To start, I am not very well versed in networking or server management, so bear with me if this seems elementary to some of you.
I have set up a WireGuard instance running on a VPS, using Debian. My intention is to use it for internet privacy, as the options currently available to me are inadequate.
I have tried and failed several times to get WireGuard working properly, as my client device(s) cannot connect to the internet. I can connect to the server without problems, WireGuard shows the client as connected, and whenever it is connected I can SSH into the server from the client device without problems. I tried adding a DNS, specifically Google's (8.8.8.8, 8.8.4.4), but that does not help either. I can't even ping the DNS when it is set.
Below is my current server and client configuration:
Client:

```ini
[Interface]
PrivateKey = [redacted]
Address = 10.0.0.2/32

[Peer]
PublicKey = [redacted]
Endpoint = [redacted]:51820
AllowedIPs = 0.0.0.0/0
```

Server:

```ini
[Interface]
PrivateKey = [redacted]
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = [redacted]
AllowedIPs = 10.0.0.2/32
```
Any help with this would be appreciated. I have been banging my head against the wall over this for a while.
Server routing table:
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet [redacted]/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether [redacted] brd ff:ff:ff:ff:ff:ff
    inet [redacted]/25 brd [redacted] scope global dynamic enp1s0
       valid_lft 73624sec preferred_lft 73624sec
    inet6 [redacted]/64 scope link
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
```
Server iptables output:
```
Chain INPUT (policy DROP 989 packets, 54363 bytes)
pkts bytes target prot opt in out source destination
630K 320M ufw-before-logging-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
630K 320M ufw-before-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
213K 12M ufw-after-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
212K 12M ufw-after-logging-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
212K 12M ufw-reject-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
212K 12M ufw-track-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 5286 packets, 1038K bytes)
pkts bytes target prot opt in out source destination
7518 1184K ufw-before-logging-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
7518 1184K ufw-before-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
5286 1038K ufw-after-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
5286 1038K ufw-after-logging-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
5286 1038K ufw-reject-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
5286 1038K ufw-track-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 225 packets, 20892 bytes)
pkts bytes target prot opt in out source destination
370K 75M ufw-before-logging-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
370K 75M ufw-before-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
3564 350K ufw-after-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
3564 350K ufw-after-logging-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
3564 350K ufw-reject-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
3564 350K ufw-track-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
363 36318 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
2 84 ufw-skip-to-policy-input 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
6 308 ufw-skip-to-policy-input 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
4 8908 ufw-skip-to-policy-input 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
327 46259 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
219 11136 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
1927 126K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
305 19540 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
5286 1038K ufw-user-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
211K 188M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
56 19597 ufw-logging-deny 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
56 19597 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
11 626 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
20848 1252K ufw-not-local 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 17 -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT 17 -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
20848 1252K ufw-user-input 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
193K 42M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1960 219K ufw-user-output 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
56 19597 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
20844 1243K RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
4 8908 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
12 9300 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
10 600 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1362 162K ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
19757 1175K ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
90 13764 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
```
At the suggestion of user Davidgo, adding `iptables -t nat -A POSTROUTING -o [YOUR ETHERNET INTERFACE] -j MASQUERADE` (the interface was enp1s0 in my case) and adding `iptables -I FORWARD -j ACCEPT` temporarily fixed the problem. After rebooting the server, these changes are reverted. I will try to work out how to add these rules permanently.
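One way to make the NAT and forwarding rules from the update above survive a reboot is to let wg-quick apply them in PostUp and remove them in PostDown, which is what this added example renders (it is not the poster's config or wg-quick's own code). It assumes the names from the question (wg0, enp1s0, tunnel subnet 10.0.0.0/24) and tightens `iptables -I FORWARD -j ACCEPT` to forward only tunnel traffic out to the uplink and established replies back in.

```shell
#!/bin/sh
# Added example: render a wg-quick server config whose PostUp/PostDown hooks
# (re)apply NAT and forwarding rules every time wg0 is started, so they are
# not lost on reboot. Assumes wg-quick and iptables on Debian and the
# interface names from the question; keys are placeholders, as in the question.

wg_server_conf() {
    wan_if="$1"                   # VPS uplink, e.g. enp1s0
    wg_net="${2:-10.0.0.0/24}"    # tunnel subnet from the server's Address line
    cat <<EOF
[Interface]
PrivateKey = [redacted]
Address = 10.0.0.1/24
ListenPort = 51820
# %i is expanded by wg-quick to the interface name (wg0).
# Forward only traffic arriving from the tunnel, instead of "-I FORWARD -j ACCEPT"
# for everything, and only let established/related replies back into the tunnel.
PostUp = iptables -I FORWARD -i %i -o ${wan_if} -s ${wg_net} -j ACCEPT
PostUp = iptables -I FORWARD -i ${wan_if} -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s ${wg_net} -o ${wan_if} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o ${wan_if} -s ${wg_net} -j ACCEPT
PostDown = iptables -D FORWARD -i ${wan_if} -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s ${wg_net} -o ${wan_if} -j MASQUERADE

[Peer]
PublicKey = [redacted]
AllowedIPs = 10.0.0.2/32
EOF
}

# Usage (as root on the server):
#   wg_server_conf enp1s0 > /etc/wireguard/wg0.conf
#   # kernel forwarding must also be on, persistently (assumed not yet set):
#   echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-wireguard.conf && sysctl --system
#   systemctl restart wg-quick@wg0
```

Because ufw is active on this server, `ufw reload` or `ufw disable` flushes the tables and drops these rules too; restart `wg-quick@wg0` afterwards so PostUp re-adds them.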