        description Local
        duplex auto
        firewall {
            in {
                modify OPENVPN_ROUTE
            }
        }
        speed auto
        vif 10 {
            address 10.86.10.1/24
            description "Guest VLAN"
        }
    }
    ethernet eth2 {
        address 10.86.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/1 {
            next-hop 10.86.1.111 {
            }
        }
        route 128.0.0.0/1 {
            next-hop 10.86.1.111 {
            }
        }
        table 1 {
            route 0.0.0.0/0 {
                next-hop 50.26.116.1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Guest_VLAN {
            authoritative disable
            subnet 10.86.10.0/24 {
                default-router 10.86.10.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                lease 86400
                start 10.86.10.100 {
                    stop 10.86.10.254
                }
            }
        }
        shared-network-name Home {
            subnet 10.86.1.0/24 {
                default-router 10.86.1.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                start 10.86.1.100 {
                    stop 10.86.1.254
                }
            }
        }
        shared-network-name LAN1 {
            authoritative enable
            disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.254
                }
                static-mapping home-server {
                    ip-address 192.168.1.111
                    mac-address 70:85:c2:86:06:c0
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                lease 86400
                start 192.168.2.100 {
                    stop 192.168.2.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on vtun0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description WG500
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 443
            }
            inbound-interface eth0
            inside-address {
                address 10.86.1.111
                port 443
            }
            log disable
            protocol udp
            type destination
        }
        rule 2 {
            description hairpin500
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 443
            }
            inbound-interface eth1
            inside-address {
                address 10.86.1.111
                port 443
            }
            log disable
            protocol udp
            type destination
        }
        rule 5000 {
            description WAN
            log disable
            outbound-interface eth0
            protocol all
            source {
            }
            type masquerade
New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

So last night an odd thing happened. I was looking at my ERL configs some more, still trying to figure out WG, and noticed that my old DHCP server for LAN1 (192.168.1.0), even though disabled, was still showing my home-server mapped as a static device. I thought maybe this could be an issue, so I deleted the mapping from it and made sure to map it to my Home LAN (10.86.1.0). Around the same time I had also upgraded my firmware to 1.10.8. But the strange thing is that now if I have the static ports 0.0.0.0/1 and 128.0.0.0/1 enabled for PIA, the internet goes down again for all devices, including the server. Once I disable them, internet works again for all devices. I have confirmed that PIA is working on the home-server as the traceroute is still going to us-texas, but again, once I enable the static ports on the ERL everything disconnects.
