No handshake, no connection... IP discovery issue?

First use of Wireguard container, but I have no internet. It seems that it is an issue with
discovering my public IP. For the URL I entered

SERVERURL=wireguard.mydomain.com

but there is no handshake when activated on Android phone.

However if I instead use either a DDNS domain or my current public IP (not fixed IP), handshake is instant and the tunnel connects.

I suspect the issue is that my domain is on Cloudflare behind their proxy, so that my public IP is not returned by ping. I’d prefer not to use the DDNS due to reliability. Is there a simple solution I’m overlooking to enable IP discovery properly?

Thank you!

Create a dns A record for the subdomain wireguard and set up a service that updates that IP (cron+curl or a container like ddclient or cloudflareddns).

If your public IP is dynamic, you have no other choice. You need to have a dns record that gets updated every time your public IP changes.

I have that … through a wildcard A record and Cloudflare IP updater. I checked “wireguard.mydomain.com” using https://www.whatsmydns.net/ and it shows good propagation (of course it returns Cloudflare IPs as it is proxied).

Is my only recourse a non-proxied A record? I didn’t want to do anything that might reveal my personal IP associated with my domain. Thanks!

If you don’t want your IP listed anywhere and it changes all the time, how do you expect the android wireguard client to know what it is?

My other containers work via Cloudflare proxy… for example jellyfin, joplin, mail… hxxps//:joplin.domain.com.

I tried URL=auto without success. If I open a container browser to “what’s my IP” it finds my external IP. What is different with WG?

You have multiple things going on:
- Cloudflare proxy proxies http traffic, not wireguard, so that won’t work.
- If set to auto, the peer conf generated will have your public IP, but it still needs the port forwarded. But even then, it will only work initially, until your public IP changes.

I’m trying to get you to think this through so you understand how it all fits together. That way you can troubleshoot issues yourself in the future.
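Putting the two replies above together (the "cron+curl" updater suggested earlier and the point that a proxied record can never carry a WireGuard handshake), here is an added example of such an updater with a pre-flight check. It is not code from the thread, the linuxserver.io container or Cloudflare; the environment variables (WG_HOST, CF_API_TOKEN, CF_ZONE_ID, CF_RECORD_ID), the IP echo service and the state-file path are assumptions, and the peer still needs UDP 51820 (WireGuard's default port) forwarded to the host.

```shell
#!/bin/sh
# Added example (not from the thread or the container project): a cron-driven
# updater for a NON-proxied Cloudflare A record, plus a check that the name
# used as SERVERURL actually resolves to this host's public IP.
# Assumed/hypothetical: WG_HOST, CF_API_TOKEN, CF_ZONE_ID, CF_RECORD_ID,
# IP_ECHO and STATE_FILE.
set -eu

WG_HOST="${WG_HOST:-wireguard.example.com}"      # assumption: the name in SERVERURL
STATE_FILE="${STATE_FILE:-/var/lib/wg-ddns/last_ip}"
IP_ECHO="${IP_ECHO:-https://ifconfig.me}"        # assumption: any plain-text IP echo service

# Return 0 if $1 is an IPv4 dotted quad, else 1.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# JSON body for the Cloudflare "update DNS record" call. proxied=false is the
# point: a proxied (orange-cloud) record resolves to Cloudflare edge IPs that
# only relay HTTP(S), so WireGuard's UDP handshake never reaches the server.
build_payload() {
  printf '{"type":"A","name":"%s","content":"%s","ttl":120,"proxied":false}' "$1" "$2"
}

# 0 when the current IP ($1) differs from the last one pushed ($2).
ip_changed() {
  [ "$1" != "$2" ]
}

# Classify what a peer sees when it resolves WG_HOST:
#   ok         - record matches our public IP
#   stale      - record still holds the IP we pushed earlier (public IP moved)
#   mismatch   - record points elsewhere, e.g. Cloudflare edge IPs (proxied)
#   unresolved - no A record at all
# The proxied case shows up as "mismatch" without embedding Cloudflare's
# address ranges: the record simply does not point at this host.
classify_record() {
  public_ip="$1"; resolved="$2"; last_pushed="$3"
  if [ -z "$resolved" ]; then echo unresolved
  elif [ "$resolved" = "$public_ip" ]; then echo ok
  elif [ -n "$last_pushed" ] && [ "$resolved" = "$last_pushed" ]; then echo stale
  else echo mismatch
  fi
}

current_public_ip() { curl -fsS "$IP_ECHO"; }

# First IPv4 answer for a name (glibc getent); empty when nothing resolves.
resolved_ip() { getent ahostsv4 "$1" 2>/dev/null | awk '{print $1; exit}'; }

# Cloudflare API v4: PATCH the existing record in place.
update_record() {  # $1 = new IP
  curl -fsS -X PATCH \
    "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records/${CF_RECORD_ID}" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "$(build_payload "$WG_HOST" "$1")" >/dev/null
}

main() {
  ip="$(current_public_ip)"
  is_ipv4 "$ip" || { echo "could not determine public IP" >&2; exit 1; }
  last="$(cat "$STATE_FILE" 2>/dev/null || true)"
  if ip_changed "$ip" "$last"; then
    update_record "$ip"
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$ip" > "$STATE_FILE"
    echo "updated $WG_HOST -> $ip"
  fi
  echo "$WG_HOST currently resolves as: $(classify_record "$ip" "$(resolved_ip "$WG_HOST")" "$last")"
  # Even with "ok", the handshake still needs UDP 51820 forwarded to this host.
}

# Runs only when invoked for real, e.g. from cron:
#   */5 * * * * WG_DDNS_RUN=1 /usr/local/bin/wg-ddns.sh
if [ "${WG_DDNS_RUN:-0}" = "1" ]; then main "$@"; fi
```

A "mismatch" result with the record looking healthy in whatsmydns is exactly the symptom in this thread: the name resolves, but to Cloudflare's proxy, not to the host. Note that this does not achieve what the original poster hoped for; a non-proxied DDNS record is public by definition, which is why a separate hostname dedicated to WireGuard is the usual compromise.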

Ok, this is becoming clearer.

> Cloudflare proxy proxies http traffic, not wireguard

I presumed traffic was traffic, and that WG was “sophisticated” HTTPS.

> If set to auto, the peer conf generated will have your public IP, but it still needs the port forwarded. But even then, it will work initially until your public IP changes.

Yes, I see in the conf file that it lists that IP, URL… that it is dependent upon. If those change the conf is useless.

So my “solution” is to use a DDNS domain (with updater) dedicated for WG service. This preserves the privacy of my domain’s IP.

> I’m trying to get you to think this through so you understand how it all fits together. That way you can troubleshoot issues yourself in the future.

I appreciate that. Thank you.
