Dear ServerFault community,
I have recently bought a home server. I did not want to host any content on my office IP (1.1.1.1), so I bought an OVH VPS with 4 IPs and created a WireGuard tunnel to use the VPS's IP as the home-server IP.
The OVH VPS also forwards all the ports to my home server.
I am currently using 2 of the 4 OVH VPS IPs: 2.2.2.2 and 3.3.3.3.
I created two WireGuard tunnels on the VPS on different subnets: one on 10.0.0.0 and one on 10.1.0.0.
My aim was to achieve a config so that listening on 10.0.0.2 would resolve to 2.2.2.2 and listening on 10.1.0.2 would resolve to 3.3.3.3.
This works for the first tunnel and for the second tunnel when they run by themselves with AllowedIPs = 0.0.0.0/0.
The problem is that when they run together with AllowedIPs = 0.0.0.0/0, the internet connection stops.
I tried changing WG1's AllowedIPs to 10.1.0.0/24, but then WG1 has no working internet connection.
Here are my configuration files:
Server WG0 (OVH VPS):
[Interface]
Address = 10.0.0.1/24
ListenPort = 51821
PrivateKey = {CENSORED}
### Client vpn
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
AllowedIPs = 10.0.0.2/32
Server WG1 (OVH VPS):
[Interface]
Address = 10.1.0.1/24
ListenPort = 51822
PrivateKey = {CENSORED}
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
AllowedIPs = 10.1.0.2/32
OVH VPS' IPTables configuration:
# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*filter
:INPUT ACCEPT [1698:235639]
:FORWARD ACCEPT [1053:163056]
:OUTPUT ACCEPT [1451:166474]
:f2b-sshd - [0:0]
COMMIT
# Completed on Tue May 31 15:25:37 2022
# Generated by iptables-save v1.8.7 on Tue May 31 15:25:37 2022
*nat
:PREROUTING ACCEPT [435:15811]
:INPUT ACCEPT [428:15399]
:OUTPUT ACCEPT [32:2255]
:POSTROUTING ACCEPT [119:6298]
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p tcp -m tcp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 2.2.2.2/32 -p udp -m udp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 51826:65534 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p tcp -m tcp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -d 3.3.3.3/32 -p udp -m udp -m multiport --dports 21,22,80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.1.0.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p tcp -m tcp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.0.0.2/32 -p udp -m udp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 51826:65534 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p tcp -m tcp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 1000:51820 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 51826:65534 -j SNAT --to-source 3.3.3.3
-A POSTROUTING -s 10.1.0.2/32 -p udp -m udp -m multiport --sports 21,22,80,25,995,110,443,465,993,143 -j SNAT --to-source 3.3.3.3
COMMIT
# Completed on Tue May 31 15:25:37 2022
Homeserver WG0 configuration:
[Interface]
PrivateKey = {CENSORED}
Address = 10.0.0.2/32
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 2.2.2.2:51821
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.0.0.0/24
Homeserver WG1 configuration:
[Interface]
PrivateKey = {CENSORED}
Address = 10.1.0.2/32
[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 3.3.3.3:51822
AllowedIPs = 10.1.0.0/24
With my current (pasted here) configuration I can bind (for example Apache2) to 10.0.0.2, and it correctly resolves and allows people to access the server via 2.2.2.2. But when I bind to 10.1.0.2, the IP address 3.3.3.3 is not accessible from the internet on any port, and the interface WG1 has no internet connection (e.g. when attempting curl --interface wg1 ifconfig.co).
Thank you in advance for your time and help!
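As an added example, not part of the question above and not tested against the poster's setup, here is the conventional way to give a second WireGuard interface its own outbound path without installing a second default route: policy routing keyed on the tunnel's source address. It assumes wg-quick on the home server, that wg0 stays exactly as posted (AllowedIPs = 0.0.0.0/0, wg-quick's automatic fwmark rules), and that routing table 101 and rule priorities 999 and 1000 are free; those numbers are arbitrary choices, and the keys and endpoint are the poster's placeholders.

```ini
# Home server wg1 (example replacement for the posted wg1 config, not the poster's own).
# Table = off stops wg-quick from adding any routes or rules for this interface;
# the PostUp lines install them by hand, and PostDown removes them in reverse order.
[Interface]
PrivateKey = {CENSORED}
Address = 10.1.0.2/32
Table = off

# Reach the tunnel subnet (10.1.0.1 on the VPS) directly over wg1 from the main table.
PostUp = ip route add 10.1.0.0/24 dev wg1

# Table 101: everything sourced from 10.1.0.2 leaves through wg1.
PostUp = ip route add default dev wg1 table 101
# Priority 1000 is lower (i.e. wins) than the 3276x priorities wg-quick uses for wg0,
# so the rule holds regardless of which tunnel is brought up first.
PostUp = ip rule add from 10.1.0.2 lookup 101 priority 1000

# Keep wg1's own encrypted UDP (to the VPS endpoint) out of wg0: look it up in the
# main table, whose office default route is not suppressed by this rule.
PostUp = ip rule add to 3.3.3.3/32 lookup main priority 999

PostDown = ip rule del to 3.3.3.3/32 lookup main priority 999
PostDown = ip rule del from 10.1.0.2 lookup 101 priority 1000
PostDown = ip route del default dev wg1 table 101
PostDown = ip route del 10.1.0.0/24 dev wg1

[Peer]
PublicKey = {CENSORED}
PresharedKey = {CENSORED}
Endpoint = 3.3.3.3:51822
# 0.0.0.0/0 is needed so the kernel accepts return traffic from any internet
# source inside this tunnel; with Table = off it no longer creates a default route.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

After `wg-quick up wg1`, `ip rule show` should list the two added rules above wg-quick's wg0 rules, and `ip route show table 101` should contain only the wg1 default. A service bound to 10.1.0.2, or `curl --interface wg1 ifconfig.co` as in the post, then picks source 10.1.0.2 and is routed by table 101; the VPS's existing SNAT rules for 10.1.0.2 do the rest. The VPS-side configs and iptables rules as posted do not need to change for this.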