Development discussion of WireGuard
* enabling WG0 allows telegram but impedes browsing
@ 2021-08-20 11:16 S Bauer
  2021-08-21 20:27 ` Roman Mamedov
  2021-08-23 17:38 ` Chris
  0 siblings, 2 replies; 4+ messages in thread
From: S Bauer @ 2021-08-20 11:16 UTC (permalink / raw)
  To: wireguard

Hello team,

Hoping you could help me out with a foggy situation.
The past week I have been struggling to get the Wireguard VPN working
smoothly. Everything seems to work on paper, except in a specific way
it doesn't. I am using Pop!_OS 21.04 (Ubuntu Hirsute).

SitRep:
I work as a freelance consultant and want to be careful about the
local networks' peeping tom when accessing sensitive work documents
from 'out of office', e.g. at a friend's place or at a hotel. So my
objective is to access my home network via PiHole and then continue
onward to access my work-related documents on a fileserver.
I was hoping this could be easily achieved with Wireguard.

Using the Wireguard VPN wg0 with wg-quick worked perfectly when I
connected to my brother's phone hotspot (4G). I could access our home
via VPN as expected and could work on my documents without any
problems.
The trouble is that I am now at a different location, working with a
fixed router from Ziggo NL. For some reason the WG0 still connects
perfectly, but after that a small mystery occurs. I did not make any
modifications to WG0.conf, so I remain stumped.
With WG active, I am no longer able to access any webpage. So no
access to protonmail/gmail, reddit or anything else. Telegram,
however, is still working fine. Internal machines on the home's local
network (IP-camera) can also be accessed directly.
Disabling the WG gives me full access to any webpage as usual. So
something is amiss that affects my browser only (Firefox 91.0).

I already did some troubleshooting. Starting with Uncomplicated
Firewall (UFW). I tried disabling UFW and rebooting, but this did not
change anything. I still lacked browser access when connected with
WG0, but Telegram still worked fine.
The output from sudo wg is:
interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: <portnumber>
  fwmark: 0xca6c

peer: (hidden)
  preshared key: (hidden)
  endpoint: >our_endpoint_name<.ddns.net:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 3 seconds ago
  transfer: 92 B received, 4.77 KiB sent

To be on the safe side, I added several rules to UFW (and reloaded UFW
each time) per advice from
https://jianjye.medium.com/how-to-fix-no-internet-issues-in-wireguard-ed8f4bdd0bd1
, leaving me with the following output from ufw status verbose. (But
like I said, the problem occurs even with UFW disabled.)
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                                 Action      From
--                                 ------      ----
Anywhere/udp on wg0                ALLOW IN    Anywhere/udp
<portnumber>/udp                   ALLOW IN    Anywhere
<portnumber>/udp                   ALLOW IN    Anywhere
<portnumber>/udp on wlp0s20f3      ALLOW IN    Anywhere
Anywhere/udp on wlp0s20f3          ALLOW IN    Anywhere/udp
<portnumber> on wlp0s20f3          ALLOW IN    Anywhere
Anywhere/udp (v6) on wg0           ALLOW IN    Anywhere/udp (v6)
<portnumber>/udp (v6)              ALLOW IN    Anywhere (v6)
<portnumber>/udp (v6)              ALLOW IN    Anywhere (v6)
<portnumber>/udp (v6) on wlp0s20f3 ALLOW IN    Anywhere (v6)
Anywhere/udp (v6) on wlp0s20f3     ALLOW IN    Anywhere/udp (v6)
<portnumber> (v6) on wlp0s20f3     ALLOW IN    Anywhere (v6)

Anywhere on eth0                   ALLOW FWD   Anywhere on wg0
Anywhere on wg0                    ALLOW FWD   Anywhere on eth0
Anywhere on wg0                    ALLOW FWD   Anywhere on enp40s0
Anywhere on enp40s0                ALLOW FWD   Anywhere on wg0
Anywhere on wlp0s20f3              ALLOW FWD   Anywhere on wg0
Anywhere on wg0                    ALLOW FWD   Anywhere on wlp0s20f3
Anywhere (v6) on eth0              ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0               ALLOW FWD   Anywhere (v6) on eth0
Anywhere (v6) on wg0               ALLOW FWD   Anywhere (v6) on enp40s0
Anywhere (v6) on enp40s0           ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wlp0s20f3         ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0               ALLOW FWD   Anywhere (v6) on wlp0s20f3

Now all these rules may be barbaric overkill, and yes I will admit
that I have a limited understanding of what everything means and how
it affects my security. Though I am a linux newcomer and employ
duckduckgo to the best of my abilities the learning curve is still
pretty much in effect. That being said, do feel free to point out any
serious flaws I may have unwittingly introduced or simply push me
towards some longreads ;)

Any hints on solving this issue are appreciated.


Additional notes:
* the DDNS in wg0.conf is properly translated to an IP address each
time. So that seems to be no issue.
* I am currently using the Dutch Ziggo network, which already seems to
have a reputation concerning the use of VPN applications. Maybe the
issue lies herein?
* Should I consider this relevant? >
https://github.com/pop-os/pop/issues/773 I am a bit cautious about
doing more random stuff before actually understanding what is going
on.

Regards,
Sander
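
The UFW table in the message above deserves a look from the firewall side as well as the connectivity side. What follows is an added example written for this thread, not code from ufw, WireGuard or the poster: it parses the `ufw status verbose` listing exactly as posted (the `<portnumber>` placeholder is the poster's own redaction, kept as-is) and flags three things a WireGuard client on a hotel or friend's Wi-Fi does not need. A peer that only initiates the tunnel receives its replies through ufw's built-in established/related rules, so it needs no ALLOW IN at all; `Anywhere/udp on wlp0s20f3 ALLOW IN Anywhere/udp` admits every UDP port from anyone on the local network; and the ALLOW FWD pairs make the laptop route between wg0 and that network as soon as net.ipv4.ip_forward is enabled. Interface names are the ones in the post.

```python
"""Audit a `ufw status verbose` listing from a road-warrior WireGuard client.

Added example for this mailing-list thread, not part of ufw or WireGuard.
The sample below is the rule table posted in the thread, `<portnumber>`
placeholder included.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# "To  Action  From" rows; the action token is the only reliable column separator.
RULE_RE = re.compile(r"^(?P<to>.+?)\s+(?P<action>(?:ALLOW|DENY|REJECT|LIMIT) (?:IN|OUT|FWD))\s+(?P<frm>.+)$")
# A "To" target with no port at all: Anywhere, Anywhere/udp, Anywhere/tcp, optionally "(v6)".
ANY_PORT_RE = re.compile(r"^Anywhere(?:/(?:tcp|udp))?(?: \(v6\))?$")

SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere/udp on wg0        ALLOW IN    Anywhere/udp
<portnumber>/udp           ALLOW IN    Anywhere
<portnumber>/udp           ALLOW IN    Anywhere
<portnumber>/udp on wlp0s20f3  ALLOW IN    Anywhere
Anywhere/udp on wlp0s20f3  ALLOW IN    Anywhere/udp
<portnumber> on wlp0s20f3  ALLOW IN    Anywhere
Anywhere/udp (v6) on wg0   ALLOW IN    Anywhere/udp (v6)
<portnumber>/udp (v6)      ALLOW IN    Anywhere (v6)
<portnumber>/udp (v6)      ALLOW IN    Anywhere (v6)
<portnumber>/udp (v6) on wlp0s20f3 ALLOW IN    Anywhere (v6)
Anywhere/udp (v6) on wlp0s20f3 ALLOW IN    Anywhere/udp (v6)
<portnumber> (v6) on wlp0s20f3    ALLOW IN    Anywhere (v6)

Anywhere on eth0           ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on eth0
Anywhere on wg0            ALLOW FWD   Anywhere on enp40s0
Anywhere on enp40s0        ALLOW FWD   Anywhere on wg0
Anywhere on wlp0s20f3      ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on wlp0s20f3
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on eth0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on enp40s0
Anywhere (v6) on enp40s0   ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wlp0s20f3 ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on wlp0s20f3
"""


@dataclass
class Finding:
    severity: str  # open-all-ports | inbound-allow | forward-rule
    iface: str     # interface named after "on", or "any" when the rule is not bound to one
    rule: str


def audit_ufw(status_text: str) -> List[Finding]:
    """Classify every rule row of a `ufw status verbose` listing; header lines are skipped."""
    findings: List[Finding] = []
    for raw in status_text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # Status:/Logging:/Default: and column-header lines
        target, _, iface = m.group("to").partition(" on ")
        iface = iface or "any"
        action = m.group("action")
        if action.endswith("FWD"):
            findings.append(Finding("forward-rule", iface, line))   # only bites once ip_forward=1
        elif action == "ALLOW IN" and ANY_PORT_RE.match(target):
            findings.append(Finding("open-all-ports", iface, line))  # every port, any source
        elif action == "ALLOW IN":
            findings.append(Finding("inbound-allow", iface, line))   # unneeded for an initiating peer
    return findings


def count(findings: List[Finding], severity: str, iface: Optional[str] = None) -> int:
    """Number of findings of one severity, optionally restricted to one interface."""
    return sum(1 for f in findings if f.severity == severity and (iface is None or f.iface == iface))


if __name__ == "__main__":
    # Pipe `sudo ufw status verbose` into this script, or run it bare to audit the thread's table.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for f in audit_ufw(text):
        print(f"{f.severity:15} {f.iface:10} {f.rule}")
```

On the thread's table this reports four all-port rules (two of them on the Wi-Fi uplink), eight port-specific inbound allows and twelve forward rules; with `Default: deny (incoming)` and no ALLOW IN lines, a client that only dials out still works.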


* Re: enabling WG0 allows telegram but impedes browsing
  2021-08-20 11:16 enabling WG0 allows telegram but impedes browsing S Bauer
@ 2021-08-21 20:27 ` Roman Mamedov
  2021-08-23 17:38 ` Chris
  1 sibling, 0 replies; 4+ messages in thread
From: Roman Mamedov @ 2021-08-21 20:27 UTC (permalink / raw)
  To: S Bauer; +Cc: wireguard

On Fri, 20 Aug 2021 13:16:34 +0200
S Bauer <sanderbauer@gmail.com> wrote:

> Hello team,
> 
> Hoping you could help me out with a foggy situation.
> The past week I have been struggling to get the Wireguard VPN working
> smoothly. Everything seems to work on paper, except in a specific way
> it doesn't. I am using Pop!_OS 21.04 (Ubuntu Hirsute).
> 
> SitRep;
> I work as a freelance consultant and want to be careful about the
> local networks' peeping tom when accessing sensitive work documents
> from 'out of office', e.g. at a friend's place or at a hotel. So my
> objective is to access my home network via PiHole and then continue
> onward to access my work-related documents on a fileserver.
> I was hoping this could be easily achieved with Wireguard.
> 
> Using the Wireguard VPN wg0 with wg-quick worked perfectly when I
> connected to my brother's phone hotspot (4G). I could access our home
> via VPN as expected and could work on my documents without any
> problems.
> The trouble is that I am now at a different location, working with a
> fixed router from Ziggo NL. For some reason the WG0 still connects
> perfectly, but after that a small mystery occurs. I did not make any
> modifications to WG0.conf, so I remain stumped.
> With WG active, I am no longer able to access any webpage. So no
> access to protonmail\gmail, reddit or anything else. Telegram,
> however, is still working fine. Internal machines on the home's local
> network (IP-camera) can also be accessed directly.
> Disabling the WG gives me full access to any webpage as usual. So
> something is amiss that affects my browser only (Firefox 91.0).

What's your MTU on the wg0 interface? Try reducing that to 1400, or if
that doesn't help, to 1280.

-- 
With respect,
Roman
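
Roman's suggestion can be turned into a measurement instead of a guess. The following is an added example written for this thread, not WireGuard project code: it finds the outer path MTU with don't-fragment pings and derives the wg0 MTU from it. It assumes Linux iputils `ping` (the `-M do` flag) and an IPv4 path; run it with wg0 down against the endpoint host named in wg0.conf, and with wg0 up against an Internet host to test the inside of the tunnel. The numbers behind it are the WireGuard data-packet header (32 bytes: type, receiver index, counter and the 16-byte authentication tag) plus the UDP and IP headers, which is why wg-quick's default of 1420 is 1500 minus 80, the worst-case overhead with an IPv6 outer header. The search is injectable so it can be exercised without a network; the `simulated_path` prober is constructed for that purpose. If even the smallest probe gets no reply, the fault is not MTU, which is the distinction that matters when lowering the MTU changes nothing.

```python
"""Probe the path MTU with don't-fragment pings and derive a matching wg0 MTU.

Added example for this mailing-list thread, not WireGuard code. Assumes Linux
iputils `ping` (`-M do`) and an IPv4 path; `find_pmtu` takes any prober so the
search can run offline against the constructed `simulated_path`.
"""
import subprocess
import sys
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 20 + 8      # IPv4 header + ICMP echo header wrapped around the `-s` payload
WG_OVERHEAD_V4 = 20 + 8 + 32   # outer IPv4 + UDP + WireGuard data header (type, index, counter, tag)
WG_OVERHEAD_V6 = 40 + 8 + 32   # same with an outer IPv6 header; wg-quick's 1420 default is 1500 - 80


def wg_mtu(outer_mtu: int, ipv6_endpoint: bool = False) -> int:
    """Largest wg0 MTU whose encrypted packets still fit the outer path MTU."""
    return outer_mtu - (WG_OVERHEAD_V6 if ipv6_endpoint else WG_OVERHEAD_V4)


def ping_df(host: str, payload: int, timeout_s: int = 1) -> bool:
    """True if one don't-fragment echo carrying `payload` data bytes is answered (Linux iputils)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def find_pmtu(prober: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Binary-search the largest total packet size in [lo, hi] that passes unfragmented.

    `prober(payload)` is called with ICMP payload sizes and must be monotone.
    Returns None when even `lo` bytes get no reply: that is a routing or
    forwarding fault, not an MTU one, and shrinking the MTU will not help.
    """
    if not prober(lo - IP_ICMP_OVERHEAD):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if prober(mid - IP_ICMP_OVERHEAD):
            lo = mid          # mid fits: the answer is mid or larger
        else:
            hi = mid - 1      # mid was too big (ping reports "message too long")
    return lo


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed prober standing in for ping: replies only when the whole packet fits the path."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    pmtu = find_pmtu(lambda p: ping_df(host, p))
    if pmtu is None:
        print(f"no reply from {host} even for 576-byte packets: not an MTU problem, check routing")
    else:
        print(f"path MTU to {host}: {pmtu}; wg0 MTU for an IPv4 endpoint: {wg_mtu(pmtu)}, "
              f"for an IPv6 endpoint: {wg_mtu(pmtu, ipv6_endpoint=True)}")
```

Apply the result with `sudo ip link set mtu <value> dev wg0` or `MTU = <value>` in the `[Interface]` section of wg0.conf; a path that passes 1500-byte probes gives 1440 (IPv4 endpoint) or 1420 (IPv6 endpoint), a 1400-byte path gives 1340 or 1320.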


* Re: enabling WG0 allows telegram but impedes browsing
  2021-08-20 11:16 enabling WG0 allows telegram but impedes browsing S Bauer
  2021-08-21 20:27 ` Roman Mamedov
@ 2021-08-23 17:38 ` Chris
       [not found]   ` <CA+MSESmGoAuQJX3rn-a3aucV8YoD+pnrVtTVDaMu9EFuS=-mqg@mail.gmail.com>
  1 sibling, 1 reply; 4+ messages in thread
From: Chris @ 2021-08-23 17:38 UTC (permalink / raw)
  To: S Bauer, wireguard

If I understand it right, everything seems fine BUT once wg is up you cannot 
reach e.g. other websites.
Therefore you try to track the route to, say, reddit. Command line:

mtr -n reddit.com

and then you will see at what point the data transport to reddit gets stuck.

Also check (command line)

host -v reddit.com

to check on the correct DNS working.

Chris



* Re: enabling WG0 allows telegram but impedes browsing
       [not found]   ` <CA+MSESmGoAuQJX3rn-a3aucV8YoD+pnrVtTVDaMu9EFuS=-mqg@mail.gmail.com>
@ 2021-08-31 14:46     ` S Bauer
  0 siblings, 0 replies; 4+ messages in thread
From: S Bauer @ 2021-08-31 14:46 UTC (permalink / raw)
  Cc: wireguard

Hi all,

I found some time to troubleshoot properly.
Below I posted my outputs, responding to the different hints I
received from several of the mailinglist subscribers. (thanks for
helping)

The following is with WG0 disabled. Sending a ping to google and a
route to Reddit.

...:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=14.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=13.3 ms
.......seq=3 to seq=18....
64 bytes from 8.8.8.8: icmp_seq=19 ttl=117 time=10.1 ms
64 bytes from 8.8.8.8: icmp_seq=20 ttl=117 time=10.7 ms
^C
--- 8.8.8.8 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19029ms
rtt min/avg/max/mdev = 9.892/15.839/90.310/17.462 ms

...:~$ host -v reddit.com
Trying "reddit.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46050
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;reddit.com. IN A

;; ANSWER SECTION:
reddit.com. 161 IN A 151.101.65.140
reddit.com. 161 IN A 151.101.193.140
reddit.com. 161 IN A 151.101.129.140
reddit.com. 161 IN A 151.101.1.140

Received 92 bytes from 127.0.0.53#53 in 15 ms
Trying "reddit.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43918
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;reddit.com. IN AAAA

Received 28 bytes from 127.0.0.53#53 in 23 ms
Trying "reddit.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32760
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;reddit.com. IN MX

;; ANSWER SECTION:
reddit.com. 300 IN MX 10 aspmx2.googlemail.com.
reddit.com. 300 IN MX 10 aspmx3.googlemail.com.
reddit.com. 300 IN MX 5 alt2.aspmx.l.google.com.
reddit.com. 300 IN MX 5 alt1.aspmx.l.google.com.
reddit.com. 300 IN MX 1 aspmx.l.google.com.

Received 158 bytes from 127.0.0.53#53 in 15 ms


...:~$ mtr -n reddit.com
                    My traceroute  [v0.94]
... (>my_IP<) -> reddit.com                        2021-08-31T14:27:10+0200
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                        Packets               Pings
 Host                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.160.243.129                     0.0%     3   11.1   8.4   4.4  11.1   3.5
    >my_ip<
 2. 10.160.243.129                     0.0%     3   11.8  11.4  11.1  11.8   0.4
 3. 212.142.52.193                     0.0%     2   14.7  12.9  11.1  14.7   2.6
 4. 213.51.7.90                        0.0%     2   12.3  10.9   9.5  12.3   2.0
 5. 213.51.64.58                       0.0%     2   31.0  27.6  24.1  31.0   4.9
 6. 213.46.191.170                     0.0%     2   12.8  11.4  10.1  12.8   1.9
 7. 151.101.1.140                      0.0%     2   10.8  10.6  10.4  10.8   0.2

...:~$ ip route show
default via >my_ip< dev wlp0s20f3 proto dhcp metric 600
>my_ip</.. dev wlp0s20f3 scope link metric 1000
>my_ip</.. dev wlp0s20f3 proto kernel scope link src >my_ip< metric 600


The following is with WG0 enabled, let's see where things mess up.

..:~$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add (hidden)/.. dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

...:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10244ms

...:~$ host -v reddit.com
Trying "reddit.com"
;; connection timed out; no servers could be reached

...:~$ mtr -n reddit.com
no output

...:~$ ip route show
default via >my_ip< dev wlp0s20f3 proto dhcp metric 600
>my_ip</.. dev wg0 proto kernel scope link src >my_ip<
>my_ip</.. dev wlp0s20f3 scope link metric 1000
>my_ip</.. dev wlp0s20f3 proto kernel scope link src >my_ip< metric 600

So, apparently all fails when WG0 is enabled without any changes to the MTU.

Per advice from Roman I reduced the MTU to 1400.
...:~$ sudo ifconfig wg0 mtu 1400 up
Double checking by performing
...:~$ ip a
......
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state
UNKNOWN group default qlen 1000
    link/none
    inet .../.. scope global wg0
       valid_lft forever preferred_lft forever

But even with the MTU lowered I get the following output.
...:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
17 packets transmitted, 0 received, 100% packet loss, time 16370ms

Trying even lower MTU.

...:~$ sudo ifconfig wg0 mtu 1200 up
(I also performed this step with
...:~$ sudo ip link set mtu 1200 up dev wg0 and confirmed with ip a
But this method did not produce a different result)
...:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
23 packets transmitted, 0 received, 100% packet loss, time 22521ms
...:~$ mtr -n reddit.com
no output

Am I missing something here?

Sander

On Thu, 26 Aug 2021 at 09:40, S Bauer <sanderbauer@gmail.com> wrote:
>
> Thank you all for the insights about MTU settings, DNS and routing.
> I am a bit caught up in work with important deadlines but will test all your advice as soon as possible and inform everyone of the outcomes.
>
> Regards
> Sander

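The `wg-quick up wg0` output in the last message shows the policy routing that `AllowedIPs = 0.0.0.0/0` produces, and its effect is easier to see in a small model than in `ip rule` output. What follows is an added example written for this thread, not wg-quick's own code: it evaluates the rules wg-quick installs (table main with suppress_prefixlength 0 at preference 32764, `not fwmark 51820` to table 51820 at 32765, then the stock main rule at 32766) against sample packets. Addresses are constructed because the thread redacted them (a 192.168.178.0/24 LAN, a 10.8.0.0/24 tunnel subnet); the mark 51820 (0xca6c), table 51820 and the device names are as printed above. The model shows why, with the tunnel up, everything that is not on a directly connected subnet enters wg0: the ping to 8.8.8.8, the browser, and the upstream queries the stub resolver at 127.0.0.53 forwards; only WireGuard's own marked UDP leaves via the Wi-Fi uplink. A tunnel that handshakes but carries nothing back therefore fails every one of those tests the same way, whatever MTU wg0 is given.

```python
"""Model of the policy routing wg-quick installs for AllowedIPs = 0.0.0.0/0.

Added example for this mailing-list thread, not wg-quick code. Addresses are
constructed (the thread redacted them); the fwmark/table 51820 and the device
names wg0 and wlp0s20f3 are the ones printed in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

WG_FWMARK = 51820  # 0xca6c: wg marks its own encrypted UDP so it escapes the catch-all tunnel route


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass
class Rule:
    pref: int                                    # lower preference is evaluated first
    table: str
    fwmark: Optional[int] = None                 # selector: packets carrying this mark ...
    invert_fwmark: bool = False                  # ... or, with `not`, packets that do not
    suppress_prefixlength: Optional[int] = None  # discard a lookup that hits a route this short


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table, as the kernel FIB does."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]], dst: str, fwmark: int = 0) -> Optional[str]:
    """Walk the rules in preference order; return the egress device, or None if unreachable."""
    addr = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.fwmark is not None and (fwmark == rule.fwmark) == rule.invert_fwmark:
            continue                                    # fwmark selector does not match this packet
        route = lookup(tables[rule.table], addr)
        if route is None:
            continue                                    # no route in that table: fall through to the next rule
        if rule.suppress_prefixlength is not None and route.prefix.prefixlen <= rule.suppress_prefixlength:
            continue                                    # main's default route (/0) is ignored by rule 32764
        return route.dev
    return None


# Tables as `ip route show` and `ip route show table 51820` list them after wg-quick up.
TABLES: Dict[str, List[Route]] = {
    "main": [
        Route(ipaddress.ip_network("0.0.0.0/0"), "wlp0s20f3"),         # default via the router, from DHCP
        Route(ipaddress.ip_network("192.168.178.0/24"), "wlp0s20f3"),  # on-link LAN (constructed prefix)
        Route(ipaddress.ip_network("10.8.0.0/24"), "wg0"),             # wg0's kernel route (constructed prefix)
    ],
    "51820": [Route(ipaddress.ip_network("0.0.0.0/0"), "wg0")],        # ip -4 route add 0.0.0.0/0 dev wg0 table 51820
}

# `ip rule` after wg-quick up (the local table at preference 0 is omitted here).
RULES: List[Rule] = [
    Rule(32764, "main", suppress_prefixlength=0),                # ip -4 rule add table main suppress_prefixlength 0
    Rule(32765, "51820", fwmark=WG_FWMARK, invert_fwmark=True),  # ip -4 rule add not fwmark 51820 table 51820
    Rule(32766, "main"),                                         # stock rule: only marked packets get this far
]


def egress(dst: str, fwmark: int = 0) -> Optional[str]:
    """Egress device for a packet to `dst` under the wg-quick rule set above."""
    return route_packet(RULES, TABLES, dst, fwmark)


if __name__ == "__main__":
    samples = [("8.8.8.8", 0), ("8.8.8.8", WG_FWMARK), ("192.168.178.20", 0), ("10.8.0.1", 0)]
    for dst, mark in samples:
        kind = "wg's own UDP" if mark else "plain traffic"
        print(f"{dst:16} {kind:14} -> {egress(dst, mark)}")
```

The two interesting rows are 8.8.8.8 unmarked (goes to wg0, because rule 32764 suppressed main's default route and rule 32765 then sent it to table 51820) and 8.8.8.8 carrying the mark (skips rule 32765 and reaches the stock main rule, hence the Wi-Fi uplink). Anything on a connected subnet, LAN or tunnel, is settled by rule 32764 before the catch-all is consulted. With the real system, `ip rule` and `ip route show table 51820` confirm the same three steps.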
