VPN-PBR config for Wireguard client and server

I've been trying for many days now to get a basic working setup with a Wireguard client and server.
I have asked about how to get it done, with no answers. I've posted my configs, without any replies. I've searched without finding any complete answers.

This should be such a simple thing to do, but all over the internet I find people who have the same problem and only partial solutions are posted, nothing that seems to work.

Can someone post an actual working config where they have a Wireguard "client" connection to a "VPN" provider through which all LAN traffic gets routed, and a Wireguard "server" that accepts incoming connections to access the LAN?

I'm getting rather frustrated about this since it's almost on the same level as trying to find out how to write the "@" symbol on the keyboard, but no matter what you ask, what you try or what you Google, you can't find a solution.

The closest to a description I've found is this:
local-openvpn-server--openvpn-client-scenario-1
But I can't get that to work either (I do get scenario-2 to work).

Someone must have this simple setup working and can post it, for my sanity and the greater good of the internet!

Running a VPN client and server simultaneously requires policy-based routing:
https://openwrt.org/docs/guide-user/services/vpn/server_client

Oh, I see there's your other thread:
Working config for Local Wireguard Server + Wireguard Client

So, you actually don't need WG configs, but need a working VPN-PBR config.
I updated the thread name for better consistency.

I'm still a bit unclear whether policy-based routing is really needed to get this to work, but since that is a way to go, I tried it and couldn't get it to fully work.

It might be the case that it's a working VPN-PBR config I need.

The tunnel typically uses masquerading on the other end, so the client receives replies from another IP, and this is the problem that VPN-PBR is designed to solve.

According to the documentation, it should be like this:

config vpn-policy-routing 'config'
  list ignored_interface 'wgserver'
  ...

config policy
  option name 'wgserver'
  option interface 'wan'
  option proto 'udp'
  option src_port '1234'
  option chain 'OUTPUT'

What is your current config?

uci show network; uci show vpn-policy-routing; iptables-save -c
This is my current config. The Wireguard client (wgbahnhof) works but I can't connect to the Wireguard server from the outside.

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdd6:2214:2ebc::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ifname='eth0'
network.lan.ipaddr='192.168.0.1'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wgbahnhof=interface
network.wgbahnhof.proto='wireguard'
network.wgbahnhof.private_key='SECRET'
network.wgbahnhof.force_link='1'
network.wgbahnhof.addresses='10.0.221.XXX'
network.@wireguard_wgbahnhof[0]=wireguard_wgbahnhof
network.@wireguard_wgbahnhof[0].public_key='SECRET'
network.@wireguard_wgbahnhof[0].persistent_keepalive='25'
network.@wireguard_wgbahnhof[0].endpoint_port='48574'
network.@wireguard_wgbahnhof[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wgbahnhof[0].route_allowed_ips='1'
network.@wireguard_wgbahnhof[0].endpoint_host='98.128.186.72'
network.wgserver=interface
network.wgserver.proto='wireguard'
network.wgserver.private_key='SECRET'
network.wgserver.listen_port='1234'
network.wgserver.addresses='10.14.0.1/24'
network.@wireguard_wgserver[0]=wireguard_wgserver
network.@wireguard_wgserver[0].public_key='SECRET'
network.@wireguard_wgserver[0].description='User 1'
network.@wireguard_wgserver[0].allowed_ips='10.14.0.2/32'
network.@wireguard_wgserver[0].route_allowed_ips='1'
network.@wireguard_wgserver[0].persistent_keepalive='25'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.config.ignored_interface='wgserver'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].name='Test'
vpn-policy-routing.@policy[0].src_addr='192.168.0.51'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].name='Wireguard Server'
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].proto='udp'
vpn-policy-routing.@policy[1].src_port='1234'
vpn-policy-routing.@policy[1].chain='OUTPUT'
# Generated by iptables-save v1.8.3 on Fri Aug 21 22:34:14 2020
*nat
:PREROUTING ACCEPT [764:108906]
:INPUT ACCEPT [33:3493]
:OUTPUT ACCEPT [96:6998]
:POSTROUTING ACCEPT [10:976]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wgbahnhof_rule - [0:0]
:postrouting_wgserver_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wgbahnhof_rule - [0:0]
:prerouting_wgserver_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wgbahnhof_postrouting - [0:0]
:zone_wgbahnhof_prerouting - [0:0]
:zone_wgserver_postrouting - [0:0]
:zone_wgserver_prerouting - [0:0]
[764:108906] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[724:105797] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[36:2708] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[4:401] -A PREROUTING -i wgbahnhof -m comment --comment "!fw3" -j zone_wgbahnhof_prerouting
[0:0] -A PREROUTING -i wgserver -m comment --comment "!fw3" -j zone_wgserver_prerouting
[246:19800] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:349] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[236:18824] -A POSTROUTING -o wgbahnhof -m comment --comment "!fw3" -j zone_wgbahnhof_postrouting
[0:0] -A POSTROUTING -o wgserver -m comment --comment "!fw3" -j zone_wgserver_postrouting
[1:349] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[724:105797] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[36:2708] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[236:18824] -A zone_wgbahnhof_postrouting -m comment --comment "!fw3: Custom wgbahnhof postrouting rule chain" -j postrouting_wgbahnhof_rule
[236:18824] -A zone_wgbahnhof_postrouting -m comment --comment "!fw3" -j MASQUERADE
[4:401] -A zone_wgbahnhof_prerouting -m comment --comment "!fw3: Custom wgbahnhof prerouting rule chain" -j prerouting_wgbahnhof_rule
[0:0] -A zone_wgserver_postrouting -m comment --comment "!fw3: Custom wgserver postrouting rule chain" -j postrouting_wgserver_rule
[0:0] -A zone_wgserver_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wgserver_prerouting -m comment --comment "!fw3: Custom wgserver prerouting rule chain" -j prerouting_wgserver_rule
COMMIT
# Completed on Fri Aug 21 22:34:14 2020
# Generated by iptables-save v1.8.3 on Fri Aug 21 22:34:14 2020
*mangle
:PREROUTING ACCEPT [5174:1923739]
:INPUT ACCEPT [2508:936961]
:FORWARD ACCEPT [2117:879012]
:OUTPUT ACCEPT [1911:550867]
:POSTROUTING ACCEPT [4019:1429519]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[5472:2118592] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[2607:999200] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[2265:971577] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[1962:558015] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[0:0] -A VPR_FORWARD -m set --match-set wgbahnhof dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set wgbahnhof dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_OUTPUT -p udp -m multiport --sports 1234 -m comment --comment Wireguard_Server -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set wgbahnhof dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -s 192.168.0.51/32 -m comment --comment Text -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wgbahnhof dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Fri Aug 21 22:34:14 2020
# Generated by iptables-save v1.8.3 on Fri Aug 21 22:34:14 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wgbahnhof_rule - [0:0]
:forwarding_wgserver_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wgbahnhof_rule - [0:0]
:input_wgserver_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wgbahnhof_rule - [0:0]
:output_wgserver_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wgbahnhof_dest_ACCEPT - [0:0]
:zone_wgbahnhof_dest_REJECT - [0:0]
:zone_wgbahnhof_forward - [0:0]
:zone_wgbahnhof_input - [0:0]
:zone_wgbahnhof_output - [0:0]
:zone_wgbahnhof_src_REJECT - [0:0]
:zone_wgserver_dest_ACCEPT - [0:0]
:zone_wgserver_dest_REJECT - [0:0]
:zone_wgserver_forward - [0:0]
:zone_wgserver_input - [0:0]
:zone_wgserver_output - [0:0]
:zone_wgserver_src_ACCEPT - [0:0]
[68:6432] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2626:1037525] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2184:884353] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[31:1352] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -p udp -m udp --dport 1234 -m comment --comment "!fw3: Allow-WG-Inbound" -j ACCEPT
[400:149959] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[36:2708] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[6:505] -A INPUT -i wgbahnhof -m comment --comment "!fw3" -j zone_wgbahnhof_input
[0:0] -A INPUT -i wgserver -m comment --comment "!fw3" -j zone_wgserver_input
[2310:980507] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2148:966769] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[162:13738] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wgbahnhof -m comment --comment "!fw3" -j zone_wgbahnhof_forward
[0:0] -A FORWARD -i wgserver -m comment --comment "!fw3" -j zone_wgserver_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[68:6432] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1987:571602] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1898:565151] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:349] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[88:6102] -A OUTPUT -o wgbahnhof -m comment --comment "!fw3" -j zone_wgbahnhof_output
[0:0] -A OUTPUT -o wgserver -m comment --comment "!fw3" -j zone_wgserver_output
[29:1475] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[13:1738] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[31:1352] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:349] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[162:13738] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[162:13738] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wgbahnhof forwarding policy" -j zone_wgbahnhof_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[400:149959] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[400:149959] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:349] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:349] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[400:149959] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[36:2708] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[36:2708] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[36:2708] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
[9:360] -A zone_wgbahnhof_dest_ACCEPT -o wgbahnhof -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[241:19480] -A zone_wgbahnhof_dest_ACCEPT -o wgbahnhof -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wgbahnhof_dest_REJECT -o wgbahnhof -m comment --comment "!fw3" -j reject
[0:0] -A zone_wgbahnhof_forward -m comment --comment "!fw3: Custom wgbahnhof forwarding rule chain" -j forwarding_wgbahnhof_rule
[0:0] -A zone_wgbahnhof_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wgbahnhof_forward -m comment --comment "!fw3" -j zone_wgbahnhof_dest_REJECT
[6:505] -A zone_wgbahnhof_input -m comment --comment "!fw3: Custom wgbahnhof input rule chain" -j input_wgbahnhof_rule
[0:0] -A zone_wgbahnhof_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6:505] -A zone_wgbahnhof_input -m comment --comment "!fw3" -j zone_wgbahnhof_src_REJECT
[88:6102] -A zone_wgbahnhof_output -m comment --comment "!fw3: Custom wgbahnhof output rule chain" -j output_wgbahnhof_rule
[88:6102] -A zone_wgbahnhof_output -m comment --comment "!fw3" -j zone_wgbahnhof_dest_ACCEPT
[6:505] -A zone_wgbahnhof_src_REJECT -i wgbahnhof -m comment --comment "!fw3" -j reject
[0:0] -A zone_wgserver_dest_ACCEPT -o wgserver -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wgserver_dest_ACCEPT -o wgserver -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wgserver_dest_REJECT -o wgserver -m comment --comment "!fw3" -j reject
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3: Custom wgserver forwarding rule chain" -j forwarding_wgserver_rule
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3: Zone wgserver to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3: Zone wgserver to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3: Zone wgserver to wgbahnhof forwarding policy" -j zone_wgbahnhof_dest_ACCEPT
[0:0] -A zone_wgserver_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wgserver_forward -m comment --comment "!fw3" -j zone_wgserver_dest_REJECT
[0:0] -A zone_wgserver_input -m comment --comment "!fw3: Custom wgserver input rule chain" -j input_wgserver_rule
[0:0] -A zone_wgserver_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wgserver_input -m comment --comment "!fw3" -j zone_wgserver_src_ACCEPT
[0:0] -A zone_wgserver_output -m comment --comment "!fw3: Custom wgserver output rule chain" -j output_wgserver_rule
[0:0] -A zone_wgserver_output -m comment --comment "!fw3" -j zone_wgserver_dest_ACCEPT
[0:0] -A zone_wgserver_src_ACCEPT -i wgserver -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT

The config looks correct, but traffic counters are zero:

Try to connect from outside and check:

iptables-save -c | grep -e "\s1234\s"
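An added diagnostic for the check suggested above, written for this thread and not part of the original post or of the vpn-policy-routing package: it parses `iptables-save -c` output and reports the packet counter of every rule that references the WireGuard server port, then tells you whether any of them has ever matched. The sample rules embedded below are constructed for the example (counters made up), and the port number 1234 is taken from the thread's config; `live_port_is_idle` is a hypothetical wrapper that runs the same check against the live firewall on the router.

```sh
#!/bin/sh
# Added example (not from the thread): inspect iptables-save -c counters
# for every rule that mentions a given port, so you can tell whether the
# VPR_OUTPUT mark rule and the inbound ACCEPT rule for the WireGuard
# listen port have ever seen a packet.

# Constructed sample in the format iptables-save -c prints; the counters
# are made up for the example (both port-1234 rules show zero packets, as
# in the thread, while an unrelated rule has non-zero counters).
SAMPLE_RULES='[0:0] -A VPR_OUTPUT -p udp -m multiport --sports 1234 -m comment --comment Wireguard_Server -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A INPUT -p udp -m udp --dport 1234 -m comment --comment "!fw3: Allow-WG-Inbound" -j ACCEPT
[2184:884353] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT'

# port_rule_counters PORT  (reads iptables-save -c output on stdin)
# Prints "<chain> <packets>" for every rule where PORT appears as a
# standalone token, the same match as grep -e "\s1234\s" in the thread.
port_rule_counters() {
    port="$1"
    awk -v p="$port" '
        $0 ~ ("[[:space:]]" p "[[:space:]]") {
            # field 1 is "[pkts:bytes]", field 3 is the chain after "-A"
            pkts = $1
            sub(/^\[/, "", pkts)   # "[0:0]"  -> "0:0]"
            sub(/:.*/, "", pkts)   # "0:0]"   -> "0"
            print $3, pkts
        }'
}

# port_is_idle PORT  (reads iptables-save -c output on stdin)
# Exit status 0 when every rule referencing PORT has a zero packet counter
# (no packet has ever matched them, which is also the result when no rule
# references PORT at all); exit status 1 if at least one rule saw traffic.
port_is_idle() {
    port_rule_counters "$1" | awk '$2 != 0 { hit = 1 } END { exit hit ? 1 : 0 }'
}

# Hypothetical convenience wrapper for the router itself (needs root).
live_port_is_idle() {
    iptables-save -c | port_is_idle "$1"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | port_rule_counters 1234
if printf '%s\n' "$SAMPLE_RULES" | port_is_idle 1234; then
    echo "no packet has matched any rule for port 1234: the inbound handshake never reached the INPUT rule, so start with what happens before the router (WAN reachability), not with the PBR policy"
else
    echo "rules for port 1234 have been hit: the handshake arrives, so check how the replies are marked and routed"
fi
```

Run it after attempting a connection from outside, as the post above suggests: if the `INPUT ... --dport 1234` counter stays at zero, the handshake packets are not arriving at the router at all and no amount of policy routing on the reply path will change that; if the INPUT counter increments but the `VPR_OUTPUT` counter stays at zero, the mark rule for the replies is what to look at next.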

The same thing pops up:

-A VPR_OUTPUT -p udp -m multiport --sports 1234 -m comment --comment Wireguard_Server -j MARK --set-xmark 0x10000/0xff0000
-A INPUT -p udp -m udp --dport 1234 -m comment --comment "!fw3: Allow-WG-Inbound" -j ACCEPT

Any ideas what might cause this?

It's really tricky, I once tested it for OpenVPN and there were problems with UDP, so I used TCP.
I'm not sure if WireGuard has similar issues or not, and my testing capabilities are currently limited.

Yes, it seems to be a strange problem.
As I've written before, I have gotten it to work with both the server and the client, but only if I did the opposite: all LAN traffic goes through WAN and I need to specify, using VPN policy-based routing, which IPs go through Wireguard/VPN.

I think this is one of those rather stupid problems where there is a minor problem somewhere.

Moved here.

I really do not understand how it would be possible for UDP. It works for TCP (OpenVPN).