
Wireguard / Linux VPN server port forwarding to firewalled client? (open port?)



Fli
10-02-2019, 10:13 AM
ISSUE:
One wants to forward / open a port range when using WireGuard VPN (https://github.com/angristan/wireguard-install). (WG installation HERE (https://internetlifeforum.com/linux-forums/15410-installing-wireguard-linux))

SOLUTION:
The ports should not be blocked on the client firewall and should be forwarded on the server. Forwarding can be set up manually in the iptables firewall, but it is possibly simpler when it is managed directly by WireGuard (PostUp/PostDown in wg0.conf).

WARN: You should read this page in full and do things carefully, else you can misconfigure your WireGuard network and no longer be able to connect:

Back up your original /etc/wireguard/wg0.conf files and then add the following lines to the server's /etc/wireguard/wg0.conf (wg0 is my virtual network interface name):


# IPv4: accept forwarding out of the tunnel, DNAT the public port range to the client, NAT the client's outbound traffic
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 1230:1240 -j DNAT --to-destination 10.66.66.2
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1230:1240 -j DNAT --to-destination 10.66.66.2
PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.0/24 -j SNAT --to-source MYSERVERPUBLICIPHERE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PostDown removes exactly the rules PostUp added (same rules, -A replaced by -D)
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp -m udp --dport 1230:1240 -j DNAT --to-destination 10.66.66.2
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m tcp --dport 1230:1240 -j DNAT --to-destination 10.66.66.2
PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.0/24 -j SNAT --to-source MYSERVERPUBLICIPHERE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

If you want to use that, you may need to replace some parts, like:

- eth0 is the server's main network interface (command "ifconfig" or "cat /etc/wireguard/params" near SERVER_PUB_NIC)

- 1230:1240 is the port range I want to open/forward

- MYSERVERPUBLICIPHERE - your public IPv4 of the server

- 10.66.66.2 is the address seen in the WG overview on the client, or next to "allowed ips" in the "wg" command output on the server once the tunnel is established.

In case IPv6 forwarding is needed, it is a more difficult feat; on the server:



PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1230:1240 -j DNAT --to-destination fd44:44:44::2
PostUp = ip6tables -t nat -A PREROUTING -i eth1 -p udp -m udp --dport 1230:1240 -j DNAT --to-destination fd44:44:44::2
PostUp = ip6tables -t nat -A POSTROUTING -s fd44:44:44::/64 -j SNAT --to-source MYSERVERPUBLICIP6HERE::1
PostUp = ip6tables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D PREROUTING -i eth1 -p tcp -m tcp --dport 1230:1240 -j DNAT --to-destination fd44:44:44::2
PostDown = ip6tables -t nat -D PREROUTING -i eth1 -p udp -m udp --dport 1230:1240 -j DNAT --to-destination fd44:44:44::2
PostDown = ip6tables -t nat -D POSTROUTING -s fd44:44:44::/64 -j SNAT --to-source MYSERVERPUBLICIP6HERE::1
PostDown = ip6tables -t nat -D POSTROUTING -o eth1 -j MASQUERADE




If you want to use that, you may need to replace some parts, like:

- eth1 is the server's interface to which, in my case, the IPv6 address was assigned; the command "ip -6 a" shows the IPv6 labelled "global", which should mean it is the public IP I wanted to use in the above case

- 1230:1240 is the port range I want to open/forward

- MYSERVERPUBLICIP6HERE - your public IPv6 of the server

- 10.66.66.2 is the address seen in the WG overview on the client, or next to "allowed ips" in the "wg" command output on the server once the tunnel is established.

- fd44:44:44::2 - sample private IPv6 assigned by the user to the WG network interface of the client computer in the client's wg0.conf
- fd44:44:44::/64 - sample private IPv6 subnet assigned by the user to the WG network interface of the client computer in the client's wg0.conf

For the above IPv6 rules to work, one also has to set the correct IPs:

On the server, these IPv4+6 wg0.conf variables:

[Interface]
Address = 10.66.66.1/24, fd44:44:44::1/64
[Peer]
AllowedIPs = 10.66.66.2/32, fd44:44:44::2/128
(multiple peers/clients? The second peer has IP .3 and ::3, etc.)

and on client:

[Interface]
Address = 10.66.66.2/32, fd44:44:44::2/64
DNS = 10.66.66.1, fd44:44:44::1, 1.1.1.1
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0

"cat /etc/sysctl.d/*wg*" should return =1

After double-checking all is right, I restarted the WireGuard server: systemctl restart wg-quick@wg0

In my client config file I use: AllowedIPs = 0.0.0.0/0, ::/0

- - - - - -

By the way, on the OpenVPN server the port can be opened like this (https://internetlifeforum.com/security-protection/14767-tutotial-how-open-port-linux-openvpn-server/#post29243).
And some hints on WireGuard port forwarding HERE (https://www.reddit.com/r/WireGuard/comments/hljaqf/how_do_i_open_portrange_port_forward_on_linux/).

Some more, slightly less relevant, info:

QUESTION:
I am currently using OpenVPN (run from my own server) and torrent works, but the problem is that not everyone can connect to me, as I am kind of a "passive" peer and I appear with a "filtered/closed" port. I have not found a way to forward a port to my client with iptables. (UPDATE: found the way (https://internetlifeforum.com/security-protection/14767-tutotial-how-open-port-linux-openvpn-server/)) My client computer is Windows 10; I assume I won't be able to use WireGuard (https://www.wireguard.com/)?

ANSWER:
There is a WireGuard client for Windows 10 at https://www.wireguard.com/install/
It was "pre-alpha" for a while, but it looks like it's finally beta or stable now, and I've been using it on my Windows PC for about a week straight with no problems.
As for the port forwarding thing, it sounds like you are looking for the type of port forwarding described at https://cryptostorm.is/portfwd. The iptables rules we use to add the forwarding server-side are:

iptables -t nat -A PREROUTING -p tcp -d $inst --dport $port -j DNAT --to $ip:$port
iptables -t nat -A PREROUTING -p udp -d $inst --dport $port -j DNAT --to $ip:$port
where $inst is that OpenVPN instance's public IP (the one the internet sees you as having), $ip is your internal 10.x.x.x IP, and $port is the port to forward. In our setup, because of the port striping feature described at https://cryptostorm.is/blog/port-striping-v2, only ports 30000-65535 can be used for forwarding, since the ones before that are reserved for the VPN. For OpenVPN, the forwarding gets removed using a --client-disconnect script, but with WireGuard there's no server-side way to determine if a client is disconnected, which is why the port forwarding stays for WireGuard users.
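The following is an added example, not part of the post above or of the angristan wireguard-install project: a small POSIX sh generator that emits matching PostUp/PostDown rule pairs for the IPv4 and IPv6 forwarding described earlier, so the two halves can never drift apart and a bad port range is rejected before it reaches iptables. Interface names, the port range and the client address are passed as arguments (all hypothetical values in the usage line); the IPTABLES environment variable selects iptables or ip6tables. One rule goes beyond the post: an explicit FORWARD accept for the DNAT'd packets arriving on the public interface, which the post's rules rely on a default ACCEPT policy for and which breaks silently when something like Docker or ufw sets FORWARD to DROP on the same host.

```shell
#!/bin/sh
# Added example (not from the original post): generate paired PostUp/PostDown
# iptables rules that forward a public port range through a WireGuard server
# to one tunnel client. Assumed inputs: PUB_NIC WG_NIC PORT_RANGE CLIENT_IP.
# Set IPTABLES=ip6tables to produce the IPv6 variant.
set -eu

# Accept "LOW:HIGH" or a single port; fail on anything that is not 1..65535.
valid_range() {
    r=$1
    case "$r" in
        *:*) lo=${r%%:*}; hi=${r#*:} ;;
        *)   lo=$r; hi=$r ;;
    esac
    case "$lo$hi" in *[!0-9]*|'') return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Emit the rules. $1 is A (add, for PostUp) or D (delete, for PostDown),
# followed by PUB_NIC WG_NIC PORT_RANGE CLIENT_IP.
wg_fwd_rules() {
    act=$1 pub=$2 wg=$3 range=$4 client=$5
    ipt=${IPTABLES:-iptables}
    valid_range "$range" || { echo "bad port range: $range" >&2; return 1; }
    for proto in tcp udp; do
        # Same DNAT as the post: public port range -> client's tunnel address.
        printf '%s -t nat -%s PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
            "$ipt" "$act" "$pub" "$proto" "$range" "$client"
        # Not in the post: let the DNAT'd packets cross FORWARD even when the
        # chain policy is DROP (Docker/ufw hosts), but only for this range/client.
        printf '%s -%s FORWARD -i %s -o %s -p %s -d %s --dport %s -j ACCEPT\n' \
            "$ipt" "$act" "$pub" "$wg" "$proto" "$client" "$range"
    done
    # Post's rules: allow traffic out of the tunnel and NAT it on the public NIC.
    printf '%s -%s FORWARD -i %s -j ACCEPT\n' "$ipt" "$act" "$wg"
    printf '%s -t nat -%s POSTROUTING -o %s -j MASQUERADE\n' "$ipt" "$act" "$pub"
}

# Wrap the same rule set as wg0.conf lines: PostUp adds, PostDown deletes.
wg_conf_lines() {
    wg_fwd_rules A "$@" | sed 's/^/PostUp = /'
    wg_fwd_rules D "$@" | sed 's/^/PostDown = /'
}

# Usage (hypothetical values): ./wgfwd.sh eth0 wg0 1230:1240 10.66.66.2
# IPv6: IPTABLES=ip6tables ./wgfwd.sh eth1 wg0 1230:1240 fd44:44:44::2
if [ "$#" -ge 4 ]; then
    wg_conf_lines "$@"
fi
```

Paste the output into the [Interface] section of the server's wg0.conf (several PostUp/PostDown lines are allowed) and restart wg-quick; because every PostDown line is the literal -D twin of a PostUp line, stopping the interface leaves no stale DNAT behind.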