Unable to forward ports using wireguard

Update: Sorry guys, looks like I just needed to reboot the public server.

My goal is to forward port 8096 from my private server to my public server. That is, any traffic at the public server's port 8096 should be tunneled to port 8096 of my private server and back.

I’ve set up a wireguard tunnel and ping is working from one device to the other. In this, 10.8.0.1 is the private server and 10.8.0.2 is the public server.

Here are my config files (/etc/wireguard/wg0).

<pre>
--- On the public server ---
[Interface]
Address = 10.8.0.2/24
ListenPort = 51820
PrivateKey = *****************************************

# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

# port forwarding
PreUp = firewall-cmd --zone=public --add-port 8096/tcp
PreUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
PostDown = firewall-cmd --zone=public --remove-port 8096/tcp

# packet masquerading
PreUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = *****************************************
AllowedIPs = 10.8.0.1
</pre>
<pre>
--- On the private server ---
[Interface]
Address = 10.8.0.1/24
PrivateKey = *****************************************

[Peer]
PublicKey = *****************************************
AllowedIPs = 10.8.0.2
Endpoint = <public-server-addr>:51820
PersistentKeepalive = 25
</pre>

Now, I’m trying to test the connection using netcat. I’m listening from my private server using nc -l 8096 (I’ve made sure that the port is unblocked) and trying to connect from a third device using nc <public-server-addr> 8096 but it’s not working.

I have no idea what’s going on here. Some help from experienced people is very appreciated.
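An added example, not code from the post or any reply: a small bash script that audits an `iptables-save` dump offline for the pieces the public server needs for this kind of forward. The update says a reboot fixed it; when it does not, this is the checklist to run against the live dump. The two dumps embedded below are constructed to resemble the public server's configuration (one as posted, one with FORWARD rules added), and `audit_dump`, `rule_present` and the other names are this example's own.

```shell
#!/usr/bin/env bash
# Offline audit of an iptables-save dump for the pieces a DNAT port forward
# over WireGuard needs on the public side. Added example, not from the thread:
# the two dumps are constructed, and audit_dump / rule_present are this
# example's own names. A dump cannot show net.ipv4.ip_forward; check that
# separately with `sysctl net.ipv4.ip_forward`.

# Constructed: roughly what `iptables-save` prints on the public server after
# wg-quick ran the PreUp lines from the post. The nat rules are there, but the
# FORWARD chain has policy DROP and no rules, so DNAT'd packets are dropped.
DUMP_FROM_POST='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed: the same host with FORWARD rules added, written the way
# iptables-save prints them (--syn expanded, ctstate order normalised).
DUMP_COMPLETE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8096 -j DNAT --to-destination 10.8.0.1:8096
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o wg0 -p tcp -m tcp --dport 8096 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# rule_present DUMP CHAIN REGEX: true if DUMP has an "-A CHAIN ..." line
# matching REGEX (extended regex; dots in addresses are deliberately unescaped).
rule_present() {
    printf '%s\n' "$1" | grep -qE "^-A $2 .*$3"
}

# audit_dump PUB_IF WG_IF PEER_IP PORT, dump on stdin.
# Prints one "ok:"/"missing:" line per check and returns the number of
# missing pieces, so 0 means the dump has everything the forward needs.
audit_dump() {
    local pub_if=$1 wg_if=$2 peer=$3 port=$4 dump policy missing=0
    dump=$(cat)

    # 1. Translation: public port -> peer's tunnel address, same port.
    if rule_present "$dump" PREROUTING "-i $pub_if .*--dport $port .*-j DNAT --to-destination $peer:$port"; then
        echo "ok: DNAT $pub_if:$port -> $peer:$port"
    else
        echo "missing: PREROUTING DNAT for $pub_if:$port -> $peer:$port"
        missing=$((missing + 1))
    fi

    # 2. Source NAT towards the tunnel, so the peer answers to the tunnel
    #    address instead of trying to reach the client's real IP.
    if rule_present "$dump" POSTROUTING "-o $wg_if .*-j (MASQUERADE|SNAT)"; then
        echo "ok: SNAT/MASQUERADE on $wg_if"
    else
        echo "missing: POSTROUTING SNAT/MASQUERADE on $wg_if"
        missing=$((missing + 1))
    fi

    # 3. DNAT'd packets traverse FORWARD, not INPUT; a DROP policy with no
    #    accept rules silently discards them after translation.
    policy=$(printf '%s\n' "$dump" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p')
    if [ "$policy" = ACCEPT ]; then
        echo "ok: FORWARD policy ACCEPT (permissive; explicit rules preferred)"
    elif rule_present "$dump" FORWARD "-i $pub_if -o $wg_if .*--dport $port .*-j ACCEPT" &&
         rule_present "$dump" FORWARD "-i $wg_if -o $pub_if .*--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT"; then
        echo "ok: FORWARD accepts $pub_if->$wg_if:$port and established replies"
    else
        echo "missing: FORWARD rules (policy '${policy:-unknown}' discards DNAT'd packets)"
        missing=$((missing + 1))
    fi

    return "$missing"
}

# demo LABEL DUMP: run the audit on a constructed dump and report the count.
demo() {
    echo "== $1 =="
    if printf '%s\n' "$2" | audit_dump eth0 wg0 10.8.0.1 8096; then
        echo "result: everything the forward needs is present"
    else
        echo "result: $? piece(s) missing"
    fi
}

demo "dump as in the post" "$DUMP_FROM_POST"
demo "dump with FORWARD rules" "$DUMP_COMPLETE"
```

On a real host, source the script and run `iptables-save | audit_dump eth0 wg0 10.8.0.1 8096`. Note that `firewall-cmd --add-port` opens the port for traffic addressed to the host itself (INPUT); packets that were DNAT'd to the peer traverse FORWARD instead, which is what the third check covers.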

eskuero (@eskuero@lemmy.fromshado.ws):

It’s been a long time since I did forwarding through wireguard, so this might be outdated, missing info or actually doing unneeded stuff, but I had these notes saved in some old iptables personal documentation from like 4 years ago that might shed some light:

Allow first packet to start the connection

<pre>
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT
</pre>

Allow already established connections

<pre>
iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
</pre>

Send whatever arrives via port 80 or 443 to the other side of the wg tunnel

<pre>
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.3.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.3.1
</pre>

Modify source address so it can return

<pre>
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 80 -d 192.168.3.1 -j SNAT --to-source 192.168.3.2
iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 443 -d 192.168.3.1 -j SNAT --to-source 192.168.3.2
</pre>
SexualPolytope (@SexualPolytope@lemmy.sdf.org):

Thanks. I’ll try these out.

sifrmoja (@sifrmoja@mastodon.social):

@eskuero @SexualPolytope do you have the nftables version?

SexualPolytope (@SexualPolytope@lemmy.sdf.org):

If I run iptables directly, it tells me that I have the nf_tables version.

sifrmoja (@sifrmoja@mastodon.social):

@SexualPolytope yeah. It's rare that nftables isn't the default anymore.
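Following the question about an nftables version: here is an added example, not from anyone in the thread, of the same ruleset as eskuero's iptables notes in native nft syntax, generated by a small bash function so the interface names, addresses and ports are parameters rather than hard-coded. It assumes the layout from the original post (public interface `eth0`, tunnel `wg0`, public server `10.8.0.2`, private server `10.8.0.1`, port 8096); the table name `wg_forward` and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Generate an nftables ruleset that does what the iptables rules in this thread
# do: DNAT chosen public TCP ports to the WireGuard peer, SNAT them to the
# local tunnel address so replies return through the tunnel, and accept only
# those flows plus established traffic in the forward hook. Added example, not
# from the thread; the table name wg_forward and the function names are this
# example's own.

# valid_port N: true for an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_wg_forward PUB_IF WG_IF WG_LOCAL_IP PEER_IP PORT [PORT...]
# Prints a complete ruleset for `nft -f -`; each port is forwarded to the
# same port on PEER_IP. Returns 2 on bad arguments without printing a ruleset.
gen_wg_forward() {
    if [ $# -lt 5 ]; then
        echo "usage: gen_wg_forward PUB_IF WG_IF WG_LOCAL_IP PEER_IP PORT [PORT...]" >&2
        return 2
    fi
    local pub_if=$1 wg_if=$2 wg_local=$3 peer=$4 port
    shift 4
    for port in "$@"; do
        valid_port "$port" || { echo "gen_wg_forward: invalid port '$port'" >&2; return 2; }
    done

    printf 'table ip wg_forward {\n'
    printf '    chain prerouting {\n'
    printf '        type nat hook prerouting priority dstnat; policy accept;\n'
    for port in "$@"; do
        # Rewrite the public destination to the peer's tunnel address.
        printf '        iifname "%s" tcp dport %s dnat to %s:%s\n' "$pub_if" "$port" "$peer" "$port"
    done
    printf '    }\n'
    printf '    chain postrouting {\n'
    printf '        type nat hook postrouting priority srcnat; policy accept;\n'
    for port in "$@"; do
        # Replace the client's source with our tunnel address: the peer's
        # AllowedIPs only covers that address, so it is the only source the
        # peer can answer through the tunnel.
        printf '        oifname "%s" ip daddr %s tcp dport %s snat to %s\n' "$wg_if" "$peer" "$port" "$wg_local"
    done
    printf '    }\n'
    printf '    chain forward {\n'
    # The forward hook runs after DNAT, so the match is on the peer address.
    printf '        type filter hook forward priority filter; policy drop;\n'
    printf '        ct state established,related accept\n'
    for port in "$@"; do
        printf '        iifname "%s" oifname "%s" ip daddr %s tcp dport %s ct state new accept\n' \
            "$pub_if" "$wg_if" "$peer" "$port"
    done
    printf '    }\n'
    printf '}\n'
}

# Demo with the thread's layout. To load on the public server (ip_forward
# must still be enabled):  gen_wg_forward eth0 wg0 10.8.0.2 10.8.0.1 8096 | nft -f -
gen_wg_forward eth0 wg0 10.8.0.2 10.8.0.1 8096
```

Two things to keep in mind when using this. The SNAT is not optional: the private server's AllowedIPs only lists 10.8.0.2, so a reply addressed to an Internet client's real IP would never be sent into the tunnel; the price is that the private server sees every client as 10.8.0.2, so per-client logging or rate limiting has to happen on the public side. And the forward chain's `policy drop` makes this table the host's forwarding policy; if firewalld or the iptables-nft rules from the thread already own forwarding on that host, their chains must accept the flow too, because a drop in any base chain on the same hook is final. On an older nft that does not know the `dstnat`/`srcnat` names, use `priority -100` and `priority 100`.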
