#networking

you mean you don't know what reverse ssh tunneling is?

this maps a port on the remote, to a local port

y

but you can do it the other way around too

not really

You can

You can tunnel a local port to the remote system

e.g. you know you can use ssh to login to linux right?

yes, I'm very familiar with it

I know how this works

OK

never used tunneling though

:D

ssh -R 25565:localhost:25565 user@server

actually just setup remote access to my home network via wireguard 2 days ago

this exposes your local 25565 to the remote server

mostly used by ppl who have dynip but want their network to go

so I can turn on my pc and remote into it

wdym by network to go?

https://i.imgur.com/1vv89ir.png

expose network to public (yet it isn't recommended lol)

I have a dynamic IP myself, although it basically never changes

@slate sonnet This is what we're suggesting. Your gameserver initiates a tunnel to your VPS

I don't get what you are trying to say

port forward?

@slate sonnet the 'local machine' in this context, is your minecraft server host

Can my friends connect using the ip of the vps?

yes

yep

Yeah, all you then have to do is configure your host, to tunnel data from its public IP on port 25565, through the tunnel that was established

I think that is done with iptables

But how would I do that since I have a cgnat?

You don't need a local ip

Oh, okay

start the tunnel from your end to the vps

@slate sonnet your gameserver host (local) establishes a tunnel to the server. After this the server can directly reach your gameserver

You connect to your vps

@slate sonnet then you just have to make sure your VPS routes traffic through the tunnel

and the vps is able to redirect traffic trough this connection of yours

for the tunnel, you can either use VPN, or use ssh (hackiest and simplest way)

@slate sonnet CG-NAT prevents connections from being established from the WAN side (listening on a port on your IP)

but we can still establish a tunnel in the reverse direction

Ah, I see

Make sense

You know how to do it?

NAT breaks the end-to-end principle

https://en.wikipedia.org/wiki/End-to-end_principle

https://i.imgur.com/8kooDc6.png

Connect to the vps?

NAT breaks this ^

I know the general idea I think

y basically everything we talked about

Not really😅

your first step is to get a cheap vps

Yeah

Does it matter what cpu and stuff?

no

No

you dont need lot of CPU for this

since it's not computing anything

you need 1 core

as a tip

Just like a 1 core cpu and stuff

Okay

@slate sonnet get a VPS that is close to you

but not ovh france

lol

otherwise you get a lot of latency

xD

burned down yesterday

for those who don't know

I laughed a lot on twitter

"what's an emergency plan"

"what backup?"

I laughed at the poor fucks who didnt have an emergency plan

and were looking on the OVH web panel for the button to activate their emergency plan

y

xD

"I loose money mimimimi"

fantastic

Cloud to ashes

special kind of uplink

Before the fire ^

1gb of ram is alright?

more than enough for your purposes yes

Okay

Also I have an option of windows server, ubuntu, debian and centos

ubuntu

thats the easiest one you'll find lots of support for

Debian would be the 2nd choice, if you prefer a cleaner system

Ubuntu is based on debian

@slate sonnet the article that @peak cloak posted: https://github.com/mochman/Bypass_CGNAT
Assumes ubuntu as well

We can just try to do it with Wireguard, that's the cleanest solution

and probably more reliable than any ssh-equivalent

Okay

That's what I'm gonna do then

All the stuff that I need to do is on the github page?

https://i.imgur.com/yZ2cmSb.png

this is in essence what we need to set up

The big red arrow points to the machine on your LAN with the gameserver on it

as you can see, the VPS has two IP addresses

a public one, and a private tunnel IP

The gameserver host (the nginx proxy in the image) also has an IP on that tunnel network

this is how the VPS and gameserver can then directly talk to eachother

So do I keep the private one to myself and give my friends the public one?

