While WireGuard Running, Can't Access Server via SSH

Hi!
Thanks for that guide, I was able to set up WireGuard with no problems. Works well - had access to my network when connected via my mobile hot spot.

But something strange (at least to me - might be strange because of lack of knowledge…):
Now, when connecting to the network without using WireGuard, I cannot log in to my Pi via SSH, nor can I access any services running! If connected with WireGuard (even if connecting to the same network via WiFi) all works grand.

Any suggestions as to why?

Thanks,
Greg

Hi Greg,

Thanks for reading. Glad to hear you got it working and sorry to hear at the same time something else stopped working! :smiley: That’s an interesting problem. What does your server (RPi) wg0.conf look like? More specifically, what do you have under the AllowedIPs field?

-TorqueWrench

After updating your suggestion of file to my local IPs it looks like that:

AllowedIPs = 192.168.1.104/32

My understanding was that this line determines the client's IP address within the network when dialled in via WireGuard?

I can access my Pi via my mobile connected to WiFi using RaspController, so my presumption was that the issue is with the laptop rather than the Pi itself.

Are you referring to these posts?


If so, that was for endpoint.

Is this on your client wg0.conf or your RPi/server config?

Either way, in both configs you shouldn’t have any local IP addresses that were assigned by your router/DHCP server. That causes trouble.

The AllowedIPs field on your WireGuard server tells it what peer to route traffic through. It should be set to the address of the interface specified in the wg0-client.conf. I think a picture will help:

All of the IP addresses boxed in red should be set exactly as shown in your configuration without modification. We are merely setting up IPs for the tunnel interface and therefore they should not exist as local IP addresses on your local network.

Change those configs (don’t forget to reload the service) and let me know how that works out for you. We’ll talk about the theory later. :wink:

-TorqueWrench
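
Added example, not part of the original thread: a small Python check that flags any Address or AllowedIPs entry in a wg-quick config that overlaps the router-assigned LAN subnet, the situation the reply above warns about. The 192.168.1.0/24 LAN, the 10.0.0.x tunnel addresses and the key placeholders are constructed assumptions, not values from the guide.

```python
import ipaddress

def parse_wg_conf(text):
    """Yield (section, key, value) from wg-quick style text.
    [Peer] may repeat, which configparser rejects, so parse by hand."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            yield section, key.strip(), value.strip()

def find_lan_conflicts(text, lan_cidr):
    """Return Address/AllowedIPs entries that overlap the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    hits = []
    for section, key, value in parse_wg_conf(text):
        if key.lower() not in ("address", "allowedips"):
            continue
        for item in (v.strip() for v in value.split(",")):
            net = ipaddress.ip_network(item, strict=False)  # Address has host bits
            if net.prefixlen == 0:
                continue  # 0.0.0.0/0 or ::/0 is a deliberate full-tunnel route
            if net.version == lan.version and net.overlaps(lan):
                hits.append((section, key, item))
    return hits

# Constructed sample configs (placeholder keys, assumed addressing).
SERVER_BROKEN = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 192.168.1.104/32
"""
SERVER_FIXED = SERVER_BROKEN.replace("192.168.1.104/32", "10.0.0.2/32")
CLIENT_FULL_TUNNEL = "[Peer]\nAllowedIPs = 0.0.0.0/0, ::/0\n"

if __name__ == "__main__":
    for name, conf in [("broken", SERVER_BROKEN), ("fixed", SERVER_FIXED)]:
        print(name, find_lan_conflicts(conf, "192.168.1.0/24"))
```

An empty result means no tunnel address or peer route collides with the LAN; wg-quick installs a route through wg0 for every AllowedIPs entry, so a hit here is a LAN address whose traffic would be sent into the tunnel.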

All right, I think I see where the issue is:
on the Pi, both eth0 and wg0 have the same IP, hence the conflict.

My question is: what do I have to do to successfully update wg0.conf on server side? After change via nano and saving, when I restart Pi, it reloads previous setting…

I'd rather avoid formatting the SD card, as other stuff is set up there already as well.

Is it actually saving when you update with nano? (I.e., when you go back in with nano, are your changes still there?) If not, you probably need to edit with sudo:

sudo nano wg0.conf

As for reloading:

-TorqueWrench

I'm very grateful you took your time to resolve my issue. For others struggling with it:
for some reason the file wg0.conf was not actually configuring anything… So what I did was

ifconfig wg0 down
systemctl disable wg-quick@wg0
apt-get --purge remove wireguard
rm -r /etc/wireguard

And then started from scratch. Seems to work well!

Now the most important question from a rookie like myself: how can I be sure that data is secure? Or is it: if it works, it's safe; if it does not work - it would not be safe, hence it does not work?

Thanks for the update, Greg and glad to hear you’ve got it working!

Man, I think you’re setting me up with such a dangerous question. :sweat_smile: In general, as long as you have a connection and it’s working, it’s safe (though I’m sure some security experts would take issue with this simplistic statement). If you’re working remotely and VPN’d (Wireguard’d) in, you could also double check by going to one of those “What Is My IP Address?” sites and checking the IP address there. Your IP address should (obviously) be different after you’ve started your WireGuard connection.

That’s actually how I discovered this little problem and had to update my config accordingly (to the one you now see on the blog that includes the IPv6 AllowedIPs):

Your issue has given me an idea for a new blog post: a quick introduction into the theory behind the WireGuard configuration. I had wanted to work that more into the guide, but it’s a balancing act between keeping the article readable/actionable and comprehensiveness. Make the guide too comprehensive and theory-heavy and it becomes too difficult to read to figure out what you actually need to do to get it to work.

Anyway, thanks for reading and participating. Feel free to ask about anything you’re working on. Looking forward to hearing about your next project.

-TorqueWrench