IT WORKS! You are a lifesaver. Thank you very very much. It totally slipped my mind there’s a “HA OS” underneath it all. I’ve checked for iptables in HA and there were none so I assumed it was a routing issue.
Now I just have to learn to formulate an iptables rule to forward (just) what I need forwarded and (just) where I need it forwarded to, and make it persist, and I’m golden. This is in no way an ask towards you; your help up till now has been invaluable and you’ve made far too much travel on your keyboard keys for unknown me, but, on the other hand, if and just if you have a suggestion lingering in your brain… I won’t be offended.
In any case, thanks once again for your good will. Hope I can repay / pass it forward one day.
Thanks once again (sorry for the late response - life/work got in the way).
Your solution, as is usual per my experience, works. I’ll try and see what I can do to make them persist or be “reapplied” on reboot, and be sure to write about it for posterity.
This is more of a general reply, but it can solve someone’s problem. I am just putting it out there.
I had the VPN set up and had a handshake. I could ping the host, but could not get any internet access, nor the local webpages.
I found the problem here:
It turns out the MTU was set too high.
In the solution they set it to 1340 with netsh, but you can also set it as an option in your client-side WireGuard configuration.
Hello Doron.
It seems I have the same issue. If I look at the routing, it points towards the IP of the WireGuard add-on; however, it seems that packets are dropped at the host itself.
Now, I noticed that you are referring to iptables; however, my HassOS does not have iptables enabled. Do you maybe have any other thoughts on how I can enable packet flow?
Hi @broker . Are you actually running HASSOS (and a recent one)? Assuming you do, I believe it does have iptables (essentially nf_tables) installed and applied. Are you sure you’re connecting to a shell at the OS level? If you’re using UI “Terminal” or something like that, then you’re not at the OS level and indeed you will not see iptables.
Hello @doron:
These are the versions I am running:
Core 2024.7.2
Supervisor 2024.06.2
Operating System 12.4
Frontend 20240710.0
I am issuing the commands from the “advanced SSH & Web Terminal” with protection mode disabled.
What I think is strange: if I do a traceroute from the terminal to my remote network (192.168.1.1), it gets forwarded to the wireguard-addon.
If I ping from the 192.168.1.0 network to the other network, 192.168.178.0, I get results;
however, if I ping from 192.168.178.0 to 192.168.1.0 there is nothing. I just cannot figure out what is causing that.
Just a bit of background: I am running a HA server in the 192.168.178.0 space that connects to a UDM Pro SE that has the 192.168.1.0 space.
Just to make sure I am not overlooking any issues in my config, this is what is shown when the tunnel is brought up:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
s6-rc: info: service legacy-services successfully started
[#] ip -4 address add 192.168.3.3/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 192.168.3.1/32 dev wg0
[#] ip -4 route add 192.168.1.0/24 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
In addition, if I check the settings of the WireGuard docker:
docker exec -it e20bc7fdd12a route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.30.32.1 0.0.0.0 UG 0 0 0 eth0
172.30.32.0 * 255.255.254.0 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 wg0
192.168.3.1 * 255.255.255.255 UH 0 0 0 wg0
From the docker I am able to ping 192.168.1.1 & 192.168.3.1 (peer subnet).
Hi @broker
I’ll look at the details tomorrow - a bit busy right now, but a quick comment:
It sounds as if you are doing everything inside dockers (different dockers at that), and not at the OS level. To get to the OS level you need to enable SSH access to that level. Have you done that? If not, here is a guide as to how to go about that.
@doron, you were right. After going through the steps, adding the route and issuing the iptables commands solved the problem. Now I need to check how I can make this persistent.
@doron, that was my idea, but it seems very difficult, unless I am doing something wrong, as I seem not to have write access to the disk. I have tried to put a file in /etc/network/if-pre-up.d/; every time I try a touch or a vi and save, it gives me the error that the disk is read-only.
Hi Folks, I wonder if somebody could help me out, or uses a similar setup. I use two network providers (ISPs), and I do switching between them. My setup looks like this:
A Netgear LM1200 LTE Modem does the switching between two ISPs in bridge mode. The LAN port of the Netgear modem is connected to the WAN port of my home router (Asus should be able to do ISP switching also, but I found it extremely unreliable). I don’t use the two ISPs at the same time (so no load balancing); it is simply for fallback mode, I turn off the cable modem when I don’t need so much bandwidth. My Home Assistant instance is wired directly to the Asus router, which runs WireGuard and AdGuard.
I set up WireGuard on all my devices while using ISP1, but tested also with ISP2 after setup and it worked. I have a script running on HA: when it sees the ISP changed, I trigger an IP update at DuckDNS. I use my own DNS (AdGuard), which also runs on Home Assistant.
I noticed after a while when I am away from home (I turn off ISP1 and switch to ISP2) that my phone still connects to the WireGuard VPN, no errors whatsoever, but for some reason Internet doesn’t work. I can’t figure out where the issue must be. It is probably something with the DNS, since I can connect to the WireGuard VPN, but the phone becomes offline.
What I tried:
I checked and the IP address at duckdns is correct.
If I connect the phone at home to the wireless network (so no VPN/WireGuard involved), everything works fine with AdGuard; both ISP1 and ISP2 work.
Something with the combo of WireGuard and AdGuard is not OK when doing ISP switching. Does anybody have some ideas what could go wrong?
You did not provide the config details for your WG instances, so I will try to throw in a blind guess. Check out “allowed_ips” for both phone client and HA WG instance, and also “client_allowed_ips” on the HA side. They should reflect what you really want to happen (my guess is you want WG to just route to the home LAN, not to carry the entire Internet for the remote clients).
Yes, that would probably lead to what you’re seeing.
Please do some reading wrt allowed_ip. This is a central piece in WG setup.
Basically, and this will oversimplify, if your phone’s WG setup will have, for your HA-side end, allowed_ips: 0.0.0.0/0, it would mean that when the WG link is active, the HA side will serve as the default gateway for your phone. This means that all traffic, whether destined to HA or to The Internet, will flow via your home (and HA). You can see how this would lead to the situation you described.
If you want WG to just serve as a path to your home gateway, configure allowed_ips and client_allowed_ips to denote your home network, only (e.g. 192.168.3.0/24 or 10.0.0.0/8 or whatever).
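As an added illustration of the allowed_ips rule described above (example code written for this note, not from the thread or the WireGuard add-on): a small Python model of WireGuard's cryptokey routing, showing how a peer's AllowedIPs decides which outgoing packets enter the tunnel and which decrypted incoming packets are accepted. The peer name and the two subnet tables are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed peer tables for a phone's WireGuard config (assumed names).
# Keys are peer names; values are that peer's AllowedIPs entries.
FULL_TUNNEL = {"home-ha": ["0.0.0.0/0"]}                    # HA becomes the default gateway
SPLIT_TUNNEL = {"home-ha": ["192.168.3.0/24", "10.0.0.0/8"]}  # only home networks go via WG


def _networks(cidrs: List[str]) -> List[ipaddress._BaseNetwork]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def egress_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Sending side: an outgoing packet is encrypted to the peer whose
    AllowedIPs entry is the longest prefix containing dst. None means no
    peer matches, so the packet never enters the WG interface at all."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, cidrs in peers.items():
        for net in _networks(cidrs):
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def ingress_allowed(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Receiving side: a packet that decrypts under `peer`'s key is only
    accepted if its source address lies inside that peer's AllowedIPs;
    otherwise WireGuard silently drops it (AllowedIPs is also a filter)."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n
               for n in _networks(peers.get(peer, [])))


if __name__ == "__main__":
    for label, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        for dst in ("192.168.3.1", "8.8.8.8"):
            print(f"{label:5} tunnel: {dst:12} -> {egress_peer(table, dst)}")
```

With the full-tunnel table every destination, Internet included, is sent to the home peer; with the split-tunnel table an Internet address matches nothing and leaves the phone over its normal uplink.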
Hi doron, thanks I will read a bit more about these options. Now just without understanding the whole thing…
HA at the end runs AdGuard. My thinking was that I want to do the ad filtering with AdGuard running on HA, so HA is my DNS server. At home on my local wireless network this is fine; in my router I set up HA with AdGuard as my DNS server. Ad filtering all works fine…
Now I still want to have ad filtering with HA AdGuard when I am outside of home. So I set up WireGuard so I can connect with VPN to my home network. When I leave home the VPN connects, and I still want to use HA AdGuard as my DNS server. As advised by Frenk I do this in WireGuard:
server:
  dns:
    - 172.30.32.1
So with my current limited understanding, doesn’t this mean that the whole traffic needs to go through HA? What am I missing here?
Okay for some reason I thought you only wanted to connect to your home WG for HA related traffic, not all traffic. Wrong assumption, sorry about that. So to do that, indeed you need allowed_ips and client_allowed_ips to cover the whole world, namely 0.0.0.0/0.
So let’s refocus on your original issue. If your mobile device can access the Internet just fine when ISP1 is active, but can’t when ISP2 is active, and you’re using the same DNS name server in both cases, then chances are that either your outgoing packets are not reaching the net, or the return packets from ISP2 do not make it back into WG. The latter is quite a common mishap.
So here’s the next thing I’d check: Verify that return packets from your ISP2 can find their way back to the IP address(es) you assigned for your phone(s), in the “peers” section, via the WG addon.
Apologies for the silly question, but how do I check if the packets find their way back?
I checked the WireGuard log section, but this doesn’t tell too much. I just see all the peers that are set up, but I don’t really see if they are connected or not. I assume I need to increase the log level…
You’d need to do some packet capturing on the path between the router and the Netgear. That might prove tricky to explain/do in the setup you describe, so let’s put it aside for the moment.
You mentioned a script you run when the ISPs change. What does this script do, exactly?
Hi, I’m behind a CGNAT. I have set up WireGuard on my VPS, the add-on and my phone. All devices can ping each other, but I’m not able to access the UI at 192.168.4.2:8123.