@slate sonnet yeah the idea is that the public IP of your VPS will route its traffic to your gameserver behind your CG-NAT

Someone can help me understand how to make my integrated graphics work again ?
Asus sabertooth z87 mboard with i7 4770 no Nvidia / amd gpu only the the cpu gpu that not giving any output

#tech-support

@slate sonnet so Internet -> VPS -> Wireguard -> Game Server

Wireguard is also over the internet

Got it

so you want use wireguard or ssh-tunnel?

I'd use wireguard

kk

I think I should use wireguard

Wireguard would automatically keep the tunnel up, ssh is a bit hacky :P

then I'm out :D no idea of wireguard honestly

I use ssh tunneling for on-the-fly

@dense furnace neither do I

lol

but we have a tutorial

:D

oh

okay

https://github.com/mochman/Bypass_CGNAT

This assumes wireguard on a VPS

@dense furnace I'm still using layer 2 tunnels over here :3

Cgnat block port forwarding right ?

@lean pebble its a shared public IP

so you cannot port forward

Ya I hate it

CG-NATs are the bane of ipv4

@dense furnace thanks to my ISP, I have a public /29 xD

This is so dam option to use

I have /32

😆

1 IP

I have 9 in total, if you count the /32 WAN

But /29 on my dedicated server

I think.

oof

Well IPs are pretty cheap in europe

But I think I don't like static ip

ppl always know who/where you are once exposed

Nah

My external IP address always changing his location

😆

My ISP routes the /29 through their internal network

So I can even share this publicly, without you guys doxing me ;P

kek

Lol

Now we have your internal network

lol

That interface looked like windows xp lmao

@slate sonnet winbox

@slate sonnet https://i.imgur.com/ejvPGen.png

management tool for RouterOS

Dunno what routeros is but okay

looks old

hehe

You must have a whole networking setup

unknown software is the best protection

lol

@slate sonnet thats my core router in the attic https://cdn.discordapp.com/attachments/776722183119699988/777646103775674368/IMG-20200922-WA0001.jpg

Yeah

nice one

Damn

RB4011

10gbit router

living the dream

I'm soon gonna be living alone hopefully

Want to create a whole network for stuff

@dense furnace RouterOS v7 (in beta right now) will add Wireguard support

Like game server

File server

That I can access anywhere

@slate sonnet thats what that box underneath is for :)

That's a Ryzen 2600

teamspeak for you and your frien.. oh wait

damn

But atm I'm stuck on a network where I can't even port forward lmao

what specs exactly?

@dense furnace R2600, 16GB ECC (2400Mhz), 2x 10G SFP+ network

ayy you don't need to honestly. Just route everything trough external servers lol

NVMe boot drive, and 4x 4TB storage

on a mini ITX board

xD

internally you can do whatever you want

Well yes, but my goal is to be able to host everything myself

oof

@dense furnace the whole thing cost me around 800 bucks

you still can. 3€/m vps is nothing? It's just for the ip honestly

it's totally legit

Well yeah

oof

wait what

@slate sonnet I pay my ISP 16euros/month for extra IP addresses ;P

Everything? switch etc.?

@dense furnace nah just the server

oof

that router is 190 bucks

https://mikrotik.com/product/rb4011igs_rm

800 bucks is too much isnt it?

or is it older?

@dense furnace network card alone was 200 bucks

like the old new

OH shit

ok

I pay the equivalent of 5.65 euros per month for 35mbit up and down

I built this machine 2 years ago

I pay 35€ for 100down 40 up

ok it's legit then

@slate sonnet I have 250/250mbit, extra /29 subnet and IPTV for a grand total of 140/month

Damn

I resell two IP addresses

thats hell cheap

two companies get their internet from me

Russia has really cheap internet

In my opinion

each get 50/50 internet, for 50 bucks

I get 0ms ping in speedtest lmao

so I only pay around 40bucks/month

rofl

5ms

18ms

._.

