Cannot make it work in Oracle Cloud VM

[rmspro]

I have Wireguard VPN set up in Oracle Cloud VM (Ubuntu 18.04). Wireguard client (Windows) connects, but there is no internet. 0 bytes received, hundreds sent every other second.

Here are the things I've done and tried:

1. Created and updated/upgraded Ubuntu VM
2. Executed Angristan's scripts.
3. Added the port number assigned by Angristan's script in Ingress Rules (firewall)
4. Tried to check/uncheck "Skip source/destination check" in VNIC setup
5. Tried to set MTU size to 1360 (the default for wg0 was 8920) and added it in client config
6. (Update) Tried to open the firewall another way "sudo ufw allow 54321/upd", I have no idea why I should do this, but still no result.

One thing I didn't understand in the process is why "net.ipv4.ip_forward=1" is still commented out inside "/etc/sysctl.conf" file after executing Angristan's script. Isn't it supposed to be enabled? Anyway, I tried to manually enable it in the file, still no internet.

I'm not good with Linux, Wireguard and networking stuff, so I'm hoping to get some help here on how to troubleshoot this issue.

[rmspro]

Here is "/etc/wireguard/wg0.conf" file content:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 54321
PrivateKey = PRIVATE_KEY
PostUp = iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
PublicKey = PUBLIC_KEY
PresharedKey = PRESHARED_KEY
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

---

Here is the Wireguard Windows client config:

[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 1.1.1.1, 1.0.0.1
MTU = 1360

[Peer]
PublicKey = PUBLIC_KEY
PresharedKey = PRESHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 150.101.202.303:54321

[muhammad-umair-akhter]

Hello,

I am also facing the issue in setting up the Wireguard VPN on Oracle Cloud VM.
I followed the instruction and created the VPS and their clients but not working for me here are the details:

===========================================
interface: wg0
public key:
private key: (hidden)
listening port: 64399

peer:
preshared key: (hidden)
allowed ips: 10.66.66.2/32, fd42:42:42::2/128

peer:
preshared key: (hidden)
allowed ips: 10.66.66.3/32, fd42:42:42::3/128

====================

This is the Desktop client conf:
[Interface]
PrivateKey =
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 94.140.14.14, 94.140.15.15

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 10.0.0.3:64399

====

Do you think it has something to do with the Firewall?

[FireMasterK]

Oracle cloud has a firewall that has to be configured in their portal.

Once you allow it, you should be able to use it just fine.

I'm able to run it fine on Ubuntu 20.04.

[rmspro]

@FireMasterK I have opened ports for Wireguard by adding ingress rules. Is there anything else to be done to configure the firewall on the Oracle side? By the way, I've also tried it with Ubuntu 20.04, same issue.

[raypnman]

The script works perfectly for me like 6 months ago but not work for my new instances on Oracle cloud VM recently.
Allowing the udp port on Oracle dashboard is not the only work to make it works.
After adding the accept rule for udp port into iptables, you will see your client device start receiving and sending data with the VM.
But your client is still not able to access Internet.
It seems there is a prebuilt FORWARD rule on Oracle VM blocking the traffic.
The generated config /etc/wireguard/wg0.conf is using "-A" to append the rules to the bottom of FORWARD chain, you may modify it using "-I" instead so it will add the rules to the top, and after it, run "sudo wg-quick down/up wg0" for resetting the iptables.
It should work then. At least it works for me.

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:(port num) state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited <<< Seems this blocking the traffic, you can remove it if no security concern for you

[HosseinMarvi]

Sorry I don't have enough knowledge about networking and I might need a bit more help.
@rayMomoko Do you mean replacing every -A flag with -I in wg0.conf? Because I tried to do that and it didn't help.
@FireMasterK Would you please explain where and how I can configure firewall settings?

[raypnman]

@HosseinMarvi Hi, not necessarily all, I did it for those being added to Chain FORWARD only.
If adding the rules by append (to the bottom), the transit traffic would be rejected by the prebuilt rule on Oracle VM which is at the top. (Basically the table lookup is from the top to the bottom)
I also added the port ACCEPT iptables rule to the wg0.conf (I am using udp port 60000).
Here's part of my wg0.conf and how my iptables eventually looks like.
Hope it can give you some help.

PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -I FORWARD -i wg0 -j ACCEPT;** iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -I INPUT -i ens3 -p udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT

PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; sudo iptables -D INPUT -i ens3 -p udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT

oracle:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:60000 state NEW,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
InstanceServices  all  --  anywhere             link-local/16

Chain InstanceServices (1 references)
<<<prebuilt rules of Oracle VM>>>

oracle:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N InstanceServices
-A INPUT -i ens3 -p udp -m udp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i ens3 -o wg0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
<<<prebuilt rules of Oracle VM>>>

[ItsSypher]

Thank you for the above reply, it really helped me fix the problem I was facing too.

A little addition, the iptables commands that you shared were initially not working for me until i removed the sudo(since we're gonna run sudo wg-quick anyway) and ** present in them which resulted in them finally working

[HosseinMarvi]

@rayMomoko Thanks for your great help. It worked for me on a freshly installed Ubuntu 20.04.

I should also mention that having OpenVPN installed before WireGuard was another reason that I couldn't solve the issue with this workaround.

[lonney9]

Wish I found this sooner, I just solved this exact problem by studying the OpenVPN script's iptables setup and comparing to the WireGuard script is how I figured it out..

The script needs updating to include a rule to allow the incoming port for WireGuard, and setup the iptables rules to insert vs append, otherwise the user is being setup for failure. This is how the OpenVPN script here configures things and it works out of the box on Oracle Cloud + Ubuntu 20.04 (after allowing those ports in the Oracle Cloud public VCN settings of course).

The formatting of the iptables rules in wg0.conf could be neater, one per line so its easy to read?

[davidrodord56]

Thank you @rayMomoko , it worked for me.

In my case I'm using it for LAN over VPN for Electrical Devices therefore no NAT is required, in my case the IP Tables are:

PostUp = iptables -I FORWARD -i enp0s3 -o %i -j ACCEPT; sudo iptables -I INPUT -i enp0s3 -p udp --dport <PORT> -m state --state NEW,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i enp0s3 -o %i -j ACCEPT;sudo iptables -D INPUT -i enp0s3 -p udp --dport <PORT> -m state --state NEW,ESTABLISHED -j ACCEPT

[RilusMahmud]

I've tried everything, but no luck!
I'm using an oracle free-tier VM with Ubuntu 22.04.
Can anyone help?

[marek2001]

`Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:55551
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:55551
ACCEPT udp -- anywhere anywhere udp dpt:55551 state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:http
ACCEPT tcp -- anywhere 172.18.0.4 tcp dpt:http
ACCEPT tcp -- anywhere 172.18.0.5 tcp dpt:http
ACCEPT tcp -- anywhere 172.18.0.5 tcp dpt:https

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere `

Sorry but still can't locate source of error.

[marek2001]

I use 55551 port.