Thanks for that guide, I was able to set up WireGuard with no problems. Works well - had access to my network when connected via my mobile hot spot.
But something strange (at least to me - might be strange because of lack of knowledge…):
now when connecting to network without using WireGuard, I cannot log in to my Pi via SSH, nor can I access any services running! If connected with WireGuard (even if connecting to same network via WiFi) all works grand.
Thanks for reading. Glad to hear you got it working and sorry to hear at the same time something else stopped working! That’s an interesting problem. What does your server (RPi) wg0.conf look like? More specifically, what do you have under the AllowedIPs field?
Is this on your client wg0.conf or your RPi/server config?
Either way, in both configs you shouldn’t have any local IP addresses that were assigned by your router/DHCP server. That causes trouble.
The AllowedIPs field on your WireGuard server tells it what peer to route traffic through. It should be set to the address of the interface specified in the wg0-client.conf. I think a picture will help:
All of the IP addresses boxed in red should be set exactly as shown in your configuration without modification. We are merely setting up IPs for the tunnel interface and therefore they should not exist as local IP addresses on your local network.
Change those configs (don’t forget to reload the service) and let me know how that works out for you. We’ll talk about the theory later.
Thanks for the update, Greg, and glad to hear you’ve got it working!
Man, I think you’re setting me up with such a dangerous question. In general, as long as you have a connection and it’s working, it’s safe (though I’m sure some security experts would take issue with this simplistic statement). If you’re working remotely and VPN’d (Wireguard’d) in, you could also double check by going to one of those “What Is My IP Address?” sites and checking the IP address there. Your IP address should (obviously) be different after you’ve started your WireGuard connection.
That’s actually how I discovered this little problem and had to update my config accordingly (to the one you now see on the blog that includes the IPv6 AllowedIPs):
Your issue has given me an idea for a new blog post: a quick introduction to the theory behind the WireGuard configuration. I had wanted to work that more into the guide, but it’s a balancing act between keeping the article readable/actionable and comprehensiveness. Make the guide too comprehensive and theory-heavy and it becomes too difficult to read to figure out what you actually need to do to get it to work.
Anyway, thanks for reading and participating. Feel free to ask about anything you’re working on. Looking forward to hearing about your next project.
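The overlap that the AllowedIPs advice in this thread warns about can be checked mechanically. The following is an added example, not part of the original thread or the blog's guide; the LAN range 192.168.1.0/24, the 10.0.0.x tunnel addresses and both sample configs are constructed assumptions.

```python
import ipaddress

def parse_wg_conf(text):
    """Return ([Interface] addresses, one AllowedIPs list per [Peer])."""
    section, addresses, peers = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":                    # [Peer] may repeat
                peers.append([])
            continue
        key, _, value = line.partition("=")
        key, items = key.strip().lower(), [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "address":
            addresses += [ipaddress.ip_interface(i) for i in items]
        elif section == "peer" and key == "allowedips":
            peers[-1] += [ipaddress.ip_network(i, strict=False) for i in items]
    return addresses, peers

def find_lan_overlaps(conf_text, lan_cidr):
    """List tunnel settings that collide with the router/DHCP-assigned LAN range."""
    lan = ipaddress.ip_network(lan_cidr)
    addresses, peers = parse_wg_conf(conf_text)
    findings = []
    for iface in addresses:
        if iface.version == lan.version and iface.network.overlaps(lan):
            findings.append(f"[Interface] Address {iface} overlaps LAN {lan}")
    for i, allowed in enumerate(peers, 1):
        for net in allowed:
            if net.prefixlen == 0:                   # 0.0.0.0/0 or ::/0: full tunnel, not a LAN address
                continue
            if net.version == lan.version and net.overlaps(lan):
                findings.append(f"[Peer {i}] AllowedIPs {net} overlaps LAN {lan}")
    return findings

# Constructed sample data (assumed LAN range and tunnel addresses).
LAN = "192.168.1.0/24"
BAD_CONF = """[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
AllowedIPs = 192.168.1.23/32   # a LAN address handed out by the router
"""
GOOD_CONF = BAD_CONF.replace("192.168.1.23/32", "10.0.0.2/32")

if __name__ == "__main__":
    for finding in find_lan_overlaps(BAD_CONF, LAN):
        print(finding)
```

Run it against both the server and client configs with your own LAN range; an empty result means no tunnel address or specific AllowedIPs entry collides with the local network.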