germany

¯_(ツ)_/¯

the most shitty and expensive internet you can think of

https://i.imgur.com/SHOLg7f.png

damn

entire network here is FQDN

and my lastname is in the host xD

@dense furnace the RB4011 is pretty sweet as a router

it has so much headroom in terms of performance

if I fully saturate my NAS and internet

CPU usage is like 15% at most

https://i.imgur.com/bNQsz6F.png

I want a unifi router

and switch

ew

:D

unifi overpriced

Also, when I setup the vps and setup wireguard and stuff, the only data that's gonna be coming and going between my pc and the vps is minecraft server stuff? (since I want to host a minecraft server)

@slate sonnet yeah wireguard creates a virtual network on both machines

in that screenshot on the github

that's the 10.0.0.0/24

but those are only reachable on the machines themselves

Well what I mean is that if I just use my pc and search stuff on google for example, that data is gonna go through my main network

But the minecraft stuff will go through the vps

Or will everything on my pc go through the vps?

Or can I configure it

good question, you have to logoff the vpn i guess

@slate sonnet think of wireguard as a network cable plugged directly between your gameserver and VPS

that's all it is

idk, can you link only the executionable with wireguard?

@slate sonnet this config rule: https://i.imgur.com/VussQl0.png

iptables -t nat -A PREROUTING -p tcp -i eth0 '!' --dport 22 -j DNAT --to-destination 10.0.0.2; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4

this ^

is a config rule for the VPS internal network stack

It basically transports traffic on a specific port, through that internal network

Oh okay

oh i get it

So with that pretty much the only data is gonna be minecraft server data (since its only on 1 port 25565 udp/tcp)

@slate sonnet specifically

@slate sonnet that rule forwards all ports

except port 22

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25565 -j DNAT --to-destination 10.0.0.2

@dense furnace no

the !

inverts it

so its all ports except 22

Well I'm gonna do all this later when I buy the vps

*corrected

@dense furnace https://i.imgur.com/2bhTrWn.png

@dense furnace only needs two exceptions

y I need to learn to read the damn documentation

SSH and wireguard itself

all other traffic is routed through that tunnel

but he doesn't want that

@dense furnace he does.

He can then augment this, with a regular firewall

and then only permit 25565 incoming

Does anyone here know a VPS provider that has a student plan and does not ask for a flipping credit card from a student who is below the age of 18 (other than microsoft azure)?

he only want to route 25565 trough the vpn

do you have paypal?

@dense furnace yeah, but this tutorial would forward all ports
But we can use a firewall to only permit incoming on 25565

so even if all traffic is forwarded, only 25565 will be allowed in

that's why I did this :o

Would someone below 18 and without a bank account be able to get a paypal account?

idk

other countrys other laws

Depends on where you live?

Yes

wait

how do you want to pay

without a bank account?

For example I know that in Russia you can't make a paypal account under the age of 18

paypal requires you to set up a bank account or credit card

Yet you can get a debit card

maybe prepaid

but there is no legal host I know about offering this

since you HAVE TO identify yourself

paypal has my mugshot

Well, AWS and DigitalOcean offer a student plan with credit and then there's oracle which gives basically anyone 2 free VMs

or rather, a photograph of my ID

AWS VMs you can get for free even without a student plan

you can get a micro vm for 1 year for free, as long as you create a new account with a credit card

no bank account = no credit card

git gud.

I know but again the whole credit card thing, they need it for "Verification"

I'm confused

So basically

you have nothing?

no bank, no credit card

etc

then why do you need paypal lol

if you dont have money

No he needs a vps host

F

but for free

I guess

Azure was gracious enough

time to ask mommy for her creditcard I guess

google for a hoster which accepts paysafecard or something like this

only reason I even own a credit card to begin with, was because of my travels to the United states a couple years ago

you NEED a creditcard in the US, especially as tourist

No debit?

