Skip to main content

Introduction

In this post I will detail how I setup a working Wireguard VPN to access my Fedora homelab server. I will connect to the VPN using my Chromebook connected to a Google Fi hotspot served by my phone. I will also utilize the PiHole DNS server on the homelab through the VPN.

A few gotchas include potential default MTU incompatibility, and a picky native VPN app on Chromebook. Read on.

Environment

Our environment includes:

  • (Homelab Server) Fedora Linux 42 (Workstation Edition)
    • Runs PiHole and a number of HTTPS services
  • Standard TP-Link Router
  • Spectrum Internet with a private IP ( does not use Carrier-Grade NAT (CGNAT) )
  • Pixel 7 with Google Fi
  • Lenovo Chromebook running ChromeOS 135

Testing the connection

With our Wireguard server activated, we should now activate the connection on our Chromebook and send some packets.

First, lets disconnect from our local network first:

  • Ensure Phone has Wifi off and the hotspot is activated. Making sure all traffic is through the Google Fi connection
  • Disconnect chromebook from local network and connect to the phone hotspot
  • Enable the newly created VPN on the Chromebook

Typical testing might include trying to access services from your Homelab, such as an HTTP site or SSH.

But for a more technical approach, try the following:

On the server, we need to temporarily open a port on our firewall for our Wireguard interface. (Ensure you have added the Wireguard interface to the public zone on your firewall as mentioned in the firewall section)

firewall-cmd --add-port=2222/tcp --zone=public

On the Wirelab server, lets listen for packets using ncat.

nc -vvlnp 2222
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::2222
Ncat: Listening on 0.0.0.0:2222

Lets send some packets using our penguin linux terminal on our Chromebook:

dd if=/dev/zero bs=1024k count=1024 | nc -v 192.0.2.1 2222

On our server, we see a new connection:

Ncat: Connection from 192.0.2.2.
Ncat: Connection from 192.0.2.2:38424.

After a few moments, lets kill the connection with ctrl+c and check our wireguard status:

^C
wg
interface: wg0
  public key: oS0mQplCAG4TYj6l9jbCZHn55e3tcyla6kPe4LvQHSA=
  private key: (hidden)
  listening port: 51820

peer: u3zlZTq7YJHnrfvnUPwh2riKVz0zdZs9ieAIq2S0vX8=
  endpoint: some.public.googlefi.ip:randomport
  allowed ips: 192.0.2.2/32
  latest handshake: 21 seconds ago
  transfer: 16.14 MiB received, 2.48 MiB sent

We can see much data has been transferred. Success!

Troubleshooting

Enable debugging

Lets enable debugging in the kernel so we can see journalctl messages:

modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

Follow any wireguard messages:

journalctl -f -g wireguard.*

Handshake timeouts

Double check:

  • firewall open ports
  • router port forwarding
  • public keys are correct
  • allowed_ips are correct

Docs link

Verifying MTU

To verify your set MTU is not too big for your particular network setup try pinging a Google nameserver:

ping 8.8.8.8 -s 1420 -M probe
1428 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=15.7 ms
1428 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=14.3 ms
1428 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=12.8 ms

where the -s option is your set MTU size.

References