Development discussion of WireGuard
From: Chris <wireguard@spam-free.eu>
To: S Bauer <sanderbauer@gmail.com>, wireguard@lists.zx2c4.com
Subject: Re: enabling WG0 allows telegram but impedes browsing
Date: Mon, 23 Aug 2021 19:38:37 +0200
Message-ID: <bc607757-8c13-6146-c7bd-50aad949de76@spam-free.eu>
In-Reply-To: <CA+MSESn8FSHVmOjHQGsNsQqu89ijP3uGiz3ohE3Lbh6LHM3meA@mail.gmail.com>

If I understand it right, everything seems fine BUT once wg is up you cannot
reach e.g. other websites.
Therefore you try to trace the route to, say, reddit. Command line:

mtr -n reddit.com

and then you will see at what point the data transport to reddit gets stuck.

Also check (command line)

host -v reddit.com

to check that DNS is working correctly.

Chris


On 20/08/2021 13:16, S Bauer wrote:
> Hello team,
>
> Hoping you could help me out with a foggy situation.
> The past week I have been struggling to get the Wireguard VPN working
> smoothly. Everything seems to work on paper, except in a specific way
> it doesn't. I am using Pop!_OS 21.04 (Ubuntu Hirsute).
>
> SitRep;
> I work as a freelance consultant and want to be careful about the
> local networks' peeping tom when accessing sensitive work documents
> from 'out of office', e.g. at a friend's place or at a hotel. So my
> objective is to access my home network via PiHole and then continue
> onward to access my work-related documents on a fileserver.
> I was hoping this could be easily achieved with Wireguard.
>
> Using the Wireguard VPN wg0 with wg-quick worked perfectly when I
> connected to my brother's phone hotspot (4G). I could access our home
> via VPN as expected and could work on my documents without any
> problems.
> The trouble is that I am now at a different location, working with a
> fixed router from Ziggo NL. For some reason the WG0 still connects
> perfectly, but after that a small mystery occurs. I did not make any
> modifications to WG0.conf, so I remain stumped.
> With WG active, I am no longer able to access any webpage. So no
> access to protonmail\gmail, reddit or anything else. Telegram,
> however, is still working fine. Internal machines on the home's local
> network (IP-camera) can also be accessed directly.
> Disabling the WG gives me full access to any webpage as usual. So
> something is amiss that affects my browser only (Firefox 91.0).
>
> I already did some troubleshooting. Starting with Uncomplicated
> Firewall (UFW). I tried disabling UFW and rebooting, but this did not
> change anything. I still lacked browser access when connected with
> WG0, but Telegram still worked fine.
> The output from sudo wg is;
> interface: wg0
> public key: (hidden)
> private key: (hidden)
> listening port: <portnumber>
> fwmark: 0xca6c
>
> peer: (hidden)
> preshared key: (hidden)
> endpoint: >our_endpoint_name<.ddns.net:51820
> allowed ips: 0.0.0.0/0, ::/0
> latest handshake: 3 seconds ago
> transfer: 92 B received, 4.77 KiB sent
>
> To be on the safe side, I added several rules to UFW (and reloaded UFW
> each time) per advice from
> https://jianjye.medium.com/how-to-fix-no-internet-issues-in-wireguard-ed8f4bdd0bd1
> , leaving me with the following output from ufw status verbose. (But
> like I said, the problem occurs even with UFW disabled.)
> Status: active
> Logging: on (low)
> Default: deny (incoming), allow (outgoing), deny (routed)
> New profiles: skip
>
> To Action From
> -- ------ ----
> Anywhere/udp on wg0 ALLOW IN Anywhere/udp
> <portnumber>/udp ALLOW IN Anywhere
> <portnumber>/udp ALLOW IN Anywhere
> <portnumber>/udp on wlp0s20f3 ALLOW IN Anywhere
> Anywhere/udp on wlp0s20f3 ALLOW IN Anywhere/udp
> <portnumber> on wlp0s20f3 ALLOW IN Anywhere
> Anywhere/udp (v6) on wg0 ALLOW IN Anywhere/udp (v6)
> <portnumber>/udp (v6) ALLOW IN Anywhere (v6)
> <portnumber>/udp (v6) ALLOW IN Anywhere (v6)
> <portnumber>/udp (v6) on wlp0s20f3 ALLOW IN Anywhere (v6)
> Anywhere/udp (v6) on wlp0s20f3 ALLOW IN Anywhere/udp (v6)
> <portnumber> (v6) on wlp0s20f3 ALLOW IN Anywhere (v6)
>
> Anywhere on eth0 ALLOW FWD Anywhere on wg0
> Anywhere on wg0 ALLOW FWD Anywhere on eth0
> Anywhere on wg0 ALLOW FWD Anywhere on enp40s0
> Anywhere on enp40s0 ALLOW FWD Anywhere on wg0
> Anywhere on wlp0s20f3 ALLOW FWD Anywhere on wg0
> Anywhere on wg0 ALLOW FWD Anywhere on wlp0s20f3
> Anywhere (v6) on eth0 ALLOW FWD Anywhere (v6) on wg0
> Anywhere (v6) on wg0 ALLOW FWD Anywhere (v6) on eth0
> Anywhere (v6) on wg0 ALLOW FWD Anywhere (v6) on enp40s0
> Anywhere (v6) on enp40s0 ALLOW FWD Anywhere (v6) on wg0
> Anywhere (v6) on wlp0s20f3 ALLOW FWD Anywhere (v6) on wg0
> Anywhere (v6) on wg0 ALLOW FWD Anywhere (v6) on wlp0s20f3
>
> Now all these rules may be barbaric overkill, and yes I will admit
> that I have a limited understanding of what everything means and how
> it affects my security. Though I am a Linux newcomer and employ
> DuckDuckGo to the best of my abilities, the learning curve is still
> pretty much in effect. That being said, do feel free to point out any
> serious flaws I may have unwittingly introduced or simply push me
> towards some longreads ;)
>
> Any hints on solving this issue are appreciated.
>
>
> Additional notes;
> * the DDNS in wg0.conf is properly translated to an IP address each
> time. So that seems to be no issue.
> * I am currently using the Dutch Ziggo network, which already seems to
> have a reputation concerning the use of VPN applications. Maybe the
> issue lies herein?
> * Should I consider this relevant?
> https://github.com/pop-os/pop/issues/773 I am a bit cautious about
> doing more random stuff before actually understanding what is going
> on.
>
> Regards,
> Sander
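The two checks Chris suggests (mtr -n and host -v) tell you where traffic stops and whether names still resolve, but reading their output by eye on a flaky hotel link is error-prone. Below is an added example, written for this page and not taken from the thread or from the WireGuard project, of small POSIX-sh helpers that reduce each command's output to a one-line verdict; it also goes one step beyond the thread with a don't-fragment ping sizing helper, since a tunnel that carries small packets but not large ones is worth ruling out when some applications work and others do not. Assumptions: the `mtr --report` and `host -v` output layouts shown in the constructed samples, iputils `ping -M do` on Linux, and 1420 as wg-quick's default interface MTU. All command output in the block is constructed for demonstration, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread or the WireGuard project): POSIX-sh helpers
# that turn the two checks suggested above (mtr -n, host -v) into a one-line
# verdict, plus a don't-fragment ping sizing helper as an extra check.
# Every command output below is CONSTRUCTED for demonstration; with wg0 up, run:
#   mtr_verdict "$(mtr -n --report reddit.com)"
#   dns_verdict "$(host -v reddit.com)"
#   ping -M do -c 3 -s "$(ping_payload_for_mtu 1420)" 1.1.1.1   # 1420 = wg-quick default MTU

# From `mtr -n --report` output print "reached" when the final hop answers,
# otherwise "stuck at hop N" for the first hop showing 100% loss. A single
# intermediate hop at 100% with later hops answering is just a router that
# drops ICMP, which is why the verdict looks at the last hop, not the first.
mtr_verdict() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+\.[|]--/ {
            hop = $1; sub(/\.[|]--$/, "", hop)         # "2.|--" -> "2"
            loss = $3; sub(/%$/, "", loss); loss += 0  # "0.0%" / "100.0" -> number
            if (loss >= 100 && first == "") first = hop
            last = loss; n++
        }
        END {
            if (n == 0) print "no hops"
            else if (last < 100) print "reached"
            else print "stuck at hop " first
        }'
}

# From `host -v` output report the DNS status, or how many A/AAAA records the
# ANSWER SECTION carried. "dns no response" means no resolver answered at all.
dns_verdict() {
    printf '%s\n' "$1" | awk '
        /status: / { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ { in_ans = 0 }
        in_ans && $3 == "IN" && ($4 == "A" || $4 == "AAAA") { n++ }
        END {
            if (status == "") print "dns no response"
            else if (status != "NOERROR") print "dns " status
            else print n + 0 " address(es)"
        }'
}

# Largest ICMP echo payload that fits a link MTU unfragmented:
# MTU minus 20 bytes IPv4 header minus 8 bytes ICMP header.
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# --- constructed sample output (not real captures) ----------------------------
SAMPLE_MTR_STUCK='Start: 2021-08-23T19:38:37+0200
HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.6.0.1                   0.0%     5    9.1   9.4   8.8  10.2   0.5
  2.|-- ???                       100.0     5    0.0   0.0   0.0   0.0   0.0
  3.|-- ???                       100.0     5    0.0   0.0   0.0   0.0   0.0'

SAMPLE_MTR_OK='HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.6.0.1                   0.0%     5    9.1   9.4   8.8  10.2   0.5
  2.|-- ???                       100.0     5    0.0   0.0   0.0   0.0   0.0
  3.|-- 151.101.1.140              0.0%     5   20.3  20.9  19.8  22.1   0.9'

SAMPLE_HOST_OK='Trying "reddit.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;reddit.com.                    IN      A

;; ANSWER SECTION:
reddit.com.             300     IN      A       151.101.1.140
reddit.com.             300     IN      A       151.101.65.140

Received 60 bytes from 10.6.0.1#53 in 12 ms'

SAMPLE_HOST_DEAD=';; connection timed out; no servers could be reached'

echo "mtr (tunnel black-holed): $(mtr_verdict "$SAMPLE_MTR_STUCK")"   # stuck at hop 2
echo "mtr (working):            $(mtr_verdict "$SAMPLE_MTR_OK")"      # reached
echo "dns (working):            $(dns_verdict "$SAMPLE_HOST_OK")"     # 2 address(es)
echo "dns (no resolver):        $(dns_verdict "$SAMPLE_HOST_DEAD")"   # dns no response
echo "DF ping payload for 1420: $(ping_payload_for_mtu 1420)"         # 1392
```

Read the three verdicts together: "stuck at hop 2" with the hop right after the tunnel gateway points at the tunnel or the remote side, not the browser; "dns no response" with a working tunnel points at the resolver configured for wg0; and a don't-fragment ping at the full 1392-byte payload failing while a smaller one succeeds points at an MTU the path cannot carry. Telegram keeping up while HTTPS fails is consistent with any of these, which is why all three are worth running before touching firewall rules.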



Thread overview: 4+ messages
2021-08-20 11:16 S Bauer
2021-08-21 20:27 ` Roman Mamedov
2021-08-23 17:38 ` Chris [this message]
     [not found]   ` <CA+MSESmGoAuQJX3rn-a3aucV8YoD+pnrVtTVDaMu9EFuS=-mqg@mail.gmail.com>
2021-08-31 14:46     ` S Bauer
