How to Fix WireGuard VPN Configuration Errors for Client-Server Communication and Internet Access



The original configuration attempts show several common WireGuard implementation pitfalls. The error message Line unrecognized: `Address=10.0.0.1/24' is not a version problem: it is printed by wg setconf (and wg addconf / wg syncconf), which only understands the core keys PrivateKey, ListenPort, FwMark, PublicKey, PresharedKey, AllowedIPs, Endpoint and PersistentKeepalive. Address, DNS, MTU, Table, SaveConfig and the PreUp/PostUp/PreDown/PostDown hooks are interpreted by wg-quick, which strips them out before handing the rest of the file to wg. Either bring the interface up with wg-quick up wg0, or keep those keys out of any file you pass to wg setconf and assign the tunnel address with ip yourself.

For Ubuntu 18.04 with wireguard-tools v1.0.20200206, this corrected server configuration works as-is when loaded with wg-quick up wg0 (the tools version understands the whole format; only the loader matters):

[Interface]
PrivateKey = xxxxx
Address = 10.0.0.1/24
ListenPort = 5555
# Address, PostUp and PostDown are wg-quick keys. Load this file with
# "wg-quick up wg0"; feeding it to "wg setconf" is what yields "Line unrecognized".
# Replace eth0 with the server's real internet-facing interface (see: ip route get 1.1.1.1).
# If your FORWARD chain policy is DROP, also accept RELATED,ESTABLISHED traffic back into wg0
# (rule shown in the routing section below).
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = client_pubkey
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25

The macOS client configuration (WireGuard app or wg-quick) should route the VPN subnet, and for a full tunnel everything else, through the server. AllowedIPs is what installs the routes on the client, so 0.0.0.0/0 already covers 10.0.0.0/24:

[Interface]
PrivateKey = xxxxx
Address = 10.0.0.2/32
# Resolvers are queried through the tunnel once 0.0.0.0/0 is routed into it
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = server_pubkey
# Full tunnel. For a split tunnel (VPN hosts only) use AllowedIPs = 10.0.0.0/24 instead.
AllowedIPs = 0.0.0.0/0
Endpoint = server_ip:5555
PersistentKeepalive = 25

Essential server-side commands for proper routing. These are the same rules the PostUp hook above installs, so if you use the hook, don't add them by hand as well or you end up with duplicate entries; run them once (as root) when you configure the interface manually:

# Enable IP forwarding now and across reboots
sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-wireguard.conf

# NAT only the VPN subnet out of the internet-facing interface (eth0 here)
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

# Allow forwarding out of the tunnel, and replies back in. The second rule is
# required when the FORWARD chain policy is DROP: MASQUERADE alone does not admit replies.
iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

When clients can't communicate with each other:

  1. On each client, the server peer's AllowedIPs must cover the VPN subnet (10.0.0.0/24, or 0.0.0.0/0 for a full tunnel); on the server, every client gets its own /32, and no two peers may list the same prefix, because a later peer silently takes the address away from an earlier one.
  2. The server must forward between clients: net.ipv4.ip_forward=1 plus a FORWARD rule that accepts traffic arriving on wg0 (the -i wg0 -j ACCEPT rule above covers wg0-to-wg0 as well). NAT is not involved in client-to-client traffic.
  3. Check host firewalls on the server and on both clients; the client being pinged must accept ICMP on its tunnel interface.
  4. Test with wg show (the latest handshake should be recent and the transfer counters should move) and ping 10.0.0.1 from each client first, then ping the other client's 10.0.0.x address.

Nginx does not resolve names, but binding a server block to the tunnel address keeps the service off the public interface. For a private hostname, add this to your Nginx configuration:

# Bound to the tunnel address only: reachable through WireGuard, never from eth0.
# wg0 must be up before nginx starts, or the bind fails with
# "Cannot assign requested address".
server {
    listen 10.0.0.1:80;
    server_name vpn.example.com;
    
    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
    }
}

Then make vpn.example.com resolve to 10.0.0.1 for VPN users: point clients at a resolver on the server (DNS = 10.0.0.1 in the client's [Interface] section, with a resolver such as dnsmasq or unbound listening on wg0), or use a split-horizon DNS setup that answers with the tunnel address only from inside the VPN.


When setting up WireGuard VPN, many developers encounter issues with static IP assignment, inter-client communication, and proper internet routing. The original configuration attempts showed several common pitfalls:

# Server config snippet that was being loaded with "wg setconf"
[Interface]
Address = 10.0.0.1/24   # rejected by wg setconf ("Line unrecognized"): Address is a wg-quick key
ListenPort = 5555
PrivateKey = xxxxx

The file itself is fine for wg-quick up wg0. If you drive wg directly instead, interface creation, IP assignment and key/peer loading are separate steps, and the file you load must contain only keys wg understands:

# Manual server setup, equivalent to what wg-quick does for you
sudo ip link add dev wg0 type wireguard
sudo ip address add dev wg0 10.0.0.1/24
# wg0-core.conf: a copy of wg0.conf with the Address/DNS/MTU/PostUp/PostDown lines removed
sudo wg setconf wg0 /etc/wireguard/wg0-core.conf
sudo ip link set up dev wg0
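The split between the two halves of a wg-quick file comes up twice on this page (the "Line unrecognized" error above and the manual bring-up just shown), so here is one shell helper that does it, written as an added example rather than taken from the original post or from the wireguard-tools project. It keeps only the keys wg setconf accepts, lists the keys that would have triggered the error, extracts the Address values, and reproduces the manual sequence (ip link add, ip address add, wg setconf, ip link set up). The sample configuration is constructed for the demonstration; the interface name, file path and key values are placeholders, and the key list is the set of wg-quick-only keys as documented in wg-quick(8).

```shell
#!/bin/sh
# Added example: split a wg-quick style wg0.conf into the part "wg setconf"
# accepts and the part only wg-quick interprets. Not code from the original post.

# Keys that only wg-quick understands; "wg setconf" rejects each of them with
# "Line unrecognized: `...'". Compared case-insensitively, as wg does.
WGQUICK_ONLY='address|dns|mtu|table|preup|postup|predown|postdown|saveconfig'

# Print only the lines wg setconf understands (stdin -> stdout).
# Comments are stripped the way wg itself strips them (everything after '#').
wg_core_conf() {
    awk -v keys="$WGQUICK_ONLY" '
        BEGIN { n = split(keys, k, "|"); for (i = 1; i <= n; i++) drop[k[i]] = 1 }
        { line = $0; sub(/#.*/, "", line) }
        line ~ /^[[:space:]]*$/ { next }                 # blank or comment-only line
        line ~ /^[[:space:]]*\[/ { print line; next }    # [Interface] / [Peer] headers
        {
            key = line; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (!(tolower(key) in drop)) print line
        }'
}

# List the keys in a config that wg setconf would reject, one per line.
wg_quick_only_keys() {
    awk -v keys="$WGQUICK_ONLY" '
        BEGIN { n = split(keys, k, "|"); for (i = 1; i <= n; i++) drop[k[i]] = 1 }
        {
            key = $0; sub(/#.*/, "", key); sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (tolower(key) in drop) print key
        }'
}

# Print every Address value (Address may be a comma-separated list), one per line.
wg_addresses() {
    awk '
        { line = $0; sub(/#.*/, "", line) }
        tolower(line) ~ /^[[:space:]]*address[[:space:]]*=/ {
            sub(/^[^=]*=/, "", line); gsub(/[[:space:]]/, "", line)
            n = split(line, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }'
}

# Bring an interface up by hand from a wg-quick style file (run as root).
# Usage: wg_manual_up [/etc/wireguard/wg0.conf] [wg0]
# The temp file holds the private key; mktemp creates it mode 0600 and it is removed after use.
wg_manual_up() {
    conf=${1:-/etc/wireguard/wg0.conf} ifname=${2:-wg0}
    tmp=$(mktemp) || return 1
    wg_core_conf < "$conf" > "$tmp"
    ip link add dev "$ifname" type wireguard
    wg_addresses < "$conf" | while read -r addr; do ip address add dev "$ifname" "$addr"; done
    wg setconf "$ifname" "$tmp"
    ip link set up dev "$ifname"
    rm -f "$tmp"
}

# Constructed sample config (placeholder keys) used to exercise the helpers offline.
SAMPLE_CONF='[Interface]
PrivateKey = xxxxx
Address = 10.0.0.1/24, fd00::1/64
ListenPort = 5555
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT   # hook: wg-quick only
# comment-only line

[Peer]
PublicKey = client_pubkey
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25'
```

To check a real file before loading it by hand, run wg_quick_only_keys < /etc/wireguard/wg0.conf: an empty result means wg setconf will accept the file unchanged. Note that PostUp/PostDown are dropped too, so the iptables rules they carry have to be applied separately when you skip wg-quick.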

Here's a complete working configuration for both server and client, each loaded with wg-quick:

# Server configuration (/etc/wireguard/wg0.conf)
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 5555

# eth0 = the server's internet-facing interface; wg-quick runs these hooks,
# wg setconf would reject them
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

# Client configuration
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY
# Full tunnel for IPv4 and IPv6; use 10.0.0.0/24 here for a split tunnel
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = server.example.com:5555
PersistentKeepalive = 25

The key to proper internet routing lies in these critical components:

  • Correct MASQUERADE rules in PostUp/PostDown, on the server's real internet-facing interface, plus a FORWARD rule that accepts tunnel traffic
  • Kernel forwarding enabled and persisted (net.ipv4.ip_forward=1 via sysctl -w now and a file under /etc/sysctl.d for reboots)
  • Accurate AllowedIPs: one /32 per client on the server; on the client either 0.0.0.0/0 (full tunnel) or just the VPN subnet (split tunnel), since wg-quick derives the client's routes from it

For clients to communicate with each other, modify the server's peer configuration:

[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32

No extra routes are needed on the clients: wg-quick installs a route for every prefix listed in AllowedIPs, so a client whose AllowedIPs cover 10.0.0.0/24 already sends 10.0.0.3 into the tunnel. The server then forwards the packet to whichever peer's AllowedIPs contain 10.0.0.3/32 (longest prefix wins, and if two peers claim the same prefix the one configured last gets it), which requires net.ipv4.ip_forward=1 and a FORWARD rule that accepts traffic arriving on wg0.
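Both the client-to-client checklist earlier on the page and the two-peer server configuration above come down to WireGuard's cryptokey routing: AllowedIPs is a routing table keyed by peer, and a mistake in it (a duplicated /32, a client whose AllowedIPs do not cover the subnet) fails silently. The following is an added example, not code from the original post or from wireguard-tools: it parses a configuration with the same awk helper on both sides, answers "which peer would receive a packet for this address" by longest-prefix match with the last-listed peer winning ties, and flags prefixes claimed by more than one peer. It handles IPv4 only; the sample configurations and key names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: cryptokey-routing lookup and AllowedIPs conflict check over a
# WireGuard config file. IPv4 only. Not code from the original post.

# Shared awk library: parses [Peer] sections into pk[i] (PublicKey) and al[i]
# (comma-joined AllowedIPs), with small helpers for IPv4 prefix arithmetic.
WG_AWK_LIB='
function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
function int2ip(n) { return int(n/16777216) "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
function net(ip, p) { return int(ip / 2^(32-p)) * 2^(32-p) }     # network part of ip under /p
function key(l) { sub(/#.*/, "", l); sub(/=.*/, "", l); gsub(/[[:space:]]/, "", l); return tolower(l) }
function val(l) { sub(/#.*/, "", l); sub(/^[^=]*=/, "", l); gsub(/[[:space:]]/, "", l); return l }
/^[[:space:]]*\[/ { s = $0; gsub(/\[|\]|[[:space:]]/, "", s); sect = tolower(s); if (sect == "peer") np++; next }
sect == "peer" && key($0) == "publickey" { pk[np] = val($0) }
sect == "peer" && key($0) == "allowedips" { al[np] = (al[np] == "" ? "" : al[np] ",") val($0) }
'

# Usage: wg_route_lookup <dst-ipv4> < wg0.conf
# Prints the PublicKey of the peer that would receive a packet for dst, or "none"
# (on a client, "none" means the packet never enters the tunnel).
wg_route_lookup() {
    awk -v dst="$1" "$WG_AWK_LIB"'
    END {
        best = -1; who = "none"
        for (j = 1; j <= np; j++) {
            n = split(al[j], c, ",")
            for (i = 1; i <= n; i++) {
                if (c[i] == "" || index(c[i], ":")) continue            # skip empty / IPv6
                split(c[i], a, "/"); p = (a[2] == "" ? 32 : a[2] + 0)
                # longest prefix wins; on a tie the later peer wins, as with wg setconf
                if (net(ip2int(dst), p) == net(ip2int(a[1]), p) && p >= best) { best = p; who = pk[j] }
            }
        }
        print who
    }'
}

# Usage: wg_allowedips_duplicates < wg0.conf
# Prints "prefix peerA peerB ..." for every prefix listed under more than one peer.
wg_allowedips_duplicates() {
    awk "$WG_AWK_LIB"'
    END {
        for (j = 1; j <= np; j++) {
            n = split(al[j], c, ",")
            for (i = 1; i <= n; i++) {
                if (c[i] == "" || index(c[i], ":")) continue
                split(c[i], a, "/"); p = (a[2] == "" ? 32 : a[2] + 0)
                norm = int2ip(net(ip2int(a[1]), p)) "/" p          # 10.0.0.3 and 10.0.0.3/32 collide
                owners[norm] = owners[norm] " " pk[j]; cnt[norm]++
            }
        }
        for (norm in owners) if (cnt[norm] > 1) print norm owners[norm]
    }'
}

# Constructed sample server config: CLIENT3 was copy-pasted from CLIENT2 without
# changing the address, so CLIENT2 silently loses 10.0.0.3.
SERVER_CONF='[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 5555

[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = CLIENT2_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = CLIENT3_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32

[Peer]
# site gateway that also owns a LAN behind it
PublicKey = SITEB_PUBLIC_KEY
AllowedIPs = 10.0.0.4/32, 192.168.50.0/24'

# Constructed sample client config with a full tunnel.
CLIENT_CONF='[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = server.example.com:5555'
```

Run wg_allowedips_duplicates < /etc/wireguard/wg0.conf on the server whenever "one client stopped being reachable after I added another" comes up; and run wg_route_lookup 10.0.0.3 < client.conf on a client to confirm the other client's address actually goes into the tunnel at all.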

For Nginx integration with private domains, bind the server block to the tunnel address so the service is only reachable through the VPN; the name itself still has to be resolved to 10.0.0.1 by the clients' DNS:

# Example Nginx server block for VPN
# wg0 must be up before nginx starts, or the bind to 10.0.0.1 fails
server {
    listen 10.0.0.1:80;
    server_name vpn.internal;
    
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
    }
}

When debugging WireGuard connections, these commands are invaluable:

# Check WireGuard status: latest handshake, transfer counters and endpoint per peer
sudo wg show

# Verify interface configuration
ip addr show wg0

# Test routing: with a full tunnel the first hop should be 10.0.0.1
traceroute 8.8.8.8

# Check firewall rules in both the filter and the nat table
sudo iptables -L -v -n
sudo iptables -t nat -L -v -n

On the server, work through this checklist:

  1. Verify kernel forwarding is enabled: sysctl net.ipv4.ip_forward must print 1 (sysctl -p only reloads /etc/sysctl.conf; it does not confirm the current value)
  2. Check interface IP assignment (ip addr show wg0)
  3. Confirm proper NAT rules exist (iptables -t nat -L -v -n)
  4. Test both private network and internet access from a client: ping 10.0.0.1 first, then ping 8.8.8.8