Wireguard VPN - Issues
**********************

.. highlight:: bash

- :doc:`sys-vpn`
- :doc:`detail/sys-vpn`
- :doc:`issues-vpn`

Initial Diagnostics
===================

Check the wireguard interface is up::

    sudo wg

    peer: siOe0gA/wSjnFZpX1ODhHjv5z6WDsIm+B3SEJy58DlU=
      endpoint: 133.122.144.188:52062
      allowed ips: 10.10.2.10/32
      latest handshake: 32 minutes, 31 seconds ago
      transfer: 10.03 GiB received, 331.45 MiB sent

.. tip:: So the server has not checked in for 32 minutes!

Connection issues
=================

To diagnose connection issues use (on both the client and the server)::

    sudo wg show

or, if the interface is configured to start at boot time (assuming the
interface is called ``wg0``), use::

    sudo systemctl status wg-quick@wg0

e.g. a typical client will show::

    interface: wgx
      public key: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
      private key: (hidden)
      listening port: yyyyy

    peer: sssssssssssssssssssssssssssssssssssssssssss=
      endpoint: s.s.s.s:sssss
      allowed ips: a.a.a.0/24
      latest handshake: 20 seconds ago
      transfer: 46.90 MiB received, 523.78 MiB sent
      persistent keepalive: every 25 seconds

A typical server will show::

    interface: wgx
      public key: sssssssssssssssssssssssssssssssssssssssssss=
      private key: (hidden)
      listening port: sssss

    peer: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
      endpoint: y.y.y.y:yyyyy
      allowed ips: a.a.a.x/32
      latest handshake: 1 second ago
      transfer: 2.37 GiB received, 964.48 MiB sent

    peer: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
      endpoint: z.z.z.z:zzzzz
      allowed ips: a.a.a.z/32
      latest handshake: 3 seconds ago
      transfer: 28.27 MiB received, 20.33 MiB sent

    peer: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww=
      allowed ips: a.a.a.w/32

Lines to look out for in this output are:

- If there are no ``latest handshake`` or ``transfer`` lines (e.g. peer
  ``wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww=`` above), this indicates
  the peer has not been seen since the service started.
- If the interface has been started recently, a ``transfer`` line showing
  ``0B received`` indicates that the service is not connected. This is
  usually due to a configuration issue.
- ``latest handshake`` should be less than a few minutes. If the transfer
  line shows a value for bytes received, this indicates the configuration
  worked at some point, so it may be a public network issue (the wireguard
  interface sends encrypted traffic over the public network interface).

Reset the interface
-------------------

To reset the wireguard interface (assuming it's called ``wg0``) use::

    wg-quick down wg0 && wg-quick up wg0

If the interface is started at boot time you can also use::

    sudo systemctl restart wg-quick@wg0

Configuration issues
====================

The ``PublicKey`` in the ``Peer`` section of the client configuration is the
public key of the *server*, not the client::

    [Peer]
    PublicKey = sssssssssssssssssssssssssssssssssssssssssss=

DNS
===

If you only have a single wireguard network and have a DNS server configured
to resolve the nodes on a wireguard network, you can configure nodes to use
this with the ``DNS`` directive in the wireguard configuration file, e.g.::

    DNS = a.a.a.x

If your system is configured to start the VPN network at boot, rebooting may
resolve DNS issues, or you can simply `Reset the interface`_ as described
above.

.. tip:: To check your name server information on Ubuntu 20.04 and later use
         ``resolvectl status``.

Ubuntu 24.04
------------

The DNS changes in 24.04 cause an issue. To resolve this either install
``systemd-resolved``::

    apt install systemd-resolved

Or remove the ``DNS`` entry in the configuration file, e.g.::

    # e.g. remove 'DNS = 10.10.2.1' from:
    /etc/wireguard/wg0.conf
    # restart
    sudo wg-quick up wg0

For more information, see `wg-quick fails with systemd resolvconf
compatibility shim`_.

Firewall
========

ssh
---

If the firewall is failing to block access to ``ssh``, then check the
``/etc/ssh/sshd_config`` file to make sure it includes the following line::

    Include /etc/ssh/sshd_config.d/*.conf

If you upgraded Ubuntu from a version earlier than 20.04, then the file may
have been modified by a Salt state and be invalid. To fix the issue, copy
``/etc/ssh/sshd_config`` from another server (for example commands, see
`Ticket 4445`_ on the 21/12/2021).

Unstable connection
===================

Check to make sure you are not using the configuration in two (or more)
places! Wireguard identifies a node using the public key. The server is able
to route to the node using the ``AllowedIPs = a.a.a.x/32`` directive for the
peer in the server configuration file. If two nodes have the same IP or
public key they will constantly break each other.

Firewall Rules
==============

A server protected by a firewall (recommended) needs a rule for its port to
allow traffic. A client with the ``PersistentKeepalive`` directive only needs
a firewall rule if the output chain is restricted (for iptables, check using
``sudo iptables -L``).

.. _`Ticket 4445`: https://www.kbsoftware.co.uk/crm/ticket/4445/
.. _`wg-quick fails with systemd resolvconf compatibility shim`: https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/2092329
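The "lines to look out for" in the Connection issues section above can be checked automatically rather than by eye. The script below is an added example and not code from the original page: it reads ``wg show`` output (piped in, or from a saved copy) and reports peers with no handshake or transfer lines, peers whose last handshake is older than a limit (default 180 seconds, the page's "a few minutes"), and peers whose transfer line shows 0 B received. The sample output it ships with is constructed for the demonstration, reusing the placeholder keys from this page; ``check_wg_peers`` and ``sample_wg_show`` are names chosen here, not wireguard tooling.

```shell
#!/bin/sh
# Added example, not code from the original page: triage `wg show` output
# against the "lines to look out for" in the Connection issues section.
# Reports a peer that has no handshake/transfer lines (never seen since the
# service started), one whose latest handshake is older than a limit, and
# one whose transfer line shows 0 B received.

# Usage: sudo wg show | check_wg_peers [max_age_seconds]   (default 180)
check_wg_peers() {
    awk -v max_age="${1:-180}" '
    # Emit warnings for the peer block just finished, then reset state.
    function flush() {
        if (peer == "") return
        if (!seen_hs && !seen_tx)
            printf "WARN %s: no handshake or transfer since service start\n", peer
        else if (seen_hs && age > max_age)
            printf "WARN %s: last handshake %d s ago (limit %d s)\n", peer, age, max_age
        if (seen_tx && rx_zero)
            printf "WARN %s: 0 B received, check configuration\n", peer
        peer = ""; seen_hs = 0; seen_tx = 0; age = 0; rx_zero = 0
    }
    /^peer:/ { flush(); peer = $2; next }
    /latest handshake:/ {
        seen_hs = 1; age = 0
        # "1 day, 2 hours, 3 minutes, 4 seconds ago" -> seconds ("Now" -> 0)
        for (i = 1; i < NF; i++) {
            n = $i + 0; unit = $(i + 1)
            if (unit ~ /^day/) age += n * 86400
            else if (unit ~ /^hour/) age += n * 3600
            else if (unit ~ /^minute/) age += n * 60
            else if (unit ~ /^second/) age += n
        }
        next
    }
    /transfer:/ {
        seen_tx = 1
        # wg prints "0 B received"; the page writes it as "0B received"
        if ($0 ~ /transfer: *0 *B received/) rx_zero = 1
        next
    }
    END { flush() }'
}

# Constructed sample in the layout `wg show` prints, using the placeholder
# keys from this page: one healthy peer, one stale, one with nothing
# received, one never seen.
sample_wg_show() {
    cat <<'EOF'
interface: wg0
  public key: sssssssssssssssssssssssssssssssssssssssssss=
  private key: (hidden)
  listening port: 51820

peer: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
  endpoint: y.y.y.y:51820
  allowed ips: 10.10.2.10/32
  latest handshake: 20 seconds ago
  transfer: 46.90 MiB received, 523.78 MiB sent

peer: siOe0gA/wSjnFZpX1ODhHjv5z6WDsIm+B3SEJy58DlU=
  endpoint: 133.122.144.188:52062
  allowed ips: 10.10.2.11/32
  latest handshake: 32 minutes, 31 seconds ago
  transfer: 10.03 GiB received, 331.45 MiB sent

peer: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
  endpoint: z.z.z.z:51820
  allowed ips: 10.10.2.12/32
  transfer: 0 B received, 592 B sent

peer: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww=
  allowed ips: 10.10.2.13/32
EOF
}
```

Run it on a live system with ``sudo wg show | check_wg_peers``; on the sample, ``sample_wg_show | check_wg_peers`` warns about the stale, the silent and the never-seen peer and says nothing about the healthy one. A non-zero ``received`` count together with a stale handshake points at the public network path, as the page notes, while 0 B received points back at the configuration.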
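The Unstable connection section above says two nodes sharing a public key or an ``AllowedIPs`` address will constantly break each other. The following is an added example, not code from the original page, with two checks a server admin can run for that case: ``find_duplicate_peers`` scans a wg-quick configuration file for a ``PublicKey`` or ``AllowedIPs`` value that appears under more than one ``[Peer]`` section, and ``changed_endpoints`` compares two saved snapshots of ``wg show wg0 endpoints`` and reports peers whose endpoint address moved between them (a port change alone is ignored, since NAT rebinding changes ports legitimately). The configuration and snapshots it ships with are constructed for the demonstration, and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not code from the original page: two checks for the
# Unstable connection case, where the same public key or address is in
# use in more than one place.

# find_duplicate_peers CONF
# Lists any PublicKey or AllowedIPs value that appears under more than one
# [Peer] section of a wg-quick configuration file.
find_duplicate_peers() {
    awk '
    /^[ \t]*PublicKey[ \t]*=/ {
        # strip "PublicKey =" and trailing blanks; the key keeps its own "="
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        if (++pk[v] == 2) printf "DUP PublicKey %s\n", v
    }
    /^[ \t]*AllowedIPs[ \t]*=/ {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v)
        n = split(v, ips, ",")
        for (i = 1; i <= n; i++) {
            a = ips[i]; gsub(/^[ \t]+|[ \t]+$/, "", a)
            if (++ip[a] == 2) printf "DUP AllowedIPs %s\n", a
        }
    }' "$1"
}

# changed_endpoints BEFORE AFTER
# BEFORE and AFTER are two saved copies of `wg show wg0 endpoints`
# ("<public-key><TAB><endpoint>" per line, "(none)" when never seen).
# Reports peers whose endpoint *address* differs between the snapshots;
# a peer that keeps moving between two addresses is the symptom of one
# key configured on two hosts.
changed_endpoints() {
    awk -v FS='\t' '
    function host(e) { sub(/:[0-9]+$/, "", e); return e }
    NR == FNR { before[$1] = host($2); next }
    ($1 in before) {
        h = host($2)
        if (before[$1] != "(none)" && h != "(none)" && h != before[$1])
            printf "MOVED %s: %s -> %s\n", $1, before[$1], h
    }' "$1" "$2"
}

# Constructed server configuration with a copy/paste mistake: two peers
# given the same AllowedIPs address.
sample_server_conf() {
    cat <<'EOF'
[Interface]
Address = 10.10.2.1/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
AllowedIPs = 10.10.2.10/32

[Peer]
PublicKey = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz=
AllowedIPs = 10.10.2.11/32

[Peer]
PublicKey = wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww=
AllowedIPs = 10.10.2.11/32, 192.168.50.0/24
EOF
}

# Constructed endpoint snapshots (tabs produced by printf, as wg prints
# them). Peer yyyy= only changed port; peer zzzz= changed address.
sample_endpoints_before() {
    printf '%s\t%s\n' 'yyyy=' '203.0.113.10:41641' 'zzzz=' '198.51.100.7:52062'
}
sample_endpoints_after() {
    printf '%s\t%s\n' 'yyyy=' '203.0.113.10:41700' 'zzzz=' '192.0.2.44:52062'
}
```

Typical use on a server: ``find_duplicate_peers /etc/wireguard/wg0.conf`` after editing the file, and ``sudo wg show wg0 endpoints > /tmp/ep1``, a minute later ``sudo wg show wg0 endpoints > /tmp/ep2``, then ``changed_endpoints /tmp/ep1 /tmp/ep2``. A roaming laptop will show up once when it changes network; a peer that appears in every comparison, alternating between the same two addresses, is the shared-configuration case.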