
When I activate my local WireGuard client, I am unable to access the internet from my browser. However, I am successfully connecting to my WireGuard peer. I am using macOS 12.6.

Here is my local WireGuard configuration file:

[Interface]
PrivateKey = <private key>
Address = 192.168.220.7/24
DNS = 192.168.100.30

[Peer]
PublicKey = <public key>
PresharedKey = <preshared key>
AllowedIPs = 192.168.100.0/24, 192.168.200.0/24, 192.168.102.0/24, 192.168.103.0/24
Endpoint = <endpoint ip>

As far as I understand, the WireGuard connection should only be used if the IP address falls within the range defined under "AllowedIPs". However, I could be wrong about that.

When I run the ifconfig command in my terminal and look for the WireGuard tunnel, it looks like this:

utun5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420
    options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
    inet 192.168.220.7 --> 192.168.220.7 netmask 0xffffff00
  • Are you able to reach hosts on the peer? Specifically, are you able to reach 192.168.100.30 for DNS queries?
    Commented Jul 5, 2023 at 12:26
  • Thanks for your fast reply! I tried to ping 192.168.100.30 (the DNS server) directly from the peer machine and it did not work. What does this imply?
    – Jakob
    Commented Jul 5, 2023 at 12:43
  • Also, from my local machine I cannot ping 192.168.100.30, no matter whether I have the WireGuard connection activated or not.
    – Jakob
    Commented Jul 5, 2023 at 12:53
  • It's supposed to be on the remote network; who manages it and can they check whether they're at least receiving your packets? Can you ping anything else in the remote network by IP address?
    Commented Jul 5, 2023 at 13:07
  • Yes, I can ping other servers within the remote network. But I can't ping the DNS server in the remote network (192.168.100.30).
    – Jakob
    Commented Jul 7, 2023 at 9:30

2 Answers


As far as I understand, the WireGuard connection should only be used if the IP address falls within the range defined under "AllowedIPs".

Yes, but in order to determine the IP address, your DNS server must be contacted – which cannot be made to depend on the website's IP address (as it isn't known yet…), so the configured 192.168.100.30 will need to be contacted for any address.

It sounds like the DNS server is currently down (or you have the wrong IP address), so you won't be able to "access Internet" as long as you're using it for DNS.

Some operating systems (e.g. Linux with systemd-resolved) can choose from multiple DNS servers depending on the domain name, but as far as I know WireGuard doesn't yet configure that correctly even where it's available (it does not have a Domain= option).

  • Thank you very much for your answer, it has helped me to understand the topic better and ultimately fix the issue. It turns out the firewall was set up incorrectly so that the DNS server could not be reached. Once this was fixed I can also access the Internet while being connected to WireGuard.
    – Jakob
    Commented Jul 7, 2023 at 15:37
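As an added illustration of the point made in this answer (example code written for this page, not from the answerer or from the WireGuard project): a small Python script that parses a wg-quick configuration and reports, for each DNS= server, whether it falls inside a peer's AllowedIPs, i.e. whether name resolution depends on the tunnel at all. SAMPLE_CONF is a constructed copy of the question's configuration; run on it, the script shows that 192.168.100.30 is covered by the peer's 192.168.100.0/24, so every lookup goes through the tunnel and an unreachable resolver blocks all browsing, while a resolver outside AllowedIPs would be reached over the normal default route.

```python
import ipaddress
# Constructed copy of the question's config; placeholders kept as posted.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <private key>
Address = 192.168.220.7/24
DNS = 192.168.100.30

[Peer]
PublicKey = <public key>
AllowedIPs = 192.168.100.0/24, 192.168.200.0/24, 192.168.102.0/24, 192.168.103.0/24
"""

def parse_wg_conf(text):
    """Return (interface dict, list of peer dicts); [Peer] may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = interface if line[1:-1].strip().lower() == "interface" else {}
            if current is not interface:
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def dns_via_tunnel(conf_text):
    """Peer index whose AllowedIPs covers each DNS= server (longest prefix), else None."""
    interface, peers = parse_wg_conf(conf_text)
    result = {}
    for server in split_list(interface.get("dns", "")):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # wg-quick also accepts search domains in DNS=; skip those
        best = None
        for idx, peer in enumerate(peers):
            for cidr in split_list(peer.get("allowedips", "")):
                net = ipaddress.ip_network(cidr, strict=False)
                if addr in net and (best is None or net.prefixlen > best[1]):
                    best = (idx, net.prefixlen)
        result[server] = None if best is None else best[0]
    return result
```

A resolver reported with a peer index is only usable while that peer actually forwards and answers, which is exactly what the firewall on the remote side was preventing here.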

Can confirm for MacOS: just remove the DNS server entry from the interface section, and it works fine.

DNS = 192.168.100.30

The idea is to have a working DNS server to resolve names to IP addresses, and the one provided by WireGuard is not doing it.
