Routing/Port Forwarding Wireguard to Lan Network

Hi All,

I'm trying to port forward from my VPN to my Router and back again. I'm pretty sure that this is the issue I'm having as everything else is working properly. The server I'm port forwarding to is an nginx server 10.0.4.246 but this doesn't really matter as it's just sending and receiving data I believe.

Nginx Snippet:

    location / {
        proxy_pass    http://172.16.1.176:1234;
        proxy_connect_timeout   820s;
        proxy_send_timeout      820s;
        proxy_read_timeout      820s;
        client_max_body_size    512M;
    }

Whenever I try to go to a domain name after using the rules below, it either routes me back to the router IP of 172.16.1.1 or takes me to an error page (unable to load). I'm very stumped and it's 3:00 AM. Any help would be appreciated.

Here are my wireguard rules:

PreUp = sysctl -w net.ipv4.conf.all.forwarding=1

PostUp = iptables -I INPUT -p udp --dport 51821 -j ACCEPT
PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
#PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
#PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.4.1:80
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.1:443


PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
#PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
#PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.4.1:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.1:443

I included both 10.10.20.3 and 10.0.4.1 for testing purposes but I couldn't get them to work.

Here are the port forwarding rules I have tried:

config redirect
        option dest 'vpnlan'
        option target 'DNAT'
        option src 'vpnlan'
        option src_dport '80'
        option dest_ip '10.0.4.246'
        option dest_port '80'
        option src_ip '10.10.20.3'

config redirect
        option dest 'vpnlan'
        option target 'DNAT'
        option src 'vpnlan'
        option src_dport '443'
        option dest_ip '10.0.4.246'
        option dest_port '443'
        option src_ip '10.10.20.3'

This is the response I get from my 10.0.4.246 server:

root@nginx:~# netstat -tuln | grep -E '80|443'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
root@nginx:~#

It looks to be working but whenever I try to curl my domain name:
curl https://panel.example.com
curl: (7) Failed to connect to panel.example.com port 443 after 89 ms: Couldn't connect to server
root@nginx:~#

I have it behind an NGINX server, but the local IPs are all available and I'm able to access all the local ports as well.

Same Server example:

root@nginx:~# curl http://172.16.1.176:1234/

<html>
    <title>BlueBubbles Server</title>
    <body>
        <h4>Welcome to the BlueBubbles Server landing page!</h4>
    </body>
</html>
root@nginx:~#

Here is my IP address coming back on the same server; this is my VPN IP address (it has been changed for security purposes):
root@nginx:~# curl ipecho.net/plain; echo
45.40.20.110
root@nginx:~#

Finally, a screenshot of my interfaces. I'm only worried about the zones in blue.

It looks like you have an OpenWRT router as WG "client" to your own VPS running a WG "server" in the cloud?

If so, you can set it up as a site-to-site configuration.
Basically you set up your OpenWRT router as a WG server, e.g. no masquerading and opening up the firewall.
Edit: https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#site-to-site

In that way you do not need port forwarding on your OpenWRT router but on your VPS you can port forward directly to your router/LAN clients as your VPS should have the route to your LAN (set in Allowed IP of the VPS) and your firewall should be open for traffic from your VPS.

As for your VPS, you do not need to masquerade on the WG interface.
The port forwarding rules need not only a DNAT rule but also an ACCEPT rule to allow that port, e.g.:

iptables -I FORWARD -i ens3 -p tcp -d <IP address of router/LAN client> --dport 80 -j ACCEPT
1 Like

I'm looking at the Site-to-Site configuration help and it seems that I need openwrt running on both sides?

Site-to-site

Implement plain routing between server side LAN and client side LAN assuming that:

  • 192.168.1.0/24 - server side LAN

  • 192.168.2.0/24 - client side LAN

Add route to client side LAN on VPN server.

Add route to server side LAN on VPN client.

uci set network.wgclient.route_allowed_ips="1"
uci add_list network.wgclient.allowed_ips="192.168.2.0/24"
uci commit network
/etc/init.d/network restart

I would rather avoid this as I feel my VPS would become rather restricted with OpenWrt running on it. It would also be more time consuming to completely scrap my server and install a new OS on it.

I'm confused about: "Change the source zone for OpenWrt redirects to wg1."

The blue zone is using pull_wg1 as its WireGuard interface. I had changed it a bit from what you sent me in my last post. Why would I use wg1 over the pull_wg1 inside of my blue firewall zone?

You do not need to run OpenWrt on your VPS at all.
The only thing which changes on the WG of your VPS is that you add the client's (OpenWrt router) subnet to the allowed IPs.
But a normal server implementation should not NAT via the WG interface, so you have to remove that from your VPS; remove:

PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

On the OpenWrt router you add the VPS subnet to the allowed IPs (beside the already existing entries, unless you have 0.0.0.0/0, which already covers all); make sure to enable Route allowed IPs.

Furthermore you can disable masquerading on the firewall zone, as the VPS now knows to which subnet it must return traffic (because you added it to the VPS allowed IPs).

I leave the firewall settings to @vgaetera (I can actually leave everything to him; he has the superior knowledge).

1 Like

I removed the redundant firewall rules from my VPS:

PostUp = iptables -I INPUT -p udp --dport 51821 -j ACCEPT
PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443

PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443

I also added this:

PostUp = iptables -I FORWARD -i ens3 -p tcp -d 10.0.4.1 --dport 80 -j ACCEPT

Finished Rules:

PreUp = sysctl -w net.ipv4.conf.all.forwarding=1

PostUp = iptables -I INPUT -p udp --dport 51821 -j ACCEPT
PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443
PostUp = iptables -I FORWARD -m conntrack --ctstate DNAT -j ACCEPT

PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443
PostDown = iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT

Should I split vpnlan and pull_wg1 into two different firewall zones?

I didn't think this looked right when I created it.

I'm not sure if this will help, but going to my IP address (45.40.20.110) always takes me back to my router.
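The ACCEPT-rule advice above and the finished PostUp/PostDown set can be checked mechanically. The following POSIX shell/awk lint is an added example, not code from the thread: it reads wg-quick hook lines and flags a DNAT with no matching FORWARD ACCEPT (either the per-host `-d <ip> --dport <port>` form or the `--ctstate DNAT` form), a PostUp with no mirrored PostDown, and a MASQUERADE on wg0. The two sample hook sets are constructed from the rules posted in this thread.

```shell
#!/bin/sh
# Constructed sample: the thread's first attempt (DNAT, no FORWARD ACCEPT, wg0 masquerade).
BAD_HOOKS='PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80'

# Constructed sample: the finished rule set (conntrack DNAT accept, mirrored PostDown).
GOOD_HOOKS='PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443
PostUp = iptables -I FORWARD -m conntrack --ctstate DNAT -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443
PostDown = iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT'

# lint_wg_hooks: read wg-quick hook lines on stdin, print one finding per line,
# return 0 when clean and 1 when anything was flagged.
lint_wg_hooks() {
  awk '
    BEGIN { n = 0; bad = 0; ctdnat = 0 }
    /^PostUp *=/ {
      s = $0; sub(/^PostUp *= */, "", s); up[++n] = s
      # a single conntrack rule covers every DNATed flow
      if (s ~ /FORWARD .*--ctstate DNAT .*-j ACCEPT/) ctdnat = 1
    }
    /^PostDown *=/ { s = $0; sub(/^PostDown *= */, "", s); down[s] = 1 }
    END {
      for (i = 1; i <= n; i++) {
        s = up[i]
        # the mirrored PostDown is the same rule with -I/-A replaced by -D
        d = s; sub(/ -[IA] /, " -D ", d)
        if (!(d in down)) { print "no PostDown for: " s; bad = 1 }
        if (s ~ /POSTROUTING .*-o wg0 .*MASQUERADE/) {
          print "masquerade on wg0 is not needed and hides client source IPs: " s; bad = 1
        }
        if (s ~ /-j DNAT --to-destination /) {
          t = s; sub(/.*--to-destination /, "", t); split(t, ap, ":")
          ok = ctdnat
          # per-host alternative: FORWARD ... -d <ip> ... --dport <port> ... -j ACCEPT
          # (dots in the address match loosely, which is good enough for a lint)
          for (j = 1; j <= n && !ok; j++)
            if (up[j] ~ ("FORWARD .*-d " ap[1] " .*--dport " ap[2] " .*-j ACCEPT")) ok = 1
          if (!ok) { print "DNAT to " t " has no FORWARD ACCEPT rule"; bad = 1 }
        }
      }
      exit bad
    }'
}

# Stand-alone run: lint both samples.
printf '%s\n' "$BAD_HOOKS" | lint_wg_hooks; echo "bad sample exit: $?"
printf '%s\n' "$GOOD_HOOKS" | lint_wg_hooks; echo "good sample exit: $?"
```

To lint a real config, feed it the `[Interface]` section, e.g. `grep -E '^Post(Up|Down)' /etc/wireguard/wg0.conf | lint_wg_hooks`.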

Since both interfaces are already in the same zone, there's no reason to make it more complicated.

  • Add 10.0.4.0/24 to allowed IPs in the server config for your router peer.
  • Change the redirect's destination IP to 10.0.4.246 in the server config.
  • Remove firewall redirects on OpenWrt.

[Interface]
Address = 10.10.20.1/24,fd42:42:42::1/64
ListenPort = 51821
PrivateKey = <OMIT>
PreUp = sysctl -w net.ipv4.conf.all.forwarding=1

PostUp = iptables -I INPUT -p udp --dport 51821 -j ACCEPT
PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.4.246:80
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443
PostUp = iptables -I FORWARD -m conntrack --ctstate DNAT -j ACCEPT

PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.4.246:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443
PostDown = iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT


### Client router
[Peer]
PublicKey = <OMIT>
PresharedKey = <OMIT>
AllowedIPs = 10.10.20.0/24,172.16.1.0/24,fd42:42:42::0/128

### Client phone
[Peer]
PublicKey = <OMIT>
PresharedKey = <OMIT>
AllowedIPs = 10.10.20.2/32,fd42:42:42::2/128

### Client vpnlan
[Peer]
PublicKey = <OMIT>
PresharedKey = <OMIT>
AllowedIPs = 10.10.20.3/32,10.0.4.0/24,fd42:42:42::3/128

This worked 👍. It just took a second to load.

You're amazing, thank you! Do you take tips or donations? You've saved me weeks of work.

2 Likes
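The fix that made the final config work was the first bullet above: the DNAT target must lie inside some peer's AllowedIPs, because wg-quick installs routes from AllowedIPs and WireGuard uses them to pick the peer for outbound packets. The following shell/awk check is an added example, not code from the thread; the server config it reads is constructed in the shape of the one posted above, with keys omitted.

```shell
#!/bin/sh
# Constructed server config in the shape of the thread's (keys omitted): one DNAT
# to the nginx host, peers whose AllowedIPs do not yet cover its subnet.
WG_CONF='[Interface]
Address = 10.10.20.1/24
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443

[Peer]
AllowedIPs = 10.10.20.0/24,172.16.1.0/24,fd42:42:42::0/128

[Peer]
AllowedIPs = 10.10.20.3/32,fd42:42:42::3/128'

# check_dnat_routes: for each DNAT target in the config on stdin, find the peer
# AllowedIPs prefix that covers it. An uncovered target has no route into the
# tunnel. Returns 0 when every target is covered, 1 otherwise.
check_dnat_routes() {
  awk -F'[ ,=]+' '
    function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # collect every IPv4 prefix from every peer (IPv6 entries are skipped here)
    /^AllowedIPs/ { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9.]+\/[0-9]+$/) nets[++n] = $i }
    /--to-destination/ { t = $0; sub(/.*--to-destination +/, "", t); sub(/:.*/, "", t); tgts[++m] = t }
    END {
      bad = 0
      for (i = 1; i <= m; i++) {
        hit = ""
        for (j = 1; j <= n; j++) {
          split(nets[j], c, "/"); shift = 2 ^ (32 - c[2])
          # compare the top <prefixlen> bits; /0 covers everything
          if (c[2] == 0 || int(ip2n(tgts[i]) / shift) == int(ip2n(c[1]) / shift)) { hit = nets[j]; break }
        }
        if (hit == "") { print "DNAT target " tgts[i] " is covered by no peer AllowedIPs"; bad = 1 }
        else print "DNAT target " tgts[i] " reaches the tunnel via AllowedIPs " hit
      }
      exit bad
    }'
}

# Stand-alone run: before and after adding the LAN prefix to the vpnlan peer.
printf '%s\n' "$WG_CONF" | check_dnat_routes; echo "exit: $?"
printf '%s\n' "$WG_CONF" | sed 's#^AllowedIPs = 10.10.20.3/32#&,10.0.4.0/24#' | check_dnat_routes; echo "exit: $?"
```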
