VPN/WireGuard: forward traffic internally as well as externally

This may be more of a Linux firewall question, but the context is the Wireguard VPN setup on Ubuntu. Note, I’m barely getting acquainted with a lot of this stuff.

I have Wireguard up and running on Digital Ocean Ubuntu with Windows and Android clients using it. All seems good.

The basic firewall commands I use when it comes up are below:

PreUp = sysctl -w net.ipv4.ip_forward=1
PreUp = sysctl -w net.ipv6.conf.all.forwarding=1
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = sysctl -w net.ipv4.ip_forward=0
PostDown = sysctl -w net.ipv6.conf.all.forwarding=0

So, the 3rd line appears to route all traffic coming in on wg0 (the private VPN) out through the public eth0 interface, as it should (almost?), and it works fine. The wg0/private network is 10.8.0.1/24 and the server is 10.8.0.1. When client traffic comes into the server destined for 10.8.0.x (another address within the private network), it times out.

I "thought" it is because it is attempting to route it through eth0? If so, how do I ensure that traffic destined for the private subnet keeps using the wg0 interface? If not, any other suggestions?

Solution:

If your default policy is to drop or deny forwarding in iptables/ufw, then you are most likely missing the firewall/ufw entries for allowing the traffic to flow between the different WireGuard interface(s), or in and out on the same interface.

You could check your dmesg for [UFW BLOCK] messages.

To allow unrestricted flow in and out on the same wg interface:

PostUp = ufw route allow in on wg0 out on wg0

I prefer to modify the config file directly: sudo vim /etc/ufw/before.rules

Go to the filter section; after the end of the required lines you can add the forwarding rules you need. E.g.:

-A ufw-before-forward -i wg0 -s 10.8.0.1/24 -o wg0 -d 10.8.0.1/24 -j ACCEPT

This will allow traffic from (-s flag) 10.8.0.1/24 on interface wg0 to (-d flag) 10.8.0.1/24 on interface wg0. -i is the input interface and -o is the output interface.

If you prefer to use your up/down way, you can add iptables in front of the command.

iptables -A ufw-before-forward -i wg0 -s 10.8.0.1/24 -o wg0 -d 10.8.0.1/24 -j ACCEPT

Good luck 🙂
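The answer above suggests checking dmesg for [UFW BLOCK] messages before adding a forwarding rule. The following is an added example, not code from the question or the answer: a small bash script that reads kernel log lines in the format ufw emits, keeps only the packets that were dropped while being forwarded from one named interface to another (both IN= and OUT= set, which distinguishes a FORWARD-chain drop from an INPUT-chain drop), and then prints the matching before.rules line for the peer subnet. The log lines are constructed sample data; the interface name wg0 and the subnet 10.8.0.0/24 (the network-address form of the poster's 10.8.0.1/24) are assumptions taken from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find [UFW BLOCK] entries for
# packets dropped while being forwarded between two interfaces, then emit the
# ufw-before-forward rule that would allow that subnet-internal traffic.

# Constructed sample log lines in the kernel LOG format ufw uses. Lines 1 and 3
# are peer-to-peer packets inside the VPN dropped in FORWARD (IN and OUT set);
# line 2 is an unrelated INPUT drop on the public interface (OUT is empty).
SAMPLE_LOG='[UFW BLOCK] IN=wg0 OUT=wg0 MAC= SRC=10.8.0.2 DST=10.8.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.4 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=wg0 OUT=wg0 MAC= SRC=10.8.0.3 DST=10.8.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=999 DF PROTO=TCP SPT=50000 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0'

# blocked_forwards IN_IF OUT_IF
# Reads log text on stdin and prints "SRC DST PROTO" for every [UFW BLOCK]
# packet that entered on IN_IF and was about to leave on OUT_IF. Packets with
# an empty OUT= were dropped in INPUT, not FORWARD, and are skipped.
blocked_forwards() {
  local in_if="$1" out_if="$2"
  awk -v in_if="$in_if" -v out_if="$out_if" '
    /\[UFW BLOCK\]/ {
      src = ""; dst = ""; proto = ""; inif = ""; outif = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")                 # each field is KEY=VALUE
        if (kv[1] == "IN")    inif  = kv[2]
        if (kv[1] == "OUT")   outif = kv[2]
        if (kv[1] == "SRC")   src   = kv[2]
        if (kv[1] == "DST")   dst   = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
      }
      if (inif == in_if && outif == out_if) print src, dst, proto
    }'
}

# forward_rule IN_IF OUT_IF SUBNET
# Emits the /etc/ufw/before.rules line (ufw-before-forward chain) that allows
# forwarding from IN_IF to OUT_IF only when both source and destination are
# inside SUBNET, so it does not open forwarding to or from other networks.
forward_rule() {
  printf -- '-A ufw-before-forward -i %s -s %s -o %s -d %s -j ACCEPT\n' \
    "$1" "$3" "$2" "$3"
}

# Stand-alone demonstration on the constructed log. On a real host you would
# pipe `dmesg` or /var/log/ufw.log into blocked_forwards instead.
printf '%s\n' "$SAMPLE_LOG" | blocked_forwards wg0 wg0 | sort | uniq -c
forward_rule wg0 wg0 10.8.0.0/24
```

The function only reports drops whose IN and OUT interfaces both match, so a single run against the real log tells you whether the time-outs the question describes are FORWARD drops between peers (fix: the rule the answer gives) or something else, such as a missing route or an INPUT drop on the server address. The emitted rule is deliberately scoped to the VPN subnet on both sides; widening it to any source or destination would turn the server into an open forwarder for whatever reaches wg0.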
