Launched a Wireguard instance in AWS - I can connect to it over the Internet but once connected have no Internet access over VPN

I installed wireguard packaged with turnkey linux on an AWS EC2 with Internet access. I can successfully access the instance over its public IP, hit the status page, and download my wireguard profile. My client will connect to the WG server and gets a local IP but cannot access the Internet.

What does it look like I’m missing?

Server information:

Network config (NOTE: eth0 is assigned a private IP in my VPC and has Internet access):

admin@wireguard ~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 12:9d:8a:5f:24:b7 brd ff:ff:ff:ff:ff:ff
    altname enX0
    inet 172.31.91.91/20 brd 172.31.95.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::109d:8aff:fe5f:24b7/64 scope link
       valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 172.31.91.0/24 scope global wg0
       valid_lft forever preferred_lft forever

Wireguard server config:

[Interface]
Address = 172.31.91.0/24
DNS = 172.31.0.2
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820
PrivateKey = ####################

[Peer]
PublicKey = ########################
AllowedIPs = 172.31.91.1/32

iptables:

$ sudo iptables -L -v -n |more
Chain INPUT (policy ACCEPT 21670 packets, 2003K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  wg0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 23205 packets, 3924K bytes)
 pkts bytes target     prot opt in     out     source               destination

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT

Client Information:

Wireguard config:

[Interface]
PrivateKey = ###########################################
Address = 172.31.80.1/32
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = ###########################################
AllowedIPs = 0.0.0.0/0
Endpoint = 34.########:51820

Network config

C:\Users\####>ipconfig
Windows IP Configuration
Unknown adapter wg0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.31.80.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
# %i is wg-quick's placeholder for the interface name (wg0 here); the extra
# "-o %i" rule lets the return traffic back into the tunnel.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT

and

echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/wg.conf
sudo sysctl --system   # apply it now; the file makes it persist across reboots

WireGuard doesn’t have an interface address on the AWS host.

They’re trying to use the same subnet as AWS is.

The iptables forward rule is redundant here; OP already has a default policy of ACCEPT for forwards AND a forward rule for wg0.

I set an iptables forward rule on the virtual wg0 adapter:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  wg0    *       0.0.0.0/0            0.0.0.0/0

Config file has the following lines already:

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;

Why is eth0 in the wg subnet?
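The points raised in this thread (tunnel subnet overlapping the VPC subnet, the server sitting on the network address, forwarding and NAT) can be checked mechanically from the two configs. The script below is an added example, not code from the thread or from the TurnKey image: it parses the server and client wg-quick configs as posted (keys and the endpoint replaced by placeholders, the endpoint with a documentation address) and reports what is wrong, then runs the same checks against a corrected pair that moves the tunnel to 10.8.0.0/24. It also checks one thing nobody in the thread mentioned but which the posted configs show: the server's peer has AllowedIPs = 172.31.91.1/32 while the client uses Address = 172.31.80.1/32, and WireGuard's cryptokey routing drops any packet from a peer whose source address is not inside that peer's AllowedIPs, so the client's packets never reach the forwarding path at all. The `ip_forward` argument stands in for the output of `sysctl -n net.ipv4.ip_forward`; the finding codes are this example's own.

```python
import ipaddress

# Constructed sample inputs: the configs posted above, with keys and the
# endpoint replaced by placeholders, plus eth0's address from `ip addr`.
SERVER_CONF = """\
[Interface]
Address = 172.31.91.0/24
DNS = 172.31.0.2
ListenPort = 51820
PrivateKey = <server-private-key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 172.31.91.1/32
"""

CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 172.31.80.1/32
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""

ETH0_CIDR = "172.31.91.91/20"   # from `ip addr` on the server

# Same pair with the tunnel on its own range: server on a host address,
# client address equal to the server-side AllowedIPs for that peer.
FIXED_SERVER_CONF = (SERVER_CONF.replace("172.31.91.0/24", "10.8.0.1/24")
                                .replace("172.31.91.1/32", "10.8.0.2/32"))
FIXED_CLIENT_CONF = CLIENT_CONF.replace("172.31.80.1/32", "10.8.0.2/32")


def parse_wg(text):
    """wg-quick config -> (interface_dict, [peer_dict, ...]).
    Hand-rolled because repeated [Peer] sections break configparser."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def networks(value):
    """'a/32, b/24' -> [ip_network, ...]; AllowedIPs may be a list."""
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]


def audit(server_conf, client_conf, egress_cidr, egress_if="eth0", ip_forward="1"):
    """Return finding codes for a hub-and-spoke setup; [] means nothing obvious."""
    findings = []
    s_if, s_peers = parse_wg(server_conf)
    c_if, _ = parse_wg(client_conf)
    wg = ipaddress.ip_interface(s_if["Address"])
    lan = ipaddress.ip_interface(egress_cidr).network
    client_ip = ipaddress.ip_interface(c_if["Address"]).ip

    # 1. x.y.z.0/24 is the network address; the server needs a host address.
    if wg.ip == wg.network.network_address:
        findings.append("server-address-is-network-address")
    # 2. A tunnel prefix inside the VPC subnet is a more specific route than
    #    eth0's /20, so traffic for that range is pulled into wg0 instead.
    if wg.network.overlaps(lan):
        findings.append("wg-subnet-overlaps-egress-subnet")
    # 3. Cryptokey routing: packets from a peer whose source address is not
    #    inside that peer's AllowedIPs are dropped before any forwarding.
    if not any(client_ip in n for p in s_peers for n in networks(p["AllowedIPs"])):
        findings.append("client-address-not-in-peer-allowedips")
    # 4. Replies only route back into the tunnel if the client is in wg0's subnet.
    if client_ip not in wg.network:
        findings.append("client-address-outside-wg-subnet")
    # 5. Kernel forwarding and source NAT out of the egress interface.
    if ip_forward.strip() != "1":
        findings.append("ip-forward-disabled")
    post_up = s_if.get("PostUp", "")
    if "MASQUERADE" not in post_up or f"-o {egress_if}" not in post_up:
        findings.append("no-masquerade-on-egress")
    return findings


if __name__ == "__main__":
    for label, s, c in (("as posted", SERVER_CONF, CLIENT_CONF),
                        ("fixed", FIXED_SERVER_CONF, FIXED_CLIENT_CONF)):
        print(label, audit(s, c, ETH0_CIDR) or "ok")
```

Two checks the script cannot do offline: confirm the NAT rule is actually loaded with `sudo iptables -t nat -S` (the `iptables -S` output posted above only lists the filter table), and confirm the instance's security group allows UDP 51820 inbound and that the EC2 instance or its ENI has source/destination checking disabled if you ever stop masquerading and route the tunnel range through the VPC instead.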