Score:0

How to set up WireGuard + NixOS to access servers (PostgreSQL, nginx) from a workstation?


I want to give operators access via WireGuard to services like PostgreSQL, nginx, ssh, etc. without giving out the public IP of the host.

I use NixOS, but a plain setup with WireGuard + iptables works for me too.

The tunnel is established and packets are transferring, as shown (on the server):

❯ wg
interface: wg0
  public key: k4lOk+/rXONPolNI...
  private key: (hidden)
  listening port: 51820

peer: VCH3gPI0qu0rUKMR...
  endpoint: ...:51820
  allowed ips: 10.100.0.2/32
  latest handshake: 32 seconds ago
  transfer: 53.11 KiB received, 1.05 KiB sent

But I can't connect to Postgres with psql -h 10.100.0.2 -U postgres or to the web server with curl 10.100.0.1 from the client (from the server it works).

I have the server config (where PostgreSQL is located):

[Interface]
Address = 10.100.0.1/32
ListenPort = 51820
PrivateKey = AIaYgTe...

[Peer]
PublicKey = VCH3gPI0qu...
AllowedIPs = 10.100.0.2/32
Endpoint = x.x.x.x:51820

I have the client config (peer1):

[Interface]
PrivateKey = cLUTCqLAj2aq...
ListenPort = 51820
Address = 10.100.0.2/32

[Peer]
PublicKey = k4lOk+/rXONP...
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:51820
persistentKeepalive = 10

I have tried many ways to set up the firewall; currently:

  networking.nat.enable = true;
  networking.nat.externalInterface = "eth0";
  networking.nat.internalInterfaces = [ "wg0" ];

  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.100.0.1/32" ];
      listenPort = 51820;

        # ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 22,5432,443,80 -j DNAT --to-destination 192.168.88.1
        # ${pkgs.iptables}/bin/iptables -A INPUT -i wg0 -m state --state NEW -p tcp -m multiport --dports 80,443,22,5432 -j ACCEPT        
      postSetup = ''
        ${pkgs.iptables}/bin/iptables -I FORWARD 1 -i wg0 -j ACCEPT; 
        ${pkgs.iptables}/bin/iptables -t nat -I POSTROUTING 1 -o eth0 -j MASQUERADE
        ${pkgs.iptables}/bin/iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 22,5432,443,80 -j DNAT --to-destination 127.0.0.1
      '';

      # This undoes the above command
      postShutdown = ''
        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT; 
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
        ${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -i wg0 -p tcp --match multiport --destination-ports 22,5432,443,80 -j DNAT --to-destination 127.0.0.1
      '';

      privateKeyFile = "/root/wireguard_private";

      peers = [
        # List of allowed peers.
        { # peer1
          publicKey = "VCH3gPI0qu0rUK...";
          allowedIPs = [ "10.100.0.2/32" ];
        }
      ];
    };
  };

  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedUDPPorts = [ 51820 ];

    allowedTCPPorts = [ 80 443 22 ];

    interfaces.wg0.allowedTCPPorts = [ 993 68 80 443 22 5432 ];
  };
mangohost
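
Added example, not from the question or from any answer: a small Python checker for a wg-quick config pair laid out like the one above (constructed configs, placeholder keys and a documentation-range endpoint). It parses both files, verifies that each side's AllowedIPs actually covers the other end's tunnel address, flags the full-tunnel 0.0.0.0/0 setting, and tells you whether an address you are about to test with psql or curl is the far end of the tunnel or this peer's own address.

```python
"""Sanity-check a wg-quick config pair (added example; keys are placeholders)."""
import ipaddress

def parse_wg_conf(text):
    """Parse wg-quick INI text into {"Interface": {...}, "Peers": [{...}, ...]}."""
    conf, current = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments/blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):   # section header
            current = conf["Interface"] if line[1:-1].lower() == "interface" else {}
            if current is not conf["Interface"]:
                conf["Peers"].append(current)             # each [Peer] is its own dict
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip().lower()] = value.strip()      # wg keys are case-insensitive
    return conf

def allowed_nets(conf):
    """Every AllowedIPs network across all peers of a config."""
    return [ipaddress.ip_network(n.strip()) for p in conf["Peers"]
            for n in p.get("allowedips", "").split(",") if n.strip()]

def tunnel_addr(conf):
    return ipaddress.ip_interface(conf["Interface"]["address"]).ip

def check_pair(server, client):
    """Errors that stop the client reaching the server's tunnel address, plus warnings."""
    s_ip, c_ip, errors, warnings = tunnel_addr(server), tunnel_addr(client), [], []
    if not any(c_ip in n for n in allowed_nets(server)):
        errors.append(f"server AllowedIPs do not cover client address {c_ip}")
    if not any(s_ip in n for n in allowed_nets(client)):
        errors.append(f"client AllowedIPs do not route server address {s_ip} into the tunnel")
    if any(n.prefixlen == 0 for n in allowed_nets(client)):
        warnings.append("client uses 0.0.0.0/0: all client traffic goes through the server")
    return {"errors": errors, "warnings": warnings}

def is_remote_target(client, target):
    """True if `target` is the far end of the tunnel, not this peer's own address."""
    ip = ipaddress.ip_address(target)
    return ip != tunnel_addr(client) and any(ip in n for n in allowed_nets(client))

# Constructed configs mirroring the question's layout; keys and endpoint are placeholders.
SERVER_CONF = "[Interface]\nAddress = 10.100.0.1/32\nListenPort = 51820\nPrivateKey = SERVER_KEY\n" \
              "[Peer]\nPublicKey = CLIENT_PUB\nAllowedIPs = 10.100.0.2/32\n"
CLIENT_CONF = "[Interface]\nAddress = 10.100.0.2/32\nPrivateKey = CLIENT_KEY\n" \
              "[Peer]\nPublicKey = SERVER_PUB\nAllowedIPs = 0.0.0.0/0\nEndpoint = 203.0.113.10:51820\n"
```

Call parse_wg_conf on both strings, then check_pair and is_remote_target; with these addresses the pair is consistent and 10.100.0.1 is the only far-end address, so the next things to check are which addresses the services bind to and the per-interface firewall rules on wg0.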