Debit cards here are Maestro

those don't work in US

Mine is mastercard

mine visa

mastercard = credit card

Maestro is a seperate debit system

But my card is a debit

Huh

https://en.wikipedia.org/wiki/Maestro_(debit_card)

got 2 debit cards from maestro and 1 credit card from mastercard

Maestro doesn't exist in russia afaik

but guys

Only mastercard and visa

this is obviously the wrong channel for plastic payment cards

:D

My creditcard is Mastercard/Visa

Yes lmao

my debit is maestro

I can use my debit card for contactless payment and such

ping us again later when you bought the vps

Me?

@slate sonnet what host are you planning on using?

y

:D

Some russian one

1 sec

russian internet

I live in russia so its the best for me lmao

ruvds.com

okay

not you

lol

woah woah ruvds.com even supports german language

I'm impressed

They have a few servers in europe I think

Datacenters in frankfurt

@slate sonnet you want as close as possible

London

Yes

I know

as little latency between your internet and the VPS

I picked my datacenter

Just saying that they seem legit

 crystal@watomat  ~  ping ldn.services.local.knockturnmc.com
PING ldn.services.local.knockturnmc.com (10.244.174.53) 56(84) bytes of data.
64 bytes from 10.244.174.53: icmp_seq=1 ttl=64 time=45.3 ms
64 bytes from 10.244.174.53: icmp_seq=2 ttl=64 time=15.2 ms
64 bytes from 10.244.174.53: icmp_seq=3 ttl=64 time=15.2 ms

My vps is like 15ms...

That's good?

Its in London

Well I mean, I don't think it matters too much

and I'm connected via amsterdam

so this is about as good as I can get

I get 7ms to the exchange, and 15ms to the VPS

oh there is a vps for 240₽

Well I think I got like 10ms ping while connected to moscow when I was using parsec

1x2.2GHz
1gb RAM
20gb HDD
ubuntu

My pc was home

I was in moscow

Yes

@dense furnace those specs are good nuf

https://prnt.sc/10ixaa4

That's like half a euro I think?

lmao

per month

2,73€

Oh wait

I'm dumb

Yeah

the rubel is stronger than you think

hehe

OVH's cloud VPSes are around 2,50 euro/month

same specs

but OVH also burns down ocassionally

Pretty much the same spec as I did

y but they also burn down

lmao

Saw the pics posted earlier

@slate sonnet I had a dedicated server in BHS (canada) with OVH

and they had a tunnel collapse on their fiber backbone

entire datacenter offline for 2 days

and they reimbursed me with $5

I have a question though, on ruvds there is an option for 1 ip

kek

yes

That means I'll have 1 private and 1 public, right?

eh

You need only a single IP

1 public

the private one is created via wireguard

if that's the question

Ah

Okay

Yes, that's pretty much the question

you can basically create as much private IP's as you want lol

Huh, apparently kaspersky use their services

I'm buying the vps

Okay, so I have to connect to it via ssh, right?

@dense furnace @tame carbon

Exactly

@slate sonnet are you on windows?

Yes

https://www.putty.org/

I can ssh on my phone though

Use this ^

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe

can just grab this one ^

standalone putty

How do I ssh?

you enter the IP address of the server in there

and press Open

you should get username + password via mail

unless you already set it yourself

https://i.imgur.com/jfpW0Dt.png

you type root as the username, and the password they provided to you

Don't be confused by the ssh-tunnel stuff we spoke of earlier

SSH can be used for a multitude of things

but its primarily used for remote login on servers

Okay, logged in

@slate sonnet change the password

So now I just basically follow the github guide right?

run passwd

I can do that from the hosting site

No

you do that from within the system

Okay

Done

@slate sonnet now you can follow the guide

https://i.imgur.com/uVK4h21.png

worth looking into setting up certificate-based login for ssh if you're leaving port 22 open to the world

yeah

at some point

yep. first I think setting up the wireguard stuff

once that works

you can harden security

password auth is good enough for now

we can do that later

he got some time

:D

No copy paste in putty? :(

right click

yep

copy is selecting text

paste is right click

^

ctrl+c sends an important program termination signal in unix systems, so you can't have that conflicting with copy/paste

not sure if ctrl+v sends a signal

^V

^C

etc

not sure if it does anything i mean

^V

yeah but that's what the client sends

when you do a CTRL V

I thought ctrl+shift+v would work

it will in some programs

you can even have mouseclicks on SSH xD

btw

you can probably bind it to paste in the putty config

@slate sonnet that first command uses nano which is a text editor

but once you get used to it, select to copy and right-click to paste is super fast and way easier

wat.

