Wireguard VPN gateway not working in RPi

Hey folks,

I’ve searched here in Reddit (for example, this post) and in Google and can’t find for the life of me why this setup isn’t working.

Context

I want to use my Raspberry Pi as a VPN gateway so we can "look" like we're in a specific country. We can't use a VPN client on our laptops as they're work ones, and we can't run a VPN client on them (basically because we will already be using the work one).

So the setup is:

Laptop with default gateway to → Raspberry Pi → Router → VPN (Surfshark using WireGuard) → Internet

Here’s my WireGuard configuration

[Interface]
# Tunnel address assigned to this client by the provider
Address = 10.14.0.2/16
PrivateKey = (redacted)
# wg-quick sets this resolver on the Pi itself only; LAN clients keep their own DNS settings
DNS = (surfshark's provided DNS)

# Source-NAT everything leaving through the tunnel so replies come back to the Pi
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

# Allow traffic from the LAN side (wlan0) to be forwarded into the tunnel
PostUp = iptables -A FORWARD -i wlan0 -o wg0 -j ACCEPT
PreDown = iptables -D FORWARD -i wlan0 -o wg0 -j ACCEPT

# Allow only replies to already-established connections back from the tunnel to the LAN
PostUp = iptables -A FORWARD -i wg0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -D FORWARD -i wg0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Enable IPv4 routing between interfaces (runtime only, not persisted across reboots)
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey = (redacted)
# Route all traffic through the tunnel
AllowedIPs = 0.0.0.0/0
Endpoint = (surfshark endpoint)

With this, from a laptop I’m able to:

  • ping 8.8.8.8 and google.com successfully
  • receive and send Telegram messages (but admittedly, it’s a bit slow)

However, I can't browse any websites; they just don't load.

I’ve run a tcpdump on the RPi and I can see traffic coming and going.

I used this setup a couple of years ago, although I was using an EC2 instance instead of Surfshark's VPN. I can't think of why that would be the issue. I'll try again using that if my current setup doesn't work, but I'd like to understand what may be going wrong here.

Any ideas? Happy to provide tcpdumps, a more detailed schematic, etc.

Did you ever get this to work? I have the same setup as you and same exact issue. Page just won’t load.

Do a wget and show us the error log. Enable verbose logging as well, so we can see whether the SSL handshake fails, etc.