Port forward from wan to wireguard

I am unable to get port forwarding working from WAN to Wireguard. It works if I try to forward to a LAN host.

I am able to connect from a LAN host to any host on the Wireguard VPN.

See images attached. This works if I replace the IP 192.168.11.3, which is a host on my Wireguard VPN, with a LAN host (given it has port 22 open).


Very likely incoming mssql is blocked by your provider

It is not. I checked with nmap -p 1433 portquiz.net

I can also reach the host on wireguard directly from the router over the console (ssh).

I was implying the other way around. Just make a full WireGuard dial-in and all will work.


How is it related?
portquiz.net is ...


1433 is not blocked outgoing from the remote source, nor from my ISP.

I got it working with a workaround, in the router (OpenWRT) I did:

socat tcp-listen:1433,reuseaddr,fork tcp:192.168.11.3:22

Then I was able to ssh into 192.168.11.3 from a remote destination.

I of course altered the forwarding rule. But it would be great to not utilise this "hack".

I thought he meant the other way around, I read it too quickly.

You could use something like this (DNAT is only valid in the nat table's PREROUTING and OUTPUT chains, so the rule must go into PREROUTING rather than INPUT):
iptables -t nat -A PREROUTING -p tcp --dport 1433 -j DNAT --to-destination 192.168.11.3:22


Or add an "internal IP address" in the DNAT rule to use that in place of the router's own IP.


Seems like my screenshot above did not reflect my question, I guess I experimented with something.

Anyway, I have tried that. And it does not work :confused: In the window titled "Firewall - Port Forwards - ssh 1433 to home" it is supposed to say 192.168.11.3, and not any.


I am not used to using iptables on OpenWRT. I have usually used LuCI. Does this setting persist? And can I specify the same using LuCI?

This is the same as if you would click on the word "any" in the address and type it manually.

Yes: port rule, type DNAT, source zone where 1433 should be listening, forward address + IP shows the destination. Zone not needed for the destination.

Like so?

Seems like iptables is not installed on my OpenWRT.

Let's start with the basics.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show

OpenWrt uses nftables now. But you don't have to worry about that because fw4 can handle this forward at a higher level.

It is required to specify a destination zone and internal IP for a port forward to work. It is a config redirect not a config rule. I'm not sure what those look like in the GUI.

Again, I am sorry for the first screenshots. They did not reflect the state. See attached updated screenshots:


So on the NAT I do have a dest zone and rule.

Add a dest address; empty means the incoming interface.

@mk24, in config form:

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option src 'wan'
        option dest '*'
        option dest_port '1433'
        option name 'Allow 1433 on WAN to FWD'

config redirect
        option dest 'home'
        option target 'DNAT'
        option name 'ssh 1433 to home'
        list proto 'tcp'
        option src 'wan'
        option src_dport '1433'
        option dest_port '22'
        option family 'ipv4'
        option dest_ip '192.168.11.3'
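The thread's fix boils down to one check on /etc/config/firewall: every DNAT redirect must carry both a dest zone and a dest_ip, otherwise fw4 redirects to the router itself (the "any" the LuCI form showed). The following is an added example, not code from the thread or from OpenWrt: a small UCI parser plus a lint over the redirect sections, run against a constructed config that contains the working rule from above and a broken copy with the two fields missing.

```python
def parse_uci(text):
    """Parse UCI config text into a list of (section_type, options) tuples.
    Understands `config <type> ['name']`, `option k 'v'` and `list k 'v'`;
    list values are collected into Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        kw = parts[0]
        if kw == "config" and len(parts) > 1:
            sections.append((parts[1], {}))
        elif kw in ("option", "list") and sections and len(parts) > 1:
            key = parts[1]
            val = parts[2].strip().strip("'\"") if len(parts) > 2 else ""
            opts = sections[-1][1]
            if kw == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections


def check_redirects(text):
    """Return [(name, [problems])] for each DNAT `config redirect`.
    A forward into a non-WAN zone (here the WireGuard 'home' zone) needs a
    dest zone and a dest_ip; without dest_ip fw4 targets the router itself."""
    report = []
    for stype, o in parse_uci(text):
        if stype != "redirect" or o.get("target", "DNAT") != "DNAT":
            continue
        problems = []
        if not o.get("dest"):
            problems.append("missing dest zone")
        if not o.get("dest_ip"):
            problems.append("missing dest_ip (fw4 will DNAT to the router itself)")
        if not o.get("src_dport"):
            problems.append("missing src_dport")
        report.append((o.get("name", "<unnamed>"), problems))
    return report


# Constructed sample: the thread's working redirect, then a broken variant
# that mirrors the LuCI form with the internal address left as "any".
SAMPLE = """
config redirect
        option dest 'home'
        option target 'DNAT'
        option name 'ssh 1433 to home'
        list proto 'tcp'
        option src 'wan'
        option src_dport '1433'
        option dest_port '22'
        option dest_ip '192.168.11.3'

config redirect
        option target 'DNAT'
        option name 'broken forward'
        list proto 'tcp'
        option src 'wan'
        option src_dport '1433'
        option dest_port '22'
"""

if __name__ == "__main__":
    for name, problems in check_redirects(SAMPLE):
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

Run it against a copy of the router's firewall file (`ssh root@router cat /etc/config/firewall`) to spot redirects that will silently land on the router instead of the VPN peer.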