WireGuard VPN in EC2 instance

0

I am having trouble setting up a working WireGuard VPN server on an EC2 instance. I created the wg0.conf file with the following contents:

[Interface]
Address = 10.10.0.1/24
ListenPort = 10001
PrivateKey = <server_private_key>
SaveConfig = false
PostUp =   /etc/wireguard/helper/add_nat.sh
PostDown = /etc/wireguard/helper/del_nat.sh
 
[Peer]
PublicKey = <removed>
AllowedIPs = 10.10.0.2/32

The contents of add_nat.sh:

#!/bin/bash
IPT="/sbin/iptables"

IN_FACE="ens5"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC 
SUB_NET="10.10.0.0/24"            # WG IPv4 sub/net aka CIDR
WG_PORT="10001"                  # WG udp port

## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

Then I enabled port forwarding by setting net.ipv4.ip_forward=1 in /etc/sysctl.conf. I also allowed port 10001 on UDP using the command ufw allow 10001/udp, and I added that port rule to the inbound rules of the EC2 security group.

On my laptop I configured wg0.conf like so:

[Interface]
PrivateKey = <laptop_private_key>
Address = 10.10.0.2/24
DNS = 8.8.8.8
 
[Peer]
PublicKey = <server_public_key>
AllowedIPs = 10.10.0.0/24 
Endpoint = <ec2_elastic_ip>:10001
PersistentKeepalive = 10

Trying to ping the server from my laptop results in 100% packet loss, and the same happens from the server side.

Is there something I am missing, or are there any errors in my configuration?

Salem
asked a year ago, 672 views

1 Answer
0

Check if the WireGuard service is running on the EC2 instance by running the command sudo systemctl status wg-quick@wg0. If it is not running, try starting it with sudo systemctl start wg-quick@wg0.

Ensure that the routing configuration is correct.

Or you can use tcpdump to see whether packets are being properly received and forwarded by the EC2 instance.

EXPERT
answered a year ago
  • I did check that the WireGuard service is running. As for the packet capturing, I am sure there is an error in the routing configuration, but I am not sure what exactly. I inspected the pcap file in Wireshark after pinging the IP 10.10.0.2; there are 6 packets, all with source 10.10.0.1 and destination 10.10.0.2.

  • Can you send the routing information?

    ip route show

  • Here is the output of the command ip route show:

    default via 172.31.0.1 dev ens5 
    10.10.0.0/24 dev wg0 proto kernel scope link src 10.10.0.1 
    172.31.0.0/20 dev ens5 proto kernel scope link src 172.31.5.82
    
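A static cross-check of the two wg0.conf files from the question, written as an added example (not code from the thread or from WireGuard itself): it parses both configs and verifies the Endpoint port against ListenPort, that both tunnel addresses share a subnet, and that each side's AllowedIPs covers the other side's address. The embedded configs are constructed copies of the ones posted, with placeholder keys.

```python
import ipaddress

# Constructed copies of the two wg0.conf files from the question (keys are placeholders).
SERVER_CONF = """[Interface]
Address = 10.10.0.1/24
ListenPort = 10001
PrivateKey = <server_private_key>
[Peer]
PublicKey = <laptop_public_key>
AllowedIPs = 10.10.0.2/32
"""
CLIENT_CONF = """[Interface]
PrivateKey = <laptop_private_key>
Address = 10.10.0.2/24
[Peer]
PublicKey = <server_public_key>
AllowedIPs = 10.10.0.0/24
Endpoint = <ec2_elastic_ip>:10001
"""

def parse_wg(text):
    """Parse a wg-quick config into {'Interface': {...}, 'Peers': [{...}, ...]}."""
    conf, section = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if line.startswith("["):
            section = conf["Interface"] if line == "[Interface]" else {}
            if line == "[Peer]":
                conf["Peers"].append(section)
        elif line:  # skip blank lines
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf

def covers(allowed_ips, ip):  # does a comma-separated AllowedIPs value contain ip?
    return any(ip in ipaddress.ip_network(a.strip(), strict=False) for a in allowed_ips.split(","))

def check_pair(server_text, client_text):
    """Cross-check one server config against one client config; return the mismatches."""
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    srv_ip, cli_ip = (ipaddress.ip_interface(c["Interface"]["Address"]) for c in (srv, cli))
    checks = [
        # The client's Endpoint port must equal the server's ListenPort (and the opened UDP port).
        (cli["Peers"][0]["Endpoint"].rsplit(":", 1)[1] != srv["Interface"].get("ListenPort"),
         "client Endpoint port differs from server ListenPort"),
        (srv_ip.network != cli_ip.network, "tunnel addresses are in different subnets"),
        # Cryptokey routing: a peer only sends to, and accepts from, addresses in its AllowedIPs.
        (not covers(srv["Peers"][0]["AllowedIPs"], cli_ip.ip), "server AllowedIPs misses client address"),
        (not covers(cli["Peers"][0]["AllowedIPs"], srv_ip.ip), "client AllowedIPs misses server address"),
    ]
    return [msg for failed, msg in checks if failed]
```

For the question's pair the list comes back empty, so the two files agree with each other and the fault is not in the addressing; the next thing to confirm on the instance is whether a handshake ever completes (sudo wg show wg0), since without one the pings seen leaving 10.10.0.1 are never carried to the peer.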
