How to fix connected but no internet access issues in Wireguard + UFW + IPTables
I just spent the whole day trying to figure out why my Wireguard wasn't working. The client seems to be able to connect, but it's not sending or receiving any data. Running wg show doesn't show that the client is connected. It's weird!
I was using this script from angristan and I thought maybe I botched the setup during my first try. So I re-installed again with the script. Still no luck.
Then, by chance, I realized that if I disable ufw with ufw disable, my Wireguard client would start working fine!
That's great. Now we just have to figure out the right rules to add. But this part is quite painful as well, as it seems like everyone stops short of sharing the actual config, which was key to solving the entire thing!
Lucky for you, I have it right here.
Step 1. Make sure that it’s indeed a UFW issue.
Test it by disabling UFW via the command:
$ ufw disable
If your client can now connect and load properly then you may continue with the guide. Else you may have a different issue and things mentioned here may not help you very much.
Step 2. Shut down wg0 before updating its config file
Type in this command:
$ wg-quick down wg0
Step 3. Add in new UFW rules into the config file
Open /etc/wireguard/wg0.conf and edit the file, appending these commands to the end of PostUp and PostDown. Replace <port> with the Wireguard listen port that you set up:
PostUp = ...; ufw route allow in on wg0 out on eth0; ufw route allow in on eth0 out on wg0; ufw allow proto udp from any to any port <port>
PostDown = ...; ufw route delete allow in on wg0 out on eth0; ufw route delete allow in on eth0 out on wg0; ufw delete allow proto udp from any to any port <port>
The full config file would look like this if you have a listen port of 54961:
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 54961
PrivateKey = ...
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ufw route allow in on wg0 out on eth0; ufw route allow in on eth0 out on wg0; ufw allow proto udp from any to any port 54961
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ufw route delete allow in on wg0 out on eth0; ufw route delete allow in on eth0 out on wg0; ufw delete allow proto udp from any to any port 54961
### Client abc
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
Step 4. Make sure the server allows IP Forwarding
Open /etc/sysctl.conf and uncomment these lines:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Open /etc/ufw/sysctl.conf and uncomment these lines:
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
Then run this command to apply the new settings:
$ sysctl -p
Step 5. Time of reckoning…
Let’s restart UFW:
$ ufw disable
$ ufw enable
Next we bring wg0 back online:
$ wg-quick up wg0
Then, let’s see if you have the same rules in your UFW (or you can jump right into testing your connection):
$ ufw status
You may have more rules than these, and that's fine. The 6 key lines required for Wireguard are as follows. Make sure your UFW has them:
- The 2x 54961/udp lines
- The 4x Anywhere on lines at the bottom
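To turn the check above into something repeatable, here is a small script (an added example, not part of the original post) that parses the text of ufw status and confirms the two udp lines and four route lines are present. It assumes the default ufw status column layout and takes the port and interface names (54961, wg0, eth0) from the sample config above; the two status samples inside it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the six UFW rules the
# post requires by parsing `ufw status` text, without touching the live
# firewall. Port/interface names are assumptions from the post's wg0.conf.
WG_PORT="${WG_PORT:-54961}"
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
# Count lines of "$2" matching extended regex "$1"; print 0 rather than
# failing when nothing matches, so it is safe under `set -e`.
count_lines() {
    printf '%s\n' "$2" | grep -Ec -- "$1" || true
}
# Print "<udp rules> <route rules>" found in the given `ufw status` output.
# Expected after Step 5: 2 port lines (v4+v6) and 4 route lines (v4+v6, both ways).
count_wg_rules() {
    udp=$(count_lines "^${WG_PORT}/udp .*ALLOW" "$1")
    fwd=$(count_lines "^Anywhere.* on (${WG_IF}|${WAN_IF}) +ALLOW.*Anywhere.* on (${WG_IF}|${WAN_IF})" "$1")
    echo "$udp $fwd"
}
# Return 0 when all six rules are present, 1 otherwise (with a hint on stderr).
check_ufw_rules() {
    set -- $(count_wg_rules "$1")
    [ "$1" -ge 2 ] && [ "$2" -ge 4 ] && return 0
    echo "missing rules: found $1/2 udp lines, $2/4 route lines" >&2
    return 1
}
# Constructed sample of `ufw status` after a successful Step 5 (not a real capture).
SAMPLE_OK='Status: active

To                         Action      From
--                         ------      ----
54961/udp                  ALLOW       Anywhere
54961/udp (v6)             ALLOW       Anywhere (v6)
Anywhere on eth0           ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on eth0
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on eth0'
# Constructed sample where PostUp never ran, so the route rules are absent.
SAMPLE_MISSING='Status: active

To                         Action      From
--                         ------      ----
54961/udp                  ALLOW       Anywhere
54961/udp (v6)             ALLOW       Anywhere (v6)'
# On a real server: check_ufw_rules "$(ufw status)" && echo "UFW rules OK"
```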
Hopefully now that you have made it this far, your client connection is working as expected!