WireGuard VPN in EC2 instance

0

I am having trouble setting up a working WireGuard VPN server on an EC2 instance. I created the wg0.conf file with the following contents:

[Interface]
Address = 10.10.0.1/24
ListenPort = 10001
PrivateKey = <server_private_key>
SaveConfig = false
PostUp =   /etc/wireguard/helper/add_nat.sh
PostDown = /etc/wireguard/helper/del_nat.sh
 
[Peer]
PublicKey = <removed>
AllowedIPs = 10.10.0.2/32

The contents of add_nat.sh:

#!/bin/bash
IPT="/sbin/iptables"

IN_FACE="ens5"                   # NIC connected to the internet
WG_FACE="wg0"                    # WG NIC 
SUB_NET="10.10.0.0/24"            # WG IPv4 sub/net aka CIDR
WG_PORT="10001"                  # WG udp port

## IPv4 ##
$IPT -t nat -I POSTROUTING 1 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT -I INPUT 1 -i $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT -I FORWARD 1 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT -I INPUT 1 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

Then I enabled port forwarding by setting net.ipv4.ip_forward=1 in /etc/sysctl.conf. I also allowed port 10001 on UDP using the command ufw allow 10001/udp, and I added that port rule to the inbound rules in the EC2 security group.

On my laptop I configured wg0.conf like so:

[Interface]
PrivateKey = <laptop_private_key>
Address = 10.10.0.2/24
DNS = 8.8.8.8
 
[Peer]
PublicKey = <server_public_key>
AllowedIPs = 10.10.0.0/24 
Endpoint = <ec2_elastic_ip>:10001
PersistentKeepalive = 10

Trying to ping the server from my laptop results in 100% packet loss, the same as from the server side.

Is there something I am missing, or are there any errors in my configuration?

Salem
asked a year ago, 606 views
1 Answer
0

Check whether the WireGuard service is running on the EC2 instance by running the command sudo systemctl status wg-quick@wg0. If it is not running, try starting it with sudo systemctl start wg-quick@wg0.

Ensure that the routing configuration is correct.

Or you can use tcpdump to see whether packets are being properly received and forwarded by the EC2 instance.

EXPERT
answered a year ago
  • I did check that the WireGuard service is running. As for the packet capturing, I am sure there is an error in the routing configuration, but I am not sure what exactly. I inspected the pcap file in Wireshark after pinging the IP 10.10.0.2; there are 6 packets, all with the source 10.10.0.1 and the destination 10.10.0.2.

  • Can you send the routing information?

    ip route show

  • Here is the output of the command ip route show:

    default via 172.31.0.1 dev ens5 
    10.10.0.0/24 dev wg0 proto kernel scope link src 10.10.0.1 
    172.31.0.0/20 dev ens5 proto kernel scope link src 172.31.5.82
    
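As an added example (not part of the question or the answer above), a small POSIX shell script that checks the points the answer raises against this particular setup: that the kernel routing table agrees with the interface names hardcoded in add_nat.sh, that the MASQUERADE rule from that script is in place, and whether the peer has ever completed a handshake (no handshake means no traffic in either direction, which matches a ping with 100% loss). Each check takes command output as an argument so it can be run against the ip route show output posted above; the --live mode and the 180-second handshake window are my assumptions.

```shell
#!/bin/sh
# Diagnostic helpers for the setup above. Each check takes command output as
# an argument so it can be exercised on captured text; run with --live to
# execute against the host. The interface names match add_nat.sh.
IN_FACE="ens5"; WG_FACE="wg0"; SUB_NET="10.10.0.0/24"

# Print the device carrying the route whose destination is $2 ("default" or a CIDR).
route_dev() {
  printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1) }'
}

# 0 when the default route leaves via IN_FACE and SUB_NET is on WG_FACE,
# i.e. the names hardcoded in add_nat.sh agree with the kernel routing table.
check_routing() {
  [ "$(route_dev "$1" default)" = "$IN_FACE" ] || { echo "default route not on $IN_FACE"; return 1; }
  [ "$(route_dev "$1" "$SUB_NET")" = "$WG_FACE" ] || { echo "$SUB_NET not on $WG_FACE"; return 1; }
}

# 0 when `iptables -t nat -S POSTROUTING` output ($1) contains the MASQUERADE
# rule that add_nat.sh installs.
check_nat() {
  printf '%s\n' "$1" | grep -q -- "-s $SUB_NET -o $IN_FACE -j MASQUERADE"
}

# 0 when `wg show wg0 latest-handshakes` output ($1, "pubkey<TAB>epoch") shows
# a handshake within the last 180 s of now ($2). An epoch of 0 means the peer
# never completed a handshake, so no data packets can flow in either direction.
check_handshake() {
  printf '%s\n' "$1" | awk -v now="$2" '{ if ($2 > 0 && now - $2 <= 180) ok = 1 } END { exit ok ? 0 : 1 }'
}

# Assumed entry point: only touches the live system when asked to.
if [ "${1-}" = "--live" ]; then
  check_routing "$(ip route show)"
  [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || echo "net.ipv4.ip_forward is 0"
  check_nat "$(iptables -t nat -S POSTROUTING)" || echo "MASQUERADE rule missing"
  check_handshake "$(wg show "$WG_FACE" latest-handshakes)" "$(date +%s)" || echo "no recent handshake"
fi
```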
