
not working on Oracle Free Cloud

Open masterwishx opened this issue 2 years ago • 85 comments

Installed OK, but I don't have access to the internet from Oracle Free Cloud. In the installation steps it detects the private address 10.10.x.x on the enp0s3 adapter instead of the public 182.x.x.x, and if I insert the public one then I don't have access to the internet.

masterwishx avatar Feb 09 '22 17:02 masterwishx

Hello, I had the same problem here; look at discussion #241. This solves my problem.

Sirherobrine23 avatar Feb 10 '22 22:02 Sirherobrine23

Thanks. You mean to add these two lines?

```ini
PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -I FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -I INPUT -i ens3 -p udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT

PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -D INPUT -i ens3 -p udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT
```

Also, this script can't find my real outside IP address; it shows my private IP at the start of the install. I found another script that finds it but didn't try it (road warrior wireguard-install).

Also tried PiVPN, but also no luck. I will try it again after I remake the instance of the Oracle server. Thanks

masterwishx avatar Feb 12 '22 18:02 masterwishx

So, the script already adds this rule in the WireGuard configuration, and it also asks for the endpoint that the clients will have.

And what I could understand is that the client is not having access; you will have to go to the Oracle Cloud dashboard to release the WireGuard ports that were configured.

And if you still can't access the WireGuard network, run this command to remove the iptables rules: `iptables -F` removes all the rules.

Sirherobrine23 avatar Feb 12 '22 19:02 Sirherobrine23

Oracle defined some rules to block almost all ports on the VM, and on your virtual network.

Sirherobrine23 avatar Feb 12 '22 19:02 Sirherobrine23

> So, the script already adds this rule in the WireGuard configuration

You mean this one, or https://github.com/Nyr/wireguard-install?

masterwishx avatar Feb 13 '22 14:02 masterwishx

I opened the port in Oracle Cloud before running the script.

masterwishx avatar Feb 13 '22 15:02 masterwishx

> So, the script already adds this rule in the WireGuard configuration
>
> You mean this one, or https://github.com/Nyr/wireguard-install?

The https://github.com/angristan/wireguard-install one. I don't know other scripts, just a Docker image that I'm developing.

Sirherobrine23 avatar Feb 13 '22 16:02 Sirherobrine23

You could put the iptables rules here (`iptables --list`).

Sirherobrine23 avatar Feb 13 '22 16:02 Sirherobrine23

And what configuration is the VM from Oracle, for me to create one here to help you better?

Sirherobrine23 avatar Feb 13 '22 16:02 Sirherobrine23

OK, thanks a lot. For now I made a new instance and don't know what script to use now?!?

  1. this one (tried before, no success on the internet side)
  2. https://github.com/Nyr/wireguard-install (there is a video on YouTube + a fix if no internet)
  3. PiVPN (tried before, no success on the internet side)

masterwishx avatar Feb 13 '22 16:02 masterwishx

> And what configuration is the VM from Oracle, for me to create one here to help you better?

Ubuntu 20.4, VM.Standard.A1.Flex, 4 OCPUs, 24 GB memory; only added the UDP port for WireGuard.

masterwishx avatar Feb 13 '22 16:02 masterwishx

I'll try here and send you the iptables settings.

Sirherobrine23 avatar Feb 13 '22 17:02 Sirherobrine23

Setup Commands

```sh
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
# in "IPv4 or IPv6 public address:" add VM public IP here.
# and "Server's WireGuard port [1-65535]:" add port opened in oracle cloud dashboard.
sudo ./wireguard-install.sh
sudo iptables -F
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo reboot
```

Oracle Cloud subnet egress route (screenshot):

Setup log, with angristan/wireguard-install:

```console
ubuntu@wireguardvm:~$ curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15554  100 15554    0     0   106k      0 --:--:-- --:--:-- --:--:--  106k
ubuntu@wireguardvm:~$ chmod +x wireguard-install.sh
ubuntu@wireguardvm:~$ sudo ./wireguard-install.sh
Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: 144.22.149.61
Public interface: enp0s3
WireGuard interface name: wg0
Server's WireGuard IPv4: 10.66.66.1
Server's WireGuard IPv6: fd42:42:42::1
Server's WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 8.8.8.8
Second DNS resolver to use for the clients (optional): 1.1.1.1

Okay, that was all I needed. We are ready to setup your WireGuard server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
...

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash and can't exceed 15 chars.
Client name: phone
Client's WireGuard IPv4: 10.66.66.2
Client's WireGuard IPv6: fd42:42:42::2
...
ubuntu@wireguardvm:~$ sudo iptables -F && sudo iptables-save | sudo tee /etc/iptables/rules.v4
```

My phone client (screenshot):

Sirherobrine23 avatar Feb 13 '22 17:02 Sirherobrine23

  1. Did the script find your external IP?
  2. And do you have access to the internet?
  3. Do I need to run `iptables -F`? It deletes iptables?

Thanks a lot, I will try it.

Also I have some strange problem: when I use the `reboot` command in SSH, then I can't access the server by SSH (timeout). Also checked with https://www.infobyip.com/sshservertest.php; the server's port 22 looks unavailable... so I'm restarting from the Oracle cloud dashboard...

masterwishx avatar Feb 13 '22 17:02 masterwishx

  1. No, I had to put the VM's public IP provided by Oracle's Dashboard.
  2. Yes.
  3. Yes, because you will have to eliminate the rules defined by Oracle that block all requests to the VM.

To restart the VM over SSH you must use the `sudo reboot` command.

Sirherobrine23 avatar Feb 13 '22 17:02 Sirherobrine23

Ah OK, thanks, I will try.

masterwishx avatar Feb 13 '22 17:02 masterwishx

If I'm using the root user I don't need `sudo reboot`, only `reboot`, no?

masterwishx avatar Feb 13 '22 17:02 masterwishx

With root, no; I created the VM and used the default user (ubuntu) to configure WireGuard.

Sirherobrine23 avatar Feb 13 '22 18:02 Sirherobrine23

But somehow I can't get into the server by SSH now!!!! After the reboot, I also rebooted it from the dashboard, and still can't access SSH; https://www.infobyip.com/sshservertest.php also can't access port 22. I will try later; I had this problem yesterday too and opened a ticket, but today it was OK... Anyway, thanks a lot for the help, I will try it when I'm able to connect. Thanks

masterwishx avatar Feb 13 '22 18:02 masterwishx

If you don't have SSH access, connect to the VM through the Dashboard to solve this problem. You can also send commands to verify the integrity of the VM through the Dashboard.

Sirherobrine23 avatar Feb 13 '22 18:02 Sirherobrine23

Also, do not put the IP of the WireGuard interface in the same CIDR as the network interface that accesses the internet, because this conflicts.

Sirherobrine23 avatar Feb 13 '22 18:02 Sirherobrine23

I added the UDP port in ingress without the stateless box checked. Also I found I have MTU 9000 on enp0s3 and MTU 8920 on wg0; may the MTU cause the problem?

Also, now I have installed the other script (https://github.com/Nyr/wireguard-install); it's very much like this one but can also find the real outside IP. It would be cool to add that to this script. Also I have WireGuard OK but no internet somehow; I also used
`sudo iptables -F && sudo iptables-save | sudo tee /etc/iptables/rules.v4` but it did not help.

Tomorrow I will uninstall it and install your script and will follow your guide; I hope you will help me out. Thanks

```sh
# If $ip is a private IP address, the server must be behind NAT
if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
	echo
	echo "This server is behind NAT. What is the public IPv4 address or hostname?"
	# Get public IP and sanitize with grep
	get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")")
	read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
	# If the checkip service is unavailable and user didn't provide input, ask again
	until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do
		echo "Invalid input."
		read -p "Public IPv4 address / hostname: " public_ip
	done
	[[ -z "$public_ip" ]] && public_ip="$get_public_ip"
fi
```

masterwishx avatar Feb 14 '22 17:02 masterwishx
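A defender-side check for the "tunnel up, no internet" symptom this thread keeps circling back to, added here as an example; it is not code from the issue or from angristan/wireguard-install. It reads an `iptables-save` dump (a constructed sample below, or a live one) and reports which of the rules the PostUp line is supposed to install are missing; the interface names enp0s3/wg0 and port 51820 are assumptions taken from the setup log above.

```shell
#!/bin/sh
# Added example (not code from the issue thread or angristan/wireguard-install).
# Checks an iptables-save dump for the three rules a client needs to reach the
# internet through the server: MASQUERADE out of the public NIC, FORWARD accepted
# from the WireGuard interface, and the UDP listen port accepted on the public NIC.
# Interface names and port are assumptions taken from the setup log above.
PUB_IF="${PUB_IF:-enp0s3}"
WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"

# Constructed sample dump: PostUp ran, but the NAT table has no MASQUERADE rule,
# which is exactly the "tunnel up, no internet" symptom being debugged here.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i enp0s3 -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# $1 = dump text, $2 = public interface
has_masquerade() {
    printf '%s\n' "$1" | grep -qE "^-A POSTROUTING -o $2 -j MASQUERADE$"
}
# $1 = dump text, $2 = WireGuard interface
has_forward_accept() {
    printf '%s\n' "$1" | grep -qE "^-A FORWARD -i $2 (-o [^ ]+ )?-j ACCEPT$"
}
# $1 = dump text, $2 = public interface, $3 = UDP port
has_udp_input() {
    printf '%s\n' "$1" | grep -qE "^-A INPUT -i $2 -p udp( -m udp)? --dport $3 .*-j ACCEPT$"
}

# $1 = dump text, $2 = public if, $3 = wg if, $4 = port. Returns 0 only when all
# three rules are present; otherwise prints the missing rule(s) and returns 1.
check_wg_nat() {
    missing=0
    has_masquerade "$1" "$2" || { echo "missing: iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE"; missing=1; }
    has_forward_accept "$1" "$3" || { echo "missing: iptables -A FORWARD -i $3 -j ACCEPT"; missing=1; }
    has_udp_input "$1" "$2" "$4" || { echo "missing: iptables -A INPUT -i $2 -p udp --dport $4 -j ACCEPT"; missing=1; }
    return $missing
}

if check_wg_nat "$SAMPLE_RULES" "$PUB_IF" "$WG_IF" "$WG_PORT"; then
    echo "all forwarding rules present"
fi
```

On the server itself, `check_wg_nat "$(sudo iptables-save)" enp0s3 wg0 51820` run before and after `sudo iptables -F` shows exactly which rules the flush took away.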

The MTU, as I remember, won't be a problem, as they are the size of the UDP packets. If you are not able to get through the NAT it must be the iptables rule; I will be waiting to help you.

Sirherobrine23 avatar Feb 14 '22 17:02 Sirherobrine23

Not sure if you are using Oracle Linux instead of Ubuntu. If that is the case, don't forget to allow traffic using firewall-cmd, otherwise traffic may be blocked by the firewall. There is an ssh service allowed by default in firewall-cmd, but not the others. I am allowing the WireGuard traffic under services as well. If you don't have any security concerns, you could completely disable firewalld... (um... I won't)

You may allow traffic that you have configured inside the XML with a command like the one below: `sudo firewall-cmd --zone=public --permanent --add-service=wireguard`

You should then see your service being added in the services:

```text
oracle ~]$ sudo firewall-cmd --list-all --zone=public --permanent
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ftp iperf3-tcp iperf3-udp ssh wireguard zabbix-tcp zabbix-udp
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

An example of the XML file and its location:

```text
oracle ~]$ sudo ls /etc/firewalld/services/wireguard.xml
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>wireguard</short>
  <description>WireGuard open UDP port 60000 for client connections</description>
  <port protocol="udp" port="60000"/>
</service>
```

It is also a good idea to use tcpdump when troubleshooting, to see whether packets arrived at the VM or not.

raypnman avatar Feb 14 '22 17:02 raypnman

Hello, he is using Ubuntu for the WireGuard server.

> Not sure if you are using Oracle Linux instead of Ubuntu. If that is the case, don't forget to allow traffic using firewall-cmd, otherwise traffic may be blocked by the firewall. There is an ssh service allowed by default in firewall-cmd, but not the others. I am allowing the WireGuard traffic under services as well. If you don't have any security concerns, you could completely disable firewall-cmd
>
> You may allow traffic that you have configured inside the XML with the command below: `sudo firewall-cmd --zone=public --permanent --add-service=wireguard`
>
> You should then see your service being added in the services:
>
> ```text
> oracle ~]$ sudo firewall-cmd --list-all --zone=public --permanent
> public
>   target: default
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services: ftp iperf3-tcp iperf3-udp ssh wireguard zabbix-tcp zabbix-udp
>   ports:
>   protocols:
>   forward: no
>   masquerade: yes
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
> ```
>
> An example of the XML file and its location:
>
> ```text
> oracle ~]$ sudo ls /etc/firewalld/services/wireguard.xml
> ```
>
> ```xml
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>   <short>wireguard</short>
>   <description>WireGuard open UDP port 60000 for client connections</description>
>   <port protocol="udp" port="60000"/>
> </service>
> ```
>
> It is also a good idea to use tcpdump when troubleshooting, to see whether the packets arrived at the VM or not.

Sirherobrine23 avatar Feb 14 '22 17:02 Sirherobrine23

> Hello, he is using Ubuntu for the WireGuard server.

Oh, yes, I just saw the environment in the previous posts...

raypnman avatar Feb 14 '22 18:02 raypnman

So, reinstall the system, and everything will work out. (BONUS: It really works!)

xw-l avatar Feb 15 '22 06:02 xw-l

He can do that, and it would be nice, but it depends on him; sometimes he doesn't want to recreate the VM because of some service he hosts there.

Sirherobrine23 avatar Feb 15 '22 06:02 Sirherobrine23

I uninstalled the script that has WireGuard, and will install yours, then I will post all the info on WireGuard. I already made a new clean instance, after I tried your script and the PiVPN script. Also, I made a backup of the clean boot disk after creation of the VM, and I didn't install any services before WireGuard. All that I had before is gone. I wanted to make WireGuard work first...

I installed WireGuard on my Unraid home server without any problem in 5-10 min. But a VPS I'm trying for the first time. If there are problems again I can restore the backup or recreate the VM. Thanks

masterwishx avatar Feb 15 '22 10:02 masterwishx

Finally installed your script, and still no internet on my phone. But somehow after:

```sh
sudo iptables -F && sudo iptables-save | sudo tee /etc/iptables/rules.v4
reboot
```

I have the following iptables with the old script's IP in it (screenshots):

masterwishx avatar Feb 15 '22 12:02 masterwishx