Port forwarding with wireguard

I'm using applications like qBittorrent and AirDC++ to share files. They all need some ports to be forwarded in order to be "connectable".

On my home connection I would go into the router settings at 192.168.1.1 and forward the ports, e.g. 56000, to my PC's local IP address, 192.168.1.124, and the services would work fine.

Later I set up WireGuard on a Linode VPS, wishing to VPN into it and mask my IP. When I do that, my IP address is changed when I go somewhere like https://whoer.net . But the ports used, e.g. 56000, are not forwarded, and thus the apps are not "connectable".

What are the things I need to add in iptables in order for the VPS to forward those ports like my home router does?

Port 56000 is set to allow in the active VPS ufw firewall.

Many thanks for looking.

This is what my VPS wireguard conf looks like:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 49503
PrivateKey = ***

[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

Since you're using UFW, first make sure the UFW rule for port 56000 that you added is not a regular input rule, but instead a "route" (aka forwarding) rule, like this (assuming it's for a TCP port; replace tcp with udp for UDP):

ufw route allow proto tcp to 10.66.66.2 port 56000

Then you need an iptables rule like this for each port you want to forward (where eth0 is the name of your WAN interface):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2

If you have a bunch of individual ports you want to forward, you can put them all (up to 15 ports) in the same rule using the --dports flag (note the s) of the multiport module:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 123,456,789 -j DNAT --to-destination 10.66.66.2

And since you're using UFW, you probably want to put your PREROUTING rules in the *nat block of your /etc/ufw/before.rules config file, like this (assuming you probably already have something similar to the POSTROUTING rule there):

# /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

If you don't already have a *nat block in your /etc/ufw/before.rules file, add it at the end of the file. Restart UFW after you make the changes.
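As an added example (not part of the answer above), a small POSIX shell helper that renders the ufw route rule and the PREROUTING DNAT rules for a list of ports to one peer, packing at most 15 ports per multiport rule as the answer notes. It assumes the WAN interface, peer address, protocol and ports are passed as arguments, and it only prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example, not from the original answer: print the UFW route rule and the
# iptables DNAT rules that forward a list of ports to one WireGuard peer.
# Nothing is applied to the running firewall; the commands are only rendered.

# Validate that a value is an integer within the TCP/UDP port range.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# One "ufw route allow" line per port, so only the listed ports reach the peer.
render_ufw_route() {
    peer=$1; proto=$2; shift 2
    for p in "$@"; do
        is_port "$p" || { echo "bad port: $p" >&2; return 1; }
        echo "ufw route allow proto $proto to $peer port $p"
    done
}

# Emit one PREROUTING DNAT rule: --dport for a single port, multiport
# --dports for a comma-separated group. Args: wan peer proto ports count
emit_dnat() {
    if [ "$5" -eq 1 ]; then
        echo "iptables -t nat -A PREROUTING -i $1 -p $3 --dport $4 -j DNAT --to-destination $2"
    else
        echo "iptables -t nat -A PREROUTING -i $1 -p $3 -m multiport --dports $4 -j DNAT --to-destination $2"
    fi
}

# Render DNAT rules for any number of ports, packing at most 15 per rule,
# which is the multiport module's limit mentioned in the answer.
render_dnat() {
    wan=$1; peer=$2; proto=$3; shift 3
    list=''; n=0
    for p in "$@"; do
        is_port "$p" || { echo "bad port: $p" >&2; return 1; }
        list="${list:+$list,}$p"; n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            emit_dnat "$wan" "$peer" "$proto" "$list" "$n"
            list=''; n=0
        fi
    done
    if [ "$n" -gt 0 ]; then emit_dnat "$wan" "$peer" "$proto" "$list" "$n"; fi
    return 0
}
```

Example: `render_dnat eth0 10.66.66.2 tcp 56000` prints the single-port rule from the answer, and 16 or more ports are split across several multiport rules.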

Michael Hampton: ufw is not capable of port forwarding? That's rather odd.
Asmodean: @MichaelHampton, it is just that you need to use iptables for forwarding, not that ufw can't. It is a firewall. So I guess you could say it can't, but technically it isn't for that.
Asmodean: Thank you so much! You don't know how long and how much I have agonized over this, because I didn't know of the rules that specifically let the ports be forwarded. Guess I haven't been asking the question in the right exchange either. Was always in Unix before I found out about Server Fault. Again, the answer is very appreciated!
Michael Hampton: Well, firewalld has port forwarding built in. About a year ago I migrated everything to firewalld, including Debian/Ubuntu systems, just to keep things consistent, as I have to manage a wide variety of distros. The larger feature set of firewalld and it being easier to manage via automation were compelling reasons to standardize on it.
Asmodean: @MichaelHampton, is firewalld able to forward things like the answer does? I have used it on my local machine, though it is currently off as of now; I have used it to forward ports locally very conveniently with its GUI. Love it for that purpose, but I don't know about what the iptables rules mentioned were able to do.
Michael Hampton: @Asmodean Yes, it both forwards ports and does masquerading itself.
Asmodean: @MichaelHampton, I just don't know how to; can you look at this question? https://serverfault.com/questions/1068004/firewalld-forwarding-functionality-with-wireguard