wtf is that host

@untold elbow its russian

VODKA

ruvds is the hosters name

Did sudo sysctl -p

lmao

the rest ist dynamic generated i guess

o

@slate sonnet did you uncomment the config rule as per that guide?

yes

and save ?

https://i.imgur.com/OkV6Qb7.png

CTRL + X, Y <ENTER>

cool

Uncommented and saved

sudo sysctl -p fails?

yes

Gives me this

Well wait

@slate sonnet run it without sudo

you're logged in as root

so you dont need sudo

sudo = super user do

or: run as admin

Makes sense

Ran it

No issue

kk

I'm just so used to writing sudo for installing stuff

now run

apt install wireguard

@slate sonnet wait

before oyu do that

update existing packages

apt update && apt upgrade -y

run that

and then apt install wireguard

updating rn

apt update downloads latest definitions from the server
apt upgrade downloads the software and installs it

I run kde neon as an only os on my laptop, so I know my way around linux a little bit

ooohok

I was confused

Just sometimes I get stuck because of a dumb thing lol

because you didnt know how to ssh

Never used it

so I assumed knowledge: 0

No problem

I ran a minecraft server off my jailbroken iphone once lmao

same

my old iphone 4

with JamVM

OOoooooofff

older versions of minecraft ran off 1.5

That must have sucked

which is what jamvm ran

iphone 4 only has 512M ram, so... xD

started mc with 256M ram

and took like 15 mins for the spawn to generate

I have 3gb of ram

Pretty much worked okay-ish for 1 person

It was actually better than my laptop lmao

Laptop has an amd a8-3500m

Main pc has a ryzen 3 3100

@slate sonnet you'll have to start paying attention once you get to step 1c

One of my core is like the same performance of my laptop I think lol

Okay

Still updating

These fields https://i.imgur.com/fxAMEOn.png

are different from what you are using

is wireguard on the main debian/ubuntu repos now? or do you still need to get it from the ppa

err

According to the guide it is

should be in there

Since it doesn't tell you to add the ppas

neato, glad to see it's getting more mainstream

yeah, don't need to add anything

@untold elbow ^

wait, how do I paste in putty again?

nice

right click

right click

Umm

How do I do this

copy them line by line

Since I'm in root I don't need sudo

just remove the sudo in front of it

But the second line is a bracket

and run it

doesnt matter, just copy the whole line

and run it

sudo is cucked for some reason

unable to resolve host

@slate sonnet do cat /etc/hostname

and then verify that you have this in /etc/hosts

/etc/hosts should contain: 127.0.0.1 localhost

put a space at the end, and add the hostname its failing to find

How would I do that

so it has: 127.0.0.1 localhost ruvds-whatever

@slate sonnet use nano

nano /etc/hosts

that's your static DNS file

and sudo is looking for the hostname, but its not set

so we can just add it

https://i.imgur.com/xLM23ho.png

so add the ruvds whatever

this is how I have it ^

Right?

@slate sonnet yeah that ruvds is what you have in /etc/hostname

It does

yes, but on the line below?

does it have that other one?

No

my hostname is private

so yours would have to be ruvds-whatever

you can just add it

On the second line?

Or doesn't matter

@slate sonnet just put it at the end of the localhost line

okay

you can have multiple names for a single IP

odd. I'd expect your host to do this for you

they just ship a broken sudo install xD

Okay

Now the command did something I think

No error message now

Cool

Okay, I'm confused on what I should do in 1c

"use the following config"

@slate sonnet do you see the block of text underneath the table?

