* Trouble running a proxy VPN
@ 2017-06-14  8:00 Pranesh Prakash
  2017-06-14 11:48 ` Jason A. Donenfeld
  0 siblings, 1 reply; 4+ messages in thread
From: Pranesh Prakash @ 2017-06-14  8:00 UTC (permalink / raw)
  To: wireguard


Dear all,
I'm running Ubuntu 16.04 on my laptop and a remote DigitalOcean server, 
and trying to set up a VPN proxy to send all my (for now IPv4) traffic 
through that server.

I can get a VPN tunnel up and working, but I can't get my web traffic to 
pass through it.  What am I doing wrong?

Here are my config files:
===
On the client:
~ cat /etc/wireguard/deneb.conf
[Interface]
Address = 10.10.10.2/32
PostUp = echo nameserver 10.10.10.1 | resolvconf -a tun.%i -m 0 -x
PostDown = resolvconf -d tun.%i
PrivateKey = [pvtkey-of-client]

[Peer]
PublicKey = [pubkey-of-server]
AllowedIPs = 0.0.0.0/0
Endpoint = 162.x.x.125:500
PersistentKeepalive = 25

On server:
sol@deneb:~⟫ cat /etc/wireguard/deneb.conf
[Interface]
Address = 10.10.10.1
PrivateKey = [pvtkey-of-server]
ListenPort = 500

[Peer]
PublicKey = [pubkey-of-client]
AllowedIPs = 10.10.10.2/24
===

On the client I do:
~ sudo wg-quick up deneb
[#] ip link add deneb type wireguard
[#] wg setconf deneb /dev/fd/63
[#] ip address add 10.10.10.2/32 dev deneb
[#] ip link set mtu 1420 dev deneb
[#] ip link set deneb up
[#] wg set deneb fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev deneb table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] echo nameserver 10.10.10.1 | resolvconf -a tun.deneb -m 0 -x

~ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.10.10.1
nameserver 127.0.1.1
search lan

~ ping -c2 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=263 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=287 ms

--- 10.10.10.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 263.302/275.567/287.833/12.276 ms

~ ping google.com
PING google.com (216.58.197.46) 56(84) bytes of data.
^C
--- google.com ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7000ms

~  sudo wg show deneb
interface: deneb
  public key: [pubkey-of-client]
  private key: (hidden)
  listening port: 40401
  fwmark: 0xca6c

peer: [pubkey-of-server]
  endpoint: 162.x.x.125:500
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 48 seconds ago
  transfer: 85.73 KiB received, 208.13 KiB sent
  persistent keepalive: every 25 seconds

On the server:
sol@deneb:~⟫ sudo wg show wg0
interface: wg0
   public key: [pubkey-of-server]
   private key: (hidden)
   listening port: 500

peer: [pubkey-of-client]
   endpoint: 123.x.x.4:40401
   allowed ips: 10.10.10.0/24
   latest handshake: 10 seconds ago
   transfer: 1.26 MiB received, 1.15 MiB sent

-- 
Pranesh Prakash
Policy Director, Centre for Internet and Society
http://cis-india.org | tel:+91 80 40926283
sip:pranesh@ostel.co | xmpp:pranesh@cis-india.org
https://twitter.com/pranesh



* Re: Trouble running a proxy VPN
  2017-06-14  8:00 Trouble running a proxy VPN Pranesh Prakash
@ 2017-06-14 11:48 ` Jason A. Donenfeld
  2017-06-17  4:26   ` Pranesh Prakash
  0 siblings, 1 reply; 4+ messages in thread
From: Jason A. Donenfeld @ 2017-06-14 11:48 UTC (permalink / raw)
  To: Pranesh Prakash; +Cc: WireGuard mailing list

Looks like maybe you forgot to enable IP forwarding and masquerading
on the server.


* Re: Trouble running a proxy VPN
  2017-06-14 11:48 ` Jason A. Donenfeld
@ 2017-06-17  4:26   ` Pranesh Prakash
  2017-06-17  9:20     ` Thomas Sattler
  0 siblings, 1 reply; 4+ messages in thread
From: Pranesh Prakash @ 2017-06-17  4:26 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list


Jason A. Donenfeld <Jason@zx2c4.com> [2017-06-14 13:48:45 +0200]:
> Looks like maybe you forgot to enable IP forwarding and masquerading
> on the server.

This was exactly it.  Thanks for the help on the IRC as well.

I had forwarding configured for OpenVPN on a different IP range, but had 
to change it for WireGuard and the IP range I was using with it.

For future novices reading this thread, the things one has to do on a 
*fresh* Ubuntu installation:

Step 1: Change /proc/sys/net/ipv4/ip_forward to allow IPv4 packets to be 
forwarded in this session:
$ sudo sysctl -w net.ipv4.ip_forward=1

Step 2: Change /etc/sysctl.conf to allow the forwarding of IPv4 packets 
even after reboots:
$ sudo sed '/ip_forward/s/^# *//' /etc/sysctl.conf

Step 3: Enable masquerading for the IP range which is there in the 
AcceptedIPs line on what is to act as the proxy server (ex: 10.10.10.0/24)
$ sudo iptables -t nat -A POSTROUTING -o <external interface> -s 10.10.10.0/24 -j MASQUERADE

... where <external interface> is something like eth0, enp0s25, wlan0, 
wlp3s0, etc., depending on which network interface is being used to 
connect to the Internet.  You can do this by checking via:

$ ip route ls

Once you've done that, this should work

$ sudo wg-quick up <name>

Cheers,
Pranesh




* Re: Trouble running a proxy VPN
  2017-06-17  4:26   ` Pranesh Prakash
@ 2017-06-17  9:20     ` Thomas Sattler
  0 siblings, 0 replies; 4+ messages in thread
From: Thomas Sattler @ 2017-06-17  9:20 UTC (permalink / raw)
  To: wireguard

On 17.06.2017 at 06:26, Pranesh Prakash wrote:
> Step 2: Change /etc/sysctl.conf to allow the forwarding of IPv4 packets
> even after reboots:
> $ sudo sed '/ip_forward/s/^# *//' /etc/sysctl.conf

Shouldn't this be "sed -i" instead of just "sed"?

Thomas
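
The three server-side steps from this thread, as an added example that is not part of any message above: a shell check that reports which steps are still missing, plus an in-place, repeatable version of the step 2 edit. The function names are hypothetical and the demo input is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# persist_ip_forward FILE: set net.ipv4.ip_forward=1 in a sysctl.conf-style
# FILE, rewriting it in place (plain `sed` without -i only prints the result).
persist_ip_forward() {
    tmp=$(mktemp) || return 1
    # Turn a commented or differently-valued setting line into "=1".
    sed -E 's/^[#[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward=1/' \
        "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Append the setting if the file had no such line at all.
    grep -q '^net\.ipv4\.ip_forward=1$' "$tmp" || echo 'net.ipv4.ip_forward=1' >> "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"   # cat keeps the file's owner and mode
}

# has_masquerade SUBNET IFACE: succeed if the `iptables -t nat -S` text on
# stdin holds a POSTROUTING MASQUERADE rule for SUBNET leaving via IFACE.
has_masquerade() {
    grep -- '^-A POSTROUTING ' | grep -F -- "-s $1 " |
        grep -F -- "-o $2 " | grep -q -- '-j MASQUERADE'
}

# check_proxy_server PROCFILE SYSCTLCONF RULESFILE SUBNET IFACE
# Prints one line per missing step; prints nothing when all three are done.
check_proxy_server() {
    [ "$(cat "$1" 2>/dev/null)" = 1 ] ||
        echo "step 1: forwarding is off in the running kernel"
    grep -q '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$2" 2>/dev/null ||
        echo "step 2: forwarding is not persisted in $2"
    has_masquerade "$4" "$5" < "$3" ||
        echo "step 3: no MASQUERADE rule for $4 via $5"
}

# Demo on constructed files: commented-out setting, forwarding off, empty nat table.
demo=$(mktemp -d)
printf '%s\n' '#net.ipv4.ip_forward=1' > "$demo/sysctl.conf"
echo 0 > "$demo/ip_forward"
: > "$demo/nat.rules"
check_proxy_server "$demo/ip_forward" "$demo/sysctl.conf" "$demo/nat.rules" 10.10.10.0/24 eth0
rm -rf "$demo"
```

On a real server the arguments would be /proc/sys/net/ipv4/ip_forward, /etc/sysctl.conf and a file holding the output of `sudo iptables -t nat -S`, followed by the tunnel subnet and the external interface.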

