Score:0

Firewalld Forwarding Functionality with Wireguard


I have asked before how to forward ports on a VPS running a WireGuard service, with ufw and iptables for management.

I had to do this:

(56000 is a random port I chose; 10.66.66.2 is the internal IP of WireGuard.)

ufw route allow proto tcp to 10.66.66.2 port 56000

Then I would do this to actually forward the ports with iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2

Is there a way for me to achieve this with firewalld instead, so I won't have to split the forwarding across two places?

And does masquerading come into use here, or is it needed at all? I don't know what it does or what it is used for.

VPS wireguard wg0 conf for reference purposes:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 49503
PrivateKey = ***

[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
Score:1

From your previous UFW question, it sounds like you're using WireGuard for two purposes: 1) to forward traffic from a WireGuard client of your VPS out to the Internet, and 2) to forward a few public ports from your VPS back to the WireGuard client. You need masquerading (aka SNAT) for 1) and port forwarding (aka DNAT) for 2).

The simplest way to set this up with firewalld is to bind your VPS's public Ethernet interface (eth0 in your case) to firewalld's predefined external zone, and your VPS's WireGuard interface (wg0 in your case) to firewalld's predefined internal zone. The external zone comes preconfigured with masquerading enabled, and both zones also come preconfigured to accept SSH and a few other services.

First open your VPS's WireGuard listen port (49503 in your case) on the external zone:

$ sudo firewall-cmd --zone=external --add-port=49503/udp

And forward port TCP 56000 on the external zone to the same port on 10.66.66.2:

$ sudo firewall-cmd --zone=external --add-forward-port='port=56000:proto=tcp:toaddr=10.66.66.2'

Then bind eth0 to the external zone (which applies firewalld's configuration for the external zone to all eth0 connections):

$ sudo firewall-cmd --zone=external --add-interface=eth0

And bind wg0 to the internal zone:

$ sudo firewall-cmd --zone=internal --add-interface=wg0

Check your active zones:

$ sudo firewall-cmd --get-active-zones
external
  interfaces: eth0
internal
  interfaces: wg0

And check the configuration of your external zone:

$ sudo firewall-cmd --info-zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports: 49503/udp
  protocols:
  masquerade: yes
  forward-ports: port=56000:proto=tcp:toaddr=10.66.66.2
  source-ports:
  icmp-blocks:
  rich rules:

If everything's working correctly, save your current firewalld settings:

$ sudo firewall-cmd --runtime-to-permanent
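As an added example (not code from the answer or the original post), here is a small POSIX shell script that wraps the answer's four runtime commands in one function and, separately, parses a `firewall-cmd --info-zone=external` dump to confirm the three settings the answer depends on: masquerading on, the WireGuard listen port open, and the DNAT rule for TCP 56000 pointing at 10.66.66.2. The function names (apply_answer_config, zone_field, check_zone) are my own, and the sample dump embedded for offline use is a constructed copy of the output shown in the answer.

```shell
#!/bin/sh
# Added example, not code from the answer above. Function names are my
# assumptions; port/address values come from the question and answer.

# The answer's runtime commands in one place. Needs root and a live
# firewalld, so it is defined here but never invoked by the script itself.
apply_answer_config() {
    firewall-cmd --zone=external --add-port=49503/udp
    firewall-cmd --zone=external --add-forward-port='port=56000:proto=tcp:toaddr=10.66.66.2'
    firewall-cmd --zone=external --add-interface=eth0
    firewall-cmd --zone=internal --add-interface=wg0
}

# Constructed sample: the `--info-zone=external` output shown in the answer,
# embedded so the check below can run without firewalld present.
SAMPLE_ZONE_INFO='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports: 49503/udp
  protocols:
  masquerade: yes
  forward-ports: port=56000:proto=tcp:toaddr=10.66.66.2
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field DUMP NAME -> prints the value of the "  NAME: value" line
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# check_zone DUMP WG_PORT FWD_PORT TOADDR
# Returns 0 only if masquerade is on, WG_PORT/udp is open, and a DNAT
# rule for tcp/FWD_PORT to TOADDR exists. Each failure is reported.
check_zone() {
    dump=$1; wg_port=$2; fwd_port=$3; toaddr=$4
    rc=0
    [ "$(zone_field "$dump" masquerade)" = "yes" ] || { echo "masquerade is off"; rc=1; }
    # ports is a space-separated list, so pad with spaces for an exact match
    case " $(zone_field "$dump" ports) " in
        *" ${wg_port}/udp "*) ;;
        *) echo "WireGuard port ${wg_port}/udp not open"; rc=1 ;;
    esac
    case " $(zone_field "$dump" forward-ports) " in
        *"port=${fwd_port}:proto=tcp:toaddr=${toaddr}"*) ;;
        *) echo "no DNAT for tcp/${fwd_port} -> ${toaddr}"; rc=1 ;;
    esac
    return $rc
}

# Offline run against the constructed sample. On a real VPS you would use:
#   check_zone "$(firewall-cmd --info-zone=external)" 49503 56000 10.66.66.2
check_zone "$SAMPLE_ZONE_INFO" 49503 56000 10.66.66.2 && echo "external zone matches expectations"
```

The check is deliberately separate from the apply step: run it after `--runtime-to-permanent` (and again after a reboot) so you notice if the runtime rules were never saved, which is the usual way a firewalld setup that "worked yesterday" silently stops forwarding.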
Thanks for this. I use ssh on a different port, and with WG running I found that the clients could do anything they wanted except access public services on the VPS running WG, including ssh. The solution was to add the same `--add-port` command to the `internal` zone. I think in your answer it works because firewalld's internal and external zones both include the standard `ssh` service by default.