Score:0

Solved - Router as WireGuard client | External User IP is shown to be WireGuard tunnel's local IP on home server [EdgeRouter]

de flag

I have set up my EdgeRouter-X as a WireGuard client (using IPv6) so that my public IP is shown to be the WireGuard server's public IP.

This is because I want to host an home server using OVH's IP and Anti-DDoS instead of my own public ip which is unprotected.

I have 4 public IPs:

22.22.22.22

33.33.33.33

44.44.44.44

55.55.55.55

The graph for my connection is like this:

OVH VPS Wireguard Server WG0 Tunnel (LOCAL Tunnel 10.0.0.1) [Port forwarding with IPTables] <-----> (LOCAL Tunnel 10.0.0.2) EdgeRouter X

EdgeRouter-X (LOCAL 192.168.1.1) [Port forwarding with EdgeRouter] <-----> (LOCAL 192.168.1.10) HOME-SERVER

I am forwarding all the ports from OVH's VPS (1-65535) with IPTables to my EdgeRouter through the wg0 tunnel and then to my homeserver and that works.

The issue is that when a user connects let's say to 22.22.22.22:80 he is displayed succesfully the web page, but his IP to the server results to be 10.0.0.1 and not the user public IP.

This is my WG Server configuration:

[Interface]

Address = 10.0.0.1/30

ListenPort = 51821

PrivateKey = CENSORED




### Client vpn

[Peer]

PublicKey = CENSORED

PresharedKey = CENSORED

AllowedIPs = 10.0.0.2/30

This is my WG Server IPTables configuration to forward the ports to the EdgeRouter through WG0:

# Generated by iptables-save v1.8.7 on Sun Jan  9 11:04:33 2022
*filter
:INPUT ACCEPT [971:145912]
:FORWARD ACCEPT [920:137172]
:OUTPUT ACCEPT [637:108812]
:f2b-sshd - [0:0]
COMMIT
# Completed on Sun Jan  9 11:04:33 2022
# Generated by iptables-save v1.8.7 on Sun Jan  9 11:04:33 2022
*nat
:PREROUTING ACCEPT [133:6792]
:INPUT ACCEPT [61:2272]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [66:4011]
-A PREROUTING -i ens3 -p udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p udp -m multiport --dports 51822:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 51822:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p udp -m multiport --dports 80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sun Jan  9 11:04:33 2022

This is my EdgeRouter-X configuration with WG0 client and port forwarding to the home server:

 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group MY_PUBLIC {
             address 22.22.22.22
             address 33.33.33.33
             address 44.44.44.44
             address 55.55.55.55
         }
     }
     ipv6-name WANv6_IN {
         default-action drop
         description "WAN inbound traffic forwarded to LAN"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     ipv6-name WANv6_LOCAL {
         default-action drop
         description "WAN inbound traffic to the router"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "Allow IPv6 icmp"
             protocol ipv6-icmp
         }
         rule 40 {
             action accept
             description "allow dhcpv6"
             destination {
                 port 546
             }
             protocol udp
             source {
                 port 547
             }
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     modify wireguard_route {
         rule 5 {
             action modify
             destination {
                 group {
                     address-group MY_PUBLIC
                 }
             }
             modify {
                 table main
             }
         }
         rule 10 {
             action modify
             description wireguard-vpn
             modify {
                 table 1
             }
             source {
                 address 192.168.1.0/24
             }
         }
     }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         dhcpv6-pd {
             pd 0 {
                 interface eth1 {
                     service dhcpv6-stateful
                 }
                 interface eth2 {
                     service dhcpv6-stateful
                 }
                 interface eth3 {
                     service dhcpv6-stateful
                 }
                 interface switch0 {
                     host-address ::1
                     service slaac
                 }
                 prefix-length /64
             }
             rapid-commit enable
         }
         duplex auto
         firewall {
             in {
                 ipv6-name WANv6_IN
                 name WAN_IN
             }
             local {
                 ipv6-name WANv6_LOCAL
                 name WAN_LOCAL
             }
         }
         ipv6 {
             address {
                 autoconf
             }
             dup-addr-detect-transmits 1
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         poe {
             output off
         }
         speed auto
     }
     loopback lo {
     }
     switch switch0 {
         address 192.168.1.1/24
         description Local
         firewall {
             in {
                 modify wireguard_route
             }
         }
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
     wireguard wg0 {
         address 10.0.0.2/30
         description Wireguard
         listen-port 51821
         mtu 1420
         peer CENSORED {
             allowed-ips 0.0.0.0/0
             endpoint [2001:41d0:52:400::6e3]:51821
             persistent-keepalive 25
             preshared-key /config/auth/wg-preshared.key
         }
         private-key /config/auth/wg.key
         route-allowed-ips false
     }
 }
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface switch0
     rule 1 {
         description "Allow ALL"
         forward-to {
             address 192.168.1.10
         }
         original-port 1-65535
         protocol tcp_udp
     }
     wan-interface wg0
 }
 protocols {
     static {
         table 1 {
             description "table to force wg0:aws"
             interface-route 0.0.0.0/0 {
                 next-hop-interface wg0 {
                 }
             }
             route 0.0.0.0/0 {
                 blackhole {
                     distance 255
                 }
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 192.168.1.0/24 {
                 default-router 192.168.1.1
                 dns-server 192.168.1.1
                 lease 86400
                 start 192.168.1.38 {
                     stop 192.168.1.243
                 }
                 static-mapping Node2 {
                     ip-address 192.168.1.10
                     mac-address 90:b1:1c:44:f6:da
                 }
                 static-mapping iDRAC {
                     ip-address 192.168.1.120
                     mac-address E0:DB:55:06:2D:14
                 }
             }
         }
         static-arp disable
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on switch0
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5002 {
             description wireguard-nat
             log disable
             outbound-interface wg0
             protocol all
             source {
                 address 192.168.1.0/24
             }
             type masquerade
         }
         rule 5003 {
             description "masquerade for WAN"
             log disable
             outbound-interface eth0
             protocol all
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     unms {
     }
 }
 system {
     analytics-handler {
         send-analytics-report false
     }
     crash-handler {
         send-crash-report false
     }
     host-name EdgeRouter-X-5-Port
     login {
         user ubnt {
             authentication {
                 encrypted-password 
             }
             level admin
         }
     }
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     offload {
         hwnat enable
         ipsec enable
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }
Score:0
de flag

Solved by changing:

-A POSTROUTING -j MASQUERADE

with:

-A POSTROUTING -o ens3 -j MASQUERADE
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.