New on LowEndTalk? Please Register and read our Community Rules.

Help with port forwarding vpn wireguard

ofitofit Member

Hello. I have a problem with my internet provider. In the evening, the speed to most VPS can drop to 5 Mbit/s. I cannot change the provider because it is the only wired optical provider. Initially, I tried to change VPS providers (Virmach NL → Virmach DE → Inception Hosting NL → Netcup → online.net NL → online.net FR → PHP-Friends), but it did not help because my ISP often changes routing and uses networks that do not work well with a particular VPS provider. It is impossible to buy a static IPv4 because my internet provider does not provide this service. There are several VPS that have been working well for a long time. Therefore, I decided that I could set up a VPN (WireGuard) + port forward tunnel between my main VPS (PHP-Friends) and the VPS that works well in the evening, and redirect ports 80, 443, 22 from VPS_2 (the VPS for the WireGuard tunnel) to the main VPS (all services run on this VPS).

I did that, but I don't like that I can use only 1 VPS for the VPN (the VPS for the WireGuard tunnel) and also that all connections go through the WireGuard VPN.

I used the angristan script for the WireGuard VPN: https://github.com/angristan/wireguard-install
and this manual for port forwarding: https://securitynetworkinglinux.wordpress.com/2019/07/03/how-to-port-forward-ipv4-traffic-using-ufw-on-ubuntu-cli/

VPS server config

cat /etc/wireguard/wg0.conf

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 55372
PrivateKey = 4BYvcuNXSi9IH9a3aw+WOcXSz2GGvWFqwOT9WtS2kUY=
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip>
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; >

### Client PC
[Peer]
PublicKey = 1EYbzK1ZmOlNOFs0GgGb5S2Ttm27/3srIt0ZvBc1KE8=
PresharedKey = 1Sk/qTShfhfghfghfghd2trkRlwiaAcTlOmT8nRHoO8=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

### Client HS
[Peer]
PublicKey = 8v4ghPNdxfk8oRanwIp8xyyWKqFzCwmWK+T7B9IIlHQ=
PresharedKey = 8d6QtB1fghfghfghfgfiL4DfWlafAYRpmj7nvMHJW5aA=
AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128

cat /etc/default/ufw

# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. IPT_MODULES should typically be
# empty for new installations and modules added only as needed. See
# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
# nf_conntrack_sane: sane support
IPT_MODULES=""



root@vm398062:~# cat /etc/ufw/sysctl.conf
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#

# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0

# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0

# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0

#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800

# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=1
#net/ipv6/conf/all/autoconf=1

# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2



root@vm398062:~# cat /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#


*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# forward 2.2.2.2 port 80 to 10.66.66.3:80
# forward 2.2.2.2 port 443 to 10.66.66.3:443
# forward 2.2.2.2 port 5001 to 10.66.66.3:5331
-A PREROUTING -i eth0 -d 2.2.2.2 -p tcp --dport 80 -j DNAT --to-destination 10.66.66.3:80
-A PREROUTING -i eth0 -d 2.2.2.2 -p tcp --dport 443 -j DNAT --to-destination 10.66.66.3:443
-A PREROUTING -i eth0 -d 2.2.2.2 -p tcp --dport 5001 -j DNAT --to-destination 10.66.66.3:5331

# setup routing
-A POSTROUTING -s 10.66.66.0/24 ! -d 10.66.66.0/24 -j MASQUERADE
COMMIT



# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT




root@vm398062:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 31356 packets, 3557K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  304 16788 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:http to:10.66.66.3:80
  321 17876 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:https to:10.66.66.3:443
    9   396 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:5001 to:10.66.66.3:5331
    0     0 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:http to:10.66.66.3:80
    0     0 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:https to:10.66.66.3:443
    0     0 DNAT       tcp  --  eth0   any     anywhere             2.2.2.2      tcp dpt:5001 to:10.66.66.3:5331

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 623 packets, 37096 bytes)
 pkts bytes target     prot opt in     out     source               destination         
79400 5356K MASQUERADE  all  --  any    eth0    anywhere             anywhere            
    4   372 MASQUERADE  all  --  any    any     10.66.66.0/24       !10.66.66.0/24       
    0     0 MASQUERADE  all  --  any    any     10.66.66.0/24       !10.66.66.0/24

root@s0:~# cat vps_2.conf
[Interface]
PrivateKey = ANLdsdfsdfsdfuasdasdasdas07C4tbPObQ0A=
Address = 10.66.66.3/32,fd42:42:42::3/128
DNS = 94.140.14.14,94.140.15.15

[Peer]
PublicKey = zMGKMW5sdfsdfsdfsdf8CHW7lGoqS2aj8=
PresharedKey = 8d6QtBasdasddasdasdlafAYRpmj7nvMHJW5aA=
Endpoint = 2.2.2.2:55372
AllowedIPs = 0.0.0.0/0,::/0

I want the VPN not to be the default route (only connections coming from VPS_2 should go through the VPN) and to add 2 more VPNs like vps_2 in case something bad happens with vps_2. But I didn't know how to do it. I tried to change AllowedIPs, but it doesn't work.
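Why shrinking AllowedIPs breaks the setup: WireGuard's cryptokey routing drops any decrypted packet whose source address is outside the sending peer's AllowedIPs, and the DNAT-ed packets arriving over the tunnel still carry the visitor's real public source address, so the main VPS must keep 0.0.0.0/0 for the front-door peer. What has to go is not that entry but the default route wg-quick derives from it (Table = off), replaced by policy routing that sends replies back out of whichever tunnel the connection came in on. With one interface, one fwmark and one routing table per front-door VPS, several of them can run side by side. The script below is an added example, not code from the original post or from the angristan project; it generates the main-VPS side of the configs and assumes hypothetical values: each front-door VPS uses its own tunnel subnet (10.66.66.0/24, 10.66.67.0/24, 10.66.68.0/24), endpoints 203.0.113.2-4 on port 55372, placeholder keys, and IPv4 only.

```shell
#!/bin/sh
# Added example (not from the original post): generate, for the MAIN VPS, one
# wg-quick config per front-door VPS so that
#   * no tunnel becomes the default route, and
#   * replies to connections that arrived through tunnel N leave through tunnel N.
# Assumptions (hypothetical, not from the post): distinct tunnel subnet per
# front-door VPS, placeholder keys, IPv4 only.

# render_tunnel_conf N LOCAL_ADDR SUBNET ENDPOINT PEER_PUBKEY PRIVKEY PSK
# Prints the config for interface wgN to stdout.
render_tunnel_conf() {
    n=$1 addr=$2 subnet=$3 endpoint=$4 peer_pub=$5 privkey=$6 psk=$7
    # One fwmark and one routing table per tunnel: 0x100/100, 0x101/101, ...
    mark=$(printf '0x%x' $((256 + $n)))
    table=$((100 + $n))
    cat <<EOF
[Interface]
PrivateKey = $privkey
Address = $addr
# Table = off: wg-quick must not turn AllowedIPs = 0.0.0.0/0 into a default route.
Table = off
# The tunnel subnet (the front-door VPS at its tunnel address) is reached via this interface.
PostUp = ip route add $subnet dev %i
# Policy routing: packets marked $mark use a table whose only route is this tunnel.
PostUp = ip route add default dev %i table $table
PostUp = ip rule add fwmark $mark table $table priority $table
# Remember on which tunnel a connection arrived (connmark), then copy that mark onto
# the locally generated reply packets so the rule above sends them back the same way.
PostUp = iptables -t mangle -A PREROUTING -i %i -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
PostUp = iptables -t mangle -A OUTPUT -m connmark --mark $mark -j CONNMARK --restore-mark
# Forwarded packets carry the visitor's real source address, which the main table
# does not route via this interface; loose reverse-path filtering keeps them.
PostUp = sysctl -q -w net.ipv4.conf.%i.rp_filter=2
PostDown = iptables -t mangle -D OUTPUT -m connmark --mark $mark -j CONNMARK --restore-mark
PostDown = iptables -t mangle -D PREROUTING -i %i -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
PostDown = ip rule del fwmark $mark table $table priority $table
PostDown = ip route del default dev %i table $table

[Peer]
PublicKey = $peer_pub
PresharedKey = $psk
Endpoint = $endpoint
# Keep 0.0.0.0/0: WireGuard drops inbound packets whose source lies outside
# AllowedIPs, and DNAT-forwarded packets have arbitrary public sources.
# Table = off above is what stops this from becoming the default route.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# write_all_confs DIR: writes wg0.conf, wg1.conf, wg2.conf for three front doors.
# Index, local tunnel address, tunnel subnet and endpoint are placeholders.
write_all_confs() {
    dir=$1
    mkdir -p "$dir"
    for t in \
        '0 10.66.66.3/32 10.66.66.0/24 203.0.113.2:55372' \
        '1 10.66.67.3/32 10.66.67.0/24 203.0.113.3:55372' \
        '2 10.66.68.3/32 10.66.68.0/24 203.0.113.4:55372'; do
        set -- $t
        render_tunnel_conf "$1" "$2" "$3" "$4" "PEER${1}_PUBKEY" MAIN_PRIVKEY "PSK$1" \
            > "$dir/wg$1.conf"
        chmod 600 "$dir/wg$1.conf"
    done
}

# Usage: sh gen.sh /etc/wireguard   (no argument: only define the functions)
if [ $# -ge 1 ]; then
    write_all_confs "$1"
fi
```

Run it as `sh gen.sh /etc/wireguard`, replace the placeholder keys, then `wg-quick up wg0` (and wg1, wg2) on the main VPS. The front-door side stays as in the post (the DNAT rules plus `-A FORWARD -i wg0 -j ACCEPT` from PostUp), except that every additional front-door VPS needs the angristan script run with a different tunnel subnet. ufw on the main VPS has to allow 80, 443 and 22 in on the wg interfaces, and the `DNS =` line from vps_2.conf is left out on purpose: it only makes sense while the tunnel is the default route. If the visitor's source address does not matter, the simpler alternative is `iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE` on the front-door VPS; the main VPS can then use `AllowedIPs = 10.66.66.0/24` with no policy routing at all, at the cost of every request appearing to come from 10.66.66.1. One unrelated caveat from the `iptables -t nat -L -v` output above: each before.rules NAT rule is listed twice, which is what happens when before.rules is re-applied while ufw flushes only its own chains (MANAGE_BUILTINS=no); flush the nat table's PREROUTING chain before the next `ufw reload`, or the duplicates keep accumulating.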
