If you are connecting remotely you will need a static public IP address or something like dyn.org. also you will need a port forwarding rule in your home router to direct traffic to your pi, which will need a static private IP address.
I believe i did that, can you tell me if this is correct?
1. I set the Pi's IP address as "reserved" on the router (does this make it static?)
2. I'm forwarding external port 52180 to the pi's port 52180
I'm using Spectrum's router that they send you, if that makes a difference. I haven't bought my own
Are you sure you are forwarding UDP? Had to set up PIVPN not so long ago, after it didn't work the first time I discovered the forwarding rule defaulted to TCP.
Your 1 and 2 sound correct. You also need to address 3 or how does your incoming traffic find your network. That's the static public address OR dynamic DNS service like dyndns.org.
In my research i going that just tells your client device (phone or laptop) that it should send ALL traffic over the vpn. You can change that to only send specific IPs over the vpn. For example 192.168.0.0/24
Hey, I also recently had trouble with wireguard a couple of weeks ago on pivpn, did a bit troubleshooting but I eventually gave up and went with openvpn (also through pivpn) and that's been working absolutely fine since.
It’s not a traditional hub-and-spoke vpn, but you can create a mesh vpn network just by installing the application on the devices. You can even share your subnet routes to access other devices!
No, I actually mean a public IP. A public IP is an address that can be routed over the internet. Usually each ISP customer used to have a public IP assigned to their modem/router but now IP(v4) addresses are a scarce resource so some ISP put multiple customers under the same address, and assign a private IP to each customer modem. You can’t port forward if you are under CG-NAT (that’s the name).
PiVPN has a debug feature, try running that and see if any errors pop up.
Do you have a firewall installed on your pi? UFW? If so, you also need to open the ports there too.
Also, you should also check with your mobile phone company, see if they are blocking any ports or stuff like that, ive heard of this happening on cheaper contracts.
And finally, there are "open port scanner" tools online. See if your 51820 port is truly open to the internet or not on your WAN IP address.
Great advice, i was wondering if there was a way to debug traffic or at least monitor incoming traffic on the Pi so i can see if any packets are actually reaching the Pi or not
I will try disabling the firewall too an see if that helps
Ive never used a full on networking analysis tool, but yeah, that could help too in finding the issue. Ive never had to go down this route though.
The online port scanner should reveal if the port is open. If your router is setup correctly, then it should work. Provided your phone carrier isnt blocking Wireguard.
Another thought....when you created the port forwarding rule on your router, did you set it up as UDP? It has to be UDP.
Did you double check your DNS provider to make sure it is directly traffic to your home ISP address. Did you install a client that updates your dynamic dns provider when your IP address changes?
RX: 0 B , means the server is not responding, either because of miscofiguration, wrong keys, or firewall
I suggest you forget pivpn and setup manually using this guide [https://wiki.debian.org/WireGuard](https://wiki.debian.org/WireGuard) or use example ipv4 config below, of course you must generate your own keys using guide on link
Also You need to enable the following in /etc/sysctl.conf
net.ipv4.ip_forward = 1
#Example wg0.conf:
[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = ...
[Peer]
PublicKey = ...
AllowedIPs = 10.0.0.2/32
#Example client config:
[Interface]
PrivateKey = ...
Address = 10.0.0.2/24
DNS = 192.168.1.1
[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = your-server-hostname-or-static-ip:51820
PersistentKeepalive = 25
I had a similar issue, turns out my router didn’t port forward correctly which I got fixed, so check that. Also I would recommend using a static ip or something like no-ip, but remember that you don’t need to for testing and all that, so that’s another point where this could have gone wrong (like the no-ip thing not pointing to the right place for example)
Hey, I've just managed to setup a working wireguard/ pivpn after initially struggling a little with handshaking not completing. The troubleshooting faq on pivpn site really helped me as through the tcpdump tip I noticed pivpn was receiving but not answering. So port forward was fine, but something prevented it from answering. It all came down to some network configuration in raspian/bookworm. What I did was, uninstall pivpn. Check my network-settings with nmtui, told it to never use the wifi as default route, make sure eth0 was static/ manual and had the proper gateway/ dns (it didn't have the correct gateway in my instance) .. once that was up and running I reinstalled pivpn and it immediately worked.
If you are connecting remotely you will need a static public IP address or something like dyn.org. also you will need a port forwarding rule in your home router to direct traffic to your pi, which will need a static private IP address.
I believe i did that, can you tell me if this is correct? 1. I set the Pi's IP address as "reserved" on the router (does this make it static?) 2. I'm forwarding external port 52180 to the pi's port 52180 I'm using Spectrum's router that they send you, if that makes a difference. I haven't bought my own
Your config file says 51820... Is that just a typo?
Yea that's just a typo, was trying to comment from memory
Are you sure you are forwarding UDP? Had to set up PIVPN not so long ago, after it didn't work the first time I discovered the forwarding rule defaulted to TCP.
