
Fix WireGuard VPN (wg-easy) not working on Oracle Cloud VPS

After a long time without touching Oracle Cloud’s free VPS, I came back a few days ago. Unexpectedly, when accessing the Dashboard again, I was able to immediately create an ARM VPS with 4 vCPU, 24GB RAM and 200GB HDD. I am taking advantage of it to play around with new web apps.

While installing Wirehole-UI to set up a VPN on this Oracle Cloud server, I discovered that WireGuard was no longer working. More precisely, the client could still connect to the server, but could not access the Internet.

This article will give you a quick guide on how to fix WireGuard VPN not working on Oracle Cloud VPS.

1. Cause of error

The Wirehole-UI application runs on top of a WireGuard VPN that is set up by wg-easy. By default, after activation, wg-easy configures the container’s iptables to allow WireGuard clients to access the Internet through interface eth0.

You can check this by viewing the contents of the wg0.conf file, located in the same directory as the docker-compose.yml file.

sudo cat wg0.conf
# Note: Do not edit this file directly. 
# Your changes will be overwritten! 

# Server 
[Interface]
PrivateKey = GC3uPUZkrEVtvxxxxxxxkw+//UNQCpqTMO3sTVSkE0=
Address = 10.8.0.1/24
ListenPort = 51820
PreUp = 
PostUp =  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; 
PreDown = 
PostDown = 

Line 10 (the PostUp line) contains the command that configures iptables, using interface eth0.

However, on an Oracle Cloud VPS, the created container sometimes does not use eth0 but eth1. Check with the following command:

docker exec wg-easy ip r | grep default | cut -d ' ' -f 5 | head -n1
eth1

Because the iptables command is written to apply to interface eth0, the WireGuard client can reach the server but cannot access the Internet.

2. How to fix

Update the docker-compose.yml file: add the parameter - WG_DEVICE=eth+ to the environment: section. In iptables, a trailing + in an interface name is a wildcard, so eth+ matches eth0, eth1 and any other interface whose name begins with eth. Also change the image name to ghcr.io/wg-easy/wg-easy:13.

The contents of wg-easy’s docker-compose.yml file will look like this. If you use Wirehole-UI, edit the wg-easy service section.

version: "3.8"
services:
  wg-easy:
    environment:
      # ⚠️ Required:
      # Change this to your host's public address
      - WG_HOST=111.111.111.111
      - WG_DEVICE=eth+
      #- WG_PATH='./'
      # Optional:
      # - PASSWORD=10h30
      # - WG_PORT=51820
      # - WG_DEFAULT_ADDRESS=10.8.0.x
      # - WG_DEFAULT_DNS=1.1.1.1
      # - WG_MTU=1420
      # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24
      # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
      # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
      # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
      # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
    image: ghcr.io/wg-easy/wg-easy:13
    container_name: wg-easy
    volumes:
      - .:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51824:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

Then reactivate with the command

docker compose down
docker compose up -d

Check the wg0.conf file again; you will see that the interface in the iptables command line has changed from eth0 to eth+.

# Note: Do not edit this file directly. 
# Your changes will be overwritten! 

# Server 
[Interface]
PrivateKey = GC3uPUZkrEVtvxxxxxxxkw+//UNQCpqTMO3sTVSkE0=
Address = 10.8.0.1/24
ListenPort = 51820
PreUp = 
PostUp =  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth+ -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; 
PreDown = 
PostDown = 
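
As a check for the interface mismatch described above, this shell script (an added example, not part of the original post or the wg-easy project) extracts the MASQUERADE rule's outbound interface from wg0.conf and tests whether it covers the container's default-route device, applying the iptables + wildcard. The function names and the sample config and route data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the post or wg-easy). Sample data is constructed.

# Print the -o interface of the MASQUERADE rule from a wg0.conf on stdin.
masq_iface() {
  sed -n 's/^PostUp *=.*-o \([^ ;]*\) -j MASQUERADE.*/\1/p' | head -n1
}

# Print the default-route device from `ip r` output on stdin. Looks for the
# "dev" keyword rather than assuming it is always field 5.
default_iface() {
  awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# iptables rule: a name ending in "+" matches every interface that begins with
# the text before it; any other name must match exactly.
iface_matches() {  # $1 = rule interface, $2 = real interface
  case "$1" in
    *+) case "$2" in "${1%+}"*) return 0 ;; esac; return 1 ;;
    *)  [ "$1" = "$2" ] ;;
  esac
}

# $1 = wg0.conf text, $2 = `ip r` output. Prints a verdict; non-zero on failure.
check_nat() {
  rule=$(printf '%s\n' "$1" | masq_iface)
  dev=$(printf '%s\n' "$2" | default_iface)
  if [ -z "$rule" ] || [ -z "$dev" ]; then echo "unknown"; return 2; fi
  if iface_matches "$rule" "$dev"; then
    echo "ok: $rule covers $dev"
  else
    echo "mismatch: rule uses $rule, traffic leaves via $dev"; return 1
  fi
}

# Constructed sample input modelled on the files shown above.
CONF_BEFORE='[Interface]
Address = 10.8.0.1/24
PostUp =  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;'
CONF_AFTER=$(printf '%s\n' "$CONF_BEFORE" | sed 's/-o eth0 /-o eth+ /')
ROUTES='default via 172.18.0.1 dev eth1
172.18.0.0/16 dev eth1 scope link'

check_nat "$CONF_BEFORE" "$ROUTES" || true   # mismatch
check_nat "$CONF_AFTER" "$ROUTES"            # ok
# Live use: check_nat "$(sudo cat wg0.conf)" "$(docker exec wg-easy ip r)"
```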

That’s it. If nothing went wrong, WireGuard VPN should be working fine on Oracle Cloud VPS.