Yes

@slate sonnet starts with [Interface]

values in there, referr to the table above

and in your case, these have to be set specifically to your environment

your public IP is not 1.2.3.4

Hi, I have a Cisco air-cap2602i-e-k9 which I want to introduce into my house network, can you assist me ?
1: need to talk to the unit, configure the unit and have it working.

2: have a Netgear RAX120 router, 3rd unit as they are useless quality, what the best Wi-fi router with lan support to buy?

@slate sonnet I recommend opening a textfile, and noting these things down

Before you continue

So are these commands or do I have to change a configuration file?

@slate sonnet the config file below is for wireguard
https://i.imgur.com/jxpmFSf.png

but the information is incorrect, you have to adjust it

gotta nano into the config file and paste all that

the table above explains what each bit does

How do I access it?

@slate sonnet start with the first thing

VPS IP

you have that already.

so you copy the config file, and modify 1.2.3.4 to your IP

nano /etc/wireguard/wg0.conf

No like, how do I access the config file in nano

Thanks

sudo nano /etc/wireguard/wg0.conf

assuming wg0 is your interface

you can copy/paste the whole block of text into nano and edit as needed

to find your ethernet devices run ip link show

that tutorial expects your primary interface to be named eth0

https://i.imgur.com/BapHTEv.png

my system has ens3

as default

https://i.imgur.com/CJhpMXC.png

This tutorial is pretty well written.

can you link to the tutorial? im curious to read it

https://github.com/mochman/Bypass_CGNAT

Mine is eth0 too

@untold elbow https://i.imgur.com/yZ2cmSb.png

neat

How do I find out an unused port?

Can I just randomly pick one?

@slate sonnet just use what they have in there

Okay

you dont have to change those

@untold elbow this tutorial forwards all ports except 22 and wireguard

gotcha

hope your VPS allows a good amount of traffic through it

So how do I find an RFC1918 IP/CIDR

Don't really need much

thats good

@slate sonnet just use 10.0.0.1/24

as long as your home network uses a different subnet

you should be fine

Hosting a minecraft server for my friends and I want to use this because i have a cgnat

ahhh

Classic.

How can I check that?

@slate sonnet on your local computer, run ipconfig

Okay

@slate sonnet look at the ip address and subnet mask

too late now, but dynamic dns might have been easier 😮

255.255.255.0 is equivalent to /24

but wireguard is fun

/24 is CIDR notation, its shorthand for a subnet mask

Classless Inter Domain Routing

Mine is this

Ye, most home networks are /24

prob on 192.168.something too

I have 192.168.88.0/24 here :)

Yeah

192.168

yeah so you can use that 10. address

So what should I do since its /24?

you can also use /24

@slate sonnet nah you're cool.

Oh okay

that's just the size of the network

just had to make sure your LAN is on a different subnet than wireguard

the /24 is just network size

10.0.0.1/24 just means 10.0.0.0 to 10.0.0.255

^ yeppers

as long as that doesn't overlap with your home network, you're good

which is 192.168.88.0 - 192.168.88.255

someone roasted me in #public-chat for talking about networking and routers
dismissing it as: who cares about what their router config panel looks like

xD

Well I can change that in my router so I shouldn't really care TOO much

Right?

Were, you talking about wireguard installation

?

@slate sonnet you can keep the IP stuff for wireguard as is.

@slate sonnet yeah but that's kind of a pain and you dont really need to

@slate sonnet https://i.imgur.com/xsxZ7ZE.png

Also, how do I find out my vps ip?

@slate sonnet you entered that in putty

:P

Oh

Right

lmao

@slate sonnet it says you can change those wireguard IP settings

but for sake of simplicity, leave them as is.

