I’m currently trying to set up my Fedora 33 Workstation laptop as a wireguard VPN client to route all my internet traffic through my employer's wireguard server. They have provided me with the following configuration file, which I placed into /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <hidden>
Address = 141.26.29.47/32, 2001:4c80:50:100::1D2F/128
DNS = 141.26.64.60
MTU = 1380
[Peer]
PublicKey = <hidden>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wireguard.uni-koblenz.de:51820
However, after I start the VPN connection via
$ sudo wg-quick up wg0
I am no longer able to access anything on the Internet, e.g. pinging Google times out:
$ ping google.de
PING google.de(muc12s03-in-x03.1e100.net (2a00:1450:4016:802::2003)) 56 data bytes
# No further output
I have diagnosed the problem so far in that it is related to firewalld. If I stop it everything works as expected, i.e. internet is accessible and routed through my employer:
$ sudo systemctl stop firewalld
I do not know much about firewalld, but since it’s enabled by default on Fedora, I would like to keep it so. I have tried searching the web a bit for how to set it up, but have so far been unsuccessful. I have added a port for 51820/udp and turned on masquerading for both the FedoraWorkstation and the default zone:
$ firewall-cmd --list-all
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: wlp0s20f3
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp 51820/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns ssh
ports: 51820/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Additionally, I think I have all required kernel parameters:
$ sysctl -a
# Manually truncated
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.wg0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.wg0.forwarding = 1
Last, I don’t think this is a selinux problem. When I run setenforce 0 before doing wg-quick up wg0 I still see the exact same behavior.
In case this is relevant, here is some information on my system:
$ sudo wg
interface: wg0
public key: (hidden)
private key: (hidden)
listening port: 34874 # port seems to be random for every new connection
fwmark: 0xca6c # seems to at least change between this and 0xcc48
peer: (hidden)
endpoint: [2001:4c80:50:52::61e]:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 148 B sent
$ uname -r
5.9.16-200.fc33.x86_64
Does anybody know what I’m missing?
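The checks the question walks through by hand (which zone wg0 lands in, whether masquerade is on, whether forwarding is enabled) can be scripted; the following is an added example written for this page, not code from the post or from firewalld. It parses the text that `firewall-cmd --zone=Z --list-all` and `sysctl` print, using constructed sample output, and only calls the real `firewall-cmd --get-zone-of-interface` when it is installed. It reports state and does not diagnose the root cause.

```shell
#!/bin/sh
# Added example (not from the original post). Pure-text checks over the output
# formats shown in the question so they can run offline.

# zone_has_interface LISTING IFACE -> succeeds if IFACE is on the "interfaces:" line
zone_has_interface() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == ifc) found = 1 }
    END { exit found ? 0 : 1 }'
}

# zone_masquerade_on LISTING -> succeeds if the zone shows "masquerade: yes"
zone_masquerade_on() {
  printf '%s\n' "$1" | awk '$1 == "masquerade:" && $2 == "yes" { f = 1 } END { exit f ? 0 : 1 }'
}

# sysctl_is_one SYSCTL_OUTPUT KEY -> succeeds if the line "KEY = 1" is present
sysctl_is_one() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $3 == "1" { f = 1 } END { exit f ? 0 : 1 }'
}

# Constructed samples, shaped like the listings in the question (not live output).
SAMPLE_ZONE='FedoraWorkstation (active)
  target: default
  interfaces: wlp0s20f3
  masquerade: yes'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0'

# report_wg0 LISTING SYSCTL_OUTPUT -> prints one line per finding, returns 0
report_wg0() {
  zone_has_interface "$1" wg0 ||
    echo "wg0 is not explicitly bound to this zone (unbound interfaces use the default zone)"
  zone_masquerade_on "$1" || echo "masquerade is off in this zone"
  sysctl_is_one "$2" net.ipv4.ip_forward || echo "IPv4 forwarding is off"
  sysctl_is_one "$2" net.ipv6.conf.all.forwarding || echo "IPv6 forwarding is off"
  # Live query when firewalld is present; harmless no-op otherwise.
  if command -v firewall-cmd >/dev/null 2>&1; then
    printf 'live zone of wg0: %s\n' "$(firewall-cmd --get-zone-of-interface=wg0 2>/dev/null || echo none)"
  fi
  return 0
}

report_wg0 "$SAMPLE_ZONE" "$SAMPLE_SYSCTL"
```

Run it with `sh` on the laptop to see the live zone line; the sample findings above it show how the parsers react to the constructed listing.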