Join Log in
Score:1
Asmodean avatar Server

Port forwarding with wireguard

us flag
Asmodean

Using applications like qbittorrent and airdcpp to share files. They all need some ports to be forwarded in order to be "connectable".

In the home connection I would go into the router settings 192.168.1.1 and then forward the ports, ex. 56000 to my PC's local ip address: 192.168.1.124. And the services would work alright.

Later set up wireguard on a Linode VPS wishing I can vpn into it and and mask my IP. But when I do that, my ip address is changed when I go to somewhere like https://whoer.net . But the ports used, ex. 56000 is not forwarded and thus the apps are not "connectable".

What are the things I need to add in iptables in order for the VPS to forward those ports like my home router does?

Port 56000 is set to allow in the active VPS ufw firewall.

Many thanks for looking.

This is what my VPS wireguard conf looks like:

Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 49503
PrivateKey = ***


[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
12670
1 + 0
Score:2
avatar Server
cn flag
Justin Ludwig

Since you're using UFW, first make sure the UFW rule for port 56000 that you added is not a regular input rule, but instead a "route" (aka forwarding) rule, like this (assuming it's for a TCP port; replace tcp with udp for UDP):

ufw route allow proto tcp to 10.66.66.2 port 56000

Then you need an iptables rule like this for each port you want to forward (where eth0 is the name of your WAN interface):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2

If you have a bunch of individual ports you want to forward, you can put them all (up to 15 ports) in the same rule using the --dports flag (note the s) of the multiport module:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 123,456,789 -j DNAT --to-destination 10.66.66.2

And since you're using UFW, you probably want to put your PREROUTING rules in the *nat block of your /etc/ufw/before.rules config file, like this (assuming you probably already have something similar to the POSTROUTING rule there):

# /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

If you don't already have a *nat block in your /etc/ufw/before.rules file, add it at the end of the file. Restart UFW after you make the changes.

0 + 7
Michael Hampton avatar
cz flag
Michael Hampton
ufw is not capable of port forwarding? That's rather odd.
0
Reply
Asmodean avatar
us flag
Asmodean
@MichaelHampton, it is just that you need to use iptables for forwarding, not that ufw can't. It is a firewall. So I guess you could say it can't but technically it isn't for that.
0
Reply
Asmodean avatar
us flag
Asmodean
Thank you so much! You don't know how long and how much I gave agonized over this, because of how I didn't know of that rules to specifically let the ports to be forwarded. Guess I haven't been asking the question in the right exchange either. Was always in unix before I found out about serverfault. Again the answer is very appreciated!
0
Reply
Michael Hampton avatar
cz flag
Michael Hampton
Well, firewalld has port forwarding built in. About a year ago I migrated everything to firewalld, including Debian/Ubuntu systems, just to keep things consistent, as I have to manage a wide variety of distros. The larger feature set of firewalld and it being easier to manage via automation were compelling reasons to standardize on it.
0
Reply
Asmodean avatar
us flag
Asmodean
@MichaelHampton, is firewalld able to forward things like the answer does? I have used it on my local machine, though it is currently off as of now, I have used it to forward ports locally very conveniently with its GUI. Love it for that purpose, but don't know about what the iptables mentioned was able to do.
0
Reply
Michael Hampton avatar
cz flag
Michael Hampton
@Asmodean Yes, it both forwards ports and does masquerading itself.
0
Reply
Asmodean avatar
us flag
Asmodean
@MichaelHampton, so I just don't know how to, can you look at this question? https://serverfault.com/questions/1068004/firewalld-forwarding-functionality-with-wireguard
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.