ISSUE:
One wants to open a port or a port range when using a WireGuard VPN. (WG installation HERE)

SOLUTION:
The ports must not be blocked by the client's firewall and must be forwarded on the server. Forwarding can be set up manually in the iptables firewall, but it is probably simpler to let WireGuard manage it directly (via PostUp/PostDown in the interface config).

So add the following lines to the server's /etc/wireguard/wg0.conf (wg0 is my virtual network interface name):

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 1230:1240 -j DNAT --to-destination 10.66.66.2; iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1230:1240 -j DNAT --to-destination 10.66.66.2; iptables -t nat -A POSTROUTING -s 10.66.66.0/24 -j SNAT --to-source MYSERVERPUBLICIPHERE; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D PREROUTING -i eth0 -p udp -m udp --dport 1230:1240 -j DNAT --to-destination 10.66.66.2; iptables -t nat -D PREROUTING -i eth0 -p tcp -m tcp --dport 1230:1240 -j DNAT --to-destination 10.66.66.2; iptables -t nat -D POSTROUTING -s 10.66.66.0/24 -j SNAT --to-source MYSERVERPUBLICIPHERE; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
If you want to use this, you may need to replace some parts:

- eth0 is the main (public) network interface (check with the "ifconfig" command, or "cat /etc/wireguard/params" next to SERVER_PUB_NIC)

- 1230:1240 is the port range I want to open/forward

- MYSERVERPUBLICIPHERE is the server's public IPv4 address

- 10.66.66.2 is the client's tunnel address, shown in the WG overview on the client, or next to "allowed ips" in the "wg" command output on the server once the tunnel is established.


After double-checking that everything was right, I restarted the WireGuard server: systemctl restart wg-quick@wg0.service
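As an added example (not part of the original post), the following POSIX shell script builds the PostUp/PostDown lines from variables, so that PostDown removes exactly what PostUp added and the port range is validated before anything is pasted into wg0.conf. It is IPv4 only, uses the same placeholder values as above, and adds one FORWARD rule the post does not have: it accepts only the forwarded range from eth0 into wg0, so the setup keeps working if the FORWARD chain policy is DROP.

```shell
#!/bin/sh
# Added example, not from the original post: build matching PostUp/PostDown
# lines for forwarding a public port range to one WireGuard peer (IPv4 only).
# All values are placeholders; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"                         # public interface (SERVER_PUB_NIC)
WG_IF="${WG_IF:-wg0}"                            # WireGuard interface
WG_NET="${WG_NET:-10.66.66.0/24}"                # WireGuard subnet
PEER_IP="${PEER_IP:-10.66.66.2}"                 # peer receiving the forwarded ports
PORTS="${PORTS:-1230:1240}"                      # iptables low:high range or one port
PUBLIC_IP="${PUBLIC_IP:-MYSERVERPUBLICIPHERE}"   # server public IPv4 (placeholder)

# valid_range RANGE -> 0 if RANGE is "port" or "low:high" within 1..65535, low <= high
valid_range() {
    case "$1" in ''|*[!0-9:]*|*:*:*) return 1 ;; esac
    lo="${1%%:*}"; hi="${1#*:}"
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# rules ACTION -> one iptables rule per line; ACTION is -A (PostUp) or -D (PostDown).
# Generating both from one function guarantees PostDown removes exactly what PostUp added.
rules() {
    act="$1"
    for proto in tcp udp; do
        echo "iptables -t nat $act PREROUTING -i $WAN_IF -p $proto --dport $PORTS -j DNAT --to-destination $PEER_IP"
        # Beyond the original post: accept only the forwarded range into the tunnel,
        # so a FORWARD chain with policy DROP does not silently discard the DNATed packets.
        echo "iptables $act FORWARD -i $WAN_IF -o $WG_IF -d $PEER_IP -p $proto --dport $PORTS -j ACCEPT"
    done
    echo "iptables $act FORWARD -i $WG_IF -j ACCEPT"
    echo "iptables -t nat $act POSTROUTING -s $WG_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
}

# join_rules ACTION -> the rules on one line separated by "; ", as wg-quick expects
join_rules() {
    rules "$1" | awk 'NR > 1 { printf "; " } { printf "%s", $0 } END { print "" }'
}

# wg_conf_fragment -> the two lines to paste into the [Interface] section of wg0.conf
wg_conf_fragment() {
    valid_range "$PORTS" || { echo "bad port range: $PORTS" >&2; return 1; }
    echo "PostUp = $(join_rules -A)"
    echo "PostDown = $(join_rules -D)"
}

wg_conf_fragment
```

Run it as e.g. `PORTS=1230:1240 PUBLIC_IP=203.0.113.10 sh gen-forward.sh` and paste the two printed lines into the [Interface] section; the rules are only applied when wg-quick brings the interface up.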

In my client config file I use: AllowedIPs = 0.0.0.0/0, ::/0

When I enter 192.168.1.5 or 192.168.1.0/24 into AllowedIPs, then strangely the internet connectivity fails. But when I remove that 192.168.* IP, I am not allowed to connect to LAN computers from my client. Does anyone know how to fix it?

- - - - - -

By the way, on the OpenVPN server the port can be opened like this.
And some hints on WireGuard port forwarding HERE.

Some more, somewhat less relevant, info:

QUESTION:
I am currently using OpenVPN (run from my own server) and torrenting works, but the problem is that not everyone can connect to me, as I am kind of a "passive" peer and I appear with a "filtered/closed" port. I have not found a way to iptables-forward a port to my client. (UPDATE: found the way) My client computer is Windows 10; I assume I won't be able to use WireGuard?

ANSWER:
There is a WireGuard client for Windows 10 at https://www.wireguard.com/install/
It was "pre-alpha" for a while, but it looks like it's finally beta or stable now, and I've been using it on my Windows PC for about a week straight with no problems.
As for the port forwarding thing, it sounds like you are looking for the type of port forwarding described at https://cryptostorm.is/portfwd. The iptables rules we use to add the forwarding server-side are:
iptables -t nat -A PREROUTING -p tcp -d $inst --dport $port -j DNAT --to $ip:$port
iptables -t nat -A PREROUTING -p udp -d $inst --dport $port -j DNAT --to $ip:$port
where $inst is that OpenVPN instance's public IP (the one the internet sees you as having), $ip is your internal 10.x.x.x IP, and $port is the port to forward. In our setup, because of the port striping feature described at https://cryptostorm.is/blog/port-striping-v2, only ports 30000-65535 can be used for forwarding, since the ones before that are reserved for the VPN. For OpenVPN, the forwarding gets removed using a --client-disconnect script, but with WireGuard there's no server-side way to determine if a client is disconnected, which is why the port forwarding stays for WireGuard users.