enabling WG0 allows telegram but impedes browsing

S Bauer sanderbauer at gmail.com
Fri Aug 20 11:16:34 UTC 2021


Hello team,

Hoping you could help me out with a foggy situation.
The past week I have been struggling to get the Wireguard VPN working
smoothly. Everything seems to work on paper, except in a specific way
it doesn't. I am using Pop!_OS 21.04 (Ubuntu Hirsute).

SitRep;
I work as a freelance consultant and want to be careful about the
local networks' peeping tom when accessing sensitive work documents
from 'out of office', e.g. at a friend's place or at a hotel. So my
objective is to access my home network via PiHole and then continue
onward to access my work-related documents on a fileserver.
I was hoping this could be easily achieved with Wireguard.

Using the Wireguard VPN wg0 with wg-quick worked perfectly when I
connected to my brother's phone hotspot (4G). I could access our home
via VPN as expected and could work on my documents without any
problems.
The trouble is that I am now at a different location, working with a
fixed router from Ziggo NL. For some reason the WG0 still connects
perfectly, but after that a small mystery occurs. I did not make any
modifications to WG0.conf, so I remain stumped.
With WG active, I am no longer able to access any webpage. So no
access to protonmail\gmail, reddit or anything else. Telegram,
however, is still working fine. Internal machines on the home's local
network (IP-camera) can also be accessed directly.
Disabling the WG gives me full access to any webpage as usual. So
something is amiss that affects my browser only (Firefox 91.0).

I already did some troubleshooting. Starting with Uncomplicated
Firewall (UFW). I tried disabling UFW and rebooting, but this did not
change anything. I still lacked browser access when connected with
WG0, but Telegram still worked fine.
The output from sudo wg is;
interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: <portnumber>
  fwmark: 0xca6c

peer: (hidden)
  preshared key: (hidden)
  endpoint: >our_endpoint_name<.ddns.net:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 3 seconds ago
  transfer: 92 B received, 4.77 KiB sent

To be on the safe side, I added several rules to UFW (and reloaded UFW
each time) per advice from
https://jianjye.medium.com/how-to-fix-no-internet-issues-in-wireguard-ed8f4bdd0bd1
, leaving me with the following output from ufw status verbose. (But
like I said, the problem occurs even with UFW disabled.)
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere/udp on wg0        ALLOW IN    Anywhere/udp
<portnumber>/udp                  ALLOW IN    Anywhere
<portnumber>/udp                  ALLOW IN    Anywhere
<portnumber>/udp on wlp0s20f3     ALLOW IN    Anywhere
Anywhere/udp on wlp0s20f3  ALLOW IN    Anywhere/udp
<portnumber> on wlp0s20f3         ALLOW IN    Anywhere
Anywhere/udp (v6) on wg0   ALLOW IN    Anywhere/udp (v6)
<portnumber>/udp (v6)             ALLOW IN    Anywhere (v6)
<portnumber>/udp (v6)             ALLOW IN    Anywhere (v6)
<portnumber>/udp (v6) on wlp0s20f3 ALLOW IN    Anywhere (v6)
Anywhere/udp (v6) on wlp0s20f3 ALLOW IN    Anywhere/udp (v6)
<portnumber> (v6) on wlp0s20f3    ALLOW IN    Anywhere (v6)

Anywhere on eth0           ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on eth0
Anywhere on wg0            ALLOW FWD   Anywhere on enp40s0
Anywhere on enp40s0        ALLOW FWD   Anywhere on wg0
Anywhere on wlp0s20f3      ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on wlp0s20f3
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on eth0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on enp40s0
Anywhere (v6) on enp40s0   ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wlp0s20f3 ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on wlp0s20f3

Now all these rules may be barbaric overkill, and yes I will admit
that I have a limited understanding of what everything means and how
it affects my security. Though I am a linux newcomer and employ
duckduckgo to the best of my abilities the learning curve is still
pretty much in effect. That being said, do feel free to point out any
serious flaws I may have unwittingly introduced or simply push me
towards some longreads ;)

Any hints on solving this issue are appreciated.


Additional notes;
* the DDNS in wg0.conf is properly translated to an IP address each
time. So that seems to be no issue.
* I am currently using the Dutch Ziggo network, which already seems to
have a reputation concerning the use of VPN applications. Maybe the
issue lies herein?
* Should I consider this relevant? >
https://github.com/pop-os/pop/issues/773 I am a bit cautious about
doing more random stuff before actually understanding what is going
on.

Regards,
Sander


More information about the WireGuard mailing list