Wireguard configuration parsing error

My goal is to create a VPN so

1. Clients have static IP addresses.
2. Clients are able to communicate with each other and the server,
3. Clients can reach global Internet through the VPN.
4. Also, I’d like to setup DNS and private domain names (working with NginX).

Here is config of the server:

[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = xxxxx

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0

And client’s config:

[Interface]
PrivateKey = xxxxx
ListenPort = 5555
Address = 10.0.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server ip>:5555

But when I’m trying to load server’s config wg setconf wg0 /etc/wireguard/wg0.conf I get this error:

Line unrecognized: `Address=10.0.0.1/24'
Configuration parsing error

Thus I commented this line. But it probably makes WG choose random IP addresses for the server and clients.

To make WireGuard work, I also ran these commands:

ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.0.1/24
ip link set up dev wg0

After all, wg commands provides the following output:

interface: wg0
  public key: xxxxx
  private key: (hidden)
  listening port: 5555

peer: xxxxx
  endpoint: <my IP address>:6228
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 11 seconds ago
  transfer: 26.02 KiB received, 248 B sent

From the client (which is MacOS with WireGuard GUI) I’m able to connect, but:

• I get no Internet connection. I even can’t ping the server by global IP address, though I can with the private one, 10.0.0.1.
• I’m able to get connected to VPN even if I change the port in client’s config. I think it means that it doesn’t really get connected.

So, how can I achieve my goals? And what’s wrong with my configs??

_{PS. Neither iptables nor firewalls are installed on the server, so it can’t be a problem. Also, I have specified net.ipv4.ip_forward=1 & net.ipv6.conf.all.forwarding=1 in the /etc/sysctl.conf.
Software versions. OS is Ubuntu 18.04.4 LTS, Kernel: 4.15.0-20-generic, WG: wireguard-tools v1.0.20200206.}

Update

I removed Address from server’s config, and set AllowedIPs = 10.0.0.2/24 in the client’s one, I finally got connected to the server’s NginX from client by private IP, and able to reach the Internet (coz traffic goes outside VPN).

But if I set AllowedIPs = 0.0.0.0/0 on the client, I have no Internet access, though still can reach server by VPN’s IP address 10.0.0.1. I tried solving it with ifconfig wg0 broadcast/multicast, but had no success. Now the command ip address show wg0 provides the following output:

4: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.10.10.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet 10.10.10.1 peer 10.10.10.2/32 scope global wg0
       valid_lft forever preferred_lft forever

In addition, I cannot access one client from another, I think it’s the same problem. How can I fix WireGuard configs or server network settings to solve the problem?

Hi there,

i hope you can help me as i saw there are a few Wireguard Users here as well.

I did setup Armbian 20.05.4 Buster on my Cubietruck and configured Wireguard. After a few mistakes the connection from outside (iOS Client) is stable but very slow. I went to the obvious roads and found the MTU setting on the client side could be an issue as well some PostUp command parameters can improve performance. But for any reason my wireguard doesn´t want to accept anything with PostUp, Safeconfig etc in my wg0.conf file: Parsing error. But without that been solved i assume i can´t work on the Performance improvement. Here a few lines of code showing the relevant config Files and the Error:

root@cubietruck:/etc/wireguard# cat wg0.conf
[Interface]
ListenPort=40404
PrivateKey=blablablaServerKey

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT


[Peer]
PublicKey=blablabla Public Key
AllowedIPs=192.168.42.100,fd00:42::100
root@cubietruck:/etc/wireguard# cat clients/omasiphone.conf 
[Interface]

      PrivateKey=blablablaclientkey
      Address=192.168.42.100/24,fd00:42::100/64
      DNS=1.1.1.1,2606:4700:4700::1111
      MTU = 1412
      PostUp = ip route add SERVER_PUBLIC_IP/32 via 192.168.1.200 dev eth0; iptables -A FORWARD -i wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      PostDown = ip route del SERVER_PUBLIC_IP/32 via 192.168.1.200 dev eth0; iptables -D FORWARD -i wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      
[Peer]
      PublicKey=blablablaclientkey
      Endpoint=ganzgeheim.myfritz.net:40404
      AllowedIPs=0.0.0.0/0,::/0
root@cubietruck:/etc/wireguard# wg setconf wg0 /etc/wireguard/wg0.conf
Line unrecognized: `PostUp=iptables-AFORWARD-iwg0-jACCEPT;iptables-tnat-APOSTROUTING-oeth0-jMASQUERADE;iptables-AFORWARD-ieth0-mstate--stateRELATED,ESTABLISHED-jACCEPT'
Configuration parsing error

Can you help me here a bit?

Мне нужно создать VPN такой, чтобы

1. У клиентов были стические IP адреса.
2. Клиенты могли взаимодействовать друг с другом и сервером,
3. Клиенты могли выходить в интернет из-под VPN.
4. Также, хотелось бы настроить собственный DNS и приватные домены (обрабатываемые NginX).

