no acces to webgui/ssh after enabling wireguard (plugin)

Hello,

Tried solving this problem by myself and searched this forum for similar error but no luck. I'm trying to get wireguard through the plugin (custom) to work with the following configs:

 [Interface]
# Device: device name here
PrivateKey = insert key here
Address = 10.69.171.24/32
DNS = 100.64.0.63
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = insert key here
AllowedIPs = 0.0.0.0/0
Endpoint = 193.32.249.66:51820

After a reboot the terminal shows that a connection is made with the mullvad server on a different external ip. Google is pingable and the curl ifconfig.io command verifies the external ip. But I cannot access the webgui, nor ssh.

Then I made a change (AllowedIPs) to the config with the help of nano editor and some info on this forum:

[Interface]
# Device: device name here
PrivateKey = insert key here
Address = 10.69.171.24/32
DNS = 100.64.0.63
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = insert key here=
AllowedIPs = 192.168.1.0/24
Endpoint = 193.32.249.66:51820

After a reboot the terminal shows a the normal public ip. No vpn connection has been made. This time it is possible to access the webgui/ssh.

A final change in the config (dns) didn't help:

[Interface]
# Device: device name here
PrivateKey = insert key here
Address = 10.69.171.24/32
DNS = 192.168.1.1
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = insert key here
AllowedIPs = 0.0.0.0/0
Endpoint = 193.32.249.66:51820

The wireguard config is newly generated on the mullvad website with killswitch enabled. I've noticed when I make a change in /etc/wireguard/wgnet_mullwg.conf (AllowedIPs) and after a reboot the webgui doesn't reflect that change.

Thank you in advance!

Quote from gderf

Try regenerating the wireguard config with the killswitch DISabled.

While you where responding to my post I've updated/modified it. Will try disable option.

Quote from gderf

Seems like you have run into this before, no?

Post

RE: How to restart qbittorrent container every x hours automatically

Conclusion:

Problem:
glueton with qbitorrent in a compose resulted in random disconnect after x amount of hours/days. Torrents wouldn't start and rss feeds stopped working. A restart of qbittorrent container was necessary to regain functionality.

Solution:
Switching to a different image called dyonr/qbittorrentvpn that has build in vpn with killswitch. When using wireguard make sure you configure a wireguard config file through your vpn service provider (in my case mullvad) that uses only ipv4…

thesorcerer

Jun 25th 2023

That was a problem with a docker container. Since then I used binhex qbittorrent which functions really good. I wanted to try the wireguard plugin now, thus having all my clients in my household using a vpn.

Thank you for the suggestion. All seems to work now. Webgui/ssh is reachable with vpn connection enabled through wireguard plugin. I really want killswitch for obvious reasons enabled. Any ideas?

Quote from chente

To do that you need a point-to-site configuration. In this article you can see how to configure it. https://www.procustodibus.com/…ard-point-to-site-config/

I don't know if you want to connect to a remote server that you own or a commercial remote server. If it is the latter, you will have to consult that provider about what they allow you to do. You will also have to adapt the iptables configurations to what that article says for it to work.

That's not what I mean. Every client has individually been configured to use a vpn connection. In the future I will configure opnsense to do as you suggested.