'cause if you were, there was a one click installation script (well, not one click per se)

That's what I'm doing

@slate sonnet your wireguard server will sit on 10.0.0.1 and your minecraft server will have a wireguard client on 10.0.0.2

We'll get to that, once server is configured

I'll be out for 20 mins, gotta make some food

I can help you once I return, or nag @untold elbow ;)

How do I do undo

I replaced my private key by accident

i just had to hop on a call so im unavailable for a minute too 😮

Because I copy pasted

i think alt+u does undo in nano

So I've done the start of the guide, but the second half is written for linux. Is there any way I can do it on windows?

Or am I just dumb and missing something

@untold elbow

sorry, give me a minute, wrapping up on a call

Np

windows side is easy, install the windows wireguard client and add a new empty config

then just copy the client-side config into that

in the wireguard window there will be an "add tunnel" button, you do "add empty tunnel"

it'll generate the client key pair for you when you do that

Doesn't give me an option to add a new empty config?

under the add tunnel menu? what's it say?

add empty tunnel

Oh

Okay

I think I can figure it out from here

cool

wat

it's almost certainly going to not work the first time you connect. it'll say "connected" but it won't pass traffic and you'll have to fix something

i never get wireguard to work on the first go-round

lots of tiny tiny things you can screw up along the way

Whats up?

Should I have block untunneled traffic turned off?

no

your config is not tunneling port 22

you don't want that blocked

if you want to tunnel port 22, you'll have to make sure ssh is listening on your wireguard interface

Sooooooo

oh on the client side i don't think you need all the PostUp and PostDown stuff

those are all linux commands anyway

I can remove everything on the postup and postdown?

Client side

client side, yes

that may prevent you from connecting to your VPS via SSH while the tunnel is connected (or it might just work, not sure)

if it does prevent it, you can either disconnect from the tunnel to SSH or you can reconfigure the SSH service in the VPS to work

endpoint won't work, you need your VPS' IP address there

Okay

I was gonna just aks

other than that, looks good

ask

How do I check if it's connected?

I guess nvm

connect and go to like whatismyip.com

When I activate the tunnel I pretty much get no internet

yep

On my main pc

ok so now we troubleshoot

So what should I do now

Yeah

The fun part

can you ping your wireguard server through the tunnel? in cmd do ping 10.0.0.1

run that on your local system

Request timed out

So no, I cant

Oh wait

I forgot to do this

that'll do it 🙂

you don't need to do that on the client

wireguard should auto-start with your windows computer (i believe)

whats systemctl status wg-quick@wg0.service say?

Forgot to add the public key

that'll do it

do you know where to find that?

Yes

I saved it

never ever ever post your private key.

ever.

Did I post my private key?

i dont think so

no

Oh okay

its just a psa/headsup

Because I know not to do that

Yeah

Okay

public key is fine to post

public key on my vps' wireguard server is BTtKlQ7OEBS5sOjJ1aNjvo018N0Fe4RAA0G6YXzFJl4=

I see you're almost done

neat

Gonna test wireguard now

Nope, still nothing

troubleshooting stage

did the service start?

wg-quick up wg0

┬─┬ ノ( ゜-゜ノ)

Already exists

do wg and post output

should not output private key values

Gives me my private key

as hidden

public key

and port

no peers listed below that?

I'm not tunneled rn

1 sec

did you add your windows system's public key to the server's wg.conf?

wg0.conf

Yes

Btw when I'm tunneled and ping 10.0.0.1 request timed out

when you're tunneled, does wg on the server show any peers?

gotta ssh on my phone

1 sec

how do I ssh using a terminal?

ssh user@ip

while you're in the server, ping 10.0.0.2 to see if the server can see your local system

so my used would be @ruvds-2xerj

User

or no

root@ip

@slate sonnet ssh root@<server ip>

okay

Nope, nothing

hm ok. do you have ufw installed on the server or any other firewall like that?

ufw status

status inactive

ufw is not enabled by default on ubuntu

welp that isn't it

go over the server config once more

Hmm

is the instance running?

