I am having trouble setting up a working WireGuard VPN server on an EC2 instance. I created the wg0.conf
file with the following contents:
[Interface]
Address = 10.10.0.1/24
ListenPort = 10001
PrivateKey = <server_private_key>
SaveConfig = false
PostUp = /etc/wireguard/helper/add_nat.sh
PostDown = /etc/wireguard/helper/del_nat.sh
[Peer]
PublicKey = <removed>
AllowedIPs = 10.10.0.2/32
The contents of add_nat.sh:
#!/bin/bash
IPT="/sbin/iptables"
IN_FACE="ens5" # NIC connected to the internet
WG_FACE="wg0" # WG NIC
SUB_NET="10.10.0.0/24" # WG IPv4 sub/net aka CIDR
WG_PORT="10001" # WG udp port
## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
Then I enabled port forwarding by setting net.ipv4.ip_forward=1
in /etc/sysctl.conf.
I also allowed port 10001 on UDP using the command ufw allow 10001/udp,
and I added that port rule to the inbound rules in the EC2 security group.
On my laptop I configured wg0.conf
like so:
[Interface]
PrivateKey = <laptop_private_key>
Address = 10.10.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = <server_public_key>
AllowedIPs = 10.10.0.0/24
Endpoint = <ec2_elastic_ip>:10001
PersistentKeepalive = 10
Trying to ping the server from my laptop results in 100% packet loss, the same as from the server side.
Is there something I am missing, or are there any errors in my configuration?
I did check that the WireGuard service is running. As for the packet capturing, I am sure there is an error in the routing configuration, but I am not sure what exactly. I inspected the pcap file in Wireshark after pinging the IP
10.10.0.2;
there are 6 packets, all with the source 10.10.0.1
and the destination 10.10.0.2.
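As an added example (not part of the question or of any answer), a small Python checker that parses the server's wg0.conf, the variables in add_nat.sh and sysctl.conf, and reports the mismatches between them that commonly produce the symptom above (port, tunnel subnet, peer AllowedIPs, ip_forward). The sample inputs are constructed from the question's values; the checker does not look at the security group or verify that the interface named in IN_FACE exists.

```python
import ipaddress
import re

def parse_wg_conf(text):
    # Parse a WireGuard .conf into (interface dict, list of peer dicts).
    interface, peers, cur = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line == "[Interface]":
            cur = interface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            cur[k] = v
    return interface, peers

def check_wg_setup(conf_text, nat_text, sysctl_text):
    # Return a list of mismatches between the three files (empty list = consistent).
    iface, peers = parse_wg_conf(conf_text)
    # VAR="value" assignments from the NAT helper script
    nat = dict(re.findall(r'^(\w+)="([^"]*)"', nat_text, re.M))
    findings = []
    net = ipaddress.ip_interface(iface["Address"]).network
    if ipaddress.ip_network(nat.get("SUB_NET", "0.0.0.0/0")) != net:
        findings.append(f"SUB_NET {nat.get('SUB_NET')} != interface subnet {net}")
    if nat.get("WG_PORT") != iface.get("ListenPort"):
        findings.append(f"WG_PORT {nat.get('WG_PORT')} != ListenPort {iface.get('ListenPort')}")
    for p in peers:   # in a road-warrior setup every peer lives inside the tunnel subnet
        for a in p.get("AllowedIPs", "").split(","):
            if not ipaddress.ip_network(a.strip(), strict=False).subnet_of(net):
                findings.append(f"peer AllowedIPs {a.strip()} outside tunnel subnet {net}")
    if not re.search(r"^\s*net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl_text, re.M):
        findings.append("net.ipv4.ip_forward=1 not set in sysctl.conf")
    return findings

# Constructed sample input: the question's values, secrets left as placeholders.
SERVER_CONF = """[Interface]
Address = 10.10.0.1/24
ListenPort = 10001
[Peer]
AllowedIPs = 10.10.0.2/32
"""
NAT_SCRIPT = 'IN_FACE="ens5"\nSUB_NET="10.10.0.0/24"\nWG_PORT="10001"\n'
SYSCTL = "net.ipv4.ip_forward=1\n"

if __name__ == "__main__":
    for f in check_wg_setup(SERVER_CONF, NAT_SCRIPT, SYSCTL) or ["no mismatches found"]:
        print(f)
```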
Can you send the routing information (ip route show)?
Here is the output of the command
ip route show