New to Wireguard and VPNs... how exactly should this work? - eviltoast

EDIT: It seems something is causing my wireguard handshake to fail. I can’t find much on this particular error except “try rebooting the wg server”. I rebooted everything, and I can’t get it to connect unless the clients are already connected to the home wifi.

So I installed wg-easy on one of my virtual machines on my proxmox “homelab”. It seems to be working, and I installed the client wireguard-tools on my phone (via app), on my laptop (EndeavourOS), and on my minecraft server (mineOS, also in proxmox).

The web client for wg-easy shows all 3 clients connected and transmitting data.

I used my router’s app to open the port to the wg-easy server.

I attempted to use my phone’s cell network to pretend like I am not home, and simply ping my minecraft server. I tried with the wg ip (10.8.0.x) and I tried pinging the normal wlan ip (192.168.x.x). Neither works. I’m really confused as to why this simple test didn’t work. The documentation on wireguard’s site is pretty sparse when it comes to testing your own setup. Does anyone have any resource to help me understand how this should work?

Side note: I have to have wireguard installed on every computer in my home network if I want to be able to reach them, correct?

Other side note: If I wanted to reach my minecraft webUI (mineOS) from outside my network, what address should I use?

  • AtariDump@lemmy.world (3 upvotes, 9 months ago)

    Did you open the appropriate port on your firewall and make sure you’re forwarding that port properly?

    Does the PC that’s the WG server have a static IP setup?

    Is that static IP in question 2 the same as what you’re forwarding the port to in question 1?

    • Nimrod@lemm.ee OP (1 upvote, edited, 9 months ago)

      For your first question: I went to https://www.portchecktool.com/ and found that the connection is being refused. So I think this is the issue. I will have to dig in a bit more, but I do believe the answer to your 2nd and 3rd questions is yes.

      • mazadin@lemmy.world (2 upvotes, 9 months ago)

        Wanted to help you potentially avoid a wild goose chase—port checking tools won’t detect a wireguard port as open…it’s specifically designed to not advertise its presence for security purposes. Bad handshake requests are ignored, making it look like a firewall DROP rule.

        • Nimrod@lemm.ee OP (1 upvote, 9 months ago)

          Oh wow. That is a good tip. Because that could drive someone like me insane. (Un)fortunately— I know there’s an issue. Any traffic I pass through my wg vpn ends up nowhere. So I know the traffic is being redirected, but I can’t tell where or why it doesn’t make it inside my home network.

          Either way, I got Tailscale to work right out the rip, so I’m just rocking that until I have more time to tinker with WG.

  • NateSwift@lemmy.world (3 upvotes, 9 months ago)

    Connect with your phone and check your public ip address (you can do this by googling or using a site like WhatIsMyIP). It should show the same IP as if you were on your home network without the vpn connected.

    If that’s working you could try actually connecting to the minecraft server. It might be set up to not respond to pings. You’ll want to use the same IP to connect to it as you’d use if you were on the same network.

    • Nimrod@lemm.ee OP (2 upvotes, 9 months ago)

      Thanks for the reply. As I said below: when I flip on the wireguard toggle in my phone’s app, it appears as if I am connected, but it seems something is off. I am not seeing the “last handshake on” line, and when I try to navigate to the internet (for example ‘whatismyip’), my browser app times out. So it seems my requests are trying to go through the VPN, but they are getting stuck.

      • NateSwift@lemmy.world (1 upvote, 9 months ago)

        As others have said, definitely seems like a port forwarding issue. If you’re still trying to solve this, what do your port forward rules look like on your router?

        • Nimrod@lemm.ee OP (1 upvote, 9 months ago)

          This is the first time I have attempted to port forward. So there is only one rule: this one. Port 5xxxx:5xxxx to the internal IP with the wg-easy docker container.

          Thanks for the reply, but I’ve bailed on this project for now. I fly to Europe tomorrow, so I don’t have any extra time to tinker. I gave Tailscale a try, and it works flawlessly, so I’m not likely to try WireGuard any time soon. I’ll wait for them to try and monetize their “free plan” users.

          • NateSwift@lemmy.world (1 upvote, 9 months ago)

            Sorry you couldn’t get wireguard running, glad you found something else that works!

            Enjoy your trip!

  • mikyopii@programming.dev (3 upvotes, edited, 9 months ago)

    You have WireGuard installed on your Minecraft server? On every computer? That isn’t correct.

    Once you are successfully connected to the VPN everything should behave like you are physically within your network even if you aren’t. You should connect to your Minecraft server like normal.

    The WireGuard iOS/Android app has a part where you can see when your last handshake was. If that isn’t happening then you aren’t connected.
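    To make the “last handshake” check concrete (and mazadin’s point above that an external port checker tells you nothing about a WireGuard port, because anything that is not a valid handshake is silently dropped), here is an added example that is not code from wg-easy or the WireGuard project. It parses the output of `wg show wg0 dump` and classifies each peer from its latest-handshake timestamp and byte counters. The interface name `wg0`, the 180-second staleness threshold, the key placeholders and the sample dump lines are constructed assumptions; run it with no arguments to see the sample, or call `diagnose_live()` on a machine that has `wg` installed.

```python
"""Classify WireGuard peers from `wg show <iface> dump` output.

Added example, not WireGuard's or wg-easy's code. WireGuard drops anything that is not a
valid handshake, so a port checker reporting "closed" proves nothing; the authoritative
signal is the latest-handshake timestamp read here.
"""
import subprocess
import time
from dataclasses import dataclass

IFACE = "wg0"               # assumed interface name
STALE_AFTER_SECONDS = 180   # assumption: a tunnel carrying traffic re-handshakes within ~2 minutes

# Constructed sample of `wg show wg0 dump`: one interface line (private key, public key,
# listen port, fwmark), then one tab-separated line per peer (public key, preshared key,
# endpoint, allowed IPs, latest handshake as unix seconds, rx bytes, tx bytes, keepalive).
# The four peers are made up to exercise every state the classifier knows.
SAMPLE_NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["HUB_PRIVATE_KEY_placeholder=", "HUB_PUBLIC_KEY_placeholder=", "51820", "off"]),
    "\t".join(["PHONE_PUBLIC_KEY_placeholder=", "(none)", "203.0.113.7:41641", "10.8.0.2/32",
               str(SAMPLE_NOW - 30), "48256", "120744", "off"]),
    "\t".join(["LAPTOP_PUBLIC_KEY_placeholder=", "(none)", "(none)", "10.8.0.3/32",
               "0", "0", "0", "off"]),
    "\t".join(["TABLET_PUBLIC_KEY_placeholder=", "(none)", "198.51.100.9:51820", "10.8.0.4/32",
               str(SAMPLE_NOW - 3600), "9120", "10260", "off"]),
    "\t".join(["UNREACHABLE_PEER_KEY_placeholder=", "(none)", "203.0.113.200:51820", "10.8.0.5/32",
               "0", "0", "444", "off"]),
])


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int   # unix seconds; 0 means there has never been one
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(dump: str) -> list[PeerStatus]:
    """Parse the tab-separated dump format; the first line describes the interface itself."""
    peers = []
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:
        cols = line.split("\t")
        if len(cols) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = cols
        peers.append(PeerStatus(pub, endpoint, allowed, int(hs), int(rx), int(tx)))
    return peers


def classify(peer: PeerStatus, now: int) -> str:
    """up / stale / no-response / idle, from the handshake time and byte counters."""
    if peer.latest_handshake > 0:
        return "up" if now - peer.latest_handshake <= STALE_AFTER_SECONDS else "stale"
    if peer.tx_bytes > 0 and peer.rx_bytes == 0:
        return "no-response"   # initiations leave, nothing ever comes back
    return "idle"              # nothing has been exchanged with this peer at all


HINTS = {
    "up": f"handshake within the last {STALE_AFTER_SECONDS}s: the tunnel is working",
    "stale": "had a handshake once but none recently: the path has broken since (NAT mapping expired, endpoint moved)",
    "no-response": "packets are sent but nothing returns: check the endpoint, the UDP port forward and the firewall first",
    "idle": "nothing exchanged yet: on a client, check that AllowedIPs actually routes traffic into the tunnel",
}


def diagnose(dump: str, now: int) -> dict[str, str]:
    """Map each peer's public key to its state."""
    return {p.public_key: classify(p, now) for p in parse_wg_dump(dump)}


def diagnose_live(iface: str = IFACE) -> dict[str, str]:
    """Same classification against the running interface (needs wireguard-tools and root)."""
    out = subprocess.run(["wg", "show", iface, "dump"], capture_output=True, text=True, check=True).stdout
    return diagnose(out, int(time.time()))


if __name__ == "__main__":
    for key, state in diagnose(SAMPLE_DUMP, SAMPLE_NOW).items():
        print(f"{key[:24]:<26} {state:<12} {HINTS[state]}")
```

    On the phone the same information is the “Latest handshake” line in the app; on the laptop `sudo wg show` prints it directly. The `no-response` case is the one this thread is about: the client is sending handshake initiations, the counters go up, and nothing returns, which points at the path to the server rather than at the tunnel configuration.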

    • Nimrod@lemm.ee OP (2 upvotes, 9 months ago)

      Okay, I thought something seemed a bit odd about what I was doing. So for my use case, I only need to access my home network with my phone, or my laptop. So all I need is a wireguard server on my home network (currently the case, running wg-easy), and the wireguard client on my phone and laptop.

      I have that happening right now. And strangely when I am connected to my home wifi I am seeing the “last handshake” information in the wireguard app. But as soon as I turn off wifi and attempt to use my cell network, that line disappears from the app.

      Although the frontend webpage for wg-easy still shows my phone connected.

      Let’s pretend it is connected. You’re saying I could simply type “192.168.3.69/login” into my phone’s browser, and I would see the mineos login page as if I was on my home’s wifi?? Because that would literally be perfect.

      • mikyopii@programming.dev (2 upvotes, 9 months ago)

        If everything is correct… yeah it would. If you are using hostnames to connect home then you will probably need to use the FQDN for it to work.

        I was on vacation in Brazil and I would work on my server in the United States during my downtime.

        • Nimrod@lemm.ee OP (2 upvotes, 9 months ago)

          Damn. That sounds perfect. That’s exactly how I was hoping it would work. But for some reason my phone won’t connect… I wonder how to troubleshoot it.

            • Nimrod@lemm.ee OP (2 upvotes, edited, 9 months ago)

              EDIT: Tried from an external wifi network, same issue. I think my port forwarding is broken/wrong. I can’t see the port being open from outside. Need to do some troubleshooting on that end. Any advice would be welcome.

              I will try that today.

                • Nimrod@lemm.ee OP (1 upvote, 9 months ago)

                  Yeah… I’m not sure there’s anything more I can do. I’ve added the port forwarding rule to my router. As far as I know, there’s not much else to do.

    • Nimrod@lemm.ee OP (1 upvote, 9 months ago)

      This comment has been haunting me a bit. I have been struggling with my port forwarding in the rest of this thread, so I decided I need to investigate alternatives. I’ve heard good things about Tailscale, so I started googling. The following quote is directly from the Tailscale web page (emphasis mine):

      “WireGuard is typically configured using the wg-quick tool. To connect two devices, you install WireGuard on each device, generate keys for each device, and then write a text configuration for each device. The configuration includes information about the device (port to listen on, private IP address, private key) and information about the peer device (public key, endpoint where the peer device can be reached, private IPs associated with the peer device). It’s straightforward, particularly for a VPN. Every pair of devices requires a configuration entry, so the total number of configuration entries grows quadratically in the number of devices if they are fully connected to each other.”

      I find it odd that they would say this, if the Wireguard VPN works as you stated. Any tutorial or article regarding wireguard fails to make this distinction obvious, so I am now even a bit more confused. (Still won’t solve my port forwarding issue. So I guess I’m stuck with Tailscale anyway…)
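      Since the thread ends on the question of whether every device needs its own WireGuard configuration, here is an added example (my own code, not wg-easy’s, WireGuard’s or Tailscale’s) that writes the hub-and-spoke wg-quick configs mikyopii describes: one server at home, client configs only for the phone and the laptop, nothing on the Minecraft server. It also counts `[Peer]` sections for both layouts, which is where the quadratic growth in the Tailscale quote comes from: that figure is for a full mesh, and a home VPN with one hub is not a mesh. The endpoint name, UDP port 51820, the key placeholders, the 192.168.3.0/24 LAN (taken from the 192.168.3.69 address above), the 10.8.0.0/24 tunnel range (from the 10.8.0.x addresses in the post) and the `eth0` interface name are assumptions.

```python
"""Write hub-and-spoke wg-quick configs and count [Peer] entries per layout.

Added example, not wg-easy's or WireGuard's own code. Keys are placeholders; generate
real ones on each device with `wg genkey | tee private.key | wg pubkey > public.key`.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    tunnel_ip: ipaddress.IPv4Address
    public_key: str                              # placeholder, see module docstring
    private_key: str = "<output of wg genkey>"   # placeholder; never leaves the device


@dataclass
class Hub(Device):
    endpoint: str = "home.example.invalid:51820"  # assumed: public DNS name/IP and the forwarded UDP port
    tunnel_net: ipaddress.IPv4Network = ipaddress.IPv4Network("10.8.0.0/24")  # wg-easy's 10.8.0.x range in the post
    lan_net: ipaddress.IPv4Network = ipaddress.IPv4Network("192.168.3.0/24")  # home LAN, from 192.168.3.69
    lan_if: str = "eth0"                          # assumed: the hub's LAN-facing interface


def hub_config(hub: Hub, clients: list[Device]) -> str:
    """[Interface] for the home server plus one [Peer] per client.

    PostUp forwards tunnel traffic into the LAN and masquerades it, so LAN hosts (the
    Minecraft server included) answer to the hub's LAN address and need no WireGuard
    of their own. net.ipv4.ip_forward=1 must be set on the hub."""
    port = hub.endpoint.rsplit(":", 1)[1]
    lines = [
        "[Interface]",
        f"Address = {hub.tunnel_ip}/{hub.tunnel_net.prefixlen}",
        f"ListenPort = {port}",
        f"PrivateKey = {hub.private_key}",
        f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {hub.lan_if} -j MASQUERADE",
        f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {hub.lan_if} -j MASQUERADE",
    ]
    for c in clients:
        if c.tunnel_ip not in hub.tunnel_net:
            raise ValueError(f"{c.name}: {c.tunnel_ip} is outside {hub.tunnel_net}")
        # AllowedIPs on the hub is also an ingress filter: only this address is accepted from this key.
        lines += ["", f"# {c.name}", "[Peer]", f"PublicKey = {c.public_key}",
                  f"AllowedIPs = {c.tunnel_ip}/32"]
    return "\n".join(lines) + "\n"


def client_config(hub: Hub, client: Device, full_tunnel: bool) -> str:
    """Config for a phone or laptop.

    full_tunnel=True routes everything through home, so a public-IP lookup shows the
    home address (NateSwift's check above); False routes only the tunnel and home LAN
    ranges (split tunnel). With a full tunnel, DNS = <a resolver reachable via the tunnel>
    belongs under [Interface] as well."""
    allowed = "0.0.0.0/0" if full_tunnel else f"{hub.tunnel_net}, {hub.lan_net}"
    return "\n".join([
        "[Interface]",
        f"Address = {client.tunnel_ip}/32",
        f"PrivateKey = {client.private_key}",
        "",
        f"# {hub.name}",
        "[Peer]",
        f"PublicKey = {hub.public_key}",
        f"Endpoint = {hub.endpoint}",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",   # keeps the NAT mapping open for a client behind carrier/home NAT
    ]) + "\n"


def peer_entry_count(n_devices: int, full_mesh: bool) -> int:
    """Total [Peer] sections across every device's config.

    Full mesh: each of n devices lists the other n-1, so n(n-1), the quadratic growth
    the Tailscale text describes. Hub-and-spoke: the hub lists n-1 clients and each
    client lists only the hub, so 2(n-1)."""
    return n_devices * (n_devices - 1) if full_mesh else 2 * (n_devices - 1)


EXAMPLE_HUB = Hub("home-hub", ipaddress.IPv4Address("10.8.0.1"), "HUB_PUBLIC_KEY_placeholder=")
EXAMPLE_CLIENTS = [
    Device("phone", ipaddress.IPv4Address("10.8.0.2"), "PHONE_PUBLIC_KEY_placeholder="),
    Device("laptop", ipaddress.IPv4Address("10.8.0.3"), "LAPTOP_PUBLIC_KEY_placeholder="),
]

if __name__ == "__main__":
    print("# hub: /etc/wireguard/wg0.conf\n" + hub_config(EXAMPLE_HUB, EXAMPLE_CLIENTS))
    for client in EXAMPLE_CLIENTS:
        full = client.name == "phone"   # phone sends everything home, laptop uses a split tunnel
        print(f"# {client.name}: wg0.conf\n" + client_config(EXAMPLE_HUB, client, full_tunnel=full))
    n = 1 + len(EXAMPLE_CLIENTS)
    print(f"[Peer] entries for {n} devices: full mesh {peer_entry_count(n, True)}, "
          f"hub-and-spoke {peer_entry_count(n, False)}")
```

      With three devices the hub-and-spoke layout needs four `[Peer]` entries against six for a mesh, and adding a fourth client adds two entries, not a whole row. The laptop’s split-tunnel config is the one that reproduces the “type 192.168.3.69 into the browser as if at home” behaviour while leaving its other traffic alone; the phone’s full-tunnel config is the one whose public IP should show the home address.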