1 sec

oh wonder if you forgot to restart it after adding the key

wg-quick down wg0 && wg-quick up wg0

You should use systemd.

not use wg directly.

thats fine too

i was gonna suggest systemd service config after the tunnel is all working

systemctl restart wg-quick@wg0.service

systemctl status wg-quick@wg0.service

says its active

screenshot?

apple would like a word with you: what is this jailbreak

Uncover

lmao

@slate sonnet also nice masking

but I can see your host in the top

;)

lmao

fudge

lol and you posted it in the error messages way up above

no one is going to do anything with your hostname alone

its public for a reason ;)

Still

wait

Im still looking at the screenshot and uh

you sure that iptables is correct?

No

I just copied from the guide

i closed the screenshot no fair 😦

@slate sonnet on the server, for sake of sanity

run ping 10.0.0.1

that should reply with <1ms

Yes

@slate sonnet okay, wg show

It should be listening on port 55107

correct

okay, server is configured correctly.

So lets take a look at the client now

@untold elbow how is auth handled by wg?

is it just pubkey auth?

yes

has he copied his client key to the server already?

yes

Yes

That's the key that wireguard gives you right?

each peer generates a public/private key

you copy the public key of your client to the server

but you've done this

Into the config?

yep

@untold elbow that screenshot above from the windows tunnel

If so, then I've copied the wrong thing

I am missing masquerade rules

i don't think you need those on windows

i don't use them on my windows wg client

Whats the command for changing the config for wg?

you just edit the config file

Directory

nano /etc/wireguard/wg0.conf

at the bottom, there should be a [Peer] section

edit config, restart

Yes, my public key is just the one that wireguard gave me

Not my pc key

the public key of the windows system, right?

No

oh no, that should be your windows system's public key

Okay

1 sec

wireguard takes like 15 minutes to set up and then like 90 minutes to fix

Programs: they do exactly what you tell them to

even if its not what you want

Yup

how do I restart?

but once you get wireguard running, it's really solid... i made some basic bash scripts to add/remove clients quickly

systemctl...

yeah

systemctl yeah

what next?

Try connect again

Idk the command

oh

err

systemctl restart wg-quick@wg0.service
systemctl status wg-quick@wg0.service

second one isn't strictly needed but it's good to check that the service is actually running

Yeah

Okay

So now I should tunnel and I should still have internet

In theory

you might have to reconnect

Or at least ping 10.0.0.2 from my phone

10.0.0.2 is your windows client

so if you can ping it from the server, then you have success.

ping 10.0.0.1 from your desktop

or that

That seems good

thats a good sign

thats very promising

try to get to google

No internet tho

Gonna try ping from my phone

you dont have DNS configured in the tunnel

@untold elbow he doesn't want his default route through wireguard

i think it's routing everything

It shouldn't..

Ping is 60

allowedips 0.0.0.0/0

Pinged from my server to my pc

ping 45.79.196.241 from your pc

thats my vps

don't you need to edit IP tables for it to NAT?

I have no internet on my pc

Wait

1 sec

chances are that wireguard is forwarding all system traffic through the tunnel

but we don't want this

Ping 132

ok cool so you can reach the internet

you just dont have dns

Looks like it

wait...

bring the tunnel down, add DNS = 8.8.8.8 under [Interface] and restart it

just to test

on the client side

@untold elbow is there a way to prevent the client from default routing over the tunnel?

instead using it merely as a resource subnet

YEs

the AllowedIPs section does that

I have internet

@slate sonnet run tracert 1.1.1.1

see what route it takes

on vps?

if you want to do it by port, i believe you have to use windows' equivalent to iptables

on your windows machine, with the tunnel enabled

which i know nothing about

@untold elbow its route-metric

the tunnel just has to be a higher value than the default if

so you can add some PostUp = route-metric commands to the client side

and undo them with PostDown commands

Is it supposed to take a little while?

to tracert? it could

Oh okay

Finished