Hi All,

I have a Raspberry Pi 5 (8GB) running bookworm:

Code:
kdalu@kdalu-rpi:~ $ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

I'm trying to set up a WireGuard client connection to my VPN provider (ProtonVPN). I followed their official guide (https://protonvpn.com/support/wireguard-linux) for setup/installation and it went without a hitch. However, when I check the Pi's public-facing IP address via

Code:
curl https://ifconfig.io/

I get an IPv6 address associated with my ISP, not my VPN provider. The same is true if I check through https://ip.me/. I've spent hours trying to figure out what's wrong with my setup but couldn't find (or understand) what's wrong with it. My best guess is the traffic isn't going through the tunnel. Here are the details:

WireGuard configuration file: (Removed key)

Code:
[Interface]
# Key for kdalu-rpi
# Bouncing = 6
# NetShield = 2
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = on
# VPN Accelerator = on
PrivateKey = <REMOVED>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# CA#374
PublicKey = 32BouQp7QBFlZTBW8goSEE+kDnyEqbjYGKWNOdqx4DM=
AllowedIPs = 0.0.0.0/0
Endpoint = 149.22.82.55:51820

Bringing up WireGuard and checking that the connection is established:

Code:
kdalu@kdalu-rpi:~ $ wg-quick up wg
[#] ip link add wg type wireguard
[#] wg setconf wg /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg
[#] ip link set mtu 1420 up dev wg
[#] resolvconf -a wg -m 0 -x
[#] wg set wg fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
kdalu@kdalu-rpi:~ $ sudo wg
interface: wg
  public key: EahBYXgN5BwfnYJsYr05rNbFEGu6VllZeIHe38VhujE=
  private key: (hidden)
  listening port: 43218
  fwmark: 0xca6c

peer: 32BouQp7QBFlZTBW8goSEE+kDnyEqbjYGKWNOdqx4DM=
  endpoint: 149.22.82.55:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 37 seconds ago
  transfer: 5.23 KiB received, 3.24 KiB sent
kdalu@kdalu-rpi:~ $

Subsequent calls to wg also show that transferred and received bytes are changing:

Code:
kdalu@kdalu-rpi:~ $ sudo wg
interface: wg
  public key: EahBYXgN5BwfnYJsYr05rNbFEGu6VllZeIHe38VhujE=
  private key: (hidden)
  listening port: 43218
  fwmark: 0xca6c

peer: 32BouQp7QBFlZTBW8goSEE+kDnyEqbjYGKWNOdqx4DM=
  endpoint: 149.22.82.55:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 16 seconds ago
  transfer: 13.04 KiB received, 8.57 KiB sent
kdalu@kdalu-rpi:~ $

Check IP address, disconnect the VPN client, and check again:

Code:
kdalu@kdalu-rpi:~ $ curl https://ifconfig.io/
2607:xxxx:xxxx:xxxx::7336
kdalu@kdalu-rpi:~ $ wg-quick down wg
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg
[#] resolvconf -d wg -f
[#] nft -f /dev/fd/63
kdalu@kdalu-rpi:~ $ curl https://ifconfig.io/
2607:xxxx:xxxx:xxxx::7336
kdalu@kdalu-rpi:~ $

Redacted the address a bit, but the point is it's the same whether the client is up or down, when it shouldn't be. Also checked by visiting https://ip.me/ and the results are the same.

Brought the client back up and checked the routing:

Code:
kdalu@kdalu-rpi:~ $ wg-quick up wg
[#] ip link add wg type wireguard
[#] wg setconf wg /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg
[#] ip link set mtu 1420 up dev wg
[#] resolvconf -a wg -m 0 -x
[#] wg set wg fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
kdalu@kdalu-rpi:~ $ routel
Dst              Gateway   Prefsrc     Protocol  Scope  Dev      Table
default                                          link   wg       51820
default          10.0.0.1  10.0.0.100  dhcp             wlan0
10.0.0.0/24                10.0.0.100  kernel    link   wlan0
172.17.0.0/16              172.17.0.1  kernel    link   docker0
10.0.0.100                 10.0.0.100  kernel    host   wlan0    local
10.0.0.255                 10.0.0.100  kernel    link   wlan0    local
10.2.0.2                   10.2.0.2    kernel    host   wg       local
127.0.0.0/8                127.0.0.1   kernel    host   lo       local
127.0.0.1                  127.0.0.1   kernel    host   lo       local
127.255.255.255            127.0.0.1   kernel    link   lo       local
172.17.0.1                 172.17.0.1  kernel    host   docker0  local
172.17.255.255             172.17.0.1  kernel    link   docker0  local
kdalu@kdalu-rpi:~ $ ip rule
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default
kdalu@kdalu-rpi:~ $ ip route show table 51820
default dev wg scope link

Default route to wg is present and it's routing all packets without fwmark to wg (explained here: https://www.linuxquestions.org/question ... 175673235/ )

I don't know what to check next, any help would be appreciated.

Thanks
Statistics: Posted by kdal — Mon Jan 06, 2025 7:06 pm
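
Every wg-quick command in the output above is an `ip -4` command and AllowedIPs lists only 0.0.0.0/0, while the address curl reports is IPv6. The check below is an added example, not part of the original post or of ProtonVPN's guide: it parses a wg-quick config and reports whether an observed public address belongs to a family the tunnel never routes. The function names, the embedded sample config and the 2001:db8:: address are constructed for illustration.

```python
import ipaddress

# Constructed sample: same shape as the config in the post, keys replaced.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <REMOVED>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = <PLACEHOLDER>
AllowedIPs = 0.0.0.0/0
Endpoint = 149.22.82.55:51820
"""

def allowed_networks(conf_text):
    """Collect every AllowedIPs entry from all [Peer] sections."""
    nets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def full_tunnel_families(conf_text):
    """Return the IP versions (4, 6) whose whole address space is covered."""
    covered = set()
    nets = allowed_networks(conf_text)
    for version in (4, 6):
        merged = list(ipaddress.collapse_addresses(
            n for n in nets if n.version == version))
        if len(merged) == 1 and merged[0].prefixlen == 0:
            covered.add(version)
    return covered

def bypasses_tunnel(conf_text, observed_ip):
    """True if the address a what-is-my-IP service reported belongs to a
    family the config never routes into the tunnel."""
    version = ipaddress.ip_address(observed_ip).version
    return version not in full_tunnel_families(conf_text)

if __name__ == "__main__":
    # 2001:db8::7336 is a constructed documentation address.
    print(sorted(full_tunnel_families(SAMPLE_CONF)))       # [4]
    print(bypasses_tunnel(SAMPLE_CONF, "2001:db8::7336"))  # True
```

A True result means the reported address is expected to be the ISP's whether the client is up or down, because no route for that family points at the wg interface.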