How to fix connected but no internet access issues in Wireguard + UFW + IPTables

Jian Jye
4 min readMar 25, 2021

--

Photo by Piron Guillaume on Unsplash

I just spent the whole day trying to figure out why isn’t my Wireguard working. The client seems to be able to connect but it’s not sending or receiving any data. Doing a wg show doesn’t show that the client is connected. It’s weird!

I was using this script from angristan and I thought maybe I botched the setup during my first try. So I re-install again with the script. Still no luck.

Then through chance, I realized that… if I disable ufw with ufw disable , my Wireguard client would start working fine!

That’s great now we just have to figure out the right rules to add. But this part is quite painful as well as it seems like everyone stops short of sharing the actual config which was key to solving the entire thing!

Lucky for you, I have it right here.

Step 1. Make sure that it’s indeed a UFW issue.

Test it by disabling UFW via the command:

$ ufw disable

If your client can now connect and load properly then you may continue with the guide. Else you may have a different issue and things mentioned here may not help you very much.

Step 2. Shut down wg0 before updating its config file

Type in this command:

$ wg-quick down wg0

Step 3. Add in new UFW rules into the config file

Go to /etc/wireguard/wg0.conf and edit the file, append these commands to the back of PostUp and PostDown. Replace <port> with the Wireguard listen port that you set up:

PostUp = ...; ufw route allow in on wg0 out on eth0; ufw route allow in on eth0 out on wg0; ufw allow proto udp from any to any port <port>PostDown = ...; ufw route delete allow in on wg0 out on eth0; ufw route delete allow in on eth0 out on wg0; ufw delete allow proto udp from any to any port <port>;

The full config file would look like this if you have a listen port of 54961:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 54961
PrivateKey = ...
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptable
s -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ufw route allow in on wg0 out on eth0; ufw route allow in on eth0 out on wg0; ufw allow proto udp from any to any port 54961
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ufw route delete allow in on wg0 out on eth0; ufw route delete allow in on eth0 out on wg0; ufw delete allow proto udp from any to any port 54961
### Client abc
[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

Step 4. Make sure the server allows IP Forwarding

Open /etc/sysctl.conf and uncomment these lines:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Open /etc/ufw/sysctl.confand uncomment these lines:

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

Then run the command to update the system:

$ sysctl -p

Step 5. Time of reckoning…

Let’s restart UFW:

$ ufw disable
$ ufw enable

Next we get wg0 back online:

$ wg-quick up wg0

Then, let’s see if you have the same rules in your UFW (or you can jump right into testing your connection):

$ ufw status

You may have more rules like these and it’s fine. The 6 key lines required for Wireguard are as followed. Make sure your UFW has them:

  • The 2x 54961/udp lines
  • The 4x Anywhere on lines at the bottom

Was it helpful?

If you find this article helpful, do give me a little clap on Medium. 😄 It really makes my day to know that I have helped a fellow developer out there. Thanks!

--

--

Jian Jye

I write about Laravel, PHP, and web development related articles.