Score:0

Re-route all incoming traffic to my home computer over the wireguard interface


I have set up a server in AWS with WireGuard server installed on it. I configured the server and the client and the VPN connection is up and running. I am able to ping from my local computer to the server address (192.168.45.1), and also from my server to my home computer (ping from server to 192.168.45.2). So the base connection is working in both directions. I confirmed the working of the VPN by routing 0.0.0.0 (except local networks) via the WireGuard VPN and that works successfully: an IP check shows the IP of the AWS cloud.

Secondly, I need to be able to receive incoming connections on my AWS instance and those need to be routed to my home computer. Since there is a WireGuard tunnel running between the server and my home computer, it comes down to only local traffic forwarding FROM eth0 (the server's main incoming ethernet card, which is not used for anything else) TO the WireGuard interface (wg0). And because the destination IP changes, I have to use (D)NAT.

So I configured the Linux kernel using sysctl:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Then I started configuring the iptables on my AWS instance, in which 172.31.5.46 is the eth0 IP of my AWS server and 192.168.45.2 the IP of my home computer:

# iptables -F
# iptables -t nat -A PREROUTING -p tcp -d 172.31.5.46 --dport 3000 -j DNAT --to-destination 192.168.45.2:3000
# iptables -t nat -A PREROUTING -p tcp -d 172.31.5.46 --dport 22 -j DNAT --to-destination 192.168.45.2:22
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

At my home computer I am running a tool called "Simple TCP Listener" which shows me when connections are made to my computer at specific ports.

When I then connect from some endpoint on the internet to the public IP of my AWS instance, it gets redirected to my computer and my TCP Listener shows the incoming connection. But for some reason it ALWAYS comes in at my home computer at port 3000. So with the above setup, port 22 on AWS now forwards to port 3000, and port 3000 is giving a "Connection refused" to the outside world. That means that I am missing something small in my configuration or knowledge. What is that little piece?

Score:0

I learned today that rules are just being stacked up, not overwritten:

Looking at the NAT entries with the command below showed me that all executed NAT rules did not overwrite the previous ones but were simply appended to the NAT rules list, ending up with a list full of wrong entries. I found this out by flushing iptables and noticing that port 22 was still being forwarded.

iptables -t nat -L

Therefore, use the following to also clean the NAT rules chain of iptables:

iptables -F -t nat

And then my above set-up works. Port 22 requests are being forwarded to port 22 at my home computer and port 3000 requests are being forwarded to port 3000.
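The root cause in this answer is that every re-run of the iptables commands appends another copy of each rule, and the first matching PREROUTING entry wins. The script below is an added example, not code from the original question or answer: it applies the same DNAT forwarding (eth0 to the WireGuard peer) idempotently by checking with `-C` before appending, restricts FORWARD to that one path, and includes a small audit function that finds stacked duplicate rules in `iptables-save` output. The addresses and ports (172.31.5.46, 192.168.45.2, 22 and 3000) are taken from the thread; the sample `iptables-save` output is constructed for the check.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent DNAT forwarding from eth0 to a
# WireGuard peer, plus a duplicate-rule audit. Values below are the ones used in the thread.
ETH_IP="172.31.5.46"
HOME_IP="192.168.45.2"
PORTS="22 3000"

# Append a rule only if an identical one is not already present.
# "iptables -C" exits 0 when the rule exists, so repeated runs do not stack rules.
ensure_rule() {
    table="$1"; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

apply_forwarding() {
    for p in $PORTS; do
        ensure_rule nat PREROUTING -i eth0 -p tcp -d "$ETH_IP" --dport "$p" \
            -j DNAT --to-destination "$HOME_IP:$p"
    done
    # Masquerade on wg0 so the home peer always answers back through the tunnel,
    # independent of its own default route (it will see the server's wg0 address as source).
    ensure_rule nat POSTROUTING -o wg0 -j MASQUERADE
    # Forward only the DNATed ports toward the peer, and established replies back out.
    for p in $PORTS; do
        ensure_rule filter FORWARD -i eth0 -o wg0 -p tcp -d "$HOME_IP" --dport "$p" -j ACCEPT
    done
    ensure_rule filter FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Audit: read iptables-save style text on stdin and print each rule line that occurs
# more than once (a stacked duplicate). Usage on a live host:
#   iptables-save -t nat | find_duplicate_rules
find_duplicate_rules() {
    grep '^-A ' | sort | uniq -d
}

# Count duplicates in the text passed as $1 (helper so the result is a plain number).
count_duplicates_in() {
    printf '%s\n' "$1" | find_duplicate_rules | grep -c . || true
}

# Constructed sample: what "iptables-save -t nat" looks like after the DNAT commands
# from the question were run twice without flushing the nat table first.
SAMPLE_STACKED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d 172.31.5.46 --dport 3000 -j DNAT --to-destination 192.168.45.2:3000
-A PREROUTING -p tcp -d 172.31.5.46 --dport 22 -j DNAT --to-destination 192.168.45.2:22
-A PREROUTING -p tcp -d 172.31.5.46 --dport 3000 -j DNAT --to-destination 192.168.45.2:3000
-A PREROUTING -p tcp -d 172.31.5.46 --dport 22 -j DNAT --to-destination 192.168.45.2:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: the same table after "iptables -F -t nat" and one clean run.
SAMPLE_CLEAN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d 172.31.5.46 --dport 3000 -j DNAT --to-destination 192.168.45.2:3000
-A PREROUTING -p tcp -d 172.31.5.46 --dport 22 -j DNAT --to-destination 192.168.45.2:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Only touch the live firewall when explicitly asked (needs root and iptables).
if [ "${1:-}" = "apply" ]; then
    apply_forwarding
fi
```

Run it as `sh forward.sh apply` on the AWS instance to install the rules; running it a second time changes nothing because every `-A` is guarded by `-C`. The audit pipeline does not need root if you feed it a saved copy of the table, and the stacked sample above shows the exact failure mode from the thread: the earliest PREROUTING match wins, so a stale rule above the intended one silently redirects the port.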
