apper.charles/WireGuardSetup-Troubleshoot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WireGuardSetup-Troubleshoot/ErrorSummary.md

217 lines
8.1 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# WireGuard Server Setup Error Summary
This document summarizes the errors encountered while setting up a WireGuard VPN server on an EC2 instance, along with their causes and resolutions. The issues primarily relate to handshake failures between the client and server, stemming from configuration mismatches and network setup problems.
## Error 1: Handshake Failure Due to Incorrect Peer Public Key
### Description
The WireGuard tunnel failed to establish a handshake between the client and the EC2 server.
### Cause
- The server's `[Peer]` section in the configuration (`/etc/wireguard/wg0.conf`) contained an incorrect public key (`4lr6dNMU0mFsBPVmuTUt3mRkbavaPRlm0pCFRe8aghQ=`) that did not match the client's actual public key (`f5oE/Nam9wRhk18zqa3nM43p1UlDggMi4ExLz37aEFo=`), generated from the client's private key (`+HdWG/o+XJJpzE6UH4GMNCsynnU/aUlG4EnCP0GwX2M=`).
- This mismatch prevented the server from authenticating the client's handshake attempts.
### Resolution
- Verified the client's public key using:
```bash
echo "+HdWG/o+XJJpzE6UH4GMNCsynnU/aUlG4EnCP0GwX2M=" | wg pubkey
```
- Updated the server's configuration to use the correct client public key:
```ini
[Peer]
PublicKey = f5oE/Nam9wRhk18zqa3nM43p1UlDggMi4ExLz37aEFo=
AllowedIPs = 10.0.0.10/32
```
- Restarted the WireGuard service:
```bash
sudo wg-quick down wg0
sudo wg-quick up wg0
```
## Error 2: Incorrect Network Interface in tcpdump
### Description
Attempting to capture packets using `tcpdump` resulted in an error:
```
tcpdump: eth0: No such device exists
```
### Cause
- The EC2 instance's primary network interface was not `eth0` (likely `ens5` or similar, common in modern Ubuntu AMIs on AWS).
- The incorrect interface name prevented verification of whether client handshake packets were reaching the server.
### Resolution
- Recommended identifying the correct network interface using:
```bash
ip link
```
- Suggested rerunning `tcpdump` with the correct interface (e.g., `ens5`):
```bash
sudo tcpdump -i ens5 udp port 51820
```
- This step is pending confirmation of the correct interface name from the user.
## Error 3: Incorrect Peer Configuration in Server
### Description
The server's configuration included a `[Peer]` section with its own public key and client-like settings:
```ini
[Peer]
PublicKey = W3WWqz6ZnMafvut1jqkgOb+JTHFxq8TpzKpZjlJWHkY=
AllowedIPs = 10.0.0.10/32, 192.168.8.0/24
Endpoint = 63.176.104.56:51820
PersistentKeepalive = 25
```
### Cause
- The peer `PublicKey` matched the server's own public key, which is invalid (a server cannot be its own peer).
- The `Endpoint` and `PersistentKeepalive` settings are typically client-side, indicating a mix-up between client and server roles.
- This configuration caused handshake failures because the server was misconfigured to connect to itself or an incorrect peer.
### Resolution
- Removed the incorrect `[Peer]` section and replaced it with the correct client public key (`f5oE/Nam9wRhk18zqa3nM43p1UlDggMi4ExLz37aEFo=`).
- Removed `Endpoint` and `PersistentKeepalive` from the server configuration, as they are not needed unless the server initiates connections to another peer.
- Provided a corrected server configuration:
```ini
[Interface]
PrivateKey = OC73dpFa7AfcYksjnbupJJUTyWtOQ70+2d9Q/t/jIFg=
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = f5oE/Nam9wRhk18zqa3nM43p1UlDggMi4ExLz37aEFo=
AllowedIPs = 10.0.0.10/32
```
## Error 4: Potential Endpoint IP Mismatch
### Description
The client configuration specified an endpoint of `34.243.156.239:51820`, while one of the server configurations referenced `63.176.104.56:51820`, indicating a potential mismatch in the server's public IP.
### Cause
- If the EC2 instance's public IP is not `34.243.156.239`, the client cannot reach the server, leading to handshake failures.
- The discrepancy between the two IPs suggests uncertainty about the server's actual public IP.
