Wireguard VPN doesn't work

Hi guys
I have a WG config to bypass Iran's internet censorship. I can connect to this config with my phone and Windows but not in Manjaro

At first I couldn’t connect to WG at all, but after following the link below I can connect, but after that nothing works
I can’t ping anything and I can’t access any domain

[root tip] [How To] Make Manjaro compatible with major VPN providers

I tried to connect to the config with the GUI, with wg-quick, and with systemctl start wg-quick@SMART1.service, but none of them work

I assume you meant you have a WireGuard configuration file. If so, and you use NetworkManager, use the command:

$ sudo nmcli connection import type wireguard file <WG-configuration-file-path>
2 Likes

Once you have installed wireguard-tools you can use wg-quick in the terminal as follows:
sudo wg-quick up <WG-configuration-file-path>* to start wireguard connection (which also shares executed commands)
sudo wg-quick down <WG-configuration-file-path>* to stop wireguard connection (which also shares executed commands)
sudo wg show <WG-configuration-file-path>* to monitor connection (handshake/transfer)

*If the wireguard conf file is placed under /etc/wireguard/, only the conf file name is required

Assuming an established WireGuard connection, which of these work?
ping -c5 8.8.8.8
ip route get 8.8.8.8
ping -c5 manjaro.org

1 Like

I did what you said, but still the same problem

❯ sudo wg-quick up SMART1
[#] ip link add dev SMART1 type wireguard
[#] wg addconf SMART1 /dev/fd/63
[#] ip -4 address add **.**.***.***/32 dev SMART1
[#] ip link set mtu 1300 up dev SMART1
[#] resolvconf -a SMART1 -m 0 -x
[#] ip -4 route add 192.169.0.0/16 dev SMART1
[#] ip -4 route add 192.170.0.0/15 dev SMART1
[#] ip -4 route add 192.172.0.0/14 dev SMART1
[#] ip -4 route add 192.160.0.0/13 dev SMART1
[#] ip -4 route add 192.176.0.0/12 dev SMART1
[#] ip -4 route add 172.0.0.0/12 dev SMART1
[#] ip -4 route add 192.128.0.0/11 dev SMART1
[#] ip -4 route add 172.32.0.0/11 dev SMART1
[#] ip -4 route add 192.192.0.0/10 dev SMART1
[#] ip -4 route add 172.64.0.0/10 dev SMART1
[#] ip -4 route add 100.0.0.0/10 dev SMART1
[#] ip -4 route add 192.0.0.0/9 dev SMART1
[#] ip -4 route add 172.128.0.0/9 dev SMART1
[#] ip -4 route add 100.128.0.0/9 dev SMART1
[#] ip -4 route add 193.0.0.0/8 dev SMART1
[#] ip -4 route add 173.0.0.0/8 dev SMART1
[#] ip -4 route add 11.0.0.0/8 dev SMART1
[#] ip -4 route add 101.0.0.0/8 dev SMART1
[#] ip -4 route add 1.0.0.0/8 dev SMART1
[#] ip -4 route add 8.0.0.0/7 dev SMART1
[#] ip -4 route add 2.0.0.0/7 dev SMART1
[#] ip -4 route add 194.0.0.0/7 dev SMART1
[#] ip -4 route add 174.0.0.0/7 dev SMART1
[#] ip -4 route add 102.0.0.0/7 dev SMART1
[#] ip -4 route add 96.0.0.0/6 dev SMART1
[#] ip -4 route add 4.0.0.0/6 dev SMART1
[#] ip -4 route add 196.0.0.0/6 dev SMART1
[#] ip -4 route add 168.0.0.0/6 dev SMART1
[#] ip -4 route add 12.0.0.0/6 dev SMART1
[#] ip -4 route add 200.0.0.0/5 dev SMART1
[#] ip -4 route add 160.0.0.0/5 dev SMART1
[#] ip -4 route add 104.0.0.0/5 dev SMART1
[#] ip -4 route add 208.0.0.0/4 dev SMART1
[#] ip -4 route add 176.0.0.0/4 dev SMART1
[#] ip -4 route add 16.0.0.0/4 dev SMART1
[#] ip -4 route add 112.0.0.0/4 dev SMART1
[#] ip -4 route add 64.0.0.0/3 dev SMART1
[#] ip -4 route add 32.0.0.0/3 dev SMART1
[#] ip -4 route add 128.0.0.0/3 dev SMART1
[#] wg set SMART1 fwmark 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -6 route add ::/0 dev SMART1 table 51820
[#] nft -f /dev/fd/63
❯ sudo wg show SMART1
interface: SMART1
  public key: Rjy+z85/r0yedqiMVbk7/n6BRXl1uVDGSKj410y5Z3I=
  private key: (hidden)
  listening port: 56922
  fwmark: 0xca6c

peer: fh9AAOXeha4QTp6+aEOQISqBD2pGMX1FMqhtM0NkmRY=
  endpoint: (hidden):906
  allowed ips: 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/3, 96.0.0.0/6, 100.0.0.0/10, 100.128.0.0/9, 101.0.0.0/8, 102.0.0.0/7, 104.0.0.0/5, 112.0.0.0/4, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, ::/0
  latest handshake: 35 seconds ago
  transfer: 956 B received, 630.27 MiB sent
  persistent keepalive: every 11 seconds
❯ ping -c5 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 43036ms

❯ ip route get 8.8.8.8
8.8.8.8 dev SMART1 src  **.**.***.*** uid 1000 
    cache 
❯ ping -c5 manjaro.org
^C
❯ sudo wg show SMART1
interface: SMART1
  public key: Rjy+z85/r0yedqiMVbk7/n6BRXl1uVDGSKj410y5Z3I=
  private key: (hidden)
  listening port: 56922
  fwmark: 0xca6c

peer: fh9AAOXeha4QTp6+aEOQISqBD2pGMX1FMqhtM0NkmRY=
  endpoint: (hidden):906
  allowed ips: 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/3, 96.0.0.0/6, 100.0.0.0/10, 100.128.0.0/9, 101.0.0.0/8, 102.0.0.0/7, 104.0.0.0/5, 112.0.0.0/4, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, ::/0
  latest handshake: 3 minutes, 7 seconds ago
  transfer: 3.25 KiB received, 3.49 GiB sent
  persistent keepalive: every 11 seconds

I did it, but it just adds the config file to VPN exactly like I did in the GUI
Still, I can’t send or receive data

It seems like your upstream is working, but not down.

The first things I would look at are:

  • Routing
  • Firewall

After you connect, paste your routing table here, which is just the output of:

ip route

This is also where I’d do the first ping test. Don’t start with Google’s 8.8.8.8 server. Instead, ping your default gateway (the IP shown on the default route), since it’s only one hop away.

Assuming you have a default route.

And to show your firewall rules, just run:

sudo nft list ruleset

The default is to have an accept policy on all 3 with no rules. (There are some applications out there that modify rules even if you didn’t.)

1 Like
❯ ip route
default via 192.168.8.1 dev enp5s0 proto dhcp src 192.168.8.114 metric 100 
1.0.0.0/8 dev X2200761_SMART1 scope link 
2.0.0.0/7 dev X2200761_SMART1 scope link 
4.0.0.0/6 dev X2200761_SMART1 scope link 
8.0.0.0/7 dev X2200761_SMART1 scope link 
11.0.0.0/8 dev X2200761_SMART1 scope link 
12.0.0.0/6 dev X2200761_SMART1 scope link 
16.0.0.0/4 dev X2200761_SMART1 scope link 
32.0.0.0/3 dev X2200761_SMART1 scope link 
64.0.0.0/3 dev X2200761_SMART1 scope link 
96.0.0.0/6 dev X2200761_SMART1 scope link 
100.0.0.0/10 dev X2200761_SMART1 scope link 
100.128.0.0/9 dev X2200761_SMART1 scope link 
101.0.0.0/8 dev X2200761_SMART1 scope link 
102.0.0.0/7 dev X2200761_SMART1 scope link 
104.0.0.0/5 dev X2200761_SMART1 scope link 
112.0.0.0/4 dev X2200761_SMART1 scope link 
128.0.0.0/3 dev X2200761_SMART1 scope link 
160.0.0.0/5 dev X2200761_SMART1 scope link 
168.0.0.0/6 dev X2200761_SMART1 scope link 
172.0.0.0/12 dev X2200761_SMART1 scope link 
172.32.0.0/11 dev X2200761_SMART1 scope link 
172.64.0.0/10 dev X2200761_SMART1 scope link 
172.128.0.0/9 dev X2200761_SMART1 scope link 
173.0.0.0/8 dev X2200761_SMART1 scope link 
174.0.0.0/7 dev X2200761_SMART1 scope link 
176.0.0.0/4 dev X2200761_SMART1 scope link 
192.0.0.0/9 dev X2200761_SMART1 scope link 
192.128.0.0/11 dev X2200761_SMART1 scope link 
192.160.0.0/13 dev X2200761_SMART1 scope link 
192.168.8.0/24 dev enp5s0 proto kernel scope link src 192.168.8.114 metric 100 
192.169.0.0/16 dev X2200761_SMART1 scope link 
192.170.0.0/15 dev X2200761_SMART1 scope link 
192.172.0.0/14 dev X2200761_SMART1 scope link 
192.176.0.0/12 dev X2200761_SMART1 scope link 
192.192.0.0/10 dev X2200761_SMART1 scope link 
193.0.0.0/8 dev X2200761_SMART1 scope link 
194.0.0.0/7 dev X2200761_SMART1 scope link 
196.0.0.0/6 dev X2200761_SMART1 scope link 
200.0.0.0/5 dev X2200761_SMART1 scope link 
208.0.0.0/4 dev X2200761_SMART1 scope link 
❯ sudo nft list ruleset
table ip6 wg-quick-X2200761_SMART1 {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}
❯ ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1) 56(84) bytes of data.
64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=0.520 ms
64 bytes from 192.168.8.1: icmp_seq=2 ttl=64 time=0.887 ms
64 bytes from 192.168.8.1: icmp_seq=3 ttl=64 time=0.910 ms
64 bytes from 192.168.8.1: icmp_seq=4 ttl=64 time=0.503 ms
^C
--- 192.168.8.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.503/0.705/0.910/0.193 ms

I found the problem
There was something wrong with my config file
In the peer section, I added AllowedIPs = 0.0.0.0/0, ::/0 and everything works fine
Before, there were lots of bizarre IPs
Thanks everyone @koshikas @Molski @heyjo

3 Likes

That definitely falls under a routing issue.

It’s a common trick for VPN providers to include everything except a few excluded ranges, without using 0.0.0.0/0.

So the problem was a misconfigured client configuration file.

2 Likes
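
To see what the long AllowedIPs list in this thread actually covers, the following added example (not part of any post, and not wg-quick's own code) computes the IPv4 ranges the list leaves out and checks whether a peer endpoint address would fall inside the tunnel's own routes. The endpoint 203.0.113.10 is a constructed placeholder because the real endpoint is hidden in the thread; the `/0` special case mirrors the wg-quick log above, which adds plain `ip -4 route add` entries for the split list but fwmark policy rules only for `::/0`.

```python
import ipaddress

# AllowedIPs exactly as printed by `wg show SMART1` in the thread.
ALLOWED_IPS = """
1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6,
16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/3, 96.0.0.0/6, 100.0.0.0/10,
100.128.0.0/9, 101.0.0.0/8, 102.0.0.0/7, 104.0.0.0/5, 112.0.0.0/4,
128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11,
172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4,
192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16,
192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10,
193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, ::/0
"""

def parse_v4(text):
    """Parse a comma-separated AllowedIPs value, keeping only IPv4 networks."""
    nets = (ipaddress.ip_network(p.strip()) for p in text.split(",") if p.strip())
    return [n for n in nets if n.version == 4]

def excluded_ranges(allowed):
    """Return the IPv4 space NOT covered by `allowed`, as collapsed CIDR blocks."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in allowed:
        kept = []
        for block in remaining:
            if block.subnet_of(net):        # block fully tunnelled: drop it
                continue
            if net.subnet_of(block):        # carve the tunnelled part out
                kept.extend(block.address_exclude(net))
            else:                           # no overlap: keep untouched
                kept.append(block)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def endpoint_in_tunnel_routes(allowed, endpoint):
    """True if plain main-table routes for `allowed` would also capture the
    encrypted packets sent to `endpoint` (no /0 entry, so no fwmark rule)."""
    if any(net.prefixlen == 0 for net in allowed):
        return False  # a /0 entry gets policy routing that exempts the tunnel
    addr = ipaddress.ip_address(endpoint)
    return any(addr in net for net in allowed)

if __name__ == "__main__":
    allowed = parse_v4(ALLOWED_IPS)
    print("not tunnelled:", ", ".join(map(str, excluded_ranges(allowed))))
    # 203.0.113.10 is a constructed placeholder endpoint (TEST-NET-3).
    print("endpoint inside tunnel routes:",
          endpoint_in_tunnel_routes(allowed, "203.0.113.10"))
```

For the thread's list, the uncovered blocks are 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16 and 224.0.0.0/3, which is the "everything except a few excluded ranges" pattern described in the last reply.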
