Score:1

VPN/WireGuard: forward traffic internally as well as externally


This may be more of a Linux firewall question, but the context is the WireGuard VPN setup on Ubuntu. Note, I'm barely getting acquainted with a lot of this stuff.

I have WireGuard up and running on Digital Ocean Ubuntu with Windows and Android clients using it. All seems good.

The basic firewall commands I use when it comes up are below. The 3rd line appears to route all traffic coming in on wg0 (private VPN) out through the public eth0 interface, as it should (almost?), and it works fine. The wg0/private network is 10.8.0.1/24 and the server is 10.8.0.1. When client traffic comes into the server destined for 10.8.0.x (another address within the private network), it times out.

I "thought" it is because it is attempting to route it through eth0? If so, how do I ensure that traffic destined for the private subnet stays on the wg0 interface? If not, any other suggestions?

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = sysctl -w net.ipv6.conf.all.forwarding=1
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = sysctl -w net.ipv4.ip_forward=0
PostDown = sysctl -w net.ipv6.conf.all.forwarding=0
Score:0

If your default policy is to drop or deny forwarding in iptables/ufw, then you are most likely missing the firewall/ufw entries that allow traffic to flow between the different WireGuard interface(s), or in and out on the same interface.

You could check your dmesg for [UFW BLOCK] messages.

To allow unrestricted flow in and out on the same wg interface:

PostUp = ufw route allow in on wg0 out on wg0

I prefer to modify the config file directly: sudo vim /etc/ufw/before.rules. Go to the filter section; after the end of the required lines you can add the forwarding rules you need. E.g.:

-A ufw-before-forward -i wg0 -s 10.8.0.1/24 -o wg0 -d 10.8.0.1/24 -j ACCEPT

This will allow traffic from (-s flag) 10.8.0.1/24 on interface wg0 to (-d flag) 10.8.0.1/24 on interface wg0. -i is the input interface and -o is the output interface.

If you prefer to use your up/down way, you can add iptables in front of the command:

iptables -A ufw-before-forward -i wg0 -s 10.8.0.1/24 -o wg0 -d 10.8.0.1/24 -j ACCEPT

Good luck :)
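The two checks a practitioner would want around the answer above, as an added example that is not part of the original answer or of ufw/WireGuard: derive the VPN network from the Address= line of a wg0.conf (so the rule uses 10.8.0.0/24 rather than the host address 10.8.0.1/24), emit a matching PostUp/PreDown pair so the rule is removed again when the tunnel goes down instead of accumulating with every restart, and scan dmesg-style lines for [UFW BLOCK] entries whose IN= and OUT= are both wg0 with source and destination inside that network, which is the symptom the answer tells you to look for. The sample config and log lines are constructed for this example; the field layout of the log lines follows ufw's logging format.

```python
"""Derive the WireGuard subnet from wg0.conf, emit the forward rules that keep
client-to-client traffic on wg0, and find [UFW BLOCK] lines that show such
traffic being dropped. Constructed example; not code from the original post."""
import ipaddress
import re

# Constructed sample, modelled on the config in the question (not the poster's file).
SAMPLE_CONF = """[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = REDACTED
"""

# Constructed sample kernel log lines in the KEY=VALUE layout ufw logging uses.
SAMPLE_DMESG = [
    "[UFW BLOCK] IN=wg0 OUT=wg0 MAC= SRC=10.8.0.2 DST=10.8.0.3 LEN=84 PROTO=ICMP TYPE=8",
    "[UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.5 LEN=40 PROTO=TCP DPT=23",
    "[UFW ALLOW] IN=wg0 OUT=eth0 MAC= SRC=10.8.0.2 DST=1.1.1.1 LEN=60 PROTO=UDP DPT=53",
]

FIELD = re.compile(r"(\w+)=(\S*)")


def vpn_network(conf_text):
    """Return the VPN network (host bits cleared) from the Address= line."""
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "Address":
            # ip_interface keeps the host address; .network normalises 10.8.0.1/24 to 10.8.0.0/24
            return ipaddress.ip_interface(value.strip().split(",")[0]).network
    raise ValueError("no Address= line in [Interface]")


def intra_vpn_rules(conf_text, iface="wg0"):
    """PostUp/PreDown pair that accepts forwarding between clients on the same wg interface.

    The identical rule is deleted on PreDown so up/down cycles do not leave duplicate
    copies in ufw-before-forward (an -A on every PostUp with no -D would do that)."""
    net = vpn_network(conf_text)
    rule = f"-i {iface} -s {net} -o {iface} -d {net} -j ACCEPT"
    return [
        f"PostUp = iptables -A ufw-before-forward {rule}",
        f"PreDown = iptables -D ufw-before-forward {rule}",
    ]


def blocked_intra_vpn(lines, net, iface="wg0"):
    """Return (src, dst) pairs from [UFW BLOCK] lines that are wg0->wg0 forwards inside net."""
    hits = []
    for line in lines:
        if "[UFW BLOCK]" not in line:
            continue
        fields = dict(FIELD.findall(line))
        # A forwarded packet shows both IN= and OUT=; local-delivery drops have OUT= empty.
        if fields.get("IN") != iface or fields.get("OUT") != iface:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue
        if src in net and dst in net:
            hits.append((str(src), str(dst)))
    return hits


if __name__ == "__main__":
    net = vpn_network(SAMPLE_CONF)
    print("\n".join(intra_vpn_rules(SAMPLE_CONF)))
    print("blocked intra-VPN forwards:", blocked_intra_vpn(SAMPLE_DMESG, net))
```

Run it against your own file with `vpn_network(open("/etc/wireguard/wg0.conf").read())` and pipe `dmesg` output into `blocked_intra_vpn`; an empty result after adding the rule confirms the forward path, while hits with IN=wg0 OUT=eth0 would point at NAT or routing rather than the forward policy.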

Paul G

Just got back to this. As suggested I added iptables -A ufw-before-forward -i wg0 -s 10.8.0.1/24 -o wg0 -d 10.8.0.1/24 -j ACCEPT, but to my wg0.conf file, as indeed this is exactly what I wanted: traffic within that subnet to stay on wg0. It appears to have worked perfectly, thanks!! I'm not familiar with the before.rules configuration file, so I stuck with wg0.conf.