Конфигурационные сервера у меня такой:

[Interface]
Address = 10.0.0.1/24, fd86:ea04:1115::1/64
ListenPort = 5555
PrivateKey = xxxxx

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0

А это конфигурации клиента:

[Interface]
PrivateKey = xxxxx
ListenPort = 5555
Address = 10.0.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0, ::/0

Но при попытке загрузить конфигурации сервера через wg setconf wg0 /etc/wireguard/wg0.conf я получаю такую ошибку:

Line unrecognized: `Address=10.0.0.1/24,fd86:ea04:1115::1/64'
Configuration parsing error

Поэтому я закомментировал ту строку. Но это вероятно заставляет WG выбирать себе и клиентам случайные IP адреса.

Для запуска WireGuard я выполняю такие команды:

ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.0.1/24
ip link set up dev wg0

После, команда wg даёт такой вывод:

interface: wg0
  public key: xxxxx
  private key: (hidden)
  listening port: 5555

peer: xxxxx
  endpoint: <my IP address>:6228
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 11 seconds ago
  transfer: 26.02 KiB received, 248 B sent

С клиента (моя MacOS с WireGuard GUI) у меня получается подключиться, но:

• Нет соединения с интернетом. Я даже не могу пинговать сервер по глобальному адресу, хотя по приватному 10.0.0.1 получается.
• Я могу подключиться к VPN даже если укажу в конфиге клиента другой порт. Думаю, это значит, что он не подключается на самом деле.

Как мне заставить WireGuard работать нужным образом? И что не так с моими конфигами??

_{PS. На сервере нет ни iptables, ни файерволов, так что это не может быть проблемой. Также, в файле /etc/sysctl.conf я указал net.ipv4.ip_forward=1 и net.ipv6.conf.all.forwarding=1, и выполнил systemctl restart systemd-networkd.
Версии ПО. ОС: Ubuntu 18.04.1 LTS, Kernel: 4.15.0-20-generic, WG: wireguard-tools v1.0.20200206.}

A few days ago I spun up a Windows Dev VM to have a play with WireGuard for Windows.

I didn’t really have a clear goal in mind when I started playing with this — part of it was in trying to create and launch a tunnel without using the GUI. Mostly I was just trying to learn more about a new implementation of a tool that I really like.

If you read my previous article, you’ll recall that I started off trying to do this with just wireguard.exe. Here are some things I’ve discovered:

wireguard.exe does a whole lot of stuff

Wireguard.exe isn’t just a GUI, which I originally thought it was. It’s also the piece of software that shouts out to WinTun to create the interface, as well as the utility that reads the ‘extended’ attributes in your .conf file (e.g. the stuff that wg-quick takes care of), as well as the utility that sets up your routes, DNS, etc, etc, etc.

wireguard.exe doesn’t create private/public keypairs

… To do this, you instead need to use wg.exe, which is installed under your System32 folder (so it’s in your path, so it’s accessible anywhere):

PS C:> wg genkey | tee $ENV:APPDATAWireGuard.priv | wg pubkey > $ENV:APPDATAWireGuard.pub

I did figure this out the other day, but I’m reiterating here.

wg.exe can read .conf files — but you don’t really want it to

Last time, I was having trouble reading a .conf file from wg.exe:

PS C:Users> wg setconf wg0 .wg0.conf
Line unrecognized: ` ■['
Configuration parsing error

I’m not entirely sure what this was — I’ve since been able to read in a .conf file perfectly fine (for the record this is UTF-8 with Windows CRLF line-endings).

However … my breakthrough kinda sucks.

Wireguard for Windows stores it’s config files in the Windows DPAPI-encrypted vault. This is vastly better than just bunging a file in C:UsersBlah and hoping for the best. Maybe it’s not perfect — I don’t know much about DPAPI — but it’s a far cry better than nothing.

When you use wireguard.exe to import a tunnel from a .conf file, it will read it in, sanity-check it (mine failed because I accidentally hit the keyboard during copy/pasta, so it rejected the Base64 encoding), and then safely store it away in the DPAPI storage. You can then delete your original .conf file. Just do this, it’s better.

You need both wireguard.exe and wg.exe

OK so here’s the bit that I only fully realised tonight: wireguard.exe is like wg-quick, but it also provides the interface into the Windows network stack and the Windows DPAPI storage of your sensitive conf files. You can’t even run wg set without it, because wireguard.exe is even responsible for creating the IPC Server that interfaces with WinTun.

Honestly the Windows world is so much more complicated than the Linux world*. 🙄

(* some caveats apply)

Conclusion

What’s my plan now?

I’m going to make a thing that:

• Installs wireguard.msi silently
• Uses wg.exe to create a private/public keypair
• Uses that keypair to create a temporary .conf file
• Uses wireguard.exe to import that .conf file from some predetermined location
• Deletes the .conf file (probably using cipher.exe to scrub it)
• Uses wireguard.exe to install the tunnel so it opens automatically on login

I’m hoping that this will create us something like an always-on-VPN connection that can be deployed easily by an IT support person, and require no end-user interaction.