Help Configuring WireGuard VPN on a Raspberry Pi: Stuck On "Resolving Hosts"

Hi guys,

This is my first project of this kind so please go easy on me!

I’ve been trying to create a pivpn server using Wireguard as I’ve heard good stuff about them. I’ve done everything here but something is wrong somewhere as when I activate the vpn, it connects but sticks on ‘resolving hosts’ in the bottom left corner. I believe this is a DNS issue but I’m not sure. I’ve set my pi’s vpn as a static address and have port forwarded on my router but I’m not 100% sure I’ve done this correctly. Does anyone have a clue what the problem might be? I’m connecting via ethernet port and managing the pi via ssh on a mac if that helps anything.

Any help would be hugely appreciated!

Hi there,

In your client config, try manually forcing a DNS with something like DNS = 1.1.1.1 here.

If that doesn’t work, do you see any actual data transfer? The info from this troubleshooting section might also be helpful. If you post output, just make sure you hide your keys. :slight_smile:

Welcome to the club,
TorqueWrench

Hi TorqueWrench,

Thanks for getting back to me so quickly!

I’ve tried the troubleshooting methods you’ve mentioned and this is the output I get after using sudo wg:

interface: wg0
  public key: [key deleted]
  private key: (hidden)
  listening port: 51820

peer: [key deleted]
  preshared key: (hidden)
  allowed ips: 10.6.0.2/32

I’ve added this to wg0.conf (in nano):

[Interface]
Address = 10.253.3.1/24
SaveConfig = true
PrivateKey = <insert server_private_key>
ListenPort = 51900

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <insert client_public_key>
AllowedIPs = 10.253.3.2/32

so I’m not sure why it’s listening in on port 51820? I’ve obviously gone wrong somewhere I just can’t figure out where. I’m using a mac so have downloaded the wireguard app and followed the steps. I’m receiving no data, just sending:


Also one more thing; for port forwarding, the destination address is my WAN IP address, not my router address (192.168.1.1), right? And my port address is my pi’s IP address (the static IP I’ve set for it)?

Thanks again!

Thanks for gathering that information. I think I’ve found your problem:

The endpoint in your client configuration should be your VPN server’s WAN/public IP address/DDNS URL + port. I am going to update Endpoint = <insert vpn_server_address>:51900 in my guide since vpn_server_address is ambiguous as to whether it refers to public or private IP address. For the record, it refers to the public IP address of the VPN server (i.e. the router’s public/WAN IP address).

I am also curious what the address is that you’ve blocked out in that same client screenshot. It should be the tunnel IP address you’ve assigned to your client (i.e. 10.253.3.2/32). Our goal here is that the “Address” assigned in the [Interface] section of the client config matches the “AllowedIPs” in the [Peer] section of the server configuration.

This then brings me to the second major problem I see based on your output from sudo wg (presumably on your server):

That listening port (which, again, I assume is running on the server) doesn’t match up with the listening port set in your server’s wg0.conf where ListenPort=51900. Additionally, I don’t see it matching up with the AllowedIps = 10.253.3.2/32.

This makes me think that either the server or the service hasn’t been restarted since making changes to the server’s wg0.conf. You should be able to update the loaded WireGuard configuration by restarting the wg-quick service with sudo systemctl restart wg-quick@wg0 and rerunning sudo wg to confirm that the server’s WireGuard tunnel now matches your configuration. Alternatively, you can also just reboot your server/RPi.

As for your port forwarding question, it depends on your router’s configuration. Being consumer-oriented devices, sometimes they will use inaccurate language in an effort to make it more consumer-friendly. On more professional setups, like pfSense, they use the accurate terminology:

Since pfSense is a firewall it actually inspects the traffic and looks at the packet’s destination address, which in our case would be my server’s public IP address on the assigned WireGuard port (under “Dest. Address” and “Dest. Ports” respectively). It then forwards this traffic onto the RPi VPN server at the appropriate (internal) IP address (NAT IP) and NAT Port.

If you’re using a regular consumer router, they’ll often skip over all this and just have an “external” port that the router will listen on and an “internal port” and “internal IP address” to forward the traffic onto. For additional information and screenshots, check out this guide on port forwarding on the Raspberry Pi and scroll down until you see the Netgear screenshots:

https://engineerworkshop.com/blog/connecting-your-raspberry-pi-web-server-to-the-internet/#port-forwarding

In the above Netgear scenario, pfSense’s “Dest. Ports” is equivalent to Netgear’s “External port range” field, with the “Internal Port Range” and “Internal IP Address” being equivalent to pfSense’s NAT IP and NAT Ports respectively.

If you need additional help for your specific router, additional screenshots would be helpful.

Hope this helps!

-TorqueWrench
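The mismatch TorqueWrench points out above (ListenPort 51900 in wg0.conf, but 51820 and a different AllowedIPs in the live `sudo wg` output) is easy to miss by eye. The following is an added example, my own code rather than anything from TorqueWrench's guide or this thread: a small POSIX shell check that pulls ListenPort and AllowedIPs out of the server's wg0.conf and out of saved `wg show` output and reports whether the running tunnel matches the file. The sample config and the two `wg` snapshots it writes are constructed to mirror the values in this thread; the keys are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: detect a wg0.conf that has been
# edited but not reloaded by comparing it with saved `sudo wg` (wg show) text.

# Pull ListenPort / AllowedIPs out of wg0.conf as lower-case "key=value" lines
conf_values() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
        | grep -Ei '^(ListenPort|AllowedIPs)=' \
        | tr 'A-Z' 'a-z'
}

# Pull the same two values out of `wg show` output in the same normalised form
runtime_values() {
    sed -n \
        -e 's/^[[:space:]]*listening port:[[:space:]]*/listenport=/p' \
        -e 's/^[[:space:]]*allowed ips:[[:space:]]*/allowedips=/p' "$1" \
        | sed 's/[[:space:]]//g'
}

# Returns 0 when the running tunnel matches the file, 1 (with both lists) when not
wg_in_sync() {
    want=$(conf_values "$1" | sort)
    have=$(runtime_values "$2" | sort)
    if [ "$want" = "$have" ]; then
        return 0
    fi
    printf 'wg0.conf wants:\n%s\nrunning tunnel has:\n%s\n' "$want" "$have"
    echo '-> reload with: sudo systemctl restart wg-quick@wg0'
    return 1
}

# --- constructed samples mirroring the thread (placeholders, not real keys) ---
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/wg0.conf" <<'EOF'
[Interface]
Address = 10.253.3.1/24
PrivateKey = <server_private_key>
ListenPort = 51900

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.253.3.2/32
EOF

# What `sudo wg` showed before the service was restarted
cat > "$SAMPLE_DIR/wg-stale.txt" <<'EOF'
interface: wg0
  public key: <server_public_key>
  private key: (hidden)
  listening port: 51820

peer: <client_public_key>
  preshared key: (hidden)
  allowed ips: 10.6.0.2/32
EOF

# What it shows after `sudo systemctl restart wg-quick@wg0`
cat > "$SAMPLE_DIR/wg-fresh.txt" <<'EOF'
interface: wg0
  public key: <server_public_key>
  private key: (hidden)
  listening port: 51900

peer: <client_public_key>
  allowed ips: 10.253.3.2/32
EOF

for snapshot in wg-stale.txt wg-fresh.txt; do
    if wg_in_sync "$SAMPLE_DIR/wg0.conf" "$SAMPLE_DIR/$snapshot"; then
        echo "$snapshot: tunnel matches wg0.conf"
    else
        echo "$snapshot: MISMATCH"
    fi
done
```

On the Pi itself, source the script in a root shell (`sudo -s`, since /etc/wireguard is root-only), then run `wg show wg0 > /tmp/wg.txt; wg_in_sync /etc/wireguard/wg0.conf /tmp/wg.txt`. Only the port and the allowed IPs are compared, so the private key never leaves the config file.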

Hi TorqueWrench,

Thanks again for your help I really appreciate it!

I can’t seem to change the wg0.conf file. When I hit nano wg0.conf the correct details show up in a file (port 51900 and allowed IPs = 10.253.3.2/32) however authentication fails when trying to set up Wireguard to automatically start on reboot. After sending ‘systemctl enable wg-quick@wg0’ it prompts me for the pi’s password twice which it accepts at this point, but can’t read the directory of ‘chown -R root:root /etc/wireguard/’. Here’s the code to explain better:

pi@pivpn:~ $ systemctl enable wg-quick@wg0
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ===
Authentication is required to manage system service or unit files.
Multiple identities can be used for authentication:
 1.  , (pi)
 2.  root
Choose identity to authenticate as (1-2): 1
Password:
==== AUTHENTICATION COMPLETE ===
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ===
Authentication is required to reload the systemd state.
Multiple identities can be used for authentication:
 1.  , (pi)
 2.  root
Choose identity to authenticate as (1-2): 1
Password:
==== AUTHENTICATION COMPLETE ===
pi@pivpn:~ $ chown -R root:root /etc/wireguard/
chown: cannot read directory ‘/etc/wireguard/’: Permission denied
pi@pivpn:~ $ chmod -R og-rwx /etc/wireguard/*
chmod: cannot access ‘/etc/wireguard/*’: Permission denied

This may be the reason it won’t save the wg0.conf file, I’m assuming, as it can’t read the directory. I’ve tried rebooting the pi using sudo reboot and sudo systemctl restart wg-quick@wg0 but to no avail. Do you know how to get around this?

As for the client configuration, I have amended it to show my public WAN IP:51900 and my address is showing as 10.253.3.2/32 (I wasn’t sure if this was sensitive info hence why I blocked it out, I’m a total noob at the stuff!)

Here’s the screenshot:

As for the port forwarding on my router, here’s a screenshot of the configuration for my router:

Does this look good to you?

Thanks again! :slight_smile:

Great stuff!

Those files are owned by root. To reload, you can simply do the following:

sudo su
systemctl enable wg-quick@wg0

Alternatively again, if you run the command sudo systemctl enable wg-quick@wg0, emphasis on the sudo, that should work as well.

As for your port forward, I was able to find this in a hyperoptic manual:

If the web server needs to be seen from any public IPv4 address, type 0.0.0.0 in the Source IP address and list prefix length as 0. Otherwise, if the web server needs to be accessed from just one IPv4 address, list that one address as illustrated in Image 4.

We’re almost there!

-TorqueWrench

Hello, again :sweat_smile:

I’ve now fixed the listening port and now have this output using sudo wg:

pi@pivpn:~ $ sudo wg
interface: wg0
  public key: [key deleted]
  private key: (hidden)
  listening port: 51900

peer: [key deleted]
  allowed ips: 10.253.3.2/32

Great! However I’m still not receiving any data from wireguard, only sending.

This is the code for the wg0-client.conf file:

[Interface]
PrivateKey = [key deleted]
Address = 10.253.3.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = [key deleted]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [public WAN IP]:51900

Any idea what the problem is now? Failing this, I think I’ll just wipe and start over :man_facepalming:


That config looks correct. Are you sure you have the right keys set up in each? I would double check them. Also, make sure your RPi has the IP address you think it does. This can be done with sudo ifconfig (see the section here and scroll down).

The only other area I anticipate there could be a problem is in your port forwarding setup on the router. Do you want to share a screenshot of that config?

Oh! Something else it could be…I assume you’re testing this from your home network? (The same one your Raspberry Pi is on?). If so, you might be running into a NAT loopback problem. Netgear offers a nice, succinct explanation of NAT loopback:

NAT loopback is a feature which allows the access of a service via the WAN IP address from within your local network.

For example, you have a web server hosted on your local network. This web server is accessible from the outside using a public IP that is assigned to it. However, if you required internal users to access this web server using the same public IP address instead of its local IP address, your router needs to support NAT loopback.
Source: https://kb.netgear.com/000049578/NETGEAR-Router-support-for-NAT-Loopback

It’s also known as hairpinning, NAT reflection, etc.

A quick way to test either of these situations would be to replace the public WAN IP in the endpoint of your wg0-client.conf with the RPi server’s LAN address. If the connection works, then we know the problem is in the router/network config.

If it does work, connect your laptop to a cellular hotspot (or some other external network) and then try to connect using WireGuard (remember to replace your client’s config with your public WAN IP again). If the connection continues to work, then the problem is hairpinning. If it fails, we know the problem is in the port forwarding.

-TorqueWrench

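The "sending but not receiving" symptom in the WireGuard app is visible from the command line too: `wg show wg0 dump` prints one tab-separated line per peer, and a latest-handshake value of 0 means the handshake never completed, which is what a wrong endpoint, a missing port forward, a NAT loopback problem or mismatched keys all look like. The following is an added example, my own code rather than anything from the thread or from the WireGuard project: a shell function that turns a saved dump into a per-peer verdict. The dump it builds is constructed (placeholder keys, documentation addresses) from the server's point of view, where a client that never reached the server shows endpoint (none), handshake 0 and zero bytes both ways; on the client, the same failed peer shows the server's endpoint with bytes sent and nothing received.

```shell
#!/bin/sh
# Added example, not code from the thread: per-peer verdict from `wg show wg0 dump`.
# The dump is tab separated. Line 1 describes the interface
# (private-key, public-key, listen-port, fwmark); each later line is a peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx-bytes  tx-bytes  keepalive
# latest-handshake is a unix timestamp, 0 when no handshake has ever completed.
diagnose_peers() {   # $1 = dump file, $2 = "now" as a unix timestamp
    awk -F'\t' -v now="$2" 'NR > 1 {
        hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
        if (hs == 0)              verdict = "NO_HANDSHAKE"   # peer never answered: endpoint, port forward or keys
        else if (now - hs > 180)  verdict = "STALE"          # WireGuard rekeys within about 2 min under traffic
        else                      verdict = "OK"
        printf "%s %s endpoint=%s rx=%d tx=%d\n", substr($1, 1, 8), verdict, $3, rx, tx
    }' "$1"
}

# --- constructed dump: one client that never got through, one healthy client ---
DUMP=$(mktemp)
printf '%s\t%s\t%s\t%s\n' \
    'SERVER_PRIVKEY_PLACEHOLDER=' 'SERVER_PUBKEY_PLACEHOLDER=' 51900 off > "$DUMP"
printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'CLIENT_A_PUBKEY_PLACEHOLDER=' '(none)' '(none)' '10.253.3.2/32' 0 0 0 off >> "$DUMP"
printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'CLIENT_B_PUBKEY_PLACEHOLDER=' '(none)' '198.51.100.20:51820' '10.253.3.3/32' 1699999990 81234 40210 25 >> "$DUMP"

NOW=1700000000   # constructed "current time" chosen to match the sample timestamps
diagnose_peers "$DUMP" "$NOW"
```

On a real system run `sudo wg show wg0 dump > /tmp/dump.txt` and then `diagnose_peers /tmp/dump.txt "$(date +%s)"`. A NO_HANDSHAKE peer with tx > 0 on the client side is the thread's case: packets leave, nothing comes back, so the LAN-endpoint test TorqueWrench describes above is the next step.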

Hi TorqueWrench,

I’ve finally done it, thank you so much! I was having issues overwriting the wg0.conf files as it wasn’t keeping the updated document after rebooting the pi for whatever reason, so I formatted the sd card and started from scratch. After going through your walkthrough again, it works great!

I believe I am still having issues with the port forwarding though as it connects fine with the pi’s IP address but not if I’m connecting externally from my phone’s hotspot connection (after replacing the pi’s IP with my public WAN). Here’s a screenshot of my router’s port forwarding setup in case anyone else comes across the same issues as I’ve had:

and the wg0-client.conf file (with keys omitted):

I’ve tried changing the endpoint IP to my WAN address in the wg0-client.conf and my router then tried accessing from my phone’s hotspot but there’s no data being received. The only way I can get a connection is by the configurations above.

Thanks again TorqueWrench, you’ve been incredibly helpful!


Great, so we know the problem is now on the WAN/router side. That config looks correct based off what I read about your router configuration, which leads me to believe you’re behind a carrier grade NAT (CGNAT). Doing a quick search, I came across this:

In a nutshell, a CGNAT is where you, your neighbors, and everyone else’s router are all sitting on what is essentially one giant LAN. Your router is basically just another device on hyperoptic’s network just as your Raspberry Pi is just another device on your home network.

The reason this causes a problem is that, for the same reason you have to enable port forwarding on your router, there’s another router upstream of you that also needs port forwarding set up and you don’t control that router. You’re basically in a double NAT situation (this is also why double NAT tends to have a negative connotation).

You can confirm by visiting one of those “What Is My IP Address?” websites and comparing the IP address to what you see on your router: How To Tell If You’re Behind a CGNAT.

-TorqueWrench
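The check TorqueWrench describes (compare the WAN address on the router's status page with what a "What Is My IP Address?" site reports) can be scripted. The following is an added example, my own code and not from the thread: it classifies the router's WAN address, treating 100.64.0.0/10 (the shared address space reserved for carrier-grade NAT by RFC 6598) and the RFC 1918 private ranges as evidence of an upstream NAT, and then combines that with the externally observed address. The addresses it tests with are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: am I behind CGNAT / double NAT?
# Inputs: the WAN address the router shows, and the address the outside world sees.

# Prints cgnat | private | public | invalid for a dotted-quad IPv4 address
classify_ip() {
    ip=$1
    case "$ip" in
        *[!0-9.]* | '') echo invalid; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || { echo invalid; return 1; }
    done
    first=$1; second=$2
    if [ "$first" -eq 100 ] && [ "$second" -ge 64 ] && [ "$second" -le 127 ]; then
        echo cgnat          # 100.64.0.0/10, RFC 6598 shared address space
    elif [ "$first" -eq 10 ] \
        || { [ "$first" -eq 172 ] && [ "$second" -ge 16 ] && [ "$second" -le 31 ]; } \
        || { [ "$first" -eq 192 ] && [ "$second" -eq 168 ]; }; then
        echo private        # RFC 1918: another NAT device sits upstream
    else
        echo public
    fi
}

# Exit status 0 (true) means "behind CGNAT / double NAT": a port forward on
# your own router alone cannot expose the VPN port to the internet.
#   $1 = router's WAN address, $2 = address reported by an external site
behind_cgnat() {
    kind=$(classify_ip "$1") || return 2
    if [ "$kind" != public ]; then
        return 0        # shared or private space on the WAN side
    fi
    if [ "$1" != "$2" ]; then
        return 0        # router holds a public address, but the world sees a different one
    fi
    return 1
}

# --- constructed demonstration (203.0.113.0/24 is a documentation range) ---
for ip in 100.71.3.9 192.168.1.1 203.0.113.5; do
    echo "$ip -> $(classify_ip "$ip")"
done
if behind_cgnat 100.71.3.9 203.0.113.5; then
    echo "router WAN 100.71.3.9 vs external 203.0.113.5: behind CGNAT / double NAT"
else
    echo "router WAN address is the public address: port forwarding on this router can work"
fi
```

Read the WAN address from the router's status page and the external address from the site TorqueWrench links, then run `behind_cgnat <router-wan> <external-ip>`; a true result explains why the LAN endpoint works while the WAN endpoint from a phone hotspot does not.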

That makes sense. Oh well, I tried I guess haha. Just so I understand this a bit better, the connection I’ve used above would mean that my WAN address is still visible as my vpn is only working internally through my LAN? So essentially I have a private connection through my LAN but not WAN? I tried using whatismyipaddress.com with my vpn enabled and disabled and interestingly my ipv4 address is still visible when vpn is enabled but my ipv6 address is hidden?