Wireguard "client" on Rocky 9

Hello,

My Rocky 9.6 has kernel 6.11.7-1.el9.elrepo.x86_64
I have Asus router with WireGuard “Server” which produced following config (all IPs are changed in consistent manner from now on, domains redacted as well as keys).

[Interface]
PrivateKey = Redacted
Address = 10.6.0.3/32
DNS = 192.168.1.111

[Peer]
PublicKey = Redacted
AllowedIPs = 0.0.0.0/0
Endpoint = Redacted.no-ip.org:51820
PersistentKeepalive = 25

I am trying to configure Rocky 9 “client” to connect to the “server”.

What I did was (as a root user)

  1. dnf install wireguard-tools
  2. mkdir /etc/wireguard
  3. cp wg0.conf /etc/wireguard/
  4. chmod 600 /etc/wireguard/*
  5. systemctl enable --now wg-quick@wg0 || also wg-quick up wg0

No luck, it was complaining about DNS not working and not starting. Fixed that by enabling systemd-resolved and adding the following to the NetworkManager config /etc/NetworkManager/NetworkManager.conf

[main]
dns=systemd-resolved

After that I get the following output from wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.3/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63

BUT it did not work after all despite wg show returning

peer: Redacted
  endpoint: x.x.x.x:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 21 seconds ago
  transfer: 4.59 KiB received, 5.05 KiB sent
  persistent keepalive: every 25 seconds

so I checked the routing with ip r

default via 192.168.1.1 dev enp56s0u1u4 proto dhcp src 192.168.1.52 metric 100
192.168.1.0/24 dev enp56s0u1u4 proto kernel scope link src 192.168.1.52 metric 100

and as a result tried to add a route with ip route add 0.0.0.0/0 dev wg0, to no luck again - the route was there but no success in connecting to the network behind the router.

So I looked at the firewall and added

firewall-cmd --new-policy dpolicy --permanent
firewall-cmd --reload
firewall-cmd --permanent --new-zone=ddd
firewall-cmd --zone=ddd --add-interface=wg0 --permanent
firewall-cmd --policy dpolicy --add-ingress-zone=ddd --permanent
firewall-cmd --policy dpolicy --add-egress-zone=public --permanent
firewall-cmd --policy dpolicy --set-target=ACCEPT --permanent
firewall-cmd --reload

again no luck.

Tried setenforce 0 and again no luck.

Tried manually running sysctl -w net.ipv4.ip_forward=1 again and guess what - NO LUCK

After all that I ran wg show again

interface: wg0
  public key: Redacted
  private key: (hidden)
  listening port: 52918
  fwmark: 0xca6c

peer: Redacted
  endpoint: Redacted:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 4 minutes, 6 seconds ago
  transfer: 86.70 KiB received, 27.63 GiB sent
  persistent keepalive: every 25 seconds

which suggests something is being transmitted (transfer counter increased).

Tried to look at journalctl -u wg-quick@wg0 but got

-- No entries --

I have also tried, at every step, tracerouting to my internal DNS (192.168.1.111) with the same result - NO LUCK. //facepalm

Please help as I am out of ideas and have gone through the “whole” Internet back and forth a couple of times…

Cheers,
Piotr
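The two wg show snapshots in the post above already tell most of the story: the first one shows a fresh handshake (21 seconds) and roughly symmetric byte counts, while the second shows a handshake over four minutes old and 27.63 GiB sent against 86.70 KiB received, i.e. the tunnel is swallowing every packet and nothing is answered. As an added example (not code from the post or from the WireGuard project), this small parser turns wg show output into those two checks; the 180 s staleness threshold follows from WireGuard rekeying after about two minutes of activity, and the 1 % one-way ratio is an assumed cut-off.

```python
import re

# Peer block from the second `wg show` in the post above (key and endpoint redacted there).
SAMPLE_WG_SHOW = """\
peer: Redacted
  endpoint: Redacted:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 4 minutes, 6 seconds ago
  transfer: 86.70 KiB received, 27.63 GiB sent
  persistent keepalive: every 25 seconds
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}
SECS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
STALE_AFTER = 180      # WireGuard rekeys after ~2 min of activity; older means no reply
ONE_WAY_RATIO = 0.01   # assumed cut-off: received < 1% of sent counts as one-way traffic


def parse_age(text):
    # '4 minutes, 6 seconds ago' -> 246 seconds ('Now' -> 0)
    return sum(int(n) * SECS[u] for n, u in re.findall(r"(\d+) (second|minute|hour|day)", text))


def parse_bytes(text):
    # '86.70 KiB' -> 88780 bytes, using the binary units wg prints
    num, unit = re.match(r"([\d.]+) (\w+)", text).groups()
    return int(float(num) * UNITS[unit])


def parse_peers(output):
    # One dict per "peer:" block; the interface block, if present, is skipped.
    peers = []
    for block in output.strip().split("\n\n"):
        if not block.startswith("peer:"):
            continue
        fields = dict(re.findall(r"^\s+([a-z ]+): (.+)$", block, re.M))
        peer = {"key": block.split()[1], "handshake_age": None, "rx": 0, "tx": 0}
        if "latest handshake" in fields:       # line is absent until the first handshake
            peer["handshake_age"] = parse_age(fields["latest handshake"])
        m = re.match(r"(.+) received, (.+) sent", fields.get("transfer", ""))
        if m:
            peer["rx"], peer["tx"] = parse_bytes(m.group(1)), parse_bytes(m.group(2))
        peers.append(peer)
    return peers


def diagnose(peer):
    # Returns a list of findings; an empty list means the peer looks healthy.
    findings = []
    if peer["handshake_age"] is None:
        findings.append("no handshake: endpoint unreachable, wrong port, or key mismatch")
    elif peer["handshake_age"] > STALE_AFTER:
        findings.append("stale handshake: peer stopped answering handshake initiations")
    if peer["tx"] > 1024 ** 2 and peer["rx"] < peer["tx"] * ONE_WAY_RATIO:
        findings.append("one-way traffic: packets enter the tunnel but replies never come back")
    return findings
```

Feed it the live output with `parse_peers(subprocess.check_output(["wg", "show"], text=True))` when running it on the client itself.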

You may want to ask at reddit / wireguard:

By the way, kernel 6.11.7-1.el9.elrepo is way too old. Any reason why you cannot update it?

Hello,

Thank you for the reply.

Indeed the group you mentioned might be a good place to ask. If I have any meaningful answer I will port it to this forum.

And for the kernel, indeed I have reasons not to go higher at the moment. I would not expect the kernel to be the source of my problem, though. Do you?

Cheers,

Piotr

Rocky 9 also has the same wireguard version as Fedora, so you could always try to see if wireguard works in Fedora or suffers the same problem. A newer version of wireguard will appear in Fedora 43. However, it’s unlikely to be able to get that version built with mock and installed on Rocky 9 without encountering problems. But it could be an option for you to try:

The above link is to the Fedora source rpm. There are some posts on the forum already on how to use mock to build source rpms in case you want to try that route.