Port forwarding to WireGuard accessible local host

Overview

I have two networks connected using WireGuard:

  1. Home with public IP
  2. Office without a public IP

In both networks, wg0 is a member of the lan firewall zone. Hosts on both networks can see and communicate with each other.

(network diagram image)

Task

I want my Home network router to forward requests on one port to the Office network router.

I've added the following rule for that:

config redirect
	option name 'to_office'
	option src 'wan'
	option src_dport '5822'
	option dest 'lan'
	option dest_ip '192.168.22.1'
	option dest_port '5822'
	option target 'DNAT'
	list proto 'tcp'

Problem

It doesn't work. I don't get "Connection refused", which means the Home network router doesn't reject my connection, but I still can't connect using telnet $HOME_PUBLIC_IP 5822.

For debugging purposes I run:

tcpdump -f -i wg0 port 5822 on the Home router. Output:

14:15:19.713620 IP 213.189.52.89.14462 > 192.168.22.1.5822: Flags [S], seq 2371290555, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 4095909407 ecr 0], length 0
14:15:20.713204 IP 213.189.52.89.14462 > 192.168.22.1.5822: Flags [S], seq 2371290555, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 4095910407 ecr 0], length 0
14:15:22.912814 IP 213.189.52.89.14462 > 192.168.22.1.5822: Flags [S], seq 2371290555, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 4095912607 ecr 0], length 0

tcpdump -f -i wg0 port 5822 on the Office router. I didn't see a single packet.


So it seems that Home (192.168.27.1) passes the packets over WireGuard to 192.168.22.1, but the latter never receives them.

Local test

As a random attempt I tried telnet 192.168.22.1 5822 from a device (192.168.27.149) connected to the Home network. That attempt succeeded!

tcpdump -f -i wg0 port 5822 on the Home router:

14:15:28.965845 IP 192.168.27.1.34696 > 192.168.22.1.5822: Flags [S], seq 3927945332, win 64240, options [mss 1460,sackOK,TS val 2531085413 ecr 0,nop,wscale 7], length 0
14:15:29.052140 IP 192.168.22.1.5822 > 192.168.27.1.34696: Flags [S.], seq 1603049024, ack 3927945333, win 27360, options [mss 1380,sackOK,TS val 2008396609 ecr 2531085413,nop,wscale 2], length 0
14:15:29.054301 IP 192.168.27.1.34696 > 192.168.22.1.5822: Flags [.], ack 1, win 502, options [nop,nop,TS val 2531085501 ecr 2008396609], length 0
14:15:30.038104 IP 192.168.27.1.34696 > 192.168.22.1.5822: Flags [P.], seq 1:6, ack 1, win 502, options [nop,nop,TS val 2531086485 ecr 2008396609], length 5
(...)

tcpdump -f -i wg0 port 5822 on the Office router:

21:15:29.024156 IP 192.168.27.1.34696 > 192.168.22.1.5822: Flags [S], seq 3927945332, win 64240, options [mss 1460,sackOK,TS val 2531085413 ecr 0,nop,wscale 7], length 0
21:15:29.024430 IP 192.168.22.1.5822 > 192.168.27.1.34696: Flags [S.], seq 1603049024, ack 3927945333, win 27360, options [mss 1380,sackOK,TS val 2008396609 ecr 2531085413,nop,wscale 2], length 0
21:15:29.078354 IP 192.168.27.1.34696 > 192.168.22.1.5822: Flags [.], ack 1, win 502, options [nop,nop,TS val 2531085501 ecr 2008396609], length 0
21:15:30.079937 IP 192.168.27.1.34696 > 192.168.22.1.5822: Flags [P.], seq 1:6, ack 1, win 502, options [nop,nop,TS val 2531086485 ecr 2008396609], length 5

Honestly, I didn't even expect this to succeed, as the firewall rule should forward requests from wan only.

Request

It seems there is some problem with forwarding packets for that port when they come from the WAN. Can anyone help me with this, please?

Maybe you don't have 0.0.0.0/0 in AllowedIPs for the Home peer on the Office router?

Reverse path filter (rp_filter) may also cause problems, after you have fixed AllowedIPs. One way is to disable it.

You also need policy based routing in case you don't want to use the WireGuard tunnel for all internet access from the Office network.

Another solution is to use a GRE tunnel within the WireGuard tunnel, then you don't have to change AllowedIPs. In particular this is needed if you have more than one peer you want to forward ports to, and don't want to use multiple WireGuard tunnels.


Oh, that was such a simple solution. I've temporarily added just my Internet host IP to the allowed_ips and it worked like a charm. Thank you very much for your help!
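The two checks named in the reply above (AllowedIPs, then rp_filter) and the narrower /32 fix the original poster settled on can be walked through in code. The Python below is an added example written for this page; it is not code from the thread, from OpenWrt or from WireGuard. It models WireGuard's cryptokey routing (a packet decrypted from a peer is dropped unless its inner source address resolves, by longest prefix, to that same peer) and the kernel's reverse path filter (strict mode requires the route back to the source to leave via the receiving interface) over a constructed Office-router state. The Home and Office LANs and the client address 213.189.52.89 are taken from the post; the tunnel addresses 10.0.0.1/10.0.0.2, the interface names eth0.2 and br-lan, and the exact AllowedIPs the Office router had before the fix are assumptions.

```python
"""Trace an inbound tunnel packet through the Office router's two drop points.

Constructed example modelled on the thread; tunnel addresses, interface names
and the pre-fix AllowedIPs are assumptions, not values from the post.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Peers = Dict[str, List[str]]          # peer name -> AllowedIPs
Routes = Sequence[Tuple[str, str]]    # (prefix, outgoing interface)

# Office router's "home" peer: only the Home LAN and the tunnel address (assumed
# pre-fix state), then the reply's 0.0.0.0/0, then the poster's /32 of the client.
PEERS_BEFORE: Peers = {"home": ["10.0.0.1/32", "192.168.27.0/24"]}
PEERS_ANY: Peers = {"home": ["10.0.0.1/32", "192.168.27.0/24", "0.0.0.0/0"]}
PEERS_HOST: Peers = {"home": ["10.0.0.1/32", "192.168.27.0/24", "213.189.52.89/32"]}

# Office main routing table (assumed): LAN, tunnel nets, default via the WAN.
ROUTES: Routes = [
    ("192.168.22.0/24", "br-lan"),
    ("10.0.0.0/24", "wg0"),
    ("192.168.27.0/24", "wg0"),
    ("0.0.0.0/0", "eth0.2"),
]
# Same table after route_allowed_ips installed a /32 for the client via the tunnel.
ROUTES_HOST: Routes = list(ROUTES) + [("213.189.52.89/32", "wg0")]
# Same table if 0.0.0.0/0 via wg0 is installed: all Office Internet traffic
# now goes through the tunnel, which is why the reply mentions policy routing.
ROUTES_ALL_VIA_TUNNEL: Routes = [r for r in ROUTES if r[0] != "0.0.0.0/0"] + [("0.0.0.0/0", "wg0")]


def _longest_match(table: Sequence[Tuple[str, str]], ip: str) -> Optional[str]:
    """Longest-prefix match of ip over (prefix, value) pairs; None if no prefix contains it."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for prefix, value in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best, best_len = value, net.prefixlen
    return best


def cryptokey_lookup(peers: Peers, ip: str) -> Optional[str]:
    """WireGuard cryptokey routing: the peer owning the longest AllowedIPs prefix for ip."""
    return _longest_match([(p, name) for name, nets in peers.items() for p in nets], ip)


def route_lookup(routes: Routes, ip: str) -> Optional[str]:
    """Outgoing interface the routing table picks for ip."""
    return _longest_match(routes, ip)


def office_inbound_verdict(peers: Peers, routes: Routes, from_peer: str,
                           src_ip: str, rp_filter: int = 1) -> str:
    """Fate of a packet decrypted from `from_peer` whose inner source is src_ip.

    rp_filter: 0 = off, 1 = strict (route back must use wg0), 2 = loose (any route).
    """
    # Drop point 1: WireGuard itself. A packet failing this check never reaches
    # the interface's receive path, consistent with tcpdump on wg0 seeing nothing.
    if cryptokey_lookup(peers, src_ip) != from_peer:
        return "dropped by WireGuard: source not in the sending peer's AllowedIPs"
    # Drop point 2: reverse path filter on the decrypted packet.
    back = route_lookup(routes, src_ip)
    if rp_filter == 1 and back != "wg0":
        return f"dropped by rp_filter (strict): route back to source is via {back}, not wg0"
    if rp_filter == 2 and back is None:
        return "dropped by rp_filter (loose): no route back to source at all"
    return "delivered to the local stack (port 5822 on the Office router)"


def office_reply_verdict(peers: Peers, routes: Routes, dst_ip: str) -> str:
    """Where the Office router's reply to dst_ip ends up."""
    out = route_lookup(routes, dst_ip)
    if out != "wg0":
        return f"sent via {out}, not the tunnel: the Home router never sees the reply"
    if cryptokey_lookup(peers, dst_ip) is None:
        return "dropped by WireGuard: no peer has the destination in AllowedIPs"
    return "encrypted to peer home and sent via wg0"


if __name__ == "__main__":
    client = "213.189.52.89"
    print("LAN test :", office_inbound_verdict(PEERS_BEFORE, ROUTES, "home", "192.168.27.1"))
    print("WAN, pre-fix :", office_inbound_verdict(PEERS_BEFORE, ROUTES, "home", client))
    print("WAN, 0.0.0.0/0 only :", office_inbound_verdict(PEERS_ANY, ROUTES, "home", client))
    print("WAN, 0.0.0.0/0, rp_filter off :", office_inbound_verdict(PEERS_ANY, ROUTES, "home", client, 0))
    print("WAN, /32 + route :", office_inbound_verdict(PEERS_HOST, ROUTES_HOST, "home", client))
    print("reply, /32 + route :", office_reply_verdict(PEERS_HOST, ROUTES_HOST, client))
    print("reply, 0.0.0.0/0 via wg0 :", office_reply_verdict(PEERS_ANY, ROUTES_ALL_VIA_TUNNEL, client))
```

The trace reproduces the thread: the LAN-side test passes both checks, the WAN-side packet dies at the AllowedIPs check before tcpdump on wg0 can see it, and adding 0.0.0.0/0 alone only moves the drop to strict rp_filter unless the route back to the client also points at wg0 (which OpenWrt's route_allowed_ips option installs from the peer's allowed_ips, and which for 0.0.0.0/0 means the Office default route, hence the policy-routing remark). The poster's /32 entry passes both checks and steers only the replies to that one client back through the tunnel.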