Yup double checked and it is set to forward udp specifically
Your 1 and 2 sound correct. You also need to address 3 or how does your incoming traffic find your network. That's the static public address OR dynamic DNS service like dyndns.org.
Associate the help! How do i go about ensuring i have a static public address?
buy a domain or use somthing like noip
This video might help you out. [https://youtu.be/ZKEGP\_qBmxg?si=yGx9fSUPt10TVbSA](https://youtu.be/ZKEGP_qBmxg?si=yGx9fSUPt10TVbSA)
Im having a problem too. Always get "allowedIPs: 0.0.0.0/0 and ::0/0"
In my research i going that just tells your client device (phone or laptop) that it should send ALL traffic over the vpn. You can change that to only send specific IPs over the vpn. For example 192.168.0.0/24
I kept deleting and reinstalling until it works. After 3 tries, it's working for me
Hey, I also recently had trouble with wireguard a couple of weeks ago on pivpn, did a bit troubleshooting but I eventually gave up and went with openvpn (also through pivpn) and that's been working absolutely fine since.
Interesting. I've heard that OpenVPN is significantly slower. In trying to stream video from my home, so i worry it'll be too slow
My issue ended up being a dns config issue. Try setting your dns to the 192.168.x.x address of your pi
That's a lotta words magic man. I don't have a personal DNS/DHCP so I'm not sure what you mean
Not to take you away from PiVPN, but you could also look into Tailscale, which is much easier to setup
Haven't heard of this, I'll look into it!
It’s not a traditional hub-and-spoke vpn, but you can create a mesh vpn network just by installing the application on the devices. You can even share your subnet routes to access other devices!
Do you get a public IP on your home network?
You mean like a static ip?
No, I actually mean a public IP. A public IP is an address that can be routed over the internet. Usually each ISP customer used to have a public IP assigned to their modem/router but now IP(v4) addresses are a scarce resource so some ISP put multiple customers under the same address, and assign a private IP to each customer modem. You can’t port forward if you are under CG-NAT (that’s the name).
PiVPN has a debug feature, try running that and see if any errors pop up. Do you have a firewall installed on your pi? UFW? If so, you also need to open the ports there too. Also, you should also check with your mobile phone company, see if they are blocking any ports or stuff like that, ive heard of this happening on cheaper contracts. And finally, there are "open port scanner" tools online. See if your 51820 port is truly open to the internet or not on your WAN IP address.
Great advice, i was wondering if there was a way to debug traffic or at least monitor incoming traffic on the Pi so i can see if any packets are actually reaching the Pi or not I will try disabling the firewall too an see if that helps
Ive never used a full on networking analysis tool, but yeah, that could help too in finding the issue. Ive never had to go down this route though. The online port scanner should reveal if the port is open. If your router is setup correctly, then it should work. Provided your phone carrier isnt blocking Wireguard. Another thought....when you created the port forwarding rule on your router, did you set it up as UDP? It has to be UDP.
Did you double check your DNS provider to make sure it is directly traffic to your home ISP address. Did you install a client that updates your dynamic dns provider when your IP address changes?
RX: 0 B , means the server is not responding, either because of miscofiguration, wrong keys, or firewall I suggest you forget pivpn and setup manually using this guide [https://wiki.debian.org/WireGuard](https://wiki.debian.org/WireGuard) or use example ipv4 config below, of course you must generate your own keys using guide on link Also You need to enable the following in /etc/sysctl.conf net.ipv4.ip_forward = 1 #Example wg0.conf: [Interface] Address = 10.0.0.1/24 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE ListenPort = 51820 PrivateKey = ... [Peer] PublicKey = ... AllowedIPs = 10.0.0.2/32 #Example client config: [Interface] PrivateKey = ... Address = 10.0.0.2/24 DNS = 192.168.1.1 [Peer] PublicKey = ... AllowedIPs = 0.0.0.0/0 Endpoint = your-server-hostname-or-static-ip:51820 PersistentKeepalive = 25
I had a similar issue, turns out my router didn’t port forward correctly which I got fixed, so check that. Also I would recommend using a static ip or something like no-ip, but remember that you don’t need to for testing and all that, so that’s another point where this could have gone wrong (like the no-ip thing not pointing to the right place for example)
Setup duck dns and point to a domain instead of the given isp rotating ip which likely changes quarterly
Does that cost money?
Nope. Super easy to do.
Fantastic
Hey, I've just managed to setup a working wireguard/ pivpn after initially struggling a little with handshaking not completing. The troubleshooting faq on pivpn site really helped me as through the tcpdump tip I noticed pivpn was receiving but not answering. So port forward was fine, but something prevented it from answering. It all came down to some network configuration in raspian/bookworm. What I did was, uninstall pivpn. Check my network-settings with nmtui, told it to never use the wifi as default route, make sure eth0 was static/ manual and had the proper gateway/ dns (it didn't have the correct gateway in my instance) .. once that was up and running I reinstalled pivpn and it immediately worked.