Help with port forwarding vpn wireguard
ofitofit Member

Hello. I have a problem with my internet provider. In the evening, the speed can drop to 5Mbit/s on most VPS. I cannot change the provider because it is the only wired optical provider. Initially, I tried to change VPS providers (Virmach NL → Virmach DE → Inception Hosting NL → Netcup → online.net NL → online.net FR → PHP-Friends), but it did not help because my ISP often changes routing and uses networks that do not work well with a particular VPS provider. It is impossible to buy a static IPv4 because my internet provider does not provide this service. There are several VPS that have been working well for a long time. Therefore, I decided that I could set up a VPN (WireGuard) + port forward tunnel between my main VPS (PHP-Friends) and the VPS that works well in the evening, and redirect ports 80, 443, 22 from VPS_2 (the VPS for the WireGuard tunnel) to the main VPS (all services are running on this VPS).

I did that, but I don't like that I can use only one VPS for the VPN (the VPS for the WireGuard tunnel) and that all connections go through the WireGuard VPN.

I used the angristan script for the WireGuard VPN https://github.com/angristan/wireguard-install
and the manual for port forwarding https://securitynetworkinglinux.wordpress.com/2019/07/03/how-to-port-forward-ipv4-traffic-using-ufw-on-ubuntu-cli/

VPS server config

cat /etc/wireguard/wg0.conf

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 55372
PrivateKey = 4BYvcuNXSi9IH9a3aw+WOcXSz2GGvWFqwOT9WtS2kUY=
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip>
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; >

### Client PC
[Peer]
PublicKey = 1EYbzK1ZmOlNOFs0GgGb5S2Ttm27/3srIt0ZvBc1KE8=
PresharedKey = 1Sk/qTShfhfghfghfghd2trkRlwiaAcTlOmT8nRHoO8=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

### Client HS
[Peer]
PublicKey = 8v4ghPNdxfk8oRanwIp8xyyWKqFzCwmWK+T7B9IIlHQ=
PresharedKey = 8d6QtB1fghfghfghfgfiL4DfWlafAYRpmj7nvMHJW5aA=
AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128

cat /etc/default/ufw

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""



root@vm398062:~# cat /etc/ufw/sysctl.conf
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#

# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0

# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0

# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0

#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800

# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=1
#net/ipv6/conf/all/autoconf=1

# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2



root@vm398062:~# cat /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#


*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# forward 2.2.2.2 ports 80, 443 and 5001 (public IP of this VPS) to the
# main VPS at its tunnel address 10.66.66.3 (5001 is remapped to 5331)
-A PREROUTING -i eth0 -d 2.2.2.2 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.3:80
-A PREROUTING -i eth0 -d 2.2.2.2 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.3:443
-A PREROUTING -i eth0 -d 2.2.2.2 -p tcp --dport 5001 -j DNAT --to-destination 10.66.66.3:5331

# setup routing
-A POSTROUTING -s 10.66.66.0/24 ! -d 10.66.66.0/24 -j MASQUERADE
COMMIT



# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT




root@vm398062:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 31356 packets, 3557K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  304 16788 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:http to:10.66.66.3:80
  321 17876 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:https to:10.66.66.3:443
    9   396 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:5001 to:10.66.66.3:5331
    0     0 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:http to:10.66.66.3:80
    0     0 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:https to:10.66.66.3:443
    0     0 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:5001 to:10.66.66.3:5331

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 623 packets, 37096 bytes)
 pkts bytes target     prot opt in     out     source               destination         
79400 5356K MASQUERADE  all  --  any    eth0    anywhere             anywhere            
    4   372 MASQUERADE  all  --  any    any     10.66.66.0/24       !10.66.66.0/24       
    0     0 MASQUERADE  all  --  any    any     10.66.66.0/24       !10.66.66.0/24

root@s0:~# cat vps_2.conf
[Interface]
PrivateKey = ANLdsdfsdfsdfuasdasdasdas07C4tbPObQ0A=
Address = 10.66.66.3/32,fd42:42:42::3/128
DNS = 94.140.14.14,94.140.15.15

[Peer]
PublicKey = zMGKMW5sdfsdfsdfsdf8CHW7lGoqS2aj8=
PresharedKey = 8d6QtBasdasddasdasdlafAYRpmj7nvMHJW5aA=
Endpoint = 2.2.2.2:55372
AllowedIPs = 0.0.0.0/0,::/0

I want the VPN not to be the default route (only connections forwarded from VPS_2 go through the VPN) and to add 2 more VPNs like vps_2 in case something bad happens with vps_2. But I don't know how to do it. I tried to change AllowedIPs but it doesn't work.
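An added example (not from the post) of how the main VPS side of the tunnel could be configured so that the tunnel stops being the default route while forwarded connections still reply back through it; it is the standard fwmark/policy-routing pattern, not something the post already contains. It assumes the main VPS runs wg-quick with iptables, and the keys, the mark 0x66 and routing table 66 are placeholders/choices of this example.

```ini
# /etc/wireguard/wg0.conf on the MAIN VPS (the one running the services),
# replacing vps_2.conf. Tunnel to VPS_2 at 2.2.2.2; keys are placeholders.
[Interface]
PrivateKey = <main VPS private key, placeholder>
Address = 10.66.66.3/32
# Table = off: wg-quick installs no routes at all, so the 0.0.0.0/0 in
# AllowedIPs below no longer becomes the default route. The DNS line from
# vps_2.conf is dropped on purpose: ordinary traffic stays on eth0.
Table = off
# Only the tunnel subnet itself is routed through wg0 in the main table.
PostUp = ip route add 10.66.66.0/24 dev wg0
# DNAT-forwarded client packets arrive with the client's real source IP,
# so their replies would otherwise leave via eth0 (asymmetric routing).
# Mark the connection when it enters via wg0, restore the mark on locally
# generated reply packets, and route marked packets via table 66 -> wg0.
PostUp = iptables -t mangle -A PREROUTING -i wg0 -j CONNMARK --set-mark 0x66
PostUp = iptables -t mangle -A OUTPUT -m connmark --mark 0x66 -j CONNMARK --restore-mark
PostUp = ip rule add fwmark 0x66 table 66
PostUp = ip route add default dev wg0 table 66
# Strict reverse-path filtering would drop Internet-sourced packets that
# arrive on wg0; use loose mode on the tunnel interface only.
PostUp = sysctl -q -w net.ipv4.conf.wg0.rp_filter=2
PostDown = ip route del default dev wg0 table 66
PostDown = ip rule del fwmark 0x66 table 66
PostDown = iptables -t mangle -D OUTPUT -m connmark --mark 0x66 -j CONNMARK --restore-mark
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j CONNMARK --set-mark 0x66
PostDown = ip route del 10.66.66.0/24 dev wg0

[Peer]
# VPS_2 (the tunnel VPS with the DNAT rules)
PublicKey = <VPS_2 public key, placeholder>
PresharedKey = <preshared key, placeholder>
Endpoint = 2.2.2.2:55372
# Must stay 0.0.0.0/0: WireGuard discards decrypted packets whose source
# address is outside the peer's AllowedIPs, and the forwarded packets keep
# the client's public source address. That is why narrowing AllowedIPs on
# its own "doesn't work"; with Table = off it no longer affects routing.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

A second tunnel VPS gets its own wg1.conf with a different tunnel subnet (for example 10.67.67.0/24), its own mark (0x67) and table (67), and otherwise the same rules, so the DNAT on each tunnel VPS keeps working independently. The alternative of masquerading toward wg0 on VPS_2 avoids the policy routing but makes every connection appear to come from 10.66.66.1, which hides client IPs from the service logs.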
