Routing/Port Forwarding Wireguard to Lan Host

I read another thread, Routing Port Forwarding, about something close to what I'm doing, but it doesn't quite work for me, and I tried quite hard to read the documentation. I'm almost certain I have my system properly configured, but maybe I'm missing something?

I would like, at the least, to allow people on the internet to use a bounce VPS WireGuard server provisioned with Alpine, along with a dedicated OpenWrt router on my LAN, to access a service on TCP port 5555 on a LAN system. I have not been able to achieve this yet.

Router:

root@OpenWrt:~# wg
interface: WIREGUARD
  public key: <key>
  private key: (hidden)
  listening port: 59538

peer: <another key>
  endpoint: <vps ip>:27479
  allowed ips: 10.100.1.0/24
  latest handshake: 29 seconds ago

On the OpenWrt router, provisioned via the GUI:
in the WireGuard peer:
"route allowed IPs" is checked

in the firewall:
there are two firewall zones, one for WireGuard, one for LAN.
accept: input, output, forward. No masquerading or rules.

alpine:~# wg
interface: wg0
  public key: <key>
  private key: (hidden)
  listening port: 27479

peer: <another key>
  endpoint: <residential outfacing IP>:59538
  allowed ips: 192.168.1.0/24, 10.100.1.0/24
  latest handshake: 40 seconds ago
alpine:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         <vps ip>   0.0.0.0         UG        0 0          0 eth0
10.100.1.0      0.0.0.0         255.255.255.0   U         0 0          0 wg0
<vps ip>     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wg0

In a script executed on PostUp:

#!/bin/bash

iptables -I INPUT -i eth0 -p udp --dport 27479 -j ACCEPT #accept WireGuard itself on eth0
iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT #allow forwarding from eth0 into the tunnel
iptables -I FORWARD -i wg0 -j ACCEPT #allow the reverse also
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #source-NAT anything leaving eth0 to the VPS address

iptables -t filter -A FORWARD -m conntrack --ctstate DNAT,ESTABLISHED,RELATED -j ACCEPT #permit packets of tracked (incl. DNATed) connections
iptables -t nat -I PREROUTING -p tcp --dport 5555 -j DNAT --to-destination 192.168.1.112

Do I have this configured correctly? What am I missing?

Since some pro users may expect me to include this, below this line are some of the conf files from UCI:

uci export network

package network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd7d:bd3c:35d8::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option force_link '0'
        option ipaddr '192.168.1.100'
        option gateway '192.168.1.1'
        option device 'br-lan'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device 'lan_eth1_1_dev'
        option name 'eth1.1'
        option macaddr '8c:59:73:fe:49:5e'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '8c:59:73:fe:49:5f'

config switch
        option name 'switch0'
        option reset '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 6t 1 2 3 4 5'
        option vid '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.2'
        list ports 'eth1.1'

config interface 'WIREGUARD'
        option proto 'wireguard'
        option private_key '<key>'
        option mtu '1420'
        option delegate '0'
        list addresses '10.100.1.2/32'

config wireguard_WIREGUARD
        option description 'vps'
        option public_key '<peer key>'
        option endpoint_host '<vps host>'
        option endpoint_port '27479'
        option persistent_keepalive '23'
        option route_allowed_ips '1'
        list allowed_ips '10.100.1.0/24'

config device
        option name 'WIREGUARD'
        option mtu '1420'
        option ipv6 '0'

uci export firewall

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WIREGUARD'

config forwarding
        option src 'lan'
        option dest 'wg'

config forwarding
        option src 'wg'
        option dest 'lan'

It looks like the WG client is on a Dumb AP?

If so, enable MASQUERADING on the LAN interface (or set a static route on the main router for the WG subnet via this router).

I trust the VPS has its own subnet, i.e. different from the WG subnet (10.100.1.0/24) and the WG clients' subnet (192.168.1.0/24)?

It looks like you are port forwarding from the VPS to a LAN client.

Port forwarding needs not only a DNAT rule but also a FORWARD ACCEPT rule. I might have overlooked it, but otherwise you have to add one, e.g.:
iptables -I FORWARD -p tcp -d 192.168.1.112 --dport 5555 -j ACCEPT

Dumb AP?

Correct. Client two, the client inside the LAN, is on a router offering no services, only Ethernet relaying/bridging.

If so enable MASQUERADING on the LAN interface (or set a static route on the main router of the WG subnet to this router).

I'm getting conflicting instructions about this. Some people say turn it off, others say turn it on. To eliminate confusion, at this point masquerading is turned on.
In the OpenWrt router's firewall page, masq is checked for both zones.

I trust the VPS has its own subnet e.g. different form the WG subnet (10.100.1.0/24) and the WG clients subnet (192.168.1.0/24)?

The VPS has no LAN network, just the eth0 public-facing IP address and the wg0 subnet. Does it need a LAN network?

It looks like you are port forwarding from the VPS to a LAN client

This is correct.

forwarding rules

I added the rules you propose.
I do have the rule:
iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT #allow forwarding traffic

Edit:
After refining the WireGuard behavior a little bit more:
In the local configurations:
the remote VPS is set to have allowed IPs 10.100.1.0/24 in all other peers.
In the remote configuration:
the in-LAN router is allowed 10.100.1.2/32 + 192.168.1.0/24.

With this, I can access the service over WireGuard from another added peer.
With the other peer, adding 0.0.0.0/0 and then the kill switch, I can access the internet over the VPS from my LAN, so this behavior is also working.
So the WireGuard peering is working correctly: the remote router is connecting all requests over WireGuard to the desired LAN machine, using iptables.

All that remains is figuring out the last piece: allowing people from outside to be automatically connected to the LAN machine using the port forwarding.

#!/bin/bash

iptables -I INPUT -i eth0 -p udp --dport 27479 -j ACCEPT #accept WireGuard itself on eth0
iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT #allow forwarding from eth0 into the tunnel
iptables -I FORWARD -i wg0 -j ACCEPT #allow the reverse also
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #replace LAN source IPs with the VPS address on the way out

iptables -t filter -A FORWARD -m conntrack --ctstate DNAT,ESTABLISHED,RELATED -j ACCEPT #permit packets of tracked (incl. DNATed) connections

# Forward TCP traffic on ports 5555 and 50101 to the specific host

iptables -I FORWARD -p tcp -d 192.168.1.112 --dport 5555 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.1.112 --dport 50101 -j ACCEPT


iptables -t nat -I PREROUTING -p tcp --dport 5555 -j DNAT --to-destination 192.168.1.112
iptables -t nat -I PREROUTING -p tcp --dport 50101 -j DNAT --to-destination 192.168.1.112

iptables -t filter -A FORWARD -m conntrack --ctstate DNAT,ESTABLISHED,RELATED -j ACCEPT #same as the conntrack rule above

iptables -I INPUT -p tcp --dport 5555 -j ACCEPT #INPUT/OUTPUT rules only matter for a service listening on the VPS itself
iptables -I OUTPUT -p tcp --sport 5555 -j ACCEPT

iptables -I INPUT -p tcp --dport 50101 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 50101 -j ACCEPT

Here are the current rules. There is no firewall on the remote VPS.

alpine:/etc# ip r
default via <broadcast of vps public ip> dev eth0 metric 202
10.100.1.0/24 dev wg0 proto kernel scope link src 10.100.1.1
<subnet of vps public ip>/24 dev eth0 proto kernel scope link src <vps ip>
192.168.1.0/24 dev wg0 scope link

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5555 -j DNAT --to 192.168.1.112
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 50101 -j DNAT --to 192.168.1.112
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 50123 -j DNAT --to 192.168.1.112
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.112/32 -j MASQUERADE

I also needed to add a POSTROUTING rule for masquerading. It seems to work now.
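Added example, not code posted in the thread: a complete VPS-side rule set that does what the final post's rules do, generated by a function so it can be dry-run and inspected before being applied from PostUp. Interfaces, addresses and ports are the ones from the thread (eth0, wg0, UDP 27479, 192.168.1.112, TCP 5555 and 50101); the DROP policy on FORWARD is an assumption added here for a default-deny relay, since the thread says the VPS otherwise has no firewall. The POSTROUTING MASQUERADE toward wg0 is the rule the last post found necessary, and the reason is WireGuard's cryptokey routing: the OpenWrt side only accepts decrypted packets whose source address falls inside the VPS peer's allowed IPs (10.100.1.0/24), so a DNATed packet that still carries the internet client's source address is silently dropped. Rewriting the source to the VPS's wg0 address (10.100.1.1) keeps it inside that range, and the masquerade enabled on the OpenWrt lan zone then makes 192.168.1.112 reply to 192.168.1.100 instead of to its default gateway.

```shell
#!/bin/sh
# Added example, not code from the thread. VPS-side PostUp rules for publishing
# TCP ports on a LAN host that sits behind the WireGuard peer. Values are the
# thread's; FORWARD_POLICY=DROP is an assumption (default-deny on the relay).

WAN_IF=${WAN_IF:-eth0}
WG_IF=${WG_IF:-wg0}
WG_PORT=${WG_PORT:-27479}
LAN_HOST=${LAN_HOST:-192.168.1.112}
PUBLISHED_PORTS=${PUBLISHED_PORTS:-"5555 50101"}
FORWARD_POLICY=${FORWARD_POLICY:-DROP}

# Emit the rule set, one iptables argument list per line, in apply order.
vps_rules() {
    # WireGuard itself on the public interface
    printf '%s\n' "-A INPUT -i $WAN_IF -p udp --dport $WG_PORT -j ACCEPT"
    # Reply packets of any tracked flow, including flows created by DNAT
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $PUBLISHED_PORTS; do
        # Rewrite the destination as the packet arrives from the internet ...
        printf '%s\n' "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $LAN_HOST:$port"
        # ... and allow only that rewritten flow to be forwarded into the tunnel
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $WG_IF -p tcp -d $LAN_HOST --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Other WireGuard peers reaching the LAN (or each other) through the VPS
    printf '%s\n' "-A FORWARD -i $WG_IF -o $WG_IF -j ACCEPT"
    # Source-NAT flows entering the tunnel to the VPS's wg0 address. The OpenWrt
    # peer only accepts decrypted packets whose source lies inside the VPS's
    # allowed IPs (10.100.1.0/24); an untouched internet source would be dropped.
    printf '%s\n' "-t nat -A POSTROUTING -o $WG_IF -d $LAN_HOST -j MASQUERADE"
    # Peers that use the VPS as their exit to the internet
    printf '%s\n' "-A FORWARD -i $WG_IF -o $WAN_IF -j ACCEPT"
    printf '%s\n' "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # Everything not matched above is dropped (assumed policy, see header)
    printf '%s\n' "-P FORWARD $FORWARD_POLICY"
}

# Apply the rule set. Pass a command as $1 to substitute for iptables,
# e.g. `apply_rules echo` prints exactly what would run.
apply_rules() {
    runner=${1:-iptables}
    vps_rules | while IFS= read -r rule; do
        # Word splitting of $rule into separate arguments is intentional here.
        $runner $rule || return 1
    done
}

# Number of rules the set contains (handy for a sanity check before applying).
rule_count() { vps_rules | wc -l | tr -d ' '; }

# Uncomment to apply for real (requires root):
# apply_rules
```

One consequence worth knowing before relying on this: because every published connection is source-NATed twice (to 10.100.1.1 on the VPS, then to 192.168.1.100 by the OpenWrt lan-zone masquerade), the service on 192.168.1.112 sees a single client address for all internet users. If the application needs the real client IP for logging or rate limiting, record it on the VPS (for example with a LOG rule in PREROUTING) rather than on the LAN host.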
