Hello everybody,
On my Router I have set up a VPN connection with WireGuard. My network is 172.16.1.0/24 and the remote network (of my parents) is 172.16.2.0/24. The VPN config is listed below.
I'm trying to set up my Raspberry Pi as a WireGuard VPN gateway. The plan is that the Pi is connected to my VPN and all devices in the remote network connect via WiFi to the Pi to reach my local network.

This is my installation:
Code:
# Package Installation
sudo apt install dnsmasq hostapd iptables-persistent resolvconf wireguard dhcpcd5 -y

# WireGuard Configuration
sudo nano /etc/wireguard/VPNNET.conf
sudo systemctl enable wg-quick@VPNNET
sudo systemctl start wg-quick@VPNNET

# Hostapd Configuration
sudo nano /etc/hostapd.conf
sudo nano /etc/default/hostapd
sudo systemctl unmask hostapd
sudo systemctl enable hostapd

# DNSmasq Configuration
sudo rm /etc/dnsmasq.conf
sudo nano /etc/dnsmasq.conf
sudo systemctl restart dnsmasq

# Configure NAT Rules
sudo nano /etc/sysctl.conf
sudo sysctl -p

# Configure iptables
sudo iptables -t nat -A POSTROUTING -o VPNNET -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o VPNNET -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o VPNNET -j ACCEPT
sudo sh -c "iptables-save > /etc/iptables/rules.v4"

# Configure DHCP
sudo nano /etc/dhcpcd.conf
sudo systemctl restart dhcpcd

And here are my config files.

VPNNET.conf:
Code:
[Interface]
PrivateKey = PRIVATE_KEY
Address = 172.16.1.202/24
DNS = 172.16.1.1

# Special SSH Route Rules
PostUp = ip rule add from 172.16.2.4 table 200
PostUp = ip route add default via 172.16.2.1 dev eth0 table 200
PostDown = ip rule del from 172.16.2.4 table 200
PostDown = ip route del default via 172.16.2.1 dev eth0 table 200

[Peer]
PublicKey = PUBLIC_KEY
PresharedKey = PRE_SHARED_KEY
AllowedIPs = 172.16.2.0/24, 0.0.0.0/0, ::/0
Endpoint = xyz.myfritz.net:53320
PersistentKeepalive = 25

hostapd.conf:
Code:
interface=wlan0
driver=nl80211
ssid=Pi-VPN
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1
wmm_enabled=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=test123456

default/hostapd:
Code:
# Defaults for hostapd initscript
#
# WARNING: The DAEMON_CONF setting has been deprecated and will be removed
# in future package releases.
#
# See /usr/share/doc/hostapd/README.Debian for information about alternative
# methods of managing hostapd.
#
# Uncomment and set DAEMON_CONF to the absolute path of a hostapd configuration
# file and hostapd will be started during system boot. An example configuration
# file can be found at /usr/share/doc/hostapd/examples/hostapd.conf.gz
#
#DAEMON_CONF="/etc/hostapd/hostapd.conf"

# Additional daemon options to be appended to hostapd command:-
#   -d   show more debug messages (-dd for even more)
#   -K   include key data in debug messages
#   -t   include timestamps in some debug messages
#
# Note that -B (daemon mode) and -P (pidfile) options are automatically
# configured by the init.d script and must not be added to DAEMON_OPTS.
#
#DAEMON_OPTS=""

dnsmasq.conf:
Code:
interface=wlan0
dhcp-range=192.168.50.10,192.168.50.50,255.255.255.0,24h

sysctl:
Code:
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

###################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438

dhcpcd.conf:
Code:
# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
#hostname

# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
persistent

# vendorclassid is set to blank to avoid sending the default of
# dhcpcd-<version>:<os>:<machine>:<platform>
vendorclassid

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# Request a hostname from the network
option host_name

# Most distributions have NTP support.
#option ntp_servers

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private

interface eth0
static ip_address=172.16.2.4/24
static routers=172.16.2.1
static domain_name_servers=172.16.2.1

interface wlan0
static ip_address=192.168.178.1/24
nohook wpa_supplicant

The current situation is that I'm able to connect to my WiFi and get an IP address from my dnsmasq DHCP pool, but the speed is so slow that I question whether I'm even connected to the internet. When I run a speed test on the Pi itself I get the speed I'm expecting (40 MBit/s, because this is the upload speed of my router). Also, with curl ifconfig.me I get the public IP address of my home network.
Does anyone see the mistake I've made, why I don't have any internet with my client?
Also, maybe someone could tell me why it's no longer possible for me to SSH into my Pi with the local 172.16.2.4 address. I get a connection timeout error, but when I SSH with the VPN address, it works.
Statistics: Posted by Alpha-Inc. — Sun Jan 05, 2025 5:18 pm
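The post lays out the whole gateway procedure across several files, so as an added example (not part of the post) here is a small Python check that reads copies of the posted dhcpcd.conf, dnsmasq.conf and iptables rules and flags two invariants such an AP-to-WireGuard gateway depends on: the pool dnsmasq hands out must lie inside the subnet dhcpcd assigns to the interface dnsmasq listens on, and a FORWARD rule that admits new connections one way needs a RELATED,ESTABLISHED rule for the return direction. The embedded fragments are trimmed copies of the post's files (constructed input) and the function names are my own.

```python
import ipaddress
import re

# Config fragments copied from the post, trimmed to the relevant lines (constructed test input).
DHCPCD_CONF = """interface eth0
static ip_address=172.16.2.4/24
static routers=172.16.2.1
interface wlan0
static ip_address=192.168.178.1/24
nohook wpa_supplicant"""
DNSMASQ_CONF = """interface=wlan0
dhcp-range=192.168.50.10,192.168.50.50,255.255.255.0,24h"""
IPTABLES_RULES = [
    "-t nat -A POSTROUTING -o VPNNET -j MASQUERADE",
    "-A FORWARD -i wlan0 -o VPNNET -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -i wlan0 -o VPNNET -j ACCEPT",
]

def dhcpcd_static_ips(conf):
    """Map interface name -> static ip_address/prefix from dhcpcd.conf."""
    ips, iface = {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("interface "):
            iface = line.split()[1]
        elif iface and line.startswith("static ip_address="):
            ips[iface] = ipaddress.ip_interface(line.split("=", 1)[1])
    return ips

def check_gateway(dhcpcd, dnsmasq, rules):
    """Return a list of findings; an empty list means the three files agree."""
    findings, ips = [], dhcpcd_static_ips(dhcpcd)
    listen = [ln.split("=", 1)[1] for ln in dnsmasq.splitlines() if ln.startswith("interface=")]
    for line in dnsmasq.splitlines():
        if line.startswith("dhcp-range="):
            first, last = (ipaddress.ip_address(p) for p in line.split("=", 1)[1].split(",")[:2])
            # dnsmasq only serves a range on an interface that owns an address inside that range
            if not any(i in ips and first in ips[i].network and last in ips[i].network for i in listen):
                findings.append(f"dhcp-range {first}-{last} lies in no listening interface's subnet")
    fwd = set()
    for r in rules:
        m = re.search(r"-A FORWARD -i (\S+) -o (\S+)", r)
        if m:
            fwd.add((m.group(1), m.group(2), "RELATED,ESTABLISHED" in r))
    for i, o, stateful in fwd:
        # new connections admitted i -> o need a RELATED,ESTABLISHED rule o -> i (matters once FORWARD policy is DROP)
        if not stateful and (o, i, True) not in fwd:
            findings.append(f"no RELATED,ESTABLISHED rule for return traffic {o} -> {i}")
    return findings

print(*check_gateway(DHCPCD_CONF, DNSMASQ_CONF, IPTABLES_RULES), sep="\n")
```

Swap in your own files' contents for the three constants to run the same checks against a live box.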