### Resolution
- Recommended verifying the EC2 instance's public IP:
```bash
curl ifconfig.me
```
- If the IP is `63.176.104.56`, update the client configuration:
```ini
Endpoint = 63.176.104.56:51820
```
- If the IP is `34.243.156.239`, keep the client configuration unchanged.
- This step is pending confirmation of the server's public IP from the user.
## Error 5: Missing PersistentKeepalive in Client Configuration
### Description
The client configuration lacked `PersistentKeepalive`, which is necessary when the client is behind a NAT (e.g., home or mobile network).
### Cause
- Without `PersistentKeepalive`, the client's NAT mapping may close, preventing the server from responding to handshake attempts.
### Resolution
- Added `PersistentKeepalive = 25` to the client configuration:
```ini
[Interface]
PrivateKey = +HdWG/o+XJJpzE6UH4GMNCsynnU/aUlG4EnCP0GwX2M=
Address = 10.0.0.10/24
DNS = 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = W3WWqz6ZnMafvut1jqkgOb+JTHFxq8TpzKpZjlJWHkY=
AllowedIPs = 0.0.0.0/0
Endpoint = 34.243.156.239:51820
PersistentKeepalive = 25
```
- Instructed to update this in the WireGuard app.
## Error 6: Potential Firewall or Security Group Issues
### Description
The handshake failure could be due to packets not reaching the server, as `tcpdump` couldnt be tested on the correct interface.
### Cause
- The AWS security group or local firewall (e.g., `ufw` or `iptables`) may be blocking UDP port `51820`.
- The incorrect interface name (`eth0`) prevented verification of incoming packets.
### Resolution
- Recommended ensuring the AWS security group allows inbound UDP traffic on port `51820`:
- Type: Custom UDP
- Protocol: UDP
- Port Range: `51820`
- Source: `0.0.0.0/0` (or a specific IP range)
- Suggested allowing UDP `51820` in the local firewall:
```bash
sudo ufw allow 51820/udp
```
Or with `iptables`:
```bash
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
```
- Pending confirmation of firewall settings and correct interface for packet capture.
## Error 7: Missing IP Forwarding and NAT Configuration
### Description
The client uses `AllowedIPs = 0.0.0.0/0` for full-tunnel routing, but the server may not be configured to forward traffic.
### Cause
- Without IP forwarding and NAT, the server cannot route the client's traffic to the internet, potentially affecting connectivity post-handshake.
### Resolution
- Enabled IP forwarding:
```bash
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
```
- Configured NAT (assuming interface `ens5`):
```bash
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
sudo apt-get install iptables-persistent
sudo dpkg-reconfigure iptables-persistent
```
- Noted that the correct interface (e.g., `ens5`) needs to be confirmed via `ip link`.
## Additional Notes
- **Pending Information**: The handshake status (`sudo wg show`), server public IP (`curl ifconfig.me`), and correct network interface (`ip link`) are still needed to confirm resolution of network-related issues.
- **Testing Recommendations**:
- After applying the corrected configurations, check the handshake:
```bash
sudo wg show
```
- Test connectivity from the client:
```bash
ping 10.0.0.1
curl ifconfig.me
```
- **Debugging Steps**: If issues persist, capture packets on the correct interface and check WireGuard logs:
```bash
sudo tcpdump -i ens5 udp port 51820
sudo journalctl -u wg-quick@wg0 -f
```
## Final Configurations
### Client Configuration (`wg-client.conf`)
```ini
[Interface]
PrivateKey = +HdWG/o+XJJpzE6UH4GMNCsynnU/aUlG4EnCP0GwX2M=
Address = 10.0.0.10/24
DNS = 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = W3WWqz6ZnMafvut1jqkgOb+JTHFxq8TpzKpZjlJWHkY=
AllowedIPs = 0.0.0.0/0
Endpoint = 63.176.104.56:51820
PersistentKeepalive = 25
```
### Server Configuration (`wg0.conf`)
```ini
[Interface]
PrivateKey = OC73dpFa7AfcYksjnbupJJUTyWtOQ70+2d9Q/t/jIFg=
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = f5oE/Nam9wRhk18zqa3nM43p1UlDggMi4ExLz37aEFo=
AllowedIPs = 10.0.0.10/32
```
This summary captures all identified errors and their resolutions, providing a clear path to a functional WireGuard VPN setup.
Reference in New Issue View Git Blame Copy Permalink