This could also be 127.0.0.1 right? If set in the hosts file…
Well, when you ping a domain, the result shows the IP address from the A record, so when I ping passbolt.domain.com I get 192.168.97.1 in the result.
Sorry, what I meant was that if passbolt NGINX is listening on 0.0.0.0 then passbolt can be recorded in the /etc/hosts file on the passbolt host as 127.0.0.1.
The wg subnet should be different from the networks on either end. passbolt itself should not attempt to reach the wg IP. Can you post a healthcheck?
I don’t want NGINX to listen on address 0.0.0.0; the whole point of the VPN was to make NGINX listen only on 192.168.97.1. However, the issue might be related to WG. I’ve noticed odd behavior while pinging the private address. Sometimes ping “stops” and starts again after WG sends the keepalive packet. So I’ve changed the frequency of keepalive packets to 5 seconds, and now the progress bar on the mobile application at least moves “a little”, and in the nginx log I can see one request from the mobile client (ip: 192.168.97.12). Is it possible that the mobile app doesn’t wait long enough for the server response? I will try to configure OpenVPN or IKEv2 and give it a try.
I would think that the issue is the app is confusing the wg server regarding closed connections because it’s on the same IP. But WireGuard is meant to send traffic over UDP, isn’t it?
@clayton Just to confirm, do we have any processes in mobile setup that use UDP? I was thinking we didn’t.
I’m like 99% sure we don’t, but I’ve asked internally just to be sure.
Well, WireGuard and NGINX are not on the same IP. WG “listens” on the external IP address and creates a “virtual” interface with the private IP address 192.168.97.1, and NGINX listens on that private IP (192.168.97.1). WG uses UDP as the transport protocol, but this is between the WG service and the WG client. From the point of view of NGINX and the mobile browser (or passbolt app) the communication is (should be) HTTP (TCP), even if down below it is wrapped in UDP packets, right?
Try removing the address line from the wg0 server interface.
Sorry I don’t have any great answers to the issue.
I run a WireGuard VPN from a VPS (Kamatera) and only that IP address is allowed into my nginx server conf on my home server running Passbolt.
I am able to use the iOS, iPad, and Android Passbolt app without any issues.
These are the instructions I followed at LinuxBabe.com
Just confirming here: UDP isn’t used for the mobile app.
Are the WireGuard server and the nginx installed on the same VPS?
WireGuard is on the $4/m vps and Passbolt is on my home server.
I was not able to get WireGuard to work on my home server with Passbolt or any other software. I had to use a vps to get the vpn working. I tried for a long time but could not figure it out. Once I installed WireGuard on the vps all started to work perfectly.
Sorry I don’t have a better fix or answer
I successfully configured the WireGuard VPN. The problem was the initial tutorial I used. It didn’t mention that each client needs a separate peer configuration with a different pair of keys. So my initial configuration was working for one device. As soon as I connected the other device, the packets started to “disappear” randomly. I couldn’t notice that for desktop / mobile browser requests, but it was very problematic while scanning the QR code in the mobile application.
So now I can confirm that everything works. Also, you can configure nginx / apache (and other services) to listen on the WG private address (192.168.97.1 in my case) without any problems. Configuration with IKEv2 instead of WG also works.
Thank you very much for all your advice and dedicated time.
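A check for the misconfiguration the last post describes (two devices sharing one peer entry), added here as an example and not code from the thread or from the passbolt or WireGuard projects: it parses a wg-quick style wg0.conf and flags peers that share a PublicKey or whose AllowedIPs overlap. The sample config and its keys are constructed placeholders, not real keys.

```python
import ipaddress
from collections import Counter

# Constructed sample with placeholder keys: the second peer reuses peer A's key.
SAMPLE_CONF = """\
[Interface]
Address = 192.168.97.1/24
[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.97.11/32

[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.97.12/32
"""

def parse_peers(text):
    """Return the [Peer] sections of wg-quick style INI text as a list of dicts."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif line.startswith("["):                # [Interface] or any other section
            current = None
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return peers

def check_wg_conf(text):
    """Return a list of problems; an empty list means the peer sections are sane."""
    peers = parse_peers(text)
    problems = []
    # Each device needs its own key pair: devices sharing one peer slot fight over it.
    for key, n in Counter(p.get("PublicKey") for p in peers).items():
        if n > 1:
            problems.append(f"PublicKey shared by {n} peers: {key}")
    # WireGuard routes by AllowedIPs, so an overlap silently misroutes one peer's traffic.
    seen = []                                     # (network, peer index)
    for i, p in enumerate(peers):
        cidrs = [c.strip() for c in p.get("AllowedIPs", "").split(",") if c.strip()]
        for net in (ipaddress.ip_network(c, strict=False) for c in cidrs):
            for other, j in seen:
                if net.overlaps(other):
                    problems.append(f"peer {i} AllowedIPs {net} overlaps peer {j} {other}")
            seen.append((net, i))
    return problems
```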