How to fix connected but no internet access issues in Wireguard + UFW + IPTables


I just spent the whole day trying to figure out why my Wireguard wasn’t working. The client seems to be able to connect, but it’s not sending or receiving any data. Doing a wg show doesn’t show that the client is connected. It’s weird!

I was using this script from angristan and I thought maybe I botched the setup during my first try. So I re-installed again with the script. Still no luck.

Then, by chance, I realized that… if I disable ufw with ufw disable, my Wireguard client would start working fine!

That’s great; now we just have to figure out the right rules to add. But this part is quite painful as well, as it seems like everyone stops short of sharing the actual config, which was key to solving the entire thing!

Lucky for you, I have it right here.

Step 1. Make sure that it’s indeed a UFW issue.

Test it by disabling UFW via the command:

$ ufw disable

If your client can now connect and load pages properly, then you may continue with the guide. Otherwise you may have a different issue, and the steps mentioned here may not help you very much.

Step 2. Shut down wg0 before updating its config file

Type in this command:

$ wg-quick down wg0

Step 3. Add in new UFW rules into the config file

Open /etc/wireguard/wg0.conf and append these commands to the end of the existing PostUp and PostDown lines. Replace <port> with the Wireguard listen port that you set up, and replace eth0 with the name of your server’s public interface if it is called something else (the same name the script used in its iptables rules):

PostUp = ...; ufw route allow in on wg0 out on eth0; ufw route allow in on eth0 out on wg0; ufw allow proto udp from any to any port <port>
PostDown = ...; ufw route delete allow in on wg0 out on eth0; ufw route delete allow in on eth0 out on wg0; ufw delete allow proto udp from any to any port <port>

The full config file would look like this if you have a listen port of 54961:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 54961
PrivateKey = ...
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ufw route allow in on wg0 out on eth0; ufw route allow in on eth0 out on wg0; ufw allow proto udp from any to any port 54961
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ufw route delete allow in on wg0 out on eth0; ufw route delete allow in on eth0 out on wg0; ufw delete allow proto udp from any to any port 54961
### Client abc
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

Step 4. Make sure the server allows IP Forwarding

Open /etc/sysctl.conf and uncomment these lines:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Open /etc/ufw/sysctl.conf and uncomment these lines:

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

Then apply the /etc/sysctl.conf settings without rebooting (the values in /etc/ufw/sysctl.conf are applied by UFW itself when it is enabled again in Step 5):

$ sysctl -p

Step 5. Time of reckoning…

Let’s restart UFW:

$ ufw disable
$ ufw enable

Next we get wg0 back online:

$ wg-quick up wg0

Then, let’s see if you have the same rules in your UFW (or you can jump right into testing your connection):

$ ufw status

You may have more rules than these, and that’s fine. The 6 key lines required for Wireguard are as follows. Make sure your UFW has them:

  • The 2x 54961/udp lines
  • The 4x lines beginning with Anywhere on at the bottom (the route rules for wg0 and eth0, in both directions, for IPv4 and IPv6)
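A check for the state Steps 4 and 5 should leave the server in, added here as an example (it is not from the original post or from the angristan script). It parses the text ufw status prints and confirms the two listen-port lines and the four route lines are there, then reads the kernel’s forwarding switches. The port 54961 and the names wg0 and eth0 are the guide’s values and are assumptions, overridable through WG_PORT, WG_IF and WAN_IF; the embedded status listing is a constructed sample in the shape ufw prints, not output captured from a real server.

```sh
#!/bin/sh
# Added example, not part of the original post or the angristan script:
# verify the state Steps 4 and 5 should leave the server in.
# Port and interface names are assumptions taken from the guide; override
# them with WG_PORT, WG_IF and WAN_IF if your setup differs.

WG_PORT="${WG_PORT:-54961}"
WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"

# Constructed sample in the shape `ufw status` prints once the PostUp rules
# from the guide are active (not captured from a real server).
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
54961/udp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
54961/udp (v6)             ALLOW       Anywhere (v6)
Anywhere on eth0           ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on eth0
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on eth0'

# check_ufw_status: reads `ufw status` text on stdin, reports any of the six
# required rules that are missing, and returns 0 only when all are present.
check_ufw_status() {
    status="$(cat)"
    missing=0

    # Two listen-port lines: IPv4, and IPv6 (which ufw marks with "(v6)").
    udp=$(printf '%s\n' "$status" | grep -Ec "^${WG_PORT}/udp( \(v6\))? +ALLOW +Anywhere") || true
    if [ "$udp" -lt 2 ]; then
        echo "missing: expected 2 '${WG_PORT}/udp ALLOW' lines, found $udp"
        missing=1
    fi

    # Four route rules: wg0<->eth0 in both directions, each for IPv4 and IPv6.
    # ufw shows "route allow in on A out on B" as "Anywhere on B  ALLOW FWD  Anywhere on A".
    for pair in "$WG_IF $WAN_IF" "$WAN_IF $WG_IF"; do
        set -- $pair
        fwd=$(printf '%s\n' "$status" | grep -Ec "^Anywhere( \(v6\))? on $1 +ALLOW FWD +Anywhere( \(v6\))? on $2") || true
        if [ "$fwd" -lt 2 ]; then
            echo "missing: expected 2 'Anywhere on $1 ALLOW FWD Anywhere on $2' lines, found $fwd"
            missing=1
        fi
    done

    if [ "$missing" -eq 0 ]; then
        echo "all six WireGuard UFW rules present"
    fi
    return "$missing"
}

# check_forwarding [V4_FILE] [V6_FILE]: returns 0 when both kernel switches
# from Step 4 read 1. Paths default to the live /proc files; pass other
# paths to test the logic offline.
check_forwarding() {
    v4="${1:-/proc/sys/net/ipv4/ip_forward}"
    v6="${2:-/proc/sys/net/ipv6/conf/all/forwarding}"
    bad=0
    for f in "$v4" "$v6"; do
        val=$(cat "$f" 2>/dev/null || echo "?")
        if [ "$val" != "1" ]; then
            echo "forwarding not enabled: $f = $val"
            bad=1
        fi
    done
    return "$bad"
}

# On the server itself, run:  ufw status | check_ufw_status && check_forwarding
# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_STATUS" | check_ufw_status
```

If the script reports a missing route line, the usual cause is a PostUp line that ran before the edit in Step 3, so bring wg0 down, re-check the config, and bring it up again; if check_forwarding fails while ufw status looks right, Step 4 was not applied and clients will connect but carry no traffic, which is exactly the symptom this guide is about.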

Was it helpful?

If you find this article helpful, do give me a little clap on Medium. 😄 It really makes my day to know that I have helped a fellow developer out there. Thanks!

I write about Laravel, PHP, and web development related articles.
