You are here
I've created an EC2 instance with Turnkey Wireguard VPN image provided in AWS marketplace.
Ran the initial setup connecting to it with SSH. Wasn't sure what to enter for CIDR so entered private IP of server itself. Then connected to web interface to see the admin panel, opened the console from there to start Wireguard client setup as explained here.
At this point when I run the command wireguard-addclient client-name-here 0.0.0.0/0 I get this message:
[#] wg showconf wg0 unable to find free IP in virtual subnet
No /etc/wireguard/clients/ folder is created with config file.
When I check system info from dashboard I see eth0 with private IP of instance (netmask 255.255.240.0) and wg0 to public IP, both active.
What shall I do?
By the way I believe documentation in this page and Gituhb repo can be more detailed. While I understand this is a technical process and you expect prior knowledge to use this product, if users can't run it they simply will search another option where they can follow step by step instructions. Maybe more sections in documentation describing different use cases?
Thanks for posting. I'll have to have a closer look myself
Hi there and welcome to TurnKey.
Unfortunately, I'm not a Wireguard user and I haven't worked on the Wireguard appliance much myself, so I'm not really familiar with the software or our helper scripts. I do recall doing pre-release testing on Wireguard. TBH, I don't recall the steps I took, but I do recall that it "just worked" - without me doing anything special (not that I recall anyway...).
So bottom line, to be 100% sure I'm not leading you astray, I probably need to have a look myself and try to get reacquainted with it.
Unfortunately, I'm not sure when I'll get a chance for that (I'm bit under the pump ATM). So in the meantime, let me give you a few hints of what I think might be going on.
As per step 2 in the setup docs, this needs to be a new IP on a new subnet that Wireguard will control. The first part (the IP address) will define the IP address of your server (within the private subnet - i.e. "behind" Wireguard). The second part (separated with a slash '/') gives the size of the subnet. As noted in the docs, we give examples for '10.x.x.x' subnets. E.g. if you wanted a subnet of 10.0.0.1 -> 10.0.0.254 with your Wireguard server having an IP of 10.0.0.1, set the CDIR to '10.0.0.1/24'.
Firstly, I assume that the client config wasn't created because of the error.
Looking at the error message, I can't be 100% sure, but that suggests to me that perhaps you didn't set a subnet at all, just an IP address? (I.e. a subnet of one!). As per what I wrote above, it needs to be both an IP address, as well as defining a subnet (e.g. with a '/8' suffix). If you only entered an IP address in step 2, then that's almost certainly the issue. I would not recommend using the private IP address of your AWS server, although you could use the same subnet if you wished. If you did include the subnet, then that sounds like a bug! Please let me know ASAP if you definitely did set a proper subnet or it doesn't work after defining a proper subnet.
On step 3, put he public IP address of your server (which it sounds like you have - so that should be good).
As for doc improvements, I'm sure they could be better. If you have any concrete suggestions, I'd love to implement them. Part of the issue for us is curse of knowledge - so feedback from people such as yourself is invaluable.
Thanks again for taking the time to post. If we don't get this sort of feedback, we don't have any chance to improve things!
Working now: setup start over
Here are the things I've done:
At this point I am again feeling like I need to make some criticism about documentation and tools.
I'd rather have all info in one place, rather than going back and forth with product page and document in Github repo. Also on the Github repo I see people trying to contribute (pull-request pending) remaining part of the process by streamlining it with QR code generation.
We are at this stage in the documentation.
client is ambiguous here. Are we talking about the client definition on the server Wireguard or the one that will connect to it?
Basically watching this Youtube video all was clear to me and did take remaining steps, setting up Wireguard client on the machine that will connect to the server and letting the server know about it with the key generated during that setup:
wg set wg0 peer PublicKey_of_the_Client allowed-ips IP_VPN_of_the_Client
It works now. I'll see how it goes costwise.
Thanks for your extensive feedback and info
Thank you so much for taking the time to work through this and provide your extensive and clear feedback.
Your critique of documentation and outstanding PRs not yet resolved is fair. WireGuard is coming up for a rebuild and I hope to include that pull request you refer to. For fear of sounding like I'm making excuses, we're a small team with a lot on. It's also often a case of the "squeaky wheels" getting the most oil. So thanks for being a "squeaky wheel" for WireGuard! :)
Please keep me posted on how things go and whether it continues to work out for you. Any other feedback yo have is always welcome. Also, if you ever feel an inclination, we'd welcome any improvements to our documentation. Often users such as your self are best placed to improve the documentation. The appliance page is derived from the appliance readme and if you have any specific improvements for docs, please feel free